* [FFmpeg-devel] [PATCH] tools: add target_enc_fuzzer.c
@ 2024-04-20 1:10 Michael Niedermayer
From: Michael Niedermayer @ 2024-04-20 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
Makefile | 3 +
tools/Makefile | 3 +
tools/target_enc_fuzzer.c | 213 ++++++++++++++++++++++++++++++++++++++
3 files changed, 219 insertions(+)
create mode 100644 tools/target_enc_fuzzer.c
diff --git a/Makefile b/Makefile
index b309dbc4db9..de727cbe00e 100644
--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
+target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
+ $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
+
tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
diff --git a/tools/Makefile b/tools/Makefile
index 72e8e709a8d..2a11fa0ae62 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
$(COMPILE_C) -DFFMPEG_DECODER=$*
+tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
+ $(COMPILE_C) -DFFMPEG_ENCODER=$*
+
tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
$(COMPILE_C) -DFFMPEG_BSF=$*
diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
new file mode 100644
index 00000000000..bc9f98c1443
--- /dev/null
+++ b/tools/target_enc_fuzzer.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg@niedermayer.cc>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Based on target_dec_fuzzer
+ */
+
+#include "config.h"
+#include "libavutil/avassert.h"
+#include "libavutil/avstring.h"
+#include "libavutil/cpu.h"
+#include "libavutil/imgutils.h"
+#include "libavutil/intreadwrite.h"
+#include "libavutil/mem.h"
+
+#include "libavcodec/avcodec.h"
+#include "libavcodec/bytestream.h"
+#include "libavcodec/codec_internal.h"
+#include "libavformat/avformat.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+extern const FFCodec * codec_list[];
+
+static void error(const char *err)
+{
+ fprintf(stderr, "%s", err);
+ exit(1);
+}
+
+static const FFCodec *c = NULL;
+static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
+{
+ const AVCodec *res;
+
+ res = avcodec_find_decoder(codec_id);
+ if (!res)
+ error("Failed to find decoder");
+ return ffcodec(res);
+}
+
+// Ensure we don't loop forever
+const uint32_t maxiteration = 8096;
+
+
+static int encode(AVCodecContext *enc_ctx, AVFrame *frame, AVPacket *pkt)
+{
+ int ret;
+
+ ret = avcodec_send_frame(enc_ctx, frame);
+ if (ret < 0)
+ return ret;
+
+ while (ret >= 0) {
+ ret = avcodec_receive_packet(enc_ctx, pkt);
+ if (ret == AVERROR(EAGAIN)) {
+ return 0;
+ } else if (ret < 0) {
+ return ret;
+ }
+
+ av_packet_unref(pkt);
+ }
+ av_assert0(0);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ uint64_t maxpixels_per_frame = 512 * 512;
+ uint64_t maxpixels;
+
+ uint64_t maxsamples;
+ const uint8_t *end = data + size;
+ uint32_t it = 0;
+ uint64_t nb_samples = 0;
+ AVDictionary *opts = NULL;
+
+ if (!c) {
+#ifdef FFMPEG_ENCODER
+#define ENCODER_SYMBOL0(CODEC) ff_##CODEC##_encoder
+#define ENCODER_SYMBOL(CODEC) ENCODER_SYMBOL0(CODEC)
+ extern FFCodec ENCODER_SYMBOL(FFMPEG_ENCODER);
+ codec_list[0] = &ENCODER_SYMBOL(FFMPEG_ENCODER);
+
+ c = &ENCODER_SYMBOL(FFMPEG_ENCODER);
+#else
+ c = AVCodecInitialize(FFMPEG_CODEC); // Done once.
+#endif
+ av_log_set_level(AV_LOG_PANIC);
+ }
+
+ av_assert0(c->p.type == AVMEDIA_TYPE_VIDEO);
+
+ maxpixels = maxpixels_per_frame * maxiteration;
+
+ maxpixels_per_frame = FFMIN(maxpixels_per_frame , maxpixels);
+
+ AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
+ if (!ctx)
+ error("Failed memory allocation");
+
+ if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
+ ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
+
+ ctx->pix_fmt = AV_PIX_FMT_YUV420P;
+ if (size > 1024) {
+ GetByteContext gbc;
+ int flags;
+ int64_t flags64;
+
+ size -= 1024;
+ bytestream2_init(&gbc, data + size, 1024);
+ ctx->width = bytestream2_get_le32(&gbc) & 0xFFFF;
+ ctx->height = bytestream2_get_le32(&gbc) & 0xFFFF;
+ ctx->bit_rate = bytestream2_get_le64(&gbc);
+ ctx->gop_size = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+ ctx->max_b_frames = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+ ctx->time_base.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+ ctx->time_base.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+ ctx->framerate.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+ ctx->framerate.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
+
+ flags = bytestream2_get_byte(&gbc);
+ if (flags & 2)
+ ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
+
+ if (flags & 0x40)
+ av_force_cpu_flags(0);
+
+ flags64 = bytestream2_get_le64(&gbc);
+
+ int npixfmts = 0;
+ while (c->p.pix_fmts[npixfmts++] != AV_PIX_FMT_NONE)
+ ;
+ ctx->pix_fmt = c->p.pix_fmts[bytestream2_get_byte(&gbc) % npixfmts];
+
+ switch (c->p.id) {
+ case AV_CODEC_ID_FFV1:{
+ int coder = bytestream2_get_byte(&gbc)&3;
+ if (coder == 3) coder = -2;
+ av_dict_set_int(&opts, "coder", coder, 0);
+ av_dict_set_int(&opts, "context", bytestream2_get_byte(&gbc)&1, 0);
+ av_dict_set_int(&opts, "slicecrc", bytestream2_get_byte(&gbc)&1, 0);
+ break;}
+ }
+ }
+ if (ctx->width == 0 || av_image_check_size(ctx->width, ctx->height, 0, ctx))
+ ctx->width = ctx->height = 64;
+
+ int res = avcodec_open2(ctx, &c->p, &opts);
+ if (res < 0) {
+ avcodec_free_context(&ctx);
+ av_dict_free(&opts);
+ return 0; // Failure of avcodec_open2() does not imply that a issue was found
+ }
+
+
+ AVFrame *frame = av_frame_alloc();
+ AVPacket *avpkt = av_packet_alloc();
+ if (!frame || !avpkt)
+ error("Failed memory allocation");
+
+ frame->format = ctx->pix_fmt;
+ frame->width = ctx->width;
+ frame->height = ctx->height;
+
+ res = av_frame_get_buffer(frame, 0);
+ if (res < 0)
+ error("Failed av_frame_get_buffer");
+ int frame_size = frame->buf[0]->size;
+
+ while (data < end && it < maxiteration) {
+ res = av_frame_make_writable(frame);
+ if (res < 0)
+ error("Failed av_frame_make_writable\n");
+
+ int buf_size = FFMIN(end-data, frame_size);
+ memcpy(frame->buf[0]->data, data, buf_size);
+ data += buf_size;
+
+ frame->pts = nb_samples;
+
+ encode(ctx, frame, avpkt);
+ it++;
+
+ av_packet_unref(avpkt);
+ }
+
+ encode(ctx, NULL, avpkt);
+ av_packet_unref(avpkt);
+
+// fprintf(stderr, "frames encoded: %"PRId64", iterations: %d\n", nb_samples , it);
+
+ av_frame_free(&frame);
+ avcodec_free_context(&ctx);
+ av_packet_free(&avpkt);
+ av_dict_free(&opts);
+ return 0;
+}
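Review bot: `frame->pts = nb_samples;` inside the encode loop never advances, because nb_samples is initialised to 0 at the top of LLVMFuzzerTestOneInput and is not written anywhere else in the function, so every frame is submitted with pts 0 and the commented-out fprintf would always report 0 frames; bump it per frame, e.g. `frame->pts = nb_samples++;`. The function also carries leftovers from the decoder fuzzer that do nothing here: `maxsamples` is declared but never used, `flags64` is read from the input but never consulted, and `maxpixels = maxpixels_per_frame * maxiteration;` followed by the FFMIN can never lower maxpixels_per_frame, so those lines can be dropped or the masked flags64 bits actually wired to a setting. Separately, the dimension fallback `av_image_check_size(ctx->width, ctx->height, 0, ctx)` does not consult the ctx->max_pixels cap set a few lines earlier, so a 0xFFFF x 0xFFFF input passes this check and presumably relies on avcodec_open2() to reject it; `av_image_check_size2(ctx->width, ctx->height, ctx->max_pixels, AV_PIX_FMT_NONE, 0, ctx)` applies the cap here so oversized inputs fall back to 64x64 and still exercise the encoder.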
--
2.25.1
* Re: [FFmpeg-devel] [PATCH] tools: add target_enc_fuzzer.c
@ 2024-04-20 1:48 ` James Almer
From: James Almer @ 2024-04-20 1:48 UTC (permalink / raw)
To: ffmpeg-devel
On 4/19/2024 10:10 PM, Michael Niedermayer wrote:
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> Makefile | 3 +
> tools/Makefile | 3 +
> tools/target_enc_fuzzer.c | 213 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 219 insertions(+)
> create mode 100644 tools/target_enc_fuzzer.c
>
> diff --git a/Makefile b/Makefile
> index b309dbc4db9..de727cbe00e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
> target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> +target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
> + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> +
> tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> diff --git a/tools/Makefile b/tools/Makefile
> index 72e8e709a8d..2a11fa0ae62 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
> tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
> $(COMPILE_C) -DFFMPEG_DECODER=$*
>
> +tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
> + $(COMPILE_C) -DFFMPEG_ENCODER=$*
> +
> tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
> $(COMPILE_C) -DFFMPEG_BSF=$*
>
> diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
> new file mode 100644
> index 00000000000..bc9f98c1443
> --- /dev/null
> +++ b/tools/target_enc_fuzzer.c
> @@ -0,0 +1,213 @@
> +/*
> + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg@niedermayer.cc>
> + *
> + * This file is part of FFmpeg.
> + *
> + * FFmpeg is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * FFmpeg is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with FFmpeg; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + *
> + * Based on target_dec_fuzzer
> + */
> +
> +#include "config.h"
> +#include "libavutil/avassert.h"
> +#include "libavutil/avstring.h"
> +#include "libavutil/cpu.h"
> +#include "libavutil/imgutils.h"
> +#include "libavutil/intreadwrite.h"
> +#include "libavutil/mem.h"
> +
> +#include "libavcodec/avcodec.h"
> +#include "libavcodec/bytestream.h"
> +#include "libavcodec/codec_internal.h"
> +#include "libavformat/avformat.h"
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> +
> +extern const FFCodec * codec_list[];
> +
> +static void error(const char *err)
> +{
> + fprintf(stderr, "%s", err);
> + exit(1);
> +}
> +
> +static const FFCodec *c = NULL;
> +static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
> +{
> + const AVCodec *res;
> +
> + res = avcodec_find_decoder(codec_id);
> + if (!res)
> + error("Failed to find decoder");
> + return ffcodec(res);
> +}
> +
> +// Ensure we don't loop forever
> +const uint32_t maxiteration = 8096;
> +
> +
> +static int encode(AVCodecContext *enc_ctx, AVFrame *frame, AVPacket *pkt)
> +{
> + int ret;
> +
> + ret = avcodec_send_frame(enc_ctx, frame);
> + if (ret < 0)
> + return ret;
> +
> + while (ret >= 0) {
> + ret = avcodec_receive_packet(enc_ctx, pkt);
> + if (ret == AVERROR(EAGAIN)) {
> + return 0;
> + } else if (ret < 0) {
> + return ret;
> + }
> +
> + av_packet_unref(pkt);
> + }
> + av_assert0(0);
> +}
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> + uint64_t maxpixels_per_frame = 512 * 512;
> + uint64_t maxpixels;
> +
> + uint64_t maxsamples;
> + const uint8_t *end = data + size;
> + uint32_t it = 0;
> + uint64_t nb_samples = 0;
> + AVDictionary *opts = NULL;
> +
> + if (!c) {
> +#ifdef FFMPEG_ENCODER
> +#define ENCODER_SYMBOL0(CODEC) ff_##CODEC##_encoder
> +#define ENCODER_SYMBOL(CODEC) ENCODER_SYMBOL0(CODEC)
> + extern FFCodec ENCODER_SYMBOL(FFMPEG_ENCODER);
> + codec_list[0] = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> +
> + c = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> +#else
> + c = AVCodecInitialize(FFMPEG_CODEC); // Done once.
> +#endif
> + av_log_set_level(AV_LOG_PANIC);
> + }
> +
> + av_assert0(c->p.type == AVMEDIA_TYPE_VIDEO);
> +
> + maxpixels = maxpixels_per_frame * maxiteration;
> +
> + maxpixels_per_frame = FFMIN(maxpixels_per_frame , maxpixels);
> +
> + AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
> + if (!ctx)
> + error("Failed memory allocation");
> +
> + if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
> + ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
> +
> + ctx->pix_fmt = AV_PIX_FMT_YUV420P;
> + if (size > 1024) {
> + GetByteContext gbc;
> + int flags;
> + int64_t flags64;
> +
> + size -= 1024;
> + bytestream2_init(&gbc, data + size, 1024);
> + ctx->width = bytestream2_get_le32(&gbc) & 0xFFFF;
> + ctx->height = bytestream2_get_le32(&gbc) & 0xFFFF;
> + ctx->bit_rate = bytestream2_get_le64(&gbc);
> + ctx->gop_size = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->max_b_frames = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->time_base.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->time_base.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->framerate.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->framerate.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> +
> + flags = bytestream2_get_byte(&gbc);
> + if (flags & 2)
> + ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
> +
> + if (flags & 0x40)
> + av_force_cpu_flags(0);
> +
> + flags64 = bytestream2_get_le64(&gbc);
> +
> + int npixfmts = 0;
> + while (c->p.pix_fmts[npixfmts++] != AV_PIX_FMT_NONE)
> + ;
> + ctx->pix_fmt = c->p.pix_fmts[bytestream2_get_byte(&gbc) % npixfmts];
> +
> + switch (c->p.id) {
> + case AV_CODEC_ID_FFV1:{
> + int coder = bytestream2_get_byte(&gbc)&3;
> + if (coder == 3) coder = -2;
> + av_dict_set_int(&opts, "coder", coder, 0);
> + av_dict_set_int(&opts, "context", bytestream2_get_byte(&gbc)&1, 0);
> + av_dict_set_int(&opts, "slicecrc", bytestream2_get_byte(&gbc)&1, 0);
> + break;}
> + }
> + }
> + if (ctx->width == 0 || av_image_check_size(ctx->width, ctx->height, 0, ctx))
> + ctx->width = ctx->height = 64;
> +
> + int res = avcodec_open2(ctx, &c->p, &opts);
> + if (res < 0) {
> + avcodec_free_context(&ctx);
> + av_dict_free(&opts);
> + return 0; // Failure of avcodec_open2() does not imply that a issue was found
> + }
> +
> +
> + AVFrame *frame = av_frame_alloc();
> + AVPacket *avpkt = av_packet_alloc();
> + if (!frame || !avpkt)
> + error("Failed memory allocation");
> +
> + frame->format = ctx->pix_fmt;
> + frame->width = ctx->width;
> + frame->height = ctx->height;
> +
> + res = av_frame_get_buffer(frame, 0);
> + if (res < 0)
> + error("Failed av_frame_get_buffer");
> + int frame_size = frame->buf[0]->size;
> +
> + while (data < end && it < maxiteration) {
> + res = av_frame_make_writable(frame);
This will result in potential copy of data that ultimately will be
overwritten by the memcpy below.
Call av_buffer_unref() in a loop for all AV_NUM_DATA_POINTERS buffers in
frame->buf (Don't bother with frame->extended_buf since this is for
video only), then alloc new ones with av_frame_get_buffer().
> + if (res < 0)
> + error("Failed av_frame_make_writable\n");
> +
> + int buf_size = FFMIN(end-data, frame_size);
I guess av_frame_make_writable() might be ok only if buf_size ends up
being smaller than frame_size, otherwise there will be uninitialized bytes.
> + memcpy(frame->buf[0]->data, data, buf_size);
This will waste bytes from the input by writing into all the padding and
space between lines. You could use av_image_copy_plane() or
av_image_copy() instead.
> + data += buf_size;
> +
> + frame->pts = nb_samples;
> +
> + encode(ctx, frame, avpkt);
If avcodec_receive_packet() returns a legitimate error, you should not
ignore it here, and break the loop instead.
> + it++;
> +
> + av_packet_unref(avpkt);
> + }
> +
> + encode(ctx, NULL, avpkt);
> + av_packet_unref(avpkt);
> +
> +// fprintf(stderr, "frames encoded: %"PRId64", iterations: %d\n", nb_samples , it);
> +
> + av_frame_free(&frame);
> + avcodec_free_context(&ctx);
> + av_packet_free(&avpkt);
> + av_dict_free(&opts);
> + return 0;
> +}
* Re: [FFmpeg-devel] [PATCH] tools: add target_enc_fuzzer.c
@ 2024-04-20 7:50 ` Stefano Sabatini
From: Stefano Sabatini @ 2024-04-20 7:50 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On date Saturday 2024-04-20 03:10:37 +0200, Michael Niedermayer wrote:
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> Makefile | 3 +
> tools/Makefile | 3 +
> tools/target_enc_fuzzer.c | 213 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 219 insertions(+)
> create mode 100644 tools/target_enc_fuzzer.c
>
> diff --git a/Makefile b/Makefile
> index b309dbc4db9..de727cbe00e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
> target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> +target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
> + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> +
> tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> diff --git a/tools/Makefile b/tools/Makefile
> index 72e8e709a8d..2a11fa0ae62 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
> tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
> $(COMPILE_C) -DFFMPEG_DECODER=$*
>
> +tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
> + $(COMPILE_C) -DFFMPEG_ENCODER=$*
> +
> tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
> $(COMPILE_C) -DFFMPEG_BSF=$*
>
> diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
> new file mode 100644
> index 00000000000..bc9f98c1443
> --- /dev/null
> +++ b/tools/target_enc_fuzzer.c
> @@ -0,0 +1,213 @@
> +/*
> + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg@niedermayer.cc>
> + *
> + * This file is part of FFmpeg.
> + *
> + * FFmpeg is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * FFmpeg is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with FFmpeg; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + *
> + * Based on target_dec_fuzzer
> + */
> +
> +#include "config.h"
> +#include "libavutil/avassert.h"
> +#include "libavutil/avstring.h"
> +#include "libavutil/cpu.h"
> +#include "libavutil/imgutils.h"
> +#include "libavutil/intreadwrite.h"
> +#include "libavutil/mem.h"
> +
> +#include "libavcodec/avcodec.h"
> +#include "libavcodec/bytestream.h"
> +#include "libavcodec/codec_internal.h"
> +#include "libavformat/avformat.h"
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> +
> +extern const FFCodec * codec_list[];
> +
> +static void error(const char *err)
> +{
> + fprintf(stderr, "%s", err);
> + exit(1);
> +}
> +
> +static const FFCodec *c = NULL;
> +static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
nit: snake_case; also, the function is used only once, so its body can be inlined at the call site
[...]
* Re: [FFmpeg-devel] [PATCH] tools: add target_enc_fuzzer.c
@ 2024-04-21 17:07 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-04-21 17:07 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Apr 20, 2024 at 09:50:19AM +0200, Stefano Sabatini wrote:
> On date Saturday 2024-04-20 03:10:37 +0200, Michael Niedermayer wrote:
[...]
> > +static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
>
> nit: snake_case, also the function is used once and the code can be
> embedded in the code
This is from the decoder fuzzer; it seems not needed at all, so I dropped it
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The worst form of inequality is to try to make unequal things equal.
-- Aristotle
* Re: [FFmpeg-devel] [PATCH] tools: add target_enc_fuzzer.c
@ 2024-04-21 17:11 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-04-21 17:11 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Apr 19, 2024 at 10:48:05PM -0300, James Almer wrote:
> On 4/19/2024 10:10 PM, Michael Niedermayer wrote:
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > Makefile | 3 +
> > tools/Makefile | 3 +
> > tools/target_enc_fuzzer.c | 213 ++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 219 insertions(+)
> > create mode 100644 tools/target_enc_fuzzer.c
> >
> > diff --git a/Makefile b/Makefile
> > index b309dbc4db9..de727cbe00e 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
> > target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
> > $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> > +target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
> > + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> > +
> > tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
> > $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> > diff --git a/tools/Makefile b/tools/Makefile
> > index 72e8e709a8d..2a11fa0ae62 100644
> > --- a/tools/Makefile
> > +++ b/tools/Makefile
> > @@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
> > tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
> > $(COMPILE_C) -DFFMPEG_DECODER=$*
> > +tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
> > + $(COMPILE_C) -DFFMPEG_ENCODER=$*
> > +
> > tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
> > $(COMPILE_C) -DFFMPEG_BSF=$*
> > diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
> > new file mode 100644
> > index 00000000000..bc9f98c1443
> > --- /dev/null
> > +++ b/tools/target_enc_fuzzer.c
> > @@ -0,0 +1,213 @@
> > +/*
> > + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg@niedermayer.cc>
> > + *
> > + * This file is part of FFmpeg.
> > + *
> > + * FFmpeg is free software; you can redistribute it and/or
> > + * modify it under the terms of the GNU Lesser General Public
> > + * License as published by the Free Software Foundation; either
> > + * version 2.1 of the License, or (at your option) any later version.
> > + *
> > + * FFmpeg is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> > + * Lesser General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU Lesser General Public
> > + * License along with FFmpeg; if not, write to the Free Software
> > + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> > + *
> > + * Based on target_dec_fuzzer
> > + */
> > +
> > +#include "config.h"
> > +#include "libavutil/avassert.h"
> > +#include "libavutil/avstring.h"
> > +#include "libavutil/cpu.h"
> > +#include "libavutil/imgutils.h"
> > +#include "libavutil/intreadwrite.h"
> > +#include "libavutil/mem.h"
> > +
> > +#include "libavcodec/avcodec.h"
> > +#include "libavcodec/bytestream.h"
> > +#include "libavcodec/codec_internal.h"
> > +#include "libavformat/avformat.h"
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> > +
> > +extern const FFCodec * codec_list[];
> > +
> > +static void error(const char *err)
> > +{
> > + fprintf(stderr, "%s", err);
> > + exit(1);
> > +}
> > +
> > +static const FFCodec *c = NULL;
> > +static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
> > +{
> > + const AVCodec *res;
> > +
> > + res = avcodec_find_decoder(codec_id);
> > + if (!res)
> > + error("Failed to find decoder");
> > + return ffcodec(res);
> > +}
> > +
> > +// Ensure we don't loop forever
> > +const uint32_t maxiteration = 8096;
> > +
> > +
> > +static int encode(AVCodecContext *enc_ctx, AVFrame *frame, AVPacket *pkt)
> > +{
> > + int ret;
> > +
> > + ret = avcodec_send_frame(enc_ctx, frame);
> > + if (ret < 0)
> > + return ret;
> > +
> > + while (ret >= 0) {
> > + ret = avcodec_receive_packet(enc_ctx, pkt);
> > + if (ret == AVERROR(EAGAIN)) {
> > + return 0;
> > + } else if (ret < 0) {
> > + return ret;
> > + }
> > +
> > + av_packet_unref(pkt);
> > + }
> > + av_assert0(0);
> > +}
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> > + uint64_t maxpixels_per_frame = 512 * 512;
> > + uint64_t maxpixels;
> > +
> > + uint64_t maxsamples;
> > + const uint8_t *end = data + size;
> > + uint32_t it = 0;
> > + uint64_t nb_samples = 0;
> > + AVDictionary *opts = NULL;
> > +
> > + if (!c) {
> > +#ifdef FFMPEG_ENCODER
> > +#define ENCODER_SYMBOL0(CODEC) ff_##CODEC##_encoder
> > +#define ENCODER_SYMBOL(CODEC) ENCODER_SYMBOL0(CODEC)
> > + extern FFCodec ENCODER_SYMBOL(FFMPEG_ENCODER);
> > + codec_list[0] = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> > +
> > + c = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> > +#else
> > + c = AVCodecInitialize(FFMPEG_CODEC); // Done once.
> > +#endif
> > + av_log_set_level(AV_LOG_PANIC);
> > + }
> > +
> > + av_assert0(c->p.type == AVMEDIA_TYPE_VIDEO);
> > +
> > + maxpixels = maxpixels_per_frame * maxiteration;
> > +
> > + maxpixels_per_frame = FFMIN(maxpixels_per_frame , maxpixels);
> > +
> > + AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
> > + if (!ctx)
> > + error("Failed memory allocation");
> > +
> > + if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
> > + ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
> > +
> > + ctx->pix_fmt = AV_PIX_FMT_YUV420P;
> > + if (size > 1024) {
> > + GetByteContext gbc;
> > + int flags;
> > + int64_t flags64;
> > +
> > + size -= 1024;
> > + bytestream2_init(&gbc, data + size, 1024);
> > + ctx->width = bytestream2_get_le32(&gbc) & 0xFFFF;
> > + ctx->height = bytestream2_get_le32(&gbc) & 0xFFFF;
> > + ctx->bit_rate = bytestream2_get_le64(&gbc);
> > + ctx->gop_size = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > + ctx->max_b_frames = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > + ctx->time_base.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > + ctx->time_base.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > + ctx->framerate.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > + ctx->framerate.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> > +
> > + flags = bytestream2_get_byte(&gbc);
> > + if (flags & 2)
> > + ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
> > +
> > + if (flags & 0x40)
> > + av_force_cpu_flags(0);
> > +
> > + flags64 = bytestream2_get_le64(&gbc);
> > +
> > + int npixfmts = 0;
> > + while (c->p.pix_fmts[npixfmts++] != AV_PIX_FMT_NONE)
> > + ;
> > + ctx->pix_fmt = c->p.pix_fmts[bytestream2_get_byte(&gbc) % npixfmts];
> > +
> > + switch (c->p.id) {
> > + case AV_CODEC_ID_FFV1:{
> > + int coder = bytestream2_get_byte(&gbc)&3;
> > + if (coder == 3) coder = -2;
> > + av_dict_set_int(&opts, "coder", coder, 0);
> > + av_dict_set_int(&opts, "context", bytestream2_get_byte(&gbc)&1, 0);
> > + av_dict_set_int(&opts, "slicecrc", bytestream2_get_byte(&gbc)&1, 0);
> > + break;}
> > + }
> > + }
> > + if (ctx->width == 0 || av_image_check_size(ctx->width, ctx->height, 0, ctx))
> > + ctx->width = ctx->height = 64;
> > +
> > + int res = avcodec_open2(ctx, &c->p, &opts);
> > + if (res < 0) {
> > + avcodec_free_context(&ctx);
> > + av_dict_free(&opts);
> > + return 0; // Failure of avcodec_open2() does not imply that a issue was found
> > + }
> > +
> > +
> > + AVFrame *frame = av_frame_alloc();
> > + AVPacket *avpkt = av_packet_alloc();
> > + if (!frame || !avpkt)
> > + error("Failed memory allocation");
> > +
> > + frame->format = ctx->pix_fmt;
> > + frame->width = ctx->width;
> > + frame->height = ctx->height;
> > +
> > + res = av_frame_get_buffer(frame, 0);
> > + if (res < 0)
> > + error("Failed av_frame_get_buffer");
> > + int frame_size = frame->buf[0]->size;
> > +
> > + while (data < end && it < maxiteration) {
> > + res = av_frame_make_writable(frame);
>
> This will result in potential copy of data that ultimately will be
> overwritten by the memcpy below.
>
> Call av_buffer_unref() in a loop for all AV_NUM_DATA_POINTERS buffers in
> frame->buf (Don't bother with frame->extended_buf since this is for video
> only), then alloc new ones with av_frame_get_buffer().
ok
>
> > + if (res < 0)
> > + error("Failed av_frame_make_writable\n");
> > +
> > + int buf_size = FFMIN(end-data, frame_size);
>
> I guess av_frame_make_writable() might be ok only if buf_size ends up being
> smaller than frame_size, otherwise there will be uninitialized bytes.
i addeded a memset()
>
> > + memcpy(frame->buf[0]->data, data, buf_size);
>
> This will waste bytes from the input by writing into all the padding and
> space between lines. You could use av_image_copy_plane() or av_image_copy()
> instead.
I didn't do this because: if we access outside the array, the fuzzer detects it, but if we access outside w x h while still
inside the allocated space, the fuzzer would not see that as an error. So the
values there could matter for the execution path that follows. And it should
be reproducible, so it is better that these bytes are fuzzer-controlled too.
new patch submitted
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle