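/*
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include "config.h"
#include "libavutil/imgutils.h"
#include "libavutil/opt.h"

#include "libavcodec/avcodec.h"
#include "libavcodec/bsf.h"
#include "libavcodec/bsf_internal.h"
#include "libavcodec/bytestream.h"
#include "libavcodec/internal.h"

/* Prototype for the libFuzzer entry point defined below. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

/**
 * Print a message to stderr and terminate the process with status 1.
 *
 * In this file it is only reached when the harness itself cannot allocate
 * (filter context or packet), never for a result returned by the filter
 * under test.
 */
static void error(const char *err)
{
    fprintf(stderr, "%s", err);
    exit(1);
}

/* Filter under test; resolved on the first call and kept for later calls. */
static const AVBitStreamFilter *f = NULL;

/*
 * Packet separator inside the fuzz input. Stored little-endian, the value is
 * the eight ASCII bytes "FUZZ-TAG"; it is compared with a native-endian
 * 64-bit read (AV_RN64).
 */
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

/**
 * Run one fuzz input through a bitstream filter.
 *
 * The filter is ff_<FFMPEG_BSF>_bsf when FFMPEG_BSF is defined at build time,
 * otherwise the null filter.
 *
 * Input layout, as consumed below:
 *  - When size > 1024, the last 1024 bytes are a parameter block read in this
 *    order (little-endian): width, height, bit_rate (64 bit),
 *    bits_per_coded_sample, then - only if the filter lists codec ids - one
 *    selector byte and codec_tag, then extradata_size, sample_rate, channel
 *    count (reduced modulo FF_SANE_NB_CHANNELS), block_align, keyframes
 *    (64 bit), flushpattern (64 bit), one flags byte, and one option byte
 *    when flags has 0x20 set and the filter name is one of those handled.
 *  - When extradata_size is smaller than what remains, that many bytes
 *    directly in front of the parameter block become par_in->extradata.
 *  - The input is cut into packets at each FUZZ_TAG occurrence.
 *
 * @param data fuzz input
 * @param size number of bytes in data
 * @return always 0; the process exits through error() if the harness cannot
 *         allocate
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    const uint64_t fuzz_tag = FUZZ_TAG;
    const uint8_t *last = data;
    const uint8_t *end = data + size;
    AVBSFContext *bsf = NULL;
    AVPacket *pkt;
    uint64_t keyframes = 0;     /* two bits per packet: DISCARD, KEY */
    uint64_t flushpattern = -1; /* all ones: no flush unless the input overrides it */
    int res;

    if (!f) {
#ifdef FFMPEG_BSF
#define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
#define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
        extern const AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
        f = &BSF_SYMBOL(FFMPEG_BSF);
#endif
        av_log_set_level(AV_LOG_PANIC);
    }

    res = f ? av_bsf_alloc(f, &bsf) : av_bsf_get_null_filter(&bsf);
    if (res < 0)
        error("Failed memory allocation");
    f = bsf->filter;

    if (size > 1024) {
        GetByteContext gbc;
        int extradata_size;
        int flags;
        /*
         * NOTE(review): only size is reduced here. end keeps pointing at the
         * original end of the input, so the packet loop below also scans the
         * extradata and parameter bytes. Left unchanged because moving end
         * would change how an existing input is interpreted - confirm that
         * this is intended.
         */
        size -= 1024;
        bytestream2_init(&gbc, data + size, 1024);
        bsf->par_in->width                      = bytestream2_get_le32(&gbc);
        bsf->par_in->height                     = bytestream2_get_le32(&gbc);
        bsf->par_in->bit_rate                   = bytestream2_get_le64(&gbc);
        bsf->par_in->bits_per_coded_sample      = bytestream2_get_le32(&gbc);

        if (f->codec_ids) {
            unsigned sel;
            int i;
            for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
            sel = bytestream2_get_byte(&gbc);
            /*
             * A list holding only the terminator would make the modulus
             * zero; the selector byte is still consumed so the layout of the
             * parameter block does not depend on the list length.
             */
            if (i > 0)
                bsf->par_in->codec_id = f->codec_ids[sel % i];
            bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
        }

        extradata_size = bytestream2_get_le32(&gbc);

        bsf->par_in->sample_rate                = bytestream2_get_le32(&gbc);
        bsf->par_in->ch_layout.nb_channels      = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
        bsf->par_in->block_align                = bytestream2_get_le32(&gbc);
        keyframes                               = bytestream2_get_le64(&gbc);
        flushpattern                            = bytestream2_get_le64(&gbc);
        flags                                   = bytestream2_get_byte(&gbc);

        /* Bit 0x20 lets the input pick one private option of selected filters. */
        if (flags & 0x20) {
            if (!strcmp(f->name, "av1_metadata"))
                av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "h265_metadata"))
                av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "extract_extradata"))
                av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);
        }

        /*
         * extradata_size is attacker-controlled. The original compared the
         * int against size_t directly, which rejected negative values only
         * through the implicit conversion; the sign test is now explicit and
         * accepts exactly the same values.
         */
        if (extradata_size >= 0 && (size_t)extradata_size < size) {
            bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
            if (bsf->par_in->extradata) {
                bsf->par_in->extradata_size = extradata_size;
                size -= bsf->par_in->extradata_size;
                memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
            }
        }
        /* Dimensions that fail the size check are zeroed rather than passed on. */
        if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
            bsf->par_in->width = bsf->par_in->height = 0;
    }

    res = av_bsf_init(bsf);
    if (res < 0) {
        av_bsf_free(&bsf);
        return 0; // Failure of av_bsf_init() does not imply that an issue was found
    }

    pkt = av_packet_alloc();
    if (!pkt)
        error("Failed memory allocation");

    while (data < end) {
        // Search for the TAG
        /*
         * Remaining length is computed as end - data. The original formed
         * data + sizeof(fuzz_tag), which points more than one past the end
         * of the input when fewer than eight bytes remain; that is undefined
         * behaviour in the harness itself.
         */
        while ((size_t)(end - data) > sizeof(fuzz_tag)) {
            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
                break;
            data++;
        }
        /* Fewer than eight bytes left: they all belong to the last packet. */
        if ((size_t)(end - data) < sizeof(fuzz_tag))
            data = end;

        res = av_new_packet(pkt, data - last);
        if (res < 0)
            error("Failed memory allocation");
        memcpy(pkt->data, last, data - last);
        pkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
        keyframes = (keyframes >> 2) + (keyframes<<62);
        /* Step over the separator, without moving past end. */
        data = (size_t)(end - data) >= sizeof(fuzz_tag) ? data + sizeof(fuzz_tag) : end;
        last = data;

        /* Flush before this packet when the low three pattern bits are zero. */
        if (!(flushpattern & 7))
            av_bsf_flush(bsf);
        flushpattern = (flushpattern >> 3) + (flushpattern << 61);

        res = av_bsf_send_packet(bsf, pkt);
        if (res < 0) {
            av_packet_unref(pkt);
            continue;
        }
        while (av_bsf_receive_packet(bsf, pkt) >= 0)
            av_packet_unref(pkt);
    }

    /* Signal end of stream and drain whatever the filter still holds. */
    av_bsf_send_packet(bsf, NULL);
    while (av_bsf_receive_packet(bsf, pkt) >= 0)
        av_packet_unref(pkt);

    av_packet_free(&pkt);
    av_bsf_free(&bsf);
    return 0;
}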