[FFmpeg-devel] [PATCH] tools: Add target_sws_fuzzer.c
James Almer
jamrial at gmail.com
Sun Feb 18 03:47:13 EET 2024
On 2/17/2024 10:03 PM, Michael Niedermayer wrote:
> On Sat, Feb 17, 2024 at 09:13:21PM -0300, James Almer wrote:
>>
>>
>> On 2/17/2024 8:48 PM, Michael Niedermayer wrote:
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>> Makefile | 3 +
>>> tools/Makefile | 3 +
>>> tools/target_sws_fuzzer.c | 168 ++++++++++++++++++++++++++++++++++++++
>>> 3 files changed, 174 insertions(+)
>>> create mode 100644 tools/target_sws_fuzzer.c
>>>
>>> diff --git a/Makefile b/Makefile
>>> index dbc930270b3..b309dbc4db9 100644
>>> --- a/Makefile
>>> +++ b/Makefile
>>> @@ -64,6 +64,9 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
>>> tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
>>> $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>>> +tools/target_sws_fuzzer$(EXESUF): tools/target_sws_fuzzer.o $(FF_DEP_LIBS)
>>> + $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>>> +
>>> tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
>>> tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
>>> diff --git a/tools/Makefile b/tools/Makefile
>>> index dee6a416688..72e8e709a8d 100644
>>> --- a/tools/Makefile
>>> +++ b/tools/Makefile
>>> @@ -17,6 +17,9 @@ tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
>>> tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
>>> $(COMPILE_C) -DIO_FLAT=0
>>> +tools/target_sws_fuzzer.o: tools/target_sws_fuzzer.c
>>> + $(COMPILE_C)
>>> +
>>> tools/enc_recon_frame_test$(EXESUF): tools/decode_simple.o
>>> tools/venc_data_dump$(EXESUF): tools/decode_simple.o
>>> tools/scale_slice_test$(EXESUF): tools/decode_simple.o
>>> diff --git a/tools/target_sws_fuzzer.c b/tools/target_sws_fuzzer.c
>>> new file mode 100644
>>> index 00000000000..babb6e81629
>>> --- /dev/null
>>> +++ b/tools/target_sws_fuzzer.c
>>> @@ -0,0 +1,168 @@
>>> +/*
>>> + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg at niedermayer.cc>
>>> + *
>>> + * This file is part of FFmpeg.
>>> + *
>>> + * FFmpeg is free software; you can redistribute it and/or
>>> + * modify it under the terms of the GNU Lesser General Public
>>> + * License as published by the Free Software Foundation; either
>>> + * version 2.1 of the License, or (at your option) any later version.
>>> + *
>>> + * FFmpeg is distributed in the hope that it will be useful,
>>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>>> + * Lesser General Public License for more details.
>>> + *
>>> + * You should have received a copy of the GNU Lesser General Public
>>> + * License along with FFmpeg; if not, write to the Free Software
>>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>>> + */
>>> +
>>> +#include "config.h"
>>> +#include "libavutil/avassert.h"
>>> +#include "libavutil/avstring.h"
>>> +#include "libavutil/cpu.h"
>>> +#include "libavutil/imgutils.h"
>>> +#include "libavutil/intreadwrite.h"
>>> +#include "libavutil/opt.h"
>>> +
>>> +#include "libavcodec/bytestream.h"
>>> +
>>> +#include "libswscale/swscale.h"
>>> +
>>> +
>>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
>>> +
>>> +static void error(const char *err)
>>> +{
>>> + fprintf(stderr, "%s", err);
>>> + exit(1);
>>> +}
>>> +
>>> +static int alloc_plane(uint8_t *data[AV_VIDEO_MAX_PLANES], int stride[AV_VIDEO_MAX_PLANES], int w, int h, int format, int *hshift, int *vshift)
>>> +{
>>> + int ret = av_image_fill_linesizes(stride, format, w);
>>> + if (ret < 0)
>>> + return -1;
>>> +
>>> + av_pix_fmt_get_chroma_sub_sample(format, hshift, vshift);
>>> +
>>> + for(int p=0; p<AV_VIDEO_MAX_PLANES; p++) {
>>> + if (stride[p]) {
>>> + stride[p] = FFALIGN(stride[p], 32);
>>> + int ph = AV_CEIL_RSHIFT(h, (p == 1 || p == 2) ? *vshift : 0);
>>> + av_log(0,0, "P:%d St %d ph %d\n", p, stride[p], ph);
>>> + data[p] = av_mallocz(stride[p] * ph + 32);
>>> + if (!data[p])
>>> + return -1;
>>> + }
>>> + }
>>> + if (format == AV_PIX_FMT_PAL8) {
>>> + data[1] = av_mallocz(256*4);
>>> + if (!data[1])
>>> + return -1;
>>> + }
>>> + return 0;
>>
>> av_image_alloc()? Would be better to actually test sws with buffers created
>> by our own public helpers.
>
> av_image_alloc() allocates the planes in one continous piece
> so teh fuzzer would not be able to detect accesses over the end of the first
> or accesses prior the 2nd.
>
> So this is not possible
Then use av_image_fill_plane_sizes() after av_image_fill_linesizes() and
then allocate the buffers with its output. See fuzz_video_get_buffer()
in test_dec_fuzzer.c
It's best if we don't rewrite basic buffer allocation and size
calculation functions every time we add new code.
>
>
>>
>>> +}
>>> +
>>> +static void free_plane(uint8_t *data[AV_VIDEO_MAX_PLANES])
>>> +{
>>> + for(int p=0; p<AV_VIDEO_MAX_PLANES; p++)
>>> + av_freep(&data[p]);
>>> +}
>>> +
>>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>>> + int srcW= 48, srcH = 48;
>>> + int dstW= 48, dstH = 48;
>>> + int srcHShift, srcVShift;
>>> + int dstHShift, dstVShift;
>>> + unsigned flags = 1;
>>> + int srcStride[AV_VIDEO_MAX_PLANES] = {0};
>>> + int dstStride[AV_VIDEO_MAX_PLANES] = {0};
>>> + int ret;
>>> + const uint8_t *end = data + size;
>>> + enum AVPixelFormat srcFormat = AV_PIX_FMT_YUV420P;
>>> + enum AVPixelFormat dstFormat = AV_PIX_FMT_YUV420P;
>>> + uint8_t *src[4] = { 0 };
>>> + uint8_t *dst[4] = { 0 };
>>
>> AV_VIDEO_MAX_PLANES.
>
> will change
>
>
>>
>>> + struct SwsContext *sws = NULL;
>>> + const AVPixFmtDescriptor *desc_src, *desc_dst;
>>> +
>>> + if (size > 128) {
>>> + GetByteContext gbc;
>>> + int64_t flags64;
>>> +
>>> + size -= 128;
>>> + bytestream2_init(&gbc, data + size, 128);
>>> + srcW = bytestream2_get_le32(&gbc) % 256;
>>> + srcH = bytestream2_get_le32(&gbc) % 256;
>>> + dstW = bytestream2_get_le32(&gbc) % 256;
>>> + dstH = bytestream2_get_le32(&gbc) % 256;
>>> + flags = bytestream2_get_le32(&gbc);
>>> +
>>> + srcFormat = bytestream2_get_le32(&gbc) % AV_PIX_FMT_NB;
>>> + dstFormat = bytestream2_get_le32(&gbc) % AV_PIX_FMT_NB;
>>
>> nit: Maybe sanitize the choices with sws_isSupportedInput() and
>> sws_isSupportedOutput()? Unless having sws_init_context() fail with invalid
>> arguments is also intended.
>
> Honestly i do not know which way is best
Leave it as is, it's not important.
>
>
>>
>>> +
>>> + flags64 = bytestream2_get_le64(&gbc);
>>> + if (flags64 & 0x10)
>>> + av_force_cpu_flags(0);
>>> +
>>> + if (av_image_check_size(srcW, srcH, srcFormat, NULL))
>>> + srcW = srcH = 123;
>>> + if (av_image_check_size(dstW, dstH, dstFormat, NULL))
>>> + dstW = dstH = 123;
>>
>> Is there a format where this could fail, knowing the dimensions are at most
>> 255x255?
>
> The 255 is temporary, a less restrictive size should be choosen as there may
> be bugs with huge sizes. Its just that these really slow it down
>
>
>>
>>> + //TODO alphablend
>>> + }
>>> +
>>> + desc_src = av_pix_fmt_desc_get(srcFormat);
>>> + desc_dst = av_pix_fmt_desc_get(dstFormat);
>>> +
>>> + ret = alloc_plane(src, srcStride, srcW, srcH, srcFormat, &srcHShift, &srcVShift);
>>> + if (ret < 0)
>>> + goto end;
>>> +
>>> + ret = alloc_plane(dst, dstStride, dstW, dstH, dstFormat, &dstHShift, &dstVShift);
>>> + if (ret < 0)
>>> + goto end;
>>> +
>>> +
>>> + for(int p=0; p<AV_VIDEO_MAX_PLANES; p++) {
>>> + int psize = srcStride[p] * AV_CEIL_RSHIFT(srcH, (p == 1 || p == 2) ? srcVShift : 0);
>>> + if (psize > size)
>>> + psize = size;
>>> + if (psize) {
>>> + memcpy(src[p], data, psize);
>>> + data += psize;
>>> + size -= psize;
>>> + }
>>> + }
>>
>> av_image_copy(). Or av_image_copy_plane() in a loop if you prefer.
>
> these dont seem to have a input size so ill leave it for now
Ok.
>
> thx
>
> [...]
>
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list