From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 5985C496E1 for ; Sun, 18 Feb 2024 01:47:25 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5B4C168D311; Sun, 18 Feb 2024 03:47:24 +0200 (EET) Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 2508C68D1C4 for ; Sun, 18 Feb 2024 03:47:18 +0200 (EET) Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-5d8ddbac4fbso2741273a12.0 for ; Sat, 17 Feb 2024 17:47:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708220835; x=1708825635; darn=ffmpeg.org; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=V6xZ0npERjB9+gi7jpyruj6DgCYQza8GcaF6Ej1eejE=; b=bXR6FncnPxCdX9JMgqmhYdKbSfk8aZHJgekrWqw2khlHKf4t4rzaOagofw8FzkhnWh eagxX4EspUkeOz4Cxcr6nU5I427QBYFIl7W7fJOOjCu7fXrJoeUBjl5p0JAuTFx4yp49 KUN7o8EpomOHWTgpeLTtgn85PBa+Ep9jACAcbPjTs/yZBH8HH36K7ku2qB7i1TQHbugZ cRwvMeIFF2GOS8QSugCKy46nwV95BM7Axz0lkCor+jbTNfolwxnzb99p/zyclwMsD83x VcSuiyp5VSH9PRc3ANp8Ep25brQLvTpccgcI+6FRGL+++O1i4LA0cGO9o6kR6JTmMEl4 cBtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708220835; x=1708825635; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=V6xZ0npERjB9+gi7jpyruj6DgCYQza8GcaF6Ej1eejE=; b=LI4pEGOV0y+9UC38oSq4h7Vckn2i8w7tCtoN1eZ8ywrRblKksr+8dwVdE5kdhhwdJp pPKnPK1iYsz5DzYJT0Sx9QqRH3oh1WJ2asV92nVsWNJU5/dZ794ZtmChNDlLOSwu7AhK HNsy5TU1JXZxbnlUUEml8BsEKVviwegkASsPBlFOY8NVtUg7MT1zUATRdJEbuXtIIzi/ JrsCbfTcuRyY9mzppU8Cm9Jn0YEadqIG+HH/nGiYT9f/wlrf7grXVineCHFMsJ0caGxk psGqS7UplFIsVAN9ndc6UawOylHGUEW5TS5hsHukl6eXzvu3YAMJ6Zff3nuorR1+PP5d Z3KQ== X-Gm-Message-State: AOJu0YxFBW9G54LOxFDdkxlUVW+cX296JflwEj4RO+D2cEuhn6DF9dad QKgT5MuwVuldqiV2f1C7dhLl4RT46xCRP5F3Rzn/hhalnfEM1cWJ0ikTnXIj X-Google-Smtp-Source: AGHT+IH7MGYC2KGHDeItfczTTTGJZv0mVmTPqnpJMmx2SPl5FYgE/MH3Kcvqg67rFe8kEpAqZ4ht4Q== X-Received: by 2002:a05:6a20:c4a0:b0:19e:b6c6:8f15 with SMTP id eo32-20020a056a20c4a000b0019eb6c68f15mr7505869pzb.25.1708220835284; Sat, 17 Feb 2024 17:47:15 -0800 (PST) Received: from [192.168.0.16] (host197.190-225-105.telecom.net.ar. [190.225.105.197]) by smtp.gmail.com with ESMTPSA id q1-20020a656841000000b005d8fdbbd5edsm1828072pgt.65.2024.02.17.17.47.14 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 17 Feb 2024 17:47:14 -0800 (PST) Message-ID: <392c789e-9bbd-4ed1-b6ce-a13d7e75377e@gmail.com> Date: Sat, 17 Feb 2024 22:47:13 -0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: ffmpeg-devel@ffmpeg.org References: <20240217234851.23208-1-michael@niedermayer.cc> <314d0e5c-4e94-4ecd-870d-d767f9cb617b@gmail.com> <20240218010321.GN6420@pb2> From: James Almer In-Reply-To: <20240218010321.GN6420@pb2> Subject: Re: [FFmpeg-devel] [PATCH] tools: Add target_sws_fuzzer.c X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: On 2/17/2024 10:03 PM, Michael Niedermayer wrote: > On Sat, Feb 17, 2024 at 09:13:21PM -0300, James Almer wrote: >> >> >> On 2/17/2024 8:48 PM, Michael Niedermayer wrote: >>> Signed-off-by: Michael Niedermayer >>> --- >>> Makefile | 3 + >>> tools/Makefile | 3 + >>> tools/target_sws_fuzzer.c | 168 ++++++++++++++++++++++++++++++++++++++ >>> 3 files changed, 174 insertions(+) >>> create mode 100644 tools/target_sws_fuzzer.c >>> >>> diff --git a/Makefile b/Makefile >>> index dbc930270b3..b309dbc4db9 100644 >>> --- a/Makefile >>> +++ b/Makefile >>> @@ -64,6 +64,9 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS) >>> tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS) >>> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH) >>> +tools/target_sws_fuzzer$(EXESUF): tools/target_sws_fuzzer.o $(FF_DEP_LIBS) >>> + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH) >>> + >>> tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS) >>> tools/enum_options$(EXESUF): $(FF_DEP_LIBS) >>> diff --git a/tools/Makefile b/tools/Makefile >>> index dee6a416688..72e8e709a8d 100644 >>> --- a/tools/Makefile >>> +++ b/tools/Makefile >>> @@ -17,6 +17,9 @@ tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c >>> tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c >>> $(COMPILE_C) -DIO_FLAT=0 >>> +tools/target_sws_fuzzer.o: tools/target_sws_fuzzer.c >>> + $(COMPILE_C) >>> + >>> tools/enc_recon_frame_test$(EXESUF): tools/decode_simple.o >>> tools/venc_data_dump$(EXESUF): tools/decode_simple.o >>> tools/scale_slice_test$(EXESUF): tools/decode_simple.o >>> diff --git a/tools/target_sws_fuzzer.c b/tools/target_sws_fuzzer.c >>> new file mode 100644 >>> index 00000000000..babb6e81629 >>> --- /dev/null >>> +++ b/tools/target_sws_fuzzer.c >>> @@ -0,0 +1,168 @@ >>> +/* >>> + * Copyright (c) 2024 Michael Niedermayer >>> + * >>> + * This file is part of FFmpeg. >>> + * >>> + * FFmpeg is free software; you can redistribute it and/or >>> + * modify it under the terms of the GNU Lesser General Public >>> + * License as published by the Free Software Foundation; either >>> + * version 2.1 of the License, or (at your option) any later version. >>> + * >>> + * FFmpeg is distributed in the hope that it will be useful, >>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of >>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> + * Lesser General Public License for more details. >>> + * >>> + * You should have received a copy of the GNU Lesser General Public >>> + * License along with FFmpeg; if not, write to the Free Software >>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA >>> + */ >>> + >>> +#include "config.h" >>> +#include "libavutil/avassert.h" >>> +#include "libavutil/avstring.h" >>> +#include "libavutil/cpu.h" >>> +#include "libavutil/imgutils.h" >>> +#include "libavutil/intreadwrite.h" >>> +#include "libavutil/opt.h" >>> + >>> +#include "libavcodec/bytestream.h" >>> + >>> +#include "libswscale/swscale.h" >>> + >>> + >>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); >>> + >>> +static void error(const char *err) >>> +{ >>> + fprintf(stderr, "%s", err); >>> + exit(1); >>> +} >>> + >>> +static int alloc_plane(uint8_t *data[AV_VIDEO_MAX_PLANES], int stride[AV_VIDEO_MAX_PLANES], int w, int h, int format, int *hshift, int *vshift) >>> +{ >>> + int ret = av_image_fill_linesizes(stride, format, w); >>> + if (ret < 0) >>> + return -1; >>> + >>> + av_pix_fmt_get_chroma_sub_sample(format, hshift, vshift); >>> + >>> + for(int p=0; p>> + if (stride[p]) { >>> + stride[p] = FFALIGN(stride[p], 32); >>> + int ph = AV_CEIL_RSHIFT(h, (p == 1 || p == 2) ? *vshift : 0); >>> + av_log(0,0, "P:%d St %d ph %d\n", p, stride[p], ph); >>> + data[p] = av_mallocz(stride[p] * ph + 32); >>> + if (!data[p]) >>> + return -1; >>> + } >>> + } >>> + if (format == AV_PIX_FMT_PAL8) { >>> + data[1] = av_mallocz(256*4); >>> + if (!data[1]) >>> + return -1; >>> + } >>> + return 0; >> >> av_image_alloc()? Would be better to actually test sws with buffers created >> by our own public helpers. > > av_image_alloc() allocates the planes in one continous piece > so teh fuzzer would not be able to detect accesses over the end of the first > or accesses prior the 2nd. > > So this is not possible Then use av_image_fill_plane_sizes() after av_image_fill_linesizes() and then allocate the buffers with its output. See fuzz_video_get_buffer() in test_dec_fuzzer.c It's best if we don't rewrite basic buffer allocation and size calculation functions every time we add new code. > > >> >>> +} >>> + >>> +static void free_plane(uint8_t *data[AV_VIDEO_MAX_PLANES]) >>> +{ >>> + for(int p=0; p>> + av_freep(&data[p]); >>> +} >>> + >>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { >>> + int srcW= 48, srcH = 48; >>> + int dstW= 48, dstH = 48; >>> + int srcHShift, srcVShift; >>> + int dstHShift, dstVShift; >>> + unsigned flags = 1; >>> + int srcStride[AV_VIDEO_MAX_PLANES] = {0}; >>> + int dstStride[AV_VIDEO_MAX_PLANES] = {0}; >>> + int ret; >>> + const uint8_t *end = data + size; >>> + enum AVPixelFormat srcFormat = AV_PIX_FMT_YUV420P; >>> + enum AVPixelFormat dstFormat = AV_PIX_FMT_YUV420P; >>> + uint8_t *src[4] = { 0 }; >>> + uint8_t *dst[4] = { 0 }; >> >> AV_VIDEO_MAX_PLANES. > > will change > > >> >>> + struct SwsContext *sws = NULL; >>> + const AVPixFmtDescriptor *desc_src, *desc_dst; >>> + >>> + if (size > 128) { >>> + GetByteContext gbc; >>> + int64_t flags64; >>> + >>> + size -= 128; >>> + bytestream2_init(&gbc, data + size, 128); >>> + srcW = bytestream2_get_le32(&gbc) % 256; >>> + srcH = bytestream2_get_le32(&gbc) % 256; >>> + dstW = bytestream2_get_le32(&gbc) % 256; >>> + dstH = bytestream2_get_le32(&gbc) % 256; >>> + flags = bytestream2_get_le32(&gbc); >>> + >>> + srcFormat = bytestream2_get_le32(&gbc) % AV_PIX_FMT_NB; >>> + dstFormat = bytestream2_get_le32(&gbc) % AV_PIX_FMT_NB; >> >> nit: Maybe sanitize the choices with sws_isSupportedInput() and >> sws_isSupportedOutput()? Unless having sws_init_context() fail with invalid >> arguments is also intended. > > Honestly i do not know which way is best Leave it as is, it's not important. > > >> >>> + >>> + flags64 = bytestream2_get_le64(&gbc); >>> + if (flags64 & 0x10) >>> + av_force_cpu_flags(0); >>> + >>> + if (av_image_check_size(srcW, srcH, srcFormat, NULL)) >>> + srcW = srcH = 123; >>> + if (av_image_check_size(dstW, dstH, dstFormat, NULL)) >>> + dstW = dstH = 123; >> >> Is there a format where this could fail, knowing the dimensions are at most >> 255x255? > > The 255 is temporary, a less restrictive size should be choosen as there may > be bugs with huge sizes. Its just that these really slow it down > > >> >>> + //TODO alphablend >>> + } >>> + >>> + desc_src = av_pix_fmt_desc_get(srcFormat); >>> + desc_dst = av_pix_fmt_desc_get(dstFormat); >>> + >>> + ret = alloc_plane(src, srcStride, srcW, srcH, srcFormat, &srcHShift, &srcVShift); >>> + if (ret < 0) >>> + goto end; >>> + >>> + ret = alloc_plane(dst, dstStride, dstW, dstH, dstFormat, &dstHShift, &dstVShift); >>> + if (ret < 0) >>> + goto end; >>> + >>> + >>> + for(int p=0; p>> + int psize = srcStride[p] * AV_CEIL_RSHIFT(srcH, (p == 1 || p == 2) ? srcVShift : 0); >>> + if (psize > size) >>> + psize = size; >>> + if (psize) { >>> + memcpy(src[p], data, psize); >>> + data += psize; >>> + size -= psize; >>> + } >>> + } >> >> av_image_copy(). Or av_image_copy_plane() in a loop if you prefer. > > these dont seem to have a input size so ill leave it for now Ok. > > thx > > [...] > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".