FFmpeg: tools/target_dem_fuzzer.c Source File

FFmpeg

[フレーム]

tools

target_dem_fuzzer.c

Go to the documentation of this file.

1 /*

2 * This file is part of FFmpeg.

3 *

4 * FFmpeg is free software; you can redistribute it and/or

5 * modify it under the terms of the GNU Lesser General Public

6 * License as published by the Free Software Foundation; either

7 * version 2.1 of the License, or (at your option) any later version.

8 *

9 * FFmpeg is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

12 * Lesser General Public License for more details.

13 *

14 * You should have received a copy of the GNU Lesser General Public

15 * License along with FFmpeg; if not, write to the Free Software

16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

17 */

19 #include "config.h"

20 #include "libavutil/avassert.h"

21 #include "libavutil/avstring.h"

23 #include "libavcodec/avcodec.h"

24 #include "libavcodec/bytestream.h"

25 #include "libavformat/avformat.h"

28 typedef struct IOContext {

29 int64_t pos;

30 int64_t filesize;

31 uint8_t *fuzz;

32 int fuzz_size;

33 } IOContext;

35 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

37 int64_t interrupt_counter;

38 static int interrupt_cb(void *ctx)

39 {

40 interrupt_counter --;

41 return interrupt_counter < 0;

42 }

44 static void error(const char *err)

45 {

46 fprintf(stderr, "%s", err);

47 exit(1);

48 }

50 static int io_read(void *opaque, uint8_t *buf, int buf_size)

51 {

52 IOContext *c = opaque;

53 int size = FFMIN(buf_size, c->fuzz_size);

55 if (!c->fuzz_size) {

56 c->filesize = FFMIN(c->pos, c->filesize);

57 return AVERROR_EOF;

58 }

59 if (c->pos > INT64_MAX - size)

60 return AVERROR(EIO);

62 memcpy(buf, c->fuzz, size);

63 c->fuzz += size;

64 c->fuzz_size -= size;

65 c->pos += size;

66 c->filesize = FFMAX(c->filesize, c->pos);

68 return size;

69 }

71 static int64_t io_seek(void *opaque, int64_t offset, int whence)

72 {

73 IOContext *c = opaque;

75 if (whence == SEEK_CUR) {

76 if (offset > INT64_MAX - c->pos)

77 return -1;

78 offset += c->pos;

79 } else if (whence == SEEK_END) {

80 if (offset > INT64_MAX - c->filesize)

81 return -1;

82 offset += c->filesize;

83 } else if (whence == AVSEEK_SIZE) {

84 return c->filesize;

85 }

86 if (offset < 0 || offset > c->filesize)

87 return -1;

88 if (IO_FLAT) {

89 c->fuzz += offset - c->pos;

90 c->fuzz_size -= offset - c->pos;

91 }

92 c->pos = offset;

93 return 0;

94 }

96 // Ensure we don't loop forever

97 const uint32_t maxiteration = 8096;

98 const int maxblocks= 50000;

100 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

101

102 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

103 const uint64_t fuzz_tag = FUZZ_TAG;

104 uint32_t it = 0;

105 AVFormatContext *avfmt = avformat_alloc_context();

106 AVPacket *pkt;

107 char filename[1025] = {0};

108 AVIOContext *fuzzed_pb = NULL;

109 uint8_t *io_buffer;

110 int io_buffer_size = 32768;

111 int64_t filesize = size;

112 IOContext opaque;

113 static int c;

114 int seekable = 0;

115 int ret;

116 AVInputFormat *fmt = NULL;

117 #ifdef FFMPEG_DEMUXER

118 #define DEMUXER_SYMBOL0(DEMUXER) ff_##DEMUXER##_demuxer

119 #define DEMUXER_SYMBOL(DEMUXER) DEMUXER_SYMBOL0(DEMUXER)

120 extern AVInputFormat DEMUXER_SYMBOL(FFMPEG_DEMUXER);

121 fmt = &DEMUXER_SYMBOL(FFMPEG_DEMUXER);

122 #endif

123

124 if (!c) {

125 av_log_set_level(AV_LOG_PANIC);

126 c=1;

127 }

128

129 if (!avfmt)

130 error("Failed avformat_alloc_context()");

131

132 if (IO_FLAT) {

133 seekable = 1;

134 io_buffer_size = size;

135 } else if (size > 2048) {

136 int flags;

137 char extension[64];

138

139 GetByteContext gbc;

140 memcpy (filename, data + size - 1024, 1024);

141 bytestream2_init(&gbc, data + size - 2048, 1024);

142 size -= 2048;

143

144 io_buffer_size = bytestream2_get_le32(&gbc) & 0xFFFFFFF;

145 flags = bytestream2_get_byte(&gbc);

146 seekable = flags & 1;

147 filesize = bytestream2_get_le64(&gbc) & 0x7FFFFFFFFFFFFFFF;

148

149 if ((flags & 2) && strlen(filename) < sizeof(filename) / 2) {

150 const AVInputFormat *avif = NULL;

151 void *avif_iter = NULL;

152 int avif_count = 0;

153 while ((avif = av_demuxer_iterate(&avif_iter))) {

154 if (avif->extensions)

155 avif_count ++;

156 }

157 avif_count = bytestream2_get_le32(&gbc) % avif_count;

158

159 avif_iter = NULL;

160 while ((avif = av_demuxer_iterate(&avif_iter))) {

161 if (avif->extensions)

162 if (!avif_count--)

163 break;

164 }

165 av_strlcpy(extension, avif->extensions, sizeof(extension));

166 if (strchr(extension, ','))

167 *strchr(extension, ',') = 0;

168 av_strlcatf(filename, sizeof(filename), ".%s", extension);

169 }

170

171 interrupt_counter = bytestream2_get_le32(&gbc);

172 avfmt->interrupt_callback.callback = interrupt_cb;

173 }

174

175 // HLS uses a loop with sleep, we thus must breakout or we timeout

176 if (fmt && !strcmp(fmt->name, "hls"))

177 interrupt_counter &= 31;

178

179 if (!io_buffer_size || size / io_buffer_size > maxblocks)

180 io_buffer_size = size;

181

182 pkt = av_packet_alloc();

183 if (!pkt)

184 error("Failed to allocate pkt");

185

186 io_buffer = av_malloc(io_buffer_size);

187 if (!io_buffer)

188 error("Failed to allocate io_buffer");

189

190 opaque.filesize = filesize;

191 opaque.pos = 0;

192 opaque.fuzz = data;

193 opaque.fuzz_size= size;

194 fuzzed_pb = avio_alloc_context(io_buffer, io_buffer_size, 0, &opaque,

195 io_read, NULL, seekable ? io_seek : NULL);

196 if (!fuzzed_pb)

197 error("avio_alloc_context failed");

198

199 avfmt->pb = fuzzed_pb;

200

201 ret = avformat_open_input(&avfmt, filename, fmt, NULL);

202 if (ret < 0) {

203 goto fail;

204 }

205

206 ret = avformat_find_stream_info(avfmt, NULL);

207

208 //TODO, test seeking

209

210 for(it = 0; it < maxiteration; it++) {

211 ret = av_read_frame(avfmt, pkt);

212 if (ret < 0)

213 break;

214 av_packet_unref(pkt);

215 }

216

217 fail:

218 av_packet_free(&pkt);

219 av_freep(&fuzzed_pb->buffer);

220 avio_context_free(&fuzzed_pb);

221 avformat_close_input(&avfmt);

222

223 return 0;

224

225 }

av_packet_unref

void av_packet_unref(AVPacket *pkt)

Wipe the packet.

Definition: avpacket.c:422

IOContext::filesize

int64_t filesize

Definition: target_dem_fuzzer.c:30

AVERROR

Filter the word "frame" indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later. That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another. Frame references ownership and permissions

GetByteContext

Definition: bytestream.h:33

AVERROR_EOF

#define AVERROR_EOF

End of file.

Definition: error.h:57

AV_LOG_PANIC

#define AV_LOG_PANIC

Something went really wrong and we will crash now.

Definition: log.h:167

avio_context_free

void avio_context_free(AVIOContext **s)

Free the supplied IO context and everything associated with it.

Definition: aviobuf.c:147

IOContext::fuzz

uint8_t * fuzz

Definition: target_dem_fuzzer.c:31

AVSEEK_SIZE

#define AVSEEK_SIZE

ORing this as the "whence" parameter to a seek function causes it to return the filesize without seek...

Definition: avio.h:474

data

const char data[16]

Definition: mxf.c:146

io_seek

static int64_t io_seek(void *opaque, int64_t offset, int whence)

Definition: target_dem_fuzzer.c:71

FFMAX

#define FFMAX(a, b)

Definition: macros.h:47

av_read_frame

int av_read_frame(AVFormatContext *s, AVPacket *pkt)

Return the next frame of a stream.

Definition: demux.c:1439

IOContext::pos

int64_t pos

Definition: target_dem_fuzzer.c:29

av_strlcatf

size_t av_strlcatf(char *dst, size_t size, const char *fmt,...)

Definition: avstring.c:104

av_packet_free

void av_packet_free(AVPacket **pkt)

Free the packet, if the packet is reference counted, it will be unreferenced first.

Definition: avpacket.c:73

av_malloc

#define av_malloc(s)

Definition: tableprint_vlc.h:30

avformat_close_input

void avformat_close_input(AVFormatContext **s)

Close an opened input AVFormatContext.

Definition: demux.c:369

AVFormatContext::interrupt_callback

AVIOInterruptCB interrupt_callback

Custom interrupt callbacks for the I/O layer.

Definition: avformat.h:1368

io_read

static int io_read(void *opaque, uint8_t *buf, int buf_size)

Definition: target_dem_fuzzer.c:50

fail

#define fail()

Definition: checkasm.h:134

avassert.h

pkt

AVPacket * pkt

Definition: movenc.c:59

AVInputFormat

Definition: avformat.h:546

AVInputFormat::extensions

const char * extensions

If extensions are defined, then no probe is done.

Definition: avformat.h:572

avformat_open_input

int avformat_open_input(AVFormatContext **ps, const char *url, const AVInputFormat *fmt, AVDictionary **options)

Open an input stream and read the header.

Definition: demux.c:221

AVInputFormat::name

const char * name

A comma separated list of short names for the format.

Definition: avformat.h:551

ctx

AVFormatContext * ctx

Definition: movenc.c:48

IOContext::fuzz_size

int fuzz_size

Definition: target_dem_fuzzer.c:32

AVFormatContext

Format I/O context.

Definition: avformat.h:1104

NULL

#define NULL

Definition: coverity.c:32

FUZZ_TAG

static const uint64_t FUZZ_TAG

Definition: target_dem_fuzzer.c:100

AVFormatContext::pb

AVIOContext * pb

I/O context.

Definition: avformat.h:1146

interrupt_cb

static int interrupt_cb(void *ctx)

Definition: target_dem_fuzzer.c:38

Undefined Behavior In the C some operations are like signed integer dereferencing freed accessing outside allocated Undefined Behavior must not occur in a C it is not safe even if the output of undefined operations is unused The unsafety may seem nit picking but Optimizing compilers have in fact optimized code on the assumption that no undefined Behavior occurs Optimizing code based on wrong assumptions can and has in some cases lead to effects beyond the output of computations The signed integer overflow problem in speed critical code Code which is highly optimized and works with signed integers sometimes has the problem that often the output of the computation does not c

Definition: undefined.txt:32

avformat_find_stream_info

int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)

Read packets of a media file to get stream information.

Definition: demux.c:2425

AVIOContext

Bytestream IO Context.

Definition: avio.h:166

avformat_alloc_context

AVFormatContext * avformat_alloc_context(void)

Allocate an AVFormatContext.

Definition: options.c:166

size

int size

Definition: twinvq_data.h:10344

av_demuxer_iterate

const AVInputFormat * av_demuxer_iterate(void **opaque)

Iterate over all registered demuxers.

Definition: allformats.c:587

offset

it s the only field you need to keep assuming you have a context There is some magic you don t need to care about around this just let it vf offset

Definition: writing_filters.txt:86

av_packet_alloc

AVPacket * av_packet_alloc(void)

Allocate an AVPacket and set its fields to default values.

Definition: avpacket.c:62

filesize

static int64_t filesize(AVIOContext *pb)

Definition: ffmpeg_mux.c:48

av_log_set_level

void av_log_set_level(int level)

Set the log level.

Definition: log.c:442

FFMIN

#define FFMIN(a, b)

Definition: macros.h:49

avio_alloc_context

AVIOContext * avio_alloc_context(unsigned char *buffer, int buffer_size, int write_flag, void *opaque, int(*read_packet)(void *opaque, uint8_t *buf, int buf_size), int(*write_packet)(void *opaque, uint8_t *buf, int buf_size), int64_t(*seek)(void *opaque, int64_t offset, int whence))

Allocate and initialize an AVIOContext for buffered I/O.

Definition: aviobuf.c:130

error

static void error(const char *err)

Definition: target_dem_fuzzer.c:44

avcodec.h

ret

Definition: filter_design.txt:187

avformat.h

LLVMFuzzerTestOneInput

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

Definition: target_dem_fuzzer.c:102

interrupt_counter

int64_t interrupt_counter

Definition: target_dem_fuzzer.c:37

s EdgeDetect Foobar g libavfilter vf_edgedetect c libavfilter vf_foobar c edit libavfilter and add an entry for foobar following the pattern of the other filters edit libavfilter allfilters and add an entry for foobar following the pattern of the other filters configure make j< whatever > ffmpeg ffmpeg i you should get a foobar png with Lena edge detected That s it

Definition: writing_filters.txt:31

IOContext

Definition: target_dem_fuzzer.c:28

AVIOInterruptCB::callback

int(* callback)(void *)

Definition: avio.h:60

AVIOContext::buffer

unsigned char * buffer

Start of the buffer.

Definition: avio.h:231

AVPacket

This structure stores compressed data.