FFmpeg
target_dem_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/avassert.h"
21 #include "libavutil/avstring.h"
22 
23 #include "libavcodec/avcodec.h"
24 #include "libavcodec/bytestream.h"
25 #include "libavformat/avformat.h"
26 
27 
28 typedef struct IOContext {
29  int64_t pos;
30  int64_t filesize;
31  uint8_t *fuzz;
32  int fuzz_size;
33 } IOContext;
34 
35 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
36 
37 static void error(const char *err)
38 {
39  fprintf(stderr, "%s", err);
40  exit(1);
41 }
42 
43 static int io_read(void *opaque, uint8_t *buf, int buf_size)
44 {
45  IOContext *c = opaque;
46  int size = FFMIN(buf_size, c->fuzz_size);
47 
48  if (!c->fuzz_size) {
49  c->filesize = FFMIN(c->pos, c->filesize);
50  return AVERROR_EOF;
51  }
52  if (c->pos > INT64_MAX - size)
53  return AVERROR(EIO);
54 
55  memcpy(buf, c->fuzz, size);
56  c->fuzz += size;
57  c->fuzz_size -= size;
58  c->pos += size;
59  c->filesize = FFMAX(c->filesize, c->pos);
60 
61  return size;
62 }
63 
64 static int64_t io_seek(void *opaque, int64_t offset, int whence)
65 {
66  IOContext *c = opaque;
67 
68  if (whence == SEEK_CUR) {
69  if (offset > INT64_MAX - c->pos)
70  return -1;
71  offset += c->pos;
72  } else if (whence == SEEK_END) {
73  if (offset > INT64_MAX - c->filesize)
74  return -1;
75  offset += c->filesize;
76  } else if (whence == AVSEEK_SIZE) {
77  return c->filesize;
78  }
79  if (offset < 0 || offset > c->filesize)
80  return -1;
81  if (IO_FLAT) {
82  c->fuzz += offset - c->pos;
83  c->fuzz_size -= offset - c->pos;
84  }
85  c->pos = offset;
86  return 0;
87 }
88 
89 // Ensure we don't loop forever
90 const uint32_t maxiteration = 8096;
91 const int maxblocks= 50000;
92 
93 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
94 
95 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
96  const uint64_t fuzz_tag = FUZZ_TAG;
97  uint32_t it = 0;
99  AVPacket *pkt;
100  char filename[1025] = {0};
101  AVIOContext *fuzzed_pb = NULL;
102  uint8_t *io_buffer;
103  int io_buffer_size = 32768;
104  int64_t filesize = size;
105  IOContext opaque;
106  static int c;
107  int seekable = 0;
108  int ret;
109  AVInputFormat *fmt = NULL;
110 #ifdef FFMPEG_DEMUXER
111 #define DEMUXER_SYMBOL0(DEMUXER) ff_##DEMUXER##_demuxer
112 #define DEMUXER_SYMBOL(DEMUXER) DEMUXER_SYMBOL0(DEMUXER)
113  extern AVInputFormat DEMUXER_SYMBOL(FFMPEG_DEMUXER);
114  fmt = &DEMUXER_SYMBOL(FFMPEG_DEMUXER);
115 #endif
116 
117  if (!c) {
119  c=1;
120  }
121 
122  if (!avfmt)
123  error("Failed avformat_alloc_context()");
124 
125  if (IO_FLAT) {
126  seekable = 1;
127  io_buffer_size = size;
128  } else if (size > 2048) {
129  int flags;
130  char extension[64];
131 
132  GetByteContext gbc;
133  memcpy (filename, data + size - 1024, 1024);
134  bytestream2_init(&gbc, data + size - 2048, 1024);
135  size -= 2048;
136 
137  io_buffer_size = bytestream2_get_le32(&gbc) & 0xFFFFFFF;
138  flags = bytestream2_get_byte(&gbc);
139  seekable = flags & 1;
140  filesize = bytestream2_get_le64(&gbc) & 0x7FFFFFFFFFFFFFFF;
141 
142  if ((flags & 2) && strlen(filename) < sizeof(filename) / 2) {
143  const AVInputFormat *avif = NULL;
144  void *avif_iter = NULL;
145  int avif_count = 0;
146  while ((avif = av_demuxer_iterate(&avif_iter))) {
147  if (avif->extensions)
148  avif_count ++;
149  }
150  avif_count = bytestream2_get_le32(&gbc) % avif_count;
151 
152  avif_iter = NULL;
153  while ((avif = av_demuxer_iterate(&avif_iter))) {
154  if (avif->extensions)
155  if (!avif_count--)
156  break;
157  }
158  av_strlcpy(extension, avif->extensions, sizeof(extension));
159  if (strchr(extension, ','))
160  *strchr(extension, ',') = 0;
161  av_strlcatf(filename, sizeof(filename), ".%s", extension);
162  }
163  }
164 
165  if (!io_buffer_size || size / io_buffer_size > maxblocks)
166  io_buffer_size = size;
167 
168  pkt = av_packet_alloc();
169  if (!pkt)
170  error("Failed to allocate pkt");
171 
172  io_buffer = av_malloc(io_buffer_size);
173  if (!io_buffer)
174  error("Failed to allocate io_buffer");
175 
176  opaque.filesize = filesize;
177  opaque.pos = 0;
178  opaque.fuzz = data;
179  opaque.fuzz_size= size;
180  fuzzed_pb = avio_alloc_context(io_buffer, io_buffer_size, 0, &opaque,
181  io_read, NULL, seekable ? io_seek : NULL);
182  if (!fuzzed_pb)
183  error("avio_alloc_context failed");
184 
185  avfmt->pb = fuzzed_pb;
186 
187  ret = avformat_open_input(&avfmt, filename, fmt, NULL);
188  if (ret < 0) {
189  goto fail;
190  }
191 
193 
194  //TODO, test seeking
195 
196  for(it = 0; it < maxiteration; it++) {
197  ret = av_read_frame(avfmt, pkt);
198  if (ret < 0)
199  break;
201  }
202 
203 fail:
205  av_freep(&fuzzed_pb->buffer);
206  avio_context_free(&fuzzed_pb);
207  avformat_close_input(&avfmt);
208 
209  return 0;
210 
211 }
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: avpacket.c:417
IOContext::filesize
int64_t filesize
Definition: target_dem_fuzzer.c:30
AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions
GetByteContext
Definition: bytestream.h:33
AVERROR_EOF
#define AVERROR_EOF
End of file.
Definition: error.h:57
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:167
avio_context_free
void avio_context_free(AVIOContext **s)
Free the supplied IO context and everything associated with it.
Definition: aviobuf.c:145
IOContext::fuzz
uint8_t * fuzz
Definition: target_dem_fuzzer.c:31
AVSEEK_SIZE
#define AVSEEK_SIZE
ORing this as the "whence" parameter to a seek function causes it to return the filesize without seek...
Definition: avio.h:512
data
const char data[16]
Definition: mxf.c:143
io_seek
static int64_t io_seek(void *opaque, int64_t offset, int whence)
Definition: target_dem_fuzzer.c:64
FFMAX
#define FFMAX(a, b)
Definition: macros.h:47
av_read_frame
int av_read_frame(AVFormatContext *s, AVPacket *pkt)
Return the next frame of a stream.
Definition: utils.c:1669
IOContext::pos
int64_t pos
Definition: target_dem_fuzzer.c:29
av_strlcatf
size_t av_strlcatf(char *dst, size_t size, const char *fmt,...)
Definition: avstring.c:101
av_packet_free
void av_packet_free(AVPacket **pkt)
Free the packet, if the packet is reference counted, it will be unreferenced first.
Definition: avpacket.c:75
av_malloc
#define av_malloc(s)
Definition: tableprint_vlc.h:31
avformat_close_input
void avformat_close_input(AVFormatContext **s)
Close an opened input AVFormatContext.
Definition: utils.c:4347
io_read
static int io_read(void *opaque, uint8_t *buf, int buf_size)
Definition: target_dem_fuzzer.c:43
fail
#define fail()
Definition: checkasm.h:136
avassert.h
pkt
AVPacket * pkt
Definition: movenc.c:59
AVInputFormat
Definition: avformat.h:626
AVInputFormat::extensions
const char * extensions
If extensions are defined, then no probe is done.
Definition: avformat.h:652
avformat_open_input
int avformat_open_input(AVFormatContext **ps, const char *url, const AVInputFormat *fmt, AVDictionary **options)
Open an input stream and read the header.
Definition: utils.c:483
IOContext::fuzz_size
int fuzz_size
Definition: target_dem_fuzzer.c:32
AVFormatContext
Format I/O context.
Definition: avformat.h:1107
NULL
#define NULL
Definition: coverity.c:32
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_dem_fuzzer.c:93
AVFormatContext::pb
AVIOContext * pb
I/O context.
Definition: avformat.h:1149
c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
avformat_find_stream_info
int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
Read packets of a media file to get stream information.
Definition: utils.c:3547
AVIOContext
Bytestream IO Context.
Definition: avio.h:161
avformat_alloc_context
AVFormatContext * avformat_alloc_context(void)
Allocate an AVFormatContext.
Definition: options.c:166
size
int size
Definition: twinvq_data.h:10344
av_demuxer_iterate
const AVInputFormat * av_demuxer_iterate(void **opaque)
Iterate over all registered demuxers.
Definition: allformats.c:556
offset
it s the only field you need to keep assuming you have a context There is some magic you don t need to care about around this just let it vf offset
Definition: writing_filters.txt:86
av_packet_alloc
AVPacket * av_packet_alloc(void)
Allocate an AVPacket and set its fields to default values.
Definition: avpacket.c:64
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:440
FFMIN
#define FFMIN(a, b)
Definition: macros.h:49
avio_alloc_context
AVIOContext * avio_alloc_context(unsigned char *buffer, int buffer_size, int write_flag, void *opaque, int(*read_packet)(void *opaque, uint8_t *buf, int buf_size), int(*write_packet)(void *opaque, uint8_t *buf, int buf_size), int64_t(*seek)(void *opaque, int64_t offset, int whence))
Allocate and initialize an AVIOContext for buffered I/O.
Definition: aviobuf.c:128
error
static void error(const char *err)
Definition: target_dem_fuzzer.c:37
avcodec.h
ret
ret
Definition: filter_design.txt:187
avformat.h
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_dem_fuzzer.c:95
it
s EdgeDetect Foobar g libavfilter vf_edgedetect c libavfilter vf_foobar c edit libavfilter and add an entry for foobar following the pattern of the other filters edit libavfilter allfilters and add an entry for foobar following the pattern of the other filters configure make j< whatever > ffmpeg ffmpeg i you should get a foobar png with Lena edge detected That s it
Definition: writing_filters.txt:31
IOContext
Definition: target_dem_fuzzer.c:28
AVIOContext::buffer
unsigned char * buffer
Start of the buffer.
Definition: avio.h:226
AVPacket
This structure stores compressed data.
Definition: packet.h:350
av_freep
#define av_freep(p)
Definition: tableprint_vlc.h:35
bytestream.h
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:137
flags
#define flags(name, subs,...)
Definition: cbs_av1.c:561
av_strlcpy
size_t av_strlcpy(char *dst, const char *src, size_t size)
Copy the string src to dst, but no more than size - 1 bytes, and null-terminate dst.
Definition: avstring.c:83
maxblocks
const int maxblocks
Definition: target_dem_fuzzer.c:91
avstring.h
maxiteration
const uint32_t maxiteration
Definition: target_dem_fuzzer.c:90