On 4/19/2024 10:10 PM, Michael Niedermayer wrote:
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  Makefile                  |   3 +
  tools/Makefile            |   3 +
  tools/target_enc_fuzzer.c | 213 ++++++++++++++++++++++++++++++++++++++
  3 files changed, 219 insertions(+)
  create mode 100644 tools/target_enc_fuzzer.c

diff --git a/Makefile b/Makefile
index b309dbc4db9..de727cbe00e 100644
--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,9 @@ $(TOOLS): %$(EXESUF): %.o
  target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
        $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) 
$(LIBFUZZER_PATH)
+target_enc_%_fuzzer$(EXESUF): target_enc_%_fuzzer.o $(FF_DEP_LIBS)
+       $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) 
$(LIBFUZZER_PATH)
+
  tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
        $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) 
$(LIBFUZZER_PATH)
diff --git a/tools/Makefile b/tools/Makefile
index 72e8e709a8d..2a11fa0ae62 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
  tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
        $(COMPILE_C) -DFFMPEG_DECODER=$*
+tools/target_enc_%_fuzzer.o: tools/target_enc_fuzzer.c
+       $(COMPILE_C) -DFFMPEG_ENCODER=$*
+
  tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
        $(COMPILE_C) -DFFMPEG_BSF=$*
diff --git a/tools/target_enc_fuzzer.c b/tools/target_enc_fuzzer.c
new file mode 100644
index 00000000000..bc9f98c1443
--- /dev/null
+++ b/tools/target_enc_fuzzer.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 2024 Michael Niedermayer <michael-ffm...@niedermayer.cc>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Based on target_dec_fuzzer
+ */
+
+#include "config.h"
+#include "libavutil/avassert.h"
+#include "libavutil/avstring.h"
+#include "libavutil/cpu.h"
+#include "libavutil/imgutils.h"
+#include "libavutil/intreadwrite.h"
+#include "libavutil/mem.h"
+
+#include "libavcodec/avcodec.h"
+#include "libavcodec/bytestream.h"
+#include "libavcodec/codec_internal.h"
+#include "libavformat/avformat.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+extern const FFCodec * codec_list[];
+
+static void error(const char *err)
+{
+    fprintf(stderr, "%s", err);
+    exit(1);
+}
+
+static const FFCodec *c = NULL;
+static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id)
+{
+    const AVCodec *res;
+
+    res = avcodec_find_decoder(codec_id);
+    if (!res)
+        error("Failed to find decoder");
+    return ffcodec(res);
+}
+
+// Ensure we don't loop forever
+const uint32_t maxiteration = 8096;
+
+
+static int encode(AVCodecContext *enc_ctx, AVFrame *frame, AVPacket *pkt)
+{
+    int ret;
+
+    ret = avcodec_send_frame(enc_ctx, frame);
+    if (ret < 0)
+        return ret;
+
+    while (ret >= 0) {
+        ret = avcodec_receive_packet(enc_ctx, pkt);
+        if (ret == AVERROR(EAGAIN)) {
+            return 0;
+        } else if (ret < 0) {
+            return ret;
+        }
+
+        av_packet_unref(pkt);
+    }
+    av_assert0(0);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    uint64_t maxpixels_per_frame = 512 * 512;
+    uint64_t maxpixels;
+
+    uint64_t maxsamples;
+    const uint8_t *end = data + size;
+    uint32_t it = 0;
+    uint64_t nb_samples = 0;
+    AVDictionary *opts = NULL;
+
+    if (!c) {
+#ifdef FFMPEG_ENCODER
+#define ENCODER_SYMBOL0(CODEC) ff_##CODEC##_encoder
+#define ENCODER_SYMBOL(CODEC) ENCODER_SYMBOL0(CODEC)
+        extern FFCodec ENCODER_SYMBOL(FFMPEG_ENCODER);
+        codec_list[0] = &ENCODER_SYMBOL(FFMPEG_ENCODER);
+
+        c = &ENCODER_SYMBOL(FFMPEG_ENCODER);
+#else
+        c = AVCodecInitialize(FFMPEG_CODEC);  // Done once.
+#endif
+        av_log_set_level(AV_LOG_PANIC);
+    }
+
+    av_assert0(c->p.type == AVMEDIA_TYPE_VIDEO);
+
+    maxpixels = maxpixels_per_frame * maxiteration;
+
+    maxpixels_per_frame  = FFMIN(maxpixels_per_frame , maxpixels);
+
+    AVCodecContext* ctx = avcodec_alloc_context3(&c->p);
+    if (!ctx)
+        error("Failed memory allocation");
+
+    if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame)
+        ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM 
and hangs
+
+    ctx->pix_fmt = AV_PIX_FMT_YUV420P;
+    if (size > 1024) {
+        GetByteContext gbc;
+        int flags;
+        int64_t flags64;
+
+        size -= 1024;
+        bytestream2_init(&gbc, data + size, 1024);
+        ctx->width                              = bytestream2_get_le32(&gbc) & 
0xFFFF;
+        ctx->height                             = bytestream2_get_le32(&gbc) & 
0xFFFF;
+        ctx->bit_rate                           = bytestream2_get_le64(&gbc);
+        ctx->gop_size                           = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+        ctx->max_b_frames                       = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+        ctx->time_base.num                      = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+        ctx->time_base.den                      = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+        ctx->framerate.num                      = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+        ctx->framerate.den                      = bytestream2_get_le32(&gbc) & 
0x7FFFFFFF;
+
+        flags = bytestream2_get_byte(&gbc);
+        if (flags & 2)
+            ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL;
+
+        if (flags & 0x40)
+            av_force_cpu_flags(0);
+
+        flags64 = bytestream2_get_le64(&gbc);
+
+        int npixfmts = 0;
+        while (c->p.pix_fmts[npixfmts++] != AV_PIX_FMT_NONE)
+            ;
+        ctx->pix_fmt = c->p.pix_fmts[bytestream2_get_byte(&gbc) % npixfmts];
+
+        switch (c->p.id) {
+        case AV_CODEC_ID_FFV1:{
+            int coder = bytestream2_get_byte(&gbc)&3;
+            if (coder == 3) coder = -2;
+            av_dict_set_int(&opts, "coder", coder, 0);
+            av_dict_set_int(&opts, "context", bytestream2_get_byte(&gbc)&1, 0);
+            av_dict_set_int(&opts, "slicecrc", bytestream2_get_byte(&gbc)&1, 
0);
+            break;}
+        }
+    }
+    if (ctx->width == 0 || av_image_check_size(ctx->width, ctx->height, 0, 
ctx))
+        ctx->width = ctx->height = 64;
+
+    int res = avcodec_open2(ctx, &c->p, &opts);
+    if (res < 0) {
+        avcodec_free_context(&ctx);
+        av_dict_free(&opts);
+        return 0; // Failure of avcodec_open2() does not imply that a issue 
was found
+    }
+
+
+    AVFrame *frame = av_frame_alloc();
+    AVPacket *avpkt = av_packet_alloc();
+    if (!frame || !avpkt)
+        error("Failed memory allocation");
+
+    frame->format = ctx->pix_fmt;
+    frame->width  = ctx->width;
+    frame->height = ctx->height;
+
+    res = av_frame_get_buffer(frame, 0);
+    if (res < 0)
+        error("Failed av_frame_get_buffer");
+    int frame_size = frame->buf[0]->size;
+
+    while (data < end && it < maxiteration) {
+        res = av_frame_make_writable(frame);

This will result in potential copy of data that ultimately will be overwritten by the memcpy below.

Call av_buffer_unref() in a loop for all AV_NUM_DATA_POINTERS buffers in frame->buf (Don't bother with frame->extended_buf since this is for video only), then alloc new ones with av_frame_get_buffer().

+        if (res < 0)
+            error("Failed av_frame_make_writable\n");
+
+        int buf_size = FFMIN(end-data, frame_size);

I guess av_frame_make_writable() might be ok only if buf_size ends up being smaller than frame_size, otherwise there will be uninitialized bytes.

+        memcpy(frame->buf[0]->data, data, buf_size);

This will waste bytes from the input by writing into all the padding and space between lines. You could use av_image_copy_plane() or av_image_copy() instead.

+        data += buf_size;
+
+        frame->pts = nb_samples;
+
+        encode(ctx, frame, avpkt);

If avcodec_receive_packet() returns a legitimate error, you should not ignore it here, and break the loop instead.

+        it++;
+
+        av_packet_unref(avpkt);
+    }
+
+    encode(ctx, NULL, avpkt);
+    av_packet_unref(avpkt);
+
+//     fprintf(stderr, "frames encoded: %"PRId64",  iterations: %d\n", 
nb_samples  , it);
+
+    av_frame_free(&frame);
+    avcodec_free_context(&ctx);
+    av_packet_free(&avpkt);
+    av_dict_free(&opts);
+    return 0;
+}
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to