FFmpeg: tools/target_bsf_fuzzer.c Source File

FFmpeg

[フレーム]

tools

target_bsf_fuzzer.c

Go to the documentation of this file.

1 /*

2 * This file is part of FFmpeg.

3 *

4 * FFmpeg is free software; you can redistribute it and/or

5 * modify it under the terms of the GNU Lesser General Public

6 * License as published by the Free Software Foundation; either

7 * version 2.1 of the License, or (at your option) any later version.

8 *

9 * FFmpeg is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

12 * Lesser General Public License for more details.

13 *

14 * You should have received a copy of the GNU Lesser General Public

15 * License along with FFmpeg; if not, write to the Free Software

16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

17 */

19 #include "config.h"

20 #include "libavutil/imgutils.h"

21 #include "libavutil/mem.h"

22 #include "libavutil/opt.h"

24 #include "libavcodec/avcodec.h"

25 #include "libavcodec/bsf.h"

26 #include "libavcodec/bsf_internal.h"

27 #include "libavcodec/bytestream.h"

28 #include "libavcodec/internal.h"

30 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

32 static void error(const char *err)

33 {

34 fprintf(stderr, "%s", err);

35 exit(1);

36 }

38 static const AVBitStreamFilter *f = NULL;

40 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

42 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

43 const uint64_t fuzz_tag = FUZZ_TAG;

44 const uint8_t *last = data;

45 const uint8_t *end = data + size;

46 AVBSFContext *bsf = NULL;

47 AVPacket *pkt;

48 uint64_t keyframes = 0;

49 uint64_t flushpattern = -1;

50 int res;

52 if (!f) {

53 #ifdef FFMPEG_BSF

54 #define BSF_SYMBOL0(BSF) ff_##BSF##_bsf

55 #define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)

56 extern const AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);

57 f = &BSF_SYMBOL(FFMPEG_BSF);

58 #endif

59 av_log_set_level(AV_LOG_PANIC);

60 }

62 res = f ? av_bsf_alloc(f, &bsf) : av_bsf_get_null_filter(&bsf);

63 if (res < 0)

64 error("Failed memory allocation");

65 f = bsf->filter;

67 if (size > 1024) {

68 GetByteContext gbc;

69 int extradata_size;

70 int flags;

71 size -= 1024;

72 bytestream2_init(&gbc, data + size, 1024);

73 bsf->par_in->width = bytestream2_get_le32(&gbc);

74 bsf->par_in->height = bytestream2_get_le32(&gbc);

75 bsf->par_in->bit_rate = bytestream2_get_le64(&gbc);

76 bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);

78 if (f->codec_ids) {

79 int i, id;

80 for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);

81 id = f->codec_ids[bytestream2_get_byte(&gbc) % i];

82 bsf->par_in->codec_id = id;

83 bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);

84 }

86 extradata_size = bytestream2_get_le32(&gbc);

88 bsf->par_in->sample_rate = bytestream2_get_le32(&gbc);

89 bsf->par_in->ch_layout.nb_channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;

90 bsf->par_in->block_align = bytestream2_get_le32(&gbc);

91 keyframes = bytestream2_get_le64(&gbc);

92 flushpattern = bytestream2_get_le64(&gbc);

93 flags = bytestream2_get_byte(&gbc);

95 if (flags & 0x20) {

96 if (!strcmp(f->name, "av1_metadata"))

97 av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);

98 else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "hevc_metadata") ||

99 !strcmp(f->name, "vvc_metadata"))

100 av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);

101 else if (!strcmp(f->name, "extract_extradata"))

102 av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);

103 }

104

105 if (extradata_size < size) {

106 bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);

107 if (bsf->par_in->extradata) {

108 bsf->par_in->extradata_size = extradata_size;

109 size -= bsf->par_in->extradata_size;

110 memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);

111 }

112 }

113 if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))

114 bsf->par_in->width = bsf->par_in->height = 0;

115 }

116

117 res = av_bsf_init(bsf);

118 if (res < 0) {

119 av_bsf_free(&bsf);

120 return 0; // Failure of av_bsf_init() does not imply that a issue was found

121 }

122

123 pkt = av_packet_alloc();

124 if (!pkt)

125 error("Failed memory allocation");

126

127 while (data < end) {

128 // Search for the TAG

129 while (data + sizeof(fuzz_tag) < end) {

130 if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)

131 break;

132 data++;

133 }

134 if (data + sizeof(fuzz_tag) > end)

135 data = end;

136

137 res = av_new_packet(pkt, data - last);

138 if (res < 0)

139 error("Failed memory allocation");

140 memcpy(pkt->data, last, data - last);

141 pkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;

142 keyframes = (keyframes >> 2) + (keyframes<<62);

143 data += sizeof(fuzz_tag);

144 last = data;

145

146 if (!(flushpattern & 7))

147 av_bsf_flush(bsf);

148 flushpattern = (flushpattern >> 3) + (flushpattern << 61);

149

150 res = av_bsf_send_packet(bsf, pkt);

151 if (res < 0) {

152 av_packet_unref(pkt);

153 continue;

154 }

155 while (av_bsf_receive_packet(bsf, pkt) >= 0)

156 av_packet_unref(pkt);

157 }

158

159 av_bsf_send_packet(bsf, NULL);

160 while (av_bsf_receive_packet(bsf, pkt) >= 0)

161 av_packet_unref(pkt);

162

163 av_packet_free(&pkt);

164 av_bsf_free(&bsf);

165 return 0;

166 }

error

static void error(const char *err)

Definition: target_bsf_fuzzer.c:32

av_packet_unref

void av_packet_unref(AVPacket *pkt)

Wipe the packet.

Definition: packet.c:429

AVBSFContext::par_in

AVCodecParameters * par_in

Parameters of the input stream.

Definition: bsf.h:90

AVCodecParameters::extradata

uint8_t * extradata

Extra binary data needed for initializing the decoder, codec-dependent.

Definition: codec_par.h:69

bsf_internal.h

opt.h

GetByteContext

Definition: bytestream.h:33

AV_LOG_PANIC

#define AV_LOG_PANIC

Something went really wrong and we will crash now.

Definition: log.h:167

AV_PKT_FLAG_DISCARD

#define AV_PKT_FLAG_DISCARD

Flag is used to discard packets which are required to maintain valid decoder state but are not requir...

Definition: packet.h:601

AVBitStreamFilter::name

const char * name

Definition: bsf.h:112

AV_RN64

#define AV_RN64(p)

Definition: intreadwrite.h:364

internal.h

AVPacket::data

uint8_t * data

Definition: packet.h:539

data

const char data[16]

Definition: mxf.c:148

AVCodecParameters::codec_tag

uint32_t codec_tag

Additional information about the codec (corresponds to the AVI FOURCC).

Definition: codec_par.h:59

AVChannelLayout::nb_channels

int nb_channels

Number of channels in this layout.

Definition: channel_layout.h:321

av_bsf_free

void av_bsf_free(AVBSFContext **pctx)

Free a bitstream filter context and everything associated with it; write NULL into the supplied point...

Definition: bsf.c:52

AV_PKT_FLAG_KEY

#define AV_PKT_FLAG_KEY

The packet contains a keyframe.

Definition: packet.h:594

av_packet_free

void av_packet_free(AVPacket **pkt)

Free the packet, if the packet is reference counted, it will be unreferenced first.

Definition: packet.c:74

AVBSFContext

The bitstream filter state.

Definition: bsf.h:68

bsf.h

LLVMFuzzerTestOneInput

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

Definition: target_bsf_fuzzer.c:42

pkt

AVPacket * pkt

Definition: movenc.c:60

av_new_packet

int av_new_packet(AVPacket *pkt, int size)

Allocate the payload of a packet and initialize its fields with default values.

Definition: packet.c:98

av_bsf_flush

void av_bsf_flush(AVBSFContext *ctx)

Reset the internal bitstream filter state.

Definition: bsf.c:190

AVCodecParameters::width

int width

Video only.

Definition: codec_par.h:134

FUZZ_TAG

static const uint64_t FUZZ_TAG

Definition: target_bsf_fuzzer.c:40

static const AVBitStreamFilter * f

Definition: target_bsf_fuzzer.c:38

av_bsf_alloc

int av_bsf_alloc(const AVBitStreamFilter *filter, AVBSFContext **pctx)

Allocate a context for a given bitstream filter.

Definition: bsf.c:104

AVBitStreamFilter::codec_ids

enum AVCodecID * codec_ids

A list of codec ids supported by the filter, terminated by AV_CODEC_ID_NONE.

Definition: bsf.h:119

av_bsf_init

int av_bsf_init(AVBSFContext *ctx)

Prepare the filter for use, after all the parameters and options have been set.

Definition: bsf.c:149

NULL

#define NULL

Definition: coverity.c:32

av_bsf_receive_packet

int av_bsf_receive_packet(AVBSFContext *ctx, AVPacket *pkt)

Retrieve a filtered packet.

Definition: bsf.c:230

AVCodecParameters::ch_layout

AVChannelLayout ch_layout

Audio only.

Definition: codec_par.h:180

AVCodecParameters::sample_rate

int sample_rate

Audio only.

Definition: codec_par.h:184

av_opt_set_int

int av_opt_set_int(void *obj, const char *name, int64_t val, int search_flags)

Definition: opt.c:800

AVCodecParameters::extradata_size

int extradata_size

Size of the extradata content in bytes.

Definition: codec_par.h:73

av_bsf_send_packet

int av_bsf_send_packet(AVBSFContext *ctx, AVPacket *pkt)

Submit a packet for filtering.

Definition: bsf.c:202

size

int size

Definition: twinvq_data.h:10344

AVPacket::flags

int flags

A combination of AV_PKT_FLAG values.

Definition: packet.h:545

av_packet_alloc

AVPacket * av_packet_alloc(void)

Allocate an AVPacket and set its fields to default values.

Definition: packet.c:63

av_log_set_level

void av_log_set_level(int level)

Set the log level.

Definition: log.c:447

AV_CODEC_ID_NONE

@ AV_CODEC_ID_NONE

Definition: codec_id.h:50

#define i(width, name, range_min, range_max)

Definition: cbs_h2645.c:256

AVCodecParameters::height

int height

Definition: codec_par.h:135

AVCodecParameters::block_align

int block_align

Audio only.

Definition: codec_par.h:191

av_mallocz

void * av_mallocz(size_t size)

Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...

Definition: mem.c:256

avcodec.h

AVBSFContext::priv_data

void * priv_data

Opaque filter-specific private data.

Definition: bsf.h:83

av_bsf_get_null_filter

int av_bsf_get_null_filter(AVBSFContext **bsf)

Get null/pass-through bitstream filter.

Definition: bsf.c:553

AV_INPUT_BUFFER_PADDING_SIZE

#define AV_INPUT_BUFFER_PADDING_SIZE

Definition: defs.h:40

enum AVCodecID id

Definition: dts2pts.c:367

AVBitStreamFilter

Definition: bsf.h:111

AVBSFContext::filter

const struct AVBitStreamFilter * filter

The bitstream filter this context is an instance of.

Definition: bsf.h:77

AVCodecParameters::bits_per_coded_sample

int bits_per_coded_sample

The number of bits per sample in the codedwords.

Definition: codec_par.h:110

mem.h

AVCodecParameters::codec_id

enum AVCodecID codec_id

Specific type of the encoded data (the codec used).

Definition: codec_par.h:55

AVPacket

This structure stores compressed data.

Definition: packet.h:516

bytestream.h

imgutils.h

bytestream2_init

static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)

Definition: bytestream.h:137

flags

#define flags(name, subs,...)

Definition: cbs_av1.c:482

AVCodecParameters::bit_rate

int64_t bit_rate

The average bitrate of the encoded data (in bits per second).

Definition: codec_par.h:97

av_image_check_size

int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)

Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...

Definition: imgutils.c:318

FF_SANE_NB_CHANNELS

#define FF_SANE_NB_CHANNELS

Definition: internal.h:37

Generated on Fri Aug 22 2025 13:59:47 for FFmpeg by doxygen 1.8.17