From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH v2] tools: add target_enc_fuzzer.c
Date: Sun, 21 Apr 2024 14:31:32 -0300
Message-ID: <32ca6e3b-e171-4e7b-8be4-99e520b7804b@gmail.com> (raw)
In-Reply-To: <20240421170556.2260278-1-michael@niedermayer.cc>
On 4/21/2024 2:05 PM, Michael Niedermayer wrote:
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> Makefile | 3 +
> tools/Makefile | 3 +
> tools/target_enc_fuzzer.c | 201 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 207 insertions(+)
> create mode 100644 tools/target_enc_fuzzer.c
>
> diff --git a/Makefile b/Makefile
> index b309dbc4db9..de727cbe00e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
> target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> +target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
> + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> +
> tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>
> diff --git a/tools/Makefile b/tools/Makefile
> index 72e8e709a8d..2a11fa0ae62 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
> tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
> $(COMPILE_C) -DFFMPEG_DECODER=$*
>
> +tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
> + $(COMPILE_C) -DFFMPEG_ENCODER=$*
> +
> tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
> $(COMPILE_C) -DFFMPEG_BSF=$*
>
> diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
> new file mode 100644
> index 00000000000..43f5c4c133c
> --- /dev/null
> +++ b/tools/target_enc_fuzzer.c
> @@ -0,0 +1,201 @@
> +/*
> + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg@niedermayer.cc>
> + *
> + * This file is part of FFmpeg.
> + *
> + * FFmpeg is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * FFmpeg is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with FFmpeg; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + *
> + * Based on target_dec_fuzzer
> + */
> +
> +#include "config.h"
> +#include "libavutil/avassert.h"
> +#include "libavutil/avstring.h"
> +#include "libavutil/cpu.h"
> +#include "libavutil/imgutils.h"
> +#include "libavutil/intreadwrite.h"
> +#include "libavutil/mem.h"
> +
> +#include "libavcodec/avcodec.h"
> +#include "libavcodec/bytestream.h"
> +#include "libavcodec/codec_internal.h"
> +#include "libavformat/avformat.h"
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> +
> +extern const FFCodec * codec_list[];
> +
> +static void error(const char *err)
> +{
> + fprintf(stderr, "%s", err);
> + exit(1);
> +}
> +
> +static const FFCodec *c = NULL;
> +
> +// Ensure we don't loop forever
> +const uint32_t maxiteration = 8096;
> +
> +
> +static int encode(AVCodecContext *enc_ctx, AVFrame *frame, AVPacket *pkt)
> +{
> + int ret;
> +
> + ret = avcodec_send_frame(enc_ctx, frame);
> + if (ret < 0)
> + return ret;
> +
> + while (ret >= 0) {
> + ret = avcodec_receive_packet(enc_ctx, pkt);
> + if (ret == AVERROR(EAGAIN)) {
> + return 0;
> + } else if (ret < 0) {
> + return ret;
> + }
> +
> + av_packet_unref(pkt);
> + }
> + av_assert0(0);
> +}
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> + uint64_t maxpixels_per_frame = 512 * 512;
> + uint64_t maxpixels;
> +
> + const uint8_t *end = data + size;
> + uint32_t it = 0;
> + uint64_t nb_samples = 0;
> + AVDictionary *opts = NULL;
> +
> + if (!c) {
> +#define ENCODER_SYMBOL0(CODEC) ff_##CODEC##_encoder
> +#define ENCODER_SYMBOL(CODEC) ENCODER_SYMBOL0(CODEC)
> + extern FFCodec ENCODER_SYMBOL(FFMPEG_ENCODER);
> + codec_list[0] = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> +
> + c = &ENCODER_SYMBOL(FFMPEG_ENCODER);
> + av_log_set_level(AV_LOG_PANIC);
> + }
> +
> + av_assert0(c->p.type == AVMEDIA_TYPE_VIDEO);
> +
> + maxpixels = maxpixels_per_frame * maxiteration;
> +
> + maxpixels_per_frame = FFMIN(maxpixels_per_frame , maxpixels);
> +
> + AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
> + if (!ctx)
> + error("Failed memory allocation");
> +
> + if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
> + ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
> +
> + ctx->pix_fmt = AV_PIX_FMT_YUV420P;
> + if (size > 1024) {
> + GetByteContext gbc;
> + int flags;
> + int64_t flags64;
> +
> + size -= 1024;
> + bytestream2_init(&gbc, data + size, 1024);
> + ctx->width = bytestream2_get_le32(&gbc) & 0xFFFF;
> + ctx->height = bytestream2_get_le32(&gbc) & 0xFFFF;
> + ctx->bit_rate = bytestream2_get_le64(&gbc);
> + ctx->gop_size = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->max_b_frames = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->time_base.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->time_base.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->framerate.num = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> + ctx->framerate.den = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
> +
> + flags = bytestream2_get_byte(&gbc);
> + if (flags & 2)
> + ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
> +
> + if (flags & 0x40)
> + av_force_cpu_flags(0);
> +
> + flags64 = bytestream2_get_le64(&gbc);
> +
> + int npixfmts = 0;
> + while (c->p.pix_fmts[npixfmts++] != AV_PIX_FMT_NONE)
> + ;
> + ctx->pix_fmt = c->p.pix_fmts[bytestream2_get_byte(&gbc) % npixfmts];
> +
> + switch (c->p.id) {
> + case AV_CODEC_ID_FFV1:{
> + int coder = bytestream2_get_byte(&gbc)&3;
> + if (coder == 3) coder = -2;
> + av_dict_set_int(&opts, "coder", coder, 0);
> + av_dict_set_int(&opts, "context", bytestream2_get_byte(&gbc)&1, 0);
> + av_dict_set_int(&opts, "slicecrc", bytestream2_get_byte(&gbc)&1, 0);
> + break;}
> + }
> + }
> + if (ctx->width == 0 || av_image_check_size(ctx->width, ctx->height, 0, ctx))
> + ctx->width = ctx->height = 64;
> +
> + int res = avcodec_open2(ctx, &c->p, &opts);
> + if (res < 0) {
> + avcodec_free_context(&ctx);
> + av_dict_free(&opts);
> + return 0; // Failure of avcodec_open2() does not imply that a issue was found
> + }
> +
> +
> + AVFrame *frame = av_frame_alloc();
> + AVPacket *avpkt = av_packet_alloc();
> + if (!frame || !avpkt)
> + error("Failed memory allocation");
> +
> + frame->format = ctx->pix_fmt;
> + frame->width = ctx->width;
> + frame->height = ctx->height;
> +
> + while (data < end && it < maxiteration) {
> + res = av_frame_get_buffer(frame, 0);
> + if (res < 0)
> + error("Failed av_frame_get_buffer");
> + int frame_size = frame->buf[0]->size;
> +
> + int buf_size = FFMIN(end-data, frame_size);
> + memcpy(frame->buf[0]->data, data, buf_size);
> + if (frame_size - buf_size)
> + memset(frame->buf[0]->data + buf_size, 0, frame_size - buf_size);
This assumes av_frame_get_buffer() allocates a single buffer, which is
not documented. Better do this in a loop for all potential buffers, like
you're doing when freeing them below.
> + data += buf_size;
> +
> + frame->pts = nb_samples;
> +
> + res = encode(ctx, frame, avpkt);
> + if (res < 0)
> + break;
> + it++;
> + for (int i=0; i<FF_ARRAY_ELEMS(frame->buf); i++)
> + av_buffer_unref(&frame->buf[i]);
> +
> + av_packet_unref(avpkt);
> + }
> +
> + encode(ctx, NULL, avpkt);
> + av_packet_unref(avpkt);
> +
> +// fprintf(stderr, "frames encoded: %"PRId64", iterations: %d\n", nb_samples , it);
> +
> + av_frame_free(&frame);
> + avcodec_free_context(&ctx);
> + av_packet_free(&avpkt);
> + av_dict_free(&opts);
> + return 0;
> +}
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
prev parent reply other threads:[~2024-04-21 17:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-21 17:05 Michael Niedermayer
2024-04-21 17:31 ` James Almer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=32ca6e3b-e171-4e7b-8be4-99e520b7804b@gmail.com \
--to=jamrial@gmail.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git