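/*
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

/* Targeted fuzzer that targets specific codecs depending on two
   compile-time flags.
  INSTRUCTIONS:

  * Get the very fresh clang, e.g. see http://libfuzzer.info#versions
  * Get and build libFuzzer:
     svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
     ./Fuzzer/build.sh
  * build ffmpeg for fuzzing:
    FLAGS="-fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp -g" CC="clang $FLAGS" CXX="clang++ $FLAGS" ./configure  --disable-x86asm
    make clean && make -j
  * build the fuzz target.
    Choose the value of FFMPEG_CODEC (e.g. AV_CODEC_ID_DVD_SUBTITLE) and
    choose one of FUZZ_FFMPEG_VIDEO, FUZZ_FFMPEG_AUDIO, FUZZ_FFMPEG_SUBTITLE.
    clang -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp tools/target_dec_fuzzer.c -o target_dec_fuzzer -I.   -DFFMPEG_CODEC=AV_CODEC_ID_MPEG1VIDEO -DFUZZ_FFMPEG_VIDEO ../../libfuzzer/libFuzzer.a   -Llibavcodec -Llibavdevice -Llibavfilter -Llibavformat -Llibavutil -Llibpostproc -Llibswscale -Llibswresample -Wl,--as-needed -Wl,-z,noexecstack -Wl,--warn-common -Wl,-rpath-link=:libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil -lavdevice -lavfilter -lavformat -lavcodec -lswresample -lswscale -lavutil -ldl -lxcb -lxcb-shm -lxcb -lxcb-xfixes -lxcb -lxcb-shape -lxcb -lX11 -lasound -lm -lbz2 -lz -pthread
  * create a corpus directory and put some samples there (empty dir is ok too):
    mkdir CORPUS && cp some-files CORPUS

  * Run fuzzing:
    ./target_dec_fuzzer -max_len=100000 CORPUS

   More info:
   http://libfuzzer.info
   http://tutorial.libfuzzer.info
   https://github.com/google/oss-fuzz
   http://lcamtuf.coredump.cx/afl/
   https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
*/

#include "config.h"
#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/cpu.h"
#include "libavutil/imgutils.h"
#include "libavutil/intreadwrite.h"

#include "libavcodec/avcodec.h"
#include "libavcodec/bytestream.h"
#include "libavcodec/codec_internal.h"
#include "libavformat/avformat.h"

//For FF_SANE_NB_CHANNELS, so we don't waste energy testing things that will get instantly rejected
#include "libavcodec/internal.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

extern const FFCodec * codec_list[];

/*
 * Report a harness failure (allocation failure, missing decoder) and abort.
 * This is deliberately distinct from decoder errors, which are never fatal here:
 * a fatal exit from this function means the harness itself could not run,
 * not that the decoder under test misbehaved.
 */
static void error(const char *err)
{
    fprintf(stderr, "%s", err);
    exit(1);
}

/* The decoder under test; resolved once, on the first call into the harness. */
static const FFCodec *c = NULL;

/*
 * Look up the decoder for codec_id and return its FFCodec wrapper.
 * Aborts via error() when no such decoder is registered, since the
 * harness cannot run without one.
 */
static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
{
    const AVCodec *res;

    res = avcodec_find_decoder(codec_id);
    if (!res)
        error("Failed to find decoder");
    return ffcodec(res);
}

/*
 * decode_handler for subtitle decoders: decode one packet and immediately
 * free whatever subtitle was produced (only the decoder's behaviour matters).
 * Returns avcodec_decode_subtitle2()'s result (bytes consumed or an error).
 *
 * NOTE(review): this signature (void *frame, non-const AVPacket *) does not
 * match the decode_handler function-pointer type it is assigned to in
 * LLVMFuzzerTestOneInput; the call site passes an AVFrame * and a writable
 * AVPacket *, so it works in practice, but a compiler may warn about the
 * incompatible pointer types.
 */
static int subtitle_handler(AVCodecContext *avctx, void *frame,
                            int *got_sub_ptr, AVPacket *avpkt)
{
    AVSubtitle sub;
    int ret = avcodec_decode_subtitle2(avctx, &sub, got_sub_ptr, avpkt);
    if (ret >= 0 && *got_sub_ptr)
        avsubtitle_free(&sub);
    return ret;
}

/*
 * decode_handler for audio and video decoders: pull one frame from the
 * decoder. The packet argument is unused because the packet was already
 * submitted with avcodec_send_packet() by the caller.
 * Sets *got_frame to 1 when a frame was received and returns the
 * avcodec_receive_frame() result (0 on success, negative AVERROR otherwise).
 */
static int audio_video_handler(AVCodecContext *avctx, AVFrame *frame,
                               int *got_frame, const AVPacket *dummy)
{
    int ret = avcodec_receive_frame(avctx, frame);
    *got_frame = ret >= 0;
    return ret;
}

// Ensure we don't loop forever: upper bound on decode calls per input.
const uint32_t maxiteration = 8096;

/*
 * Packet separator in the fuzzer's "container" format. Read as a
 * little-endian 64-bit value the bytes are 46 55 5A 5A 2D 54 41 47,
 * i.e. the ASCII string "FUZZ-TAG" on little-endian hosts.
 */
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

/*
 * get_buffer2 replacement for video frames: allocate every plane as its
 * own exactly-sized buffer instead of one padded allocation. Each plane's
 * linesize is aligned as avcodec_align_dimensions2() requires and the
 * remaining data pointers are cleared.
 * Presumably this is so that an out-of-plane write lands in unmapped or
 * redzone memory the sanitizer can catch — TODO confirm against upstream.
 * Returns 0 on success, a negative AVERROR on failure (the frame is
 * unreferenced on allocation failure).
 */
static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
{
    ptrdiff_t linesize1[4];
    size_t size[4];
    int linesize_align[AV_NUM_DATA_POINTERS];
    int i, ret, w = frame->width, h = frame->height;

    avcodec_align_dimensions2(ctx, &w, &h, linesize_align);
    ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w);
    if (ret < 0)
        return ret;

    // Only the planes the pixel format actually uses have a non-zero linesize.
    for (i = 0; i < 4 && frame->linesize[i]; i++)
        linesize1[i] = frame->linesize[i] =
            FFALIGN(frame->linesize[i], linesize_align[i]);
    for (; i < 4; i++)
        linesize1[i] = 0;

    ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1);
    if (ret < 0)
        return ret;

    frame->extended_data = frame->data;
    for (i = 0; i < 4 && size[i]; i++) {
        frame->buf[i] = av_buffer_alloc(size[i]);
        if (!frame->buf[i])
            goto fail;
        frame->data[i] = frame->buf[i]->data;
    }
    for (; i < AV_NUM_DATA_POINTERS; i++) {
        frame->data[i] = NULL;
        frame->linesize[i] = 0;
    }

    return 0;
fail:
    av_frame_unref(frame);
    return AVERROR(ENOMEM);
}

/*
 * get_buffer2 callback installed on the decoder context.
 * Video decoders that support direct rendering (AV_CODEC_CAP_DR1) get the
 * per-plane allocator above; everything else falls back to the default.
 * Returns AVERROR(EINVAL) for media types other than audio/video.
 */
static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags)
{
    switch (ctx->codec_type) {
    case AVMEDIA_TYPE_VIDEO:
        return (ctx->codec->capabilities & AV_CODEC_CAP_DR1)
                   ? fuzz_video_get_buffer(ctx, frame)
                   : avcodec_default_get_buffer2(ctx, frame, flags);
    case AVMEDIA_TYPE_AUDIO:
        return avcodec_default_get_buffer2(ctx, frame, flags);
    default:
        return AVERROR(EINVAL);
    }
}

/*
 * libFuzzer entry point: decode one fuzzer-generated input with the
 * configured decoder.
 *
 * Input layout, as consumed below:
 *   - If size > 1024, the LAST 1024 bytes are a configuration trailer read
 *     with a GetByteContext: width, height, bit_rate, bits_per_coded_sample,
 *     a flags byte, extradata_size, sample_rate, channel count, block_align,
 *     codec_tag, the keyframes and flushpattern bit patterns, idct_algo,
 *     skip_frame, optional AC-3/E-AC-3 options and a 64-bit debug flag word.
 *   - If extradata_size is smaller than the remaining size, that many bytes
 *     immediately before the trailer become the decoder's extradata.
 *   - Everything else is a sequence of packets separated by FUZZ_TAG.
 *     Note that `end` is computed from the original size, so the trailer
 *     and extradata bytes are also scanned as packet data; this matches
 *     the upstream harness and existing corpora depend on it.
 *
 * Per-codec pixel/sample budgets bound the total work per input so that
 * slow-but-legitimate decoders do not show up as timeouts or OOMs.
 * Always returns 0; a decoder bug is expected to surface as a sanitizer
 * report, not as a return value.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint64_t maxpixels_per_frame = 4096 * 4096;
    uint64_t maxpixels;

    uint64_t maxsamples_per_frame = 256*1024*32;
    uint64_t maxsamples;
    const uint64_t fuzz_tag = FUZZ_TAG;
    const uint8_t *last = data;
    const uint8_t *end = data + size;
    uint32_t it = 0;
    uint64_t ec_pixels = 0;
    uint64_t nb_samples = 0;
    int (*decode_handler)(AVCodecContext *avctx, AVFrame *picture,
                          int *got_picture_ptr,
                          const AVPacket *avpkt) = NULL;
    AVCodecParserContext *parser = NULL;
    uint64_t keyframes = 0;
    uint64_t flushpattern = -1;   // all ones: never flush unless the trailer says so
    AVDictionary *opts = NULL;

    if (!c) {
#ifdef FFMPEG_DECODER
#define DECODER_SYMBOL0(CODEC) ff_##CODEC##_decoder
#define DECODER_SYMBOL(CODEC) DECODER_SYMBOL0(CODEC)
        extern FFCodec DECODER_SYMBOL(FFMPEG_DECODER);
        codec_list[0] = &DECODER_SYMBOL(FFMPEG_DECODER);

        // NOTE(review): in #if, identifiers that are not macros evaluate to 0,
        // so unless tiff/tdsc are defined elsewhere this condition is true for
        // every FFMPEG_DECODER and the mjpeg decoder is always linked in —
        // confirm whether that is intended.
#if FFMPEG_DECODER == tiff || FFMPEG_DECODER == tdsc
        extern FFCodec DECODER_SYMBOL(mjpeg);
        codec_list[1] = &DECODER_SYMBOL(mjpeg);
#endif

        c = &DECODER_SYMBOL(FFMPEG_DECODER);
#else
        c = AVCodecInitialize(FFMPEG_CODEC);  // Done once.
#endif
        av_log_set_level(AV_LOG_PANIC);
    }

    // decode_handler stays NULL for any other media type; the harness is only
    // built for audio, video and subtitle decoders.
    switch (c->p.type) {
    case AVMEDIA_TYPE_AUDIO   :
    case AVMEDIA_TYPE_VIDEO   : decode_handler = audio_video_handler  ; break;
    case AVMEDIA_TYPE_SUBTITLE: decode_handler = subtitle_handler     ; break;
    }
    switch (c->p.id) {
    case AV_CODEC_ID_APE:       maxsamples_per_frame /= 256; break;
    }
    maxpixels = maxpixels_per_frame * maxiteration;
    maxsamples = maxsamples_per_frame * maxiteration;
    // Per-codec total budgets: divisors tuned for decoders whose cost per
    // pixel/sample is high enough to hit the fuzzer's time or memory limits.
    switch (c->p.id) {
    case AV_CODEC_ID_AASC:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_AGM:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_ANM:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_ARBC:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_ARGO:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_BINKVIDEO:   maxpixels  /= 32;    break;
    case AV_CODEC_ID_CDTOONS:     maxpixels  /= 1024;  break;
    case AV_CODEC_ID_CFHD:        maxpixels  /= 16384; break;
    case AV_CODEC_ID_CINEPAK:     maxpixels  /= 128;   break;
    case AV_CODEC_ID_COOK:        maxsamples /= 1<<20; break;
    case AV_CODEC_ID_CSCD:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_DFA:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_DIRAC:       maxpixels  /= 8192;  break;
    case AV_CODEC_ID_DSICINVIDEO: maxpixels  /= 1024;  break;
    case AV_CODEC_ID_DST:         maxsamples /= 1<<20; break;
    case AV_CODEC_ID_DVB_SUBTITLE: av_dict_set_int(&opts, "compute_clut", -2, 0); break;
    case AV_CODEC_ID_DXA:         maxpixels  /= 32;    break;
    case AV_CODEC_ID_DXV:         maxpixels  /= 32;    break;
    case AV_CODEC_ID_FFWAVESYNTH: maxsamples /= 16384; break;
    case AV_CODEC_ID_FLAC:        maxsamples /= 1024;  break;
    case AV_CODEC_ID_FLIC:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_FLV1:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_G2M:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_GEM:         maxpixels  /= 512;   break;
    case AV_CODEC_ID_GDV:         maxpixels  /= 512;   break;
    case AV_CODEC_ID_GIF:         maxpixels  /= 16;    break;
    case AV_CODEC_ID_H264:        maxpixels  /= 256;   break;
    case AV_CODEC_ID_HAP:         maxpixels  /= 128;   break;
    case AV_CODEC_ID_HEVC:        maxpixels  /= 16384; break;
    case AV_CODEC_ID_HNM4_VIDEO:  maxpixels  /= 128;   break;
    case AV_CODEC_ID_HQ_HQA:      maxpixels  /= 128;   break;
    case AV_CODEC_ID_IFF_ILBM:    maxpixels  /= 128;   break;
    case AV_CODEC_ID_INDEO4:      maxpixels  /= 128;   break;
    case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384;  break;
    case AV_CODEC_ID_JPEG2000:    maxpixels  /= 16;    break;
    case AV_CODEC_ID_LAGARITH:    maxpixels  /= 1024;  break;
    case AV_CODEC_ID_LOCO:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_VORBIS:      maxsamples /= 1024;  break;
    case AV_CODEC_ID_LSCR:        maxpixels  /= 16;    break;
    case AV_CODEC_ID_MMVIDEO:     maxpixels  /= 256;   break;
    case AV_CODEC_ID_MOTIONPIXELS:maxpixels  /= 256;   break;
    case AV_CODEC_ID_MP4ALS:      maxsamples /= 65536; break;
    case AV_CODEC_ID_MSA1:        maxpixels  /= 16384; break;
    case AV_CODEC_ID_MSRLE:       maxpixels  /= 16;    break;
    case AV_CODEC_ID_MSS2:        maxpixels  /= 16384; break;
    case AV_CODEC_ID_MSZH:        maxpixels  /= 128;   break;
    case AV_CODEC_ID_MVC2:        maxpixels  /= 128;   break;
    case AV_CODEC_ID_MXPEG:       maxpixels  /= 128;   break;
    case AV_CODEC_ID_OPUS:        maxsamples /= 16384; break;
    case AV_CODEC_ID_PNG:         maxpixels  /= 128;   break;
    case AV_CODEC_ID_APNG:        maxpixels  /= 128;   break;
    case AV_CODEC_ID_QTRLE:       maxpixels  /= 16;    break;
    case AV_CODEC_ID_PAF_VIDEO:   maxpixels  /= 16;    break;
    case AV_CODEC_ID_PRORES:      maxpixels  /= 256;   break;
    case AV_CODEC_ID_RASC:        maxpixels  /= 16;    break;
    case AV_CODEC_ID_RTV1:        maxpixels  /= 16;    break;
    case AV_CODEC_ID_SANM:        maxpixels  /= 16;    break;
    case AV_CODEC_ID_SCPR:        maxpixels  /= 32;    break;
    case AV_CODEC_ID_SCREENPRESSO:maxpixels  /= 64;    break;
    case AV_CODEC_ID_SIMBIOSIS_IMX:maxpixels /= 16384; break;
    case AV_CODEC_ID_SPEEX:       maxsamples /= 128;   break;
    case AV_CODEC_ID_SMACKAUDIO:  maxsamples /= 4096;  break;
    case AV_CODEC_ID_SMACKVIDEO:  maxpixels  /= 64;    break;
    case AV_CODEC_ID_SNOW:        maxpixels  /= 128;   break;
    case AV_CODEC_ID_TARGA:       maxpixels  /= 128;   break;
    case AV_CODEC_ID_TAK:         maxsamples /= 1024;  break;
    case AV_CODEC_ID_TGV:         maxpixels  /= 32;    break;
    case AV_CODEC_ID_THEORA:      maxpixels  /= 16384; break;
    case AV_CODEC_ID_TQI:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_TRUEMOTION2: maxpixels  /= 1024;  break;
    case AV_CODEC_ID_TSCC:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_VC1:         maxpixels  /= 8192;  break;
    case AV_CODEC_ID_VC1IMAGE:    maxpixels  /= 8192;  break;
    case AV_CODEC_ID_VMNC:        maxpixels  /= 8192;  break;
    case AV_CODEC_ID_VP3:         maxpixels  /= 4096;  break;
    case AV_CODEC_ID_VP4:         maxpixels  /= 4096;  break;
    case AV_CODEC_ID_VP5:         maxpixels  /= 256;   break;
    case AV_CODEC_ID_VP6F:        maxpixels  /= 4096;  break;
    case AV_CODEC_ID_VP7:         maxpixels  /= 256;   break;
    case AV_CODEC_ID_VP9:         maxpixels  /= 4096;  break;
    case AV_CODEC_ID_WAVPACK:     maxsamples /= 1024;  break;
    case AV_CODEC_ID_WCMV:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_WMV3IMAGE:   maxpixels  /= 8192;  break;
    case AV_CODEC_ID_WMV2:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_WMV3:        maxpixels  /= 1024;  break;
    case AV_CODEC_ID_WS_VQA:      maxpixels  /= 16384; break;
    case AV_CODEC_ID_WMALOSSLESS: maxsamples /= 1024;  break;
    case AV_CODEC_ID_WMAPRO:      maxsamples /= 16384; break;
    case AV_CODEC_ID_YLC:         maxpixels  /= 1024;  break;
    case AV_CODEC_ID_ZEROCODEC:   maxpixels  /= 128;   break;
    }

    // A single frame may never exceed the total budget.
    maxsamples_per_frame = FFMIN(maxsamples_per_frame, maxsamples);
    maxpixels_per_frame  = FFMIN(maxpixels_per_frame , maxpixels);

    AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
    AVCodecContext* parser_avctx = avcodec_alloc_context3(NULL);
    if (!ctx || !parser_avctx)
        error("Failed memory allocation");

    if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
        ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs

    ctx->max_samples = maxsamples_per_frame;
    ctx->get_buffer2 = fuzz_get_buffer2;

    if (size > 1024) {
        GetByteContext gbc;
        int extradata_size;
        int flags;
        uint64_t request_channel_layout;
        int64_t flags64;

        // The trailing 1024 bytes configure the decoder context.
        size -= 1024;
        bytestream2_init(&gbc, data + size, 1024);
        ctx->width                              = bytestream2_get_le32(&gbc);
        ctx->height                             = bytestream2_get_le32(&gbc);
        ctx->bit_rate                           = bytestream2_get_le64(&gbc);
        ctx->bits_per_coded_sample              = bytestream2_get_le32(&gbc);
        // Try to initialize a parser for this codec, note, this may fail which just means we test without one
        flags = bytestream2_get_byte(&gbc);
        if (flags & 1)
            parser = av_parser_init(c->p.id);
        if (flags & 2)
            ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
        if (flags & 4) {
            ctx->err_recognition = AV_EF_AGGRESSIVE | AV_EF_COMPLIANT | AV_EF_CAREFUL;
            if (flags & 8)
                ctx->err_recognition |= AV_EF_EXPLODE;
        }
        if ((flags & 0x10) && c->p.id != AV_CODEC_ID_H264)
            ctx->flags2 |= AV_CODEC_FLAG2_FAST;
        if (flags & 0x80)
            ctx->flags2 |= AV_CODEC_FLAG2_EXPORT_MVS;

        // Bit 0x40 disables all SIMD so the C reference paths get fuzzed too.
        if (flags & 0x40)
            av_force_cpu_flags(0);

        extradata_size = bytestream2_get_le32(&gbc);

        // Mask to non-negative / sane ranges so trivially rejected values
        // don't consume fuzzing time.
        ctx->sample_rate                        = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
        ctx->ch_layout.nb_channels              = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
        ctx->block_align                        = bytestream2_get_le32(&gbc) & 0x7FFFFFFF;
        ctx->codec_tag                          = bytestream2_get_le32(&gbc);
        if (c->codec_tags) {
            // Map the fuzzed value onto one of the tags the decoder declares.
            int n;
            for (n = 0; c->codec_tags[n] != FF_CODEC_TAGS_END; n++);
            ctx->codec_tag = c->codec_tags[ctx->codec_tag % n];
        }
        keyframes                               = bytestream2_get_le64(&gbc);
        request_channel_layout                  = bytestream2_get_le64(&gbc);

        ctx->idct_algo                          = bytestream2_get_byte(&gbc) % 25;
        flushpattern                            = bytestream2_get_le64(&gbc);
        ctx->skip_frame                         = bytestream2_get_byte(&gbc) - 254 + AVDISCARD_ALL;


        if (flags & 0x20) {
            switch (ctx->codec_id) {
            case AV_CODEC_ID_AC3:
            case AV_CODEC_ID_EAC3:
                av_dict_set_int(&opts, "cons_noisegen", bytestream2_get_byte(&gbc) & 1, 0);
                av_dict_set_int(&opts, "heavy_compr",   bytestream2_get_byte(&gbc) & 1, 0);
                av_dict_set_int(&opts, "target_level",  (int)(bytestream2_get_byte(&gbc) % 32) - 31, 0);
                av_dict_set_int(&opts, "dmix_mode",     (int)(bytestream2_get_byte(&gbc) %  4) -  1, 0);
                break;
            }
        }

        // Keep the deprecated request_channel_layout behavior to ensure old fuzzing failures
        // remain reproducible.
        if (request_channel_layout) {
            switch (ctx->codec_id) {
            case AV_CODEC_ID_AC3:
            case AV_CODEC_ID_EAC3:
            case AV_CODEC_ID_MLP:
            case AV_CODEC_ID_TRUEHD:
            case AV_CODEC_ID_DTS:
                // Low 63 bits select the downmix layout; the top bit is used
                // below as the channel_order switch.
                if (request_channel_layout & ~INT64_MIN) {
                    // "0x" + up to 16 hex digits + NUL = 19 bytes.
                    char *downmix_layout = av_mallocz(19);
                    if (!downmix_layout)
                        error("Failed memory allocation");
                    av_strlcatf(downmix_layout, 19, "0x%"PRIx64, request_channel_layout & ~INT64_MIN);
                    av_dict_set(&opts, "downmix", downmix_layout, AV_DICT_DONT_STRDUP_VAL);
                }
                if (ctx->codec_id != AV_CODEC_ID_DTS)
                    break;
            // fall-through
            case AV_CODEC_ID_DOLBY_E:
                av_dict_set_int(&opts, "channel_order", !!(request_channel_layout & INT64_MIN), 0);
                break;
            }
        }

        flags64 = bytestream2_get_le64(&gbc);
        if (flags64 &1)
            ctx->debug |= FF_DEBUG_SKIP;
        if (flags64 &2)
            ctx->debug |= FF_DEBUG_QP;
        if (flags64 &4)
            ctx->debug |= FF_DEBUG_MB_TYPE;

        // extradata_size is int and size is size_t, so a negative value
        // converts to a huge unsigned and is rejected by this comparison.
        if (extradata_size < size) {
            ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
            if (ctx->extradata) {
                ctx->extradata_size = extradata_size;
                size -= ctx->extradata_size;
                memcpy(ctx->extradata, data + size, ctx->extradata_size);
            }
        }
        if (av_image_check_size(ctx->width, ctx->height, 0, ctx))
            ctx->width = ctx->height = 0;
    }

    int res = avcodec_open2(ctx, &c->p, &opts);
    if (res < 0) {
        avcodec_free_context(&ctx);
        avcodec_free_context(&parser_avctx);
        av_parser_close(parser);
        av_dict_free(&opts);
        return 0; // Failure of avcodec_open2() does not imply that an issue was found
    }
    // The parser gets its own context with a private copy of the extradata.
    parser_avctx->codec_id = ctx->codec_id;
    parser_avctx->extradata_size = ctx->extradata_size;
    parser_avctx->extradata = ctx->extradata ? av_memdup(ctx->extradata, ctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE) : NULL;
    // Don't hand the parser a non-zero extradata_size with a NULL buffer.
    if (ctx->extradata && !parser_avctx->extradata)
        error("Failed memory allocation");


    int got_frame;
    AVFrame *frame = av_frame_alloc();
    AVPacket *avpkt = av_packet_alloc();
    AVPacket *parsepkt = av_packet_alloc();
    if (!frame || !avpkt || !parsepkt)
        error("Failed memory allocation");

    // Read very simple container: packets delimited by FUZZ_TAG.
    while (data < end && it < maxiteration) {
        // Search for the TAG; the first-byte compare is a cheap pre-filter
        // before the 64-bit load.
        while (data + sizeof(fuzz_tag) < end) {
            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
                break;
            data++;
        }
        if (data + sizeof(fuzz_tag) > end)
            data = end;

        res = av_new_packet(parsepkt, data - last);
        if (res < 0)
            error("Failed memory allocation");
        memcpy(parsepkt->data, last, data - last);
        // Two bits of `keyframes` per packet: bit0 -> DISCARD, bit1 -> KEY,
        // then rotate right by 2 so the pattern repeats over long inputs.
        parsepkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
        keyframes = (keyframes >> 2) + (keyframes<<62);
        data += sizeof(fuzz_tag);
        last = data;

        while (parsepkt->size > 0) {
            int decode_more;

            if (parser) {
                int ret = av_parser_parse2(parser, parser_avctx, &avpkt->data, &avpkt->size,
                                           parsepkt->data, parsepkt->size,
                                           parsepkt->pts, parsepkt->dts, parsepkt->pos);
                // The parser may hand back a pointer into parsepkt or into its
                // own buffer; make avpkt refcounted either way.
                if (avpkt->data == parsepkt->data) {
                    avpkt->buf = av_buffer_ref(parsepkt->buf);
                    if (!avpkt->buf)
                        error("Failed memory allocation");
                } else {
                    if (av_packet_make_refcounted(avpkt) < 0)
                        error("Failed memory allocation");
                }
                parsepkt->data += ret;
                parsepkt->size -= ret;
                parsepkt->pos  += ret;
                avpkt->pts = parser->pts;
                avpkt->dts = parser->dts;
                avpkt->pos = parser->pos;
                if ( parser->key_frame == 1 ||
                    (parser->key_frame == -1 && parser->pict_type == AV_PICTURE_TYPE_I))
                    avpkt->flags |= AV_PKT_FLAG_KEY;
                avpkt->flags |= parsepkt->flags & AV_PKT_FLAG_DISCARD;
            } else {
                av_packet_move_ref(avpkt, parsepkt);
            }

          // Three bits of `flushpattern` per packet: all-zero means flush,
          // then rotate right by 3.
          if (!(flushpattern & 7))
              avcodec_flush_buffers(ctx);
          flushpattern = (flushpattern >> 3) + (flushpattern << 61);

          if (ctx->codec_type != AVMEDIA_TYPE_SUBTITLE) {
              int ret = avcodec_send_packet(ctx, avpkt);
              decode_more = ret >= 0;
              if(!decode_more) {
                  // A rejected packet still counts against the pixel budget,
                  // and after a few of them error concealment and debug
                  // visualisation are switched off (presumably to keep the
                  // cost of error paths bounded).
                  ec_pixels += (ctx->width + 32LL) * (ctx->height + 32LL);
                  if (it > 20 || ec_pixels > 4 * ctx->max_pixels) {
                      ctx->error_concealment = 0;
                      ctx->debug &= ~(FF_DEBUG_SKIP | FF_DEBUG_QP | FF_DEBUG_MB_TYPE);
                  }
                  if (ec_pixels > maxpixels)
                      goto maximums_reached;
              }
          } else
              decode_more = 1;

          // Iterate through all data
          while (decode_more && it++ < maxiteration) {
            av_frame_unref(frame);
            int ret = decode_handler(ctx, frame, &got_frame, avpkt);

            ec_pixels += (ctx->width + 32LL) * (ctx->height + 32LL);
            if (it > 20 || ec_pixels > 4 * ctx->max_pixels) {
                ctx->error_concealment = 0;
                ctx->debug &= ~(FF_DEBUG_SKIP | FF_DEBUG_QP | FF_DEBUG_MB_TYPE);
            }
            if (ec_pixels > maxpixels)
                goto maximums_reached;

            // A discarded audio packet that yields nothing is charged a full
            // frame's worth of samples so discard loops cannot run for free.
            if (ctx->codec_type == AVMEDIA_TYPE_AUDIO &&
                frame->nb_samples == 0 && !got_frame &&
                (avpkt->flags & AV_PKT_FLAG_DISCARD))
                nb_samples += ctx->max_samples;

            nb_samples += frame->nb_samples;
            if (nb_samples > maxsamples)
                goto maximums_reached;

            if (ret <= 0 || ret > avpkt->size)
               break;

            // Subtitle decoders report bytes consumed; advance through the
            // packet until it is exhausted.
            if (ctx->codec_type == AVMEDIA_TYPE_SUBTITLE) {
                avpkt->data += ret;
                avpkt->size -= ret;
                decode_more = avpkt->size > 0;
            } else
                decode_more = ret >= 0;
          }
          av_packet_unref(avpkt);
        }
        av_packet_unref(parsepkt);
    }
maximums_reached:

    av_packet_unref(avpkt);

    // Drain: signal EOF and pull out whatever frames are still buffered.
    if (ctx->codec_type != AVMEDIA_TYPE_SUBTITLE)
        avcodec_send_packet(ctx, NULL);

    do {
        got_frame = 0;
        av_frame_unref(frame);
        decode_handler(ctx, frame, &got_frame, avpkt);

        nb_samples += frame->nb_samples;
        if (nb_samples > maxsamples)
            break;
    } while (got_frame == 1 && it++ < maxiteration);

    // ec_pixels and nb_samples are uint64_t and it is uint32_t; use the
    // matching unsigned conversion specifiers.
    fprintf(stderr, "pixels decoded: %"PRIu64", samples decoded: %"PRIu64", iterations: %"PRIu32"\n", ec_pixels, nb_samples, it);

    av_frame_free(&frame);
    avcodec_free_context(&ctx);
    avcodec_free_context(&parser_avctx);
    av_parser_close(parser);
    av_packet_free(&avpkt);
    av_packet_free(&parsepkt);
    av_dict_free(&opts);
    return 0;
}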