From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 70CD4428D0 for ; Sun, 5 Jun 2022 12:17:13 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0ABE168B647; Sun, 5 Jun 2022 15:17:11 +0300 (EEST) Received: from mail-oa1-f46.google.com (mail-oa1-f46.google.com [209.85.160.46]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id BCCDF68B5DF for ; Sun, 5 Jun 2022 15:17:04 +0300 (EEST) Received: by mail-oa1-f46.google.com with SMTP id 586e51a60fabf-f3381207a5so16168645fac.4 for ; Sun, 05 Jun 2022 05:17:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language :from:to:references:in-reply-to:content-transfer-encoding; bh=jMrn1gDjoyqnRAX1ynYqeLSaJeKHT25p2BOlLMG0SYA=; b=l0hSUC983c/MZXC9tZL/3mzBKFBVEIik5da8P682w16XUalOD6fJdCQSIu37Np6MkJ T9NuRwZ6zZ7SMbPZ4eUthy8Sk08u9a1lLPJtu8U+Dc0VWFf6BBLyP6x4m8StgkPZ2nVK TtT1FVBBNwm/GIezVUoppK/ZPaYsybv8mspa93X7NUoDUY/6z7wY790J50CuTfwVJWvc C+/3gnWcapo2YtEpvzwGPMgTxquitRRFPCfiumnaU6MhHRGVXqu8X6nM9uoH8l8Ga/dm U2CQGR7ejlSRcX74MD1QxZQ5leUrLaL81f3x1fEoU4fzfMzE8GbvSl1su7eBldPDKmD3 u48w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:from:to:references:in-reply-to :content-transfer-encoding; bh=jMrn1gDjoyqnRAX1ynYqeLSaJeKHT25p2BOlLMG0SYA=; b=TJJV8jpxtoRc8JeHugRVT89ehBfo2BUhYbdx9XzdH70w65CcDSKWepJceK2YgHURli BN5VplI9+XNwkotf7zuG+umLosxEe3qPKgIrnO8/GjfpDDEISs2l0687gnrVofrjeIQQ cNNaOgNz0m7V91edE/E7dT9RTs3WDpLJBRAtHHOfkmNgsn2n9Zi3aJqqlyjXfWsqYnkv 1KkvhKm53ybWsErEKqUvyScvdnkI3HBmXDFnrq9groR2NCB3yhZx9iurqdpO9TFmnj50 ciSYrAGEvs1MJU3H+/x5j904kOCxBi1VJ4L5Ha65Dqx+avXNU8K5UGxG4HOvIttpWRuc aaaA== X-Gm-Message-State: AOAM5327r/Y2q5T5Hqp/MLTHtGuRI2C9Y6mSgcCGuNFIKKBE/r7ns2wO VjFbSEzf8n/vX287vGw0cbe4APCpRKc= X-Google-Smtp-Source: ABdhPJxsCnYLOMA8GzjPLcvLPb8E+2ly8rLrCHQYMskygG+D0hVPfn+hzg10JERJcO6I2ivlh74ovg== X-Received: by 2002:a05:6870:d79d:b0:f1:ca01:eeea with SMTP id bd29-20020a056870d79d00b000f1ca01eeeamr11222567oab.296.1654431422849; Sun, 05 Jun 2022 05:17:02 -0700 (PDT) Received: from [192.168.0.13] ([186.136.131.204]) by smtp.gmail.com with ESMTPSA id k16-20020a056808069000b00325cda1ffa6sm6655049oig.37.2022.06.05.05.17.01 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 05 Jun 2022 05:17:02 -0700 (PDT) Message-ID: <66cdfc17-f77c-0767-7279-0587ed4f40e5@gmail.com> Date: Sun, 5 Jun 2022 09:17:01 -0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Content-Language: en-US From: James Almer To: ffmpeg-devel@ffmpeg.org References: <20220531201223.422-1-jamrial@gmail.com> <20220531204210.454-1-jamrial@gmail.com> In-Reply-To: <20220531204210.454-1-jamrial@gmail.com> Subject: Re: [FFmpeg-devel] [PATCH v2] tools/target_dec_fuzzer: add a custom get_buffer2() implementation X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: On 5/31/2022 5:42 PM, James Almer wrote: > Unlike avcodec_default_get_buffer2(), this version does not allocate more than > what the normal image helper functions consider should be allocated for a given > frame. > Since the get_buffer2() documentation does not require any kind of buffer > overallocation for any of the planes, this should help detect bugs in our DR1 > decoders if they overread beyond the end of the buffer, simulating what some > library users might experience when they use their own custom get_buffer2() > implementations. > > Signed-off-by: James Almer > --- > Now making sure to not allocate more plane buffers than needed. > > tools/target_dec_fuzzer.c | 52 +++++++++++++++++++++++++++++++++++++++ > 1 file changed, 52 insertions(+) > > diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c > index 288aa63313..2e43ed3d88 100644 > --- a/tools/target_dec_fuzzer.c > +++ b/tools/target_dec_fuzzer.c > @@ -104,6 +104,57 @@ const uint32_t maxiteration = 8096; > > static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL; > > +static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) > +{ > + ptrdiff_t linesize1[4]; > + size_t size[4]; > + int linesize_align[AV_NUM_DATA_POINTERS]; > + int ret, w = frame->width, h = frame->height; > + > + avcodec_align_dimensions2(ctx, &w, &h, linesize_align); > + ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w); > + if (ret < 0) > + return ret; > + > + for (int i = 0; i < 4; i++) > + linesize1[i] = frame->linesize[i] = > + FFALIGN(frame->linesize[i], linesize_align[i]); > + > + ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1); > + if (ret < 0) > + goto fail; > + > + for (int i = 0; i < 4; i++) { > + if (!size[i]) > + break; > + frame->buf[i] = av_buffer_alloc(size[i]); > + if (!frame->buf[i]) { > + ret = AVERROR(ENOMEM); > + goto fail; > + } > + frame->data[i] = frame->buf[i]->data; > + } > + > +fail: > + if (ret < 0) > + av_frame_unref(frame); > + return ret; > +} > + > +static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags) > +{ > + switch (ctx->codec_type) { > + case AVMEDIA_TYPE_VIDEO: > + return (ctx->codec->capabilities & AV_CODEC_CAP_DR1) > + ? fuzz_video_get_buffer(ctx, frame) > + : avcodec_default_get_buffer2(ctx, frame, flags); > + case AVMEDIA_TYPE_AUDIO: > + return avcodec_default_get_buffer2(ctx, frame, flags); > + default: > + return AVERROR(EINVAL); > + } > +} > + > int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { > uint64_t maxpixels_per_frame = 4096 * 4096; > uint64_t maxpixels; > @@ -241,6 +292,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { > ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs > > ctx->max_samples = maxsamples_per_frame; > + ctx->get_buffer2 = fuzz_get_buffer2; > > if (size > 1024) { > GetByteContext gbc; Will push soon if nobody objects. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".