FFmpeg
target_dem_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/avassert.h"
21 #include "libavutil/avstring.h"
22 
23 #include "libavcodec/avcodec.h"
24 #include "libavcodec/bytestream.h"
25 #include "libavformat/avformat.h"
26 
27 
28 typedef struct IOContext {
29  int64_t pos;
30  int64_t filesize;
31  uint8_t *fuzz;
32  int fuzz_size;
33 } IOContext;
34 
35 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
36 
37 static void error(const char *err)
38 {
39  fprintf(stderr, "%s", err);
40  exit(1);
41 }
42 
43 static int io_read(void *opaque, uint8_t *buf, int buf_size)
44 {
45  IOContext *c = opaque;
46  int size = FFMIN(buf_size, c->fuzz_size);
47 
48  if (!c->fuzz_size) {
49  c->filesize = FFMIN(c->pos, c->filesize);
50  return AVERROR_EOF;
51  }
52 
53  memcpy(buf, c->fuzz, size);
54  c->fuzz += size;
55  c->fuzz_size -= size;
56  c->pos += size;
57  c->filesize = FFMAX(c->filesize, c->pos);
58 
59  return size;
60 }
61 
62 static int64_t io_seek(void *opaque, int64_t offset, int whence)
63 {
64  IOContext *c = opaque;
65 
66  if (whence == SEEK_CUR) {
67  if (offset > INT64_MAX - c->pos)
68  return -1;
69  offset += c->pos;
70  } else if (whence == SEEK_END) {
71  if (offset > INT64_MAX - c->filesize)
72  return -1;
73  offset += c->filesize;
74  } else if (whence == AVSEEK_SIZE) {
75  return c->filesize;
76  }
77  if (offset < 0 || offset > c->filesize)
78  return -1;
79  if (IO_FLAT) {
80  c->fuzz += offset - c->pos;
81  c->fuzz_size -= offset - c->pos;
82  }
83  c->pos = offset;
84  return 0;
85 }
86 
87 // Ensure we don't loop forever
88 const uint32_t maxiteration = 8096;
89 
90 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
91 
92 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
93  const uint64_t fuzz_tag = FUZZ_TAG;
94  uint32_t it = 0;
95  AVFormatContext *avfmt = avformat_alloc_context();
96  AVPacket pkt;
97  char filename[1025] = {0};
98  AVIOContext *fuzzed_pb = NULL;
99  uint8_t *io_buffer;
100  int io_buffer_size = 32768;
101  int64_t filesize = size;
102  IOContext opaque;
103  static int c;
104  int seekable = 0;
105  int ret;
106 
107  if (!c) {
108  av_register_all();
109  avcodec_register_all();
110  av_log_set_level(AV_LOG_PANIC);
111  c=1;
112  }
113 
114  if (!avfmt)
115  error("Failed avformat_alloc_context()");
116 
117  if (IO_FLAT) {
118  seekable = 1;
119  io_buffer_size = size;
120  } else if (size > 2048) {
121  int flags;
122  char extension[64];
123 
124  GetByteContext gbc;
125  memcpy (filename, data + size - 1024, 1024);
126  bytestream2_init(&gbc, data + size - 2048, 1024);
127  size -= 2048;
128 
129  io_buffer_size = bytestream2_get_le32(&gbc) & 0xFFFFFFF;
130  flags = bytestream2_get_byte(&gbc);
131  seekable = flags & 1;
132  filesize = bytestream2_get_le64(&gbc) & 0x7FFFFFFFFFFFFFFF;
133 
134  if ((flags & 2) && strlen(filename) < sizeof(filename) / 2) {
135  AVInputFormat *avif = NULL;
136  int avif_count = 0;
137  while ((avif = av_iformat_next(avif))) {
138  if (avif->extensions)
139  avif_count ++;
140  }
141  avif_count = bytestream2_get_le32(&gbc) % avif_count;
142 
143  while ((avif = av_iformat_next(avif))) {
144  if (avif->extensions)
145  if (!avif_count--)
146  break;
147  }
148  av_strlcpy(extension, avif->extensions, sizeof(extension));
149  if (strchr(extension, ','))
150  *strchr(extension, ',') = 0;
151  av_strlcatf(filename, sizeof(filename), ".%s", extension);
152  }
153  }
154  io_buffer = av_malloc(io_buffer_size);
155  if (!io_buffer)
156  error("Failed to allocate io_buffer");
157 
158  opaque.filesize = filesize;
159  opaque.pos = 0;
160  opaque.fuzz = data;
161  opaque.fuzz_size= size;
162  fuzzed_pb = avio_alloc_context(io_buffer, io_buffer_size, 0, &opaque,
163  io_read, NULL, seekable ? io_seek : NULL);
164  if (!fuzzed_pb)
165  error("avio_alloc_context failed");
166 
167  avfmt->pb = fuzzed_pb;
168 
169  ret = avformat_open_input(&avfmt, filename, NULL, NULL);
170  if (ret < 0) {
171  av_freep(&fuzzed_pb->buffer);
172  av_freep(&fuzzed_pb);
173  avformat_free_context(avfmt);
174  return 0;
175  }
176 
177  ret = avformat_find_stream_info(avfmt, NULL);
178 
179  av_init_packet(&pkt);
180 
181  //TODO, test seeking
182 
183  for(it = 0; it < maxiteration; it++) {
184  ret = av_read_frame(avfmt, &pkt);
185  if (ret < 0)
186  break;
187  av_packet_unref(&pkt);
188  }
189 end:
190  av_freep(&fuzzed_pb->buffer);
191  av_freep(&fuzzed_pb);
192  avformat_close_input(&avfmt);
193 
194  return 0;
195 }
NULL
#define NULL
Definition: coverity.c:32
AVIOContext
Bytestream IO Context.
Definition: avio.h:161
data
ptrdiff_t const GLvoid * data
Definition: opengl_enc.c:100
ret
ret
Definition: filter_design.txt:187
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:440
maxiteration
const uint32_t maxiteration
Definition: target_dem_fuzzer.c:88
AVIOContext::buffer
unsigned char * buffer
Start of the buffer.
Definition: avio.h:226
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:133
avformat_open_input
int avformat_open_input(AVFormatContext **ps, const char *url, ff_const59 AVInputFormat *fmt, AVDictionary **options)
Open an input stream and read the header.
Definition: utils.c:500
pkt
static AVPacket pkt
Definition: demuxing_decoding.c:54
io_read
static int io_read(void *opaque, uint8_t *buf, int buf_size)
Definition: target_dem_fuzzer.c:43
AVFormatContext
Format I/O context.
Definition: avformat.h:1351
uint8_t
uint8_t
Definition: audio_convert.c:194
av_malloc
#define av_malloc(s)
Definition: tableprint_vlc.h:31
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:181
offset
it s the only field you need to keep assuming you have a context There is some magic you don t need to care about around this just let it vf offset
Definition: writing_filters.txt:84
end
static av_cold int end(AVCodecContext *avctx)
Definition: avrndec.c:92
c
Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c
Definition: undefined.txt:32
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_dem_fuzzer.c:90
avformat_alloc_context
AVFormatContext * avformat_alloc_context(void)
Allocate an AVFormatContext.
Definition: options.c:208
it
s EdgeDetect Foobar g libavfilter vf_edgedetect c libavfilter vf_foobar c edit libavfilter and add an entry for foobar following the pattern of the other filters edit libavfilter allfilters and add an entry for foobar following the pattern of the other filters configure make j< whatever > ffmpeg ffmpeg i you should get a foobar png with Lena edge detected That s it
Definition: writing_filters.txt:20
AVERROR_EOF
#define AVERROR_EOF
End of file.
Definition: error.h:55
size
ptrdiff_t size
Definition: opengl_enc.c:100
avcodec_register_all
void avcodec_register_all(void)
Register all the codecs, parsers and bitstream filters which were enabled at configuration time...
Definition: allcodecs.c:889
avio_alloc_context
AVIOContext * avio_alloc_context(unsigned char *buffer, int buffer_size, int write_flag, void *opaque, int(*read_packet)(void *opaque, uint8_t *buf, int buf_size), int(*write_packet)(void *opaque, uint8_t *buf, int buf_size), int64_t(*seek)(void *opaque, int64_t offset, int whence))
Allocate and initialize an AVIOContext for buffered I/O.
Definition: aviobuf.c:138
avassert.h
simple assert() macros that are a bit more flexible than ISO C assert().
FFMAX
#define FFMAX(a, b)
Definition: common.h:94
av_strlcpy
size_t av_strlcpy(char *dst, const char *src, size_t size)
Copy the string src to dst, but no more than size - 1 bytes, and null-terminate dst.
Definition: avstring.c:83
FFMIN
#define FFMIN(a, b)
Definition: common.h:96
IOContext::filesize
int64_t filesize
Definition: target_dem_fuzzer.c:30
IOContext::fuzz
uint8_t * fuzz
Definition: target_dem_fuzzer.c:31
avcodec.h
Libavcodec external API header.
AVFormatContext::pb
AVIOContext * pb
I/O context.
Definition: avformat.h:1393
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: avpacket.c:606
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_dem_fuzzer.c:92
av_strlcatf
size_t av_strlcatf(char *dst, size_t size, const char *fmt,...)
Definition: avstring.c:101
avformat_free_context
void avformat_free_context(AVFormatContext *s)
Free an AVFormatContext and all its streams.
Definition: utils.c:4379
av_read_frame
int av_read_frame(AVFormatContext *s, AVPacket *pkt)
Return the next frame of a stream.
Definition: utils.c:1711
flags
#define flags(name, subs,...)
Definition: cbs_av1.c:560
AVInputFormat::extensions
const char * extensions
If extensions are defined, then no probe is done.
Definition: avformat.h:671
avformat.h
Main libavformat public API header.
avformat_find_stream_info
int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
Read packets of a media file to get stream information.
Definition: utils.c:3546
av_init_packet
void av_init_packet(AVPacket *pkt)
Initialize optional fields of a packet with default values.
Definition: avpacket.c:35
AVSEEK_SIZE
#define AVSEEK_SIZE
ORing this as the "whence" parameter to a seek function causes it to return the filesize without seek...
Definition: avio.h:531
avformat_close_input
void avformat_close_input(AVFormatContext **s)
Close an opened input AVFormatContext.
Definition: utils.c:4422
error
static void error(const char *err)
Definition: target_dem_fuzzer.c:37
av_freep
#define av_freep(p)
Definition: tableprint_vlc.h:35
AVPacket
This structure stores compressed data.
Definition: packet.h:340
io_seek
static int64_t io_seek(void *opaque, int64_t offset, int whence)
Definition: target_dem_fuzzer.c:62
Generated on Sat Sep 19 2020 19:22:13 for FFmpeg by   doxygen 1.8.11