I've had this kicking around for like 4 years, maybe it can be of use to some
people.
I haven't done full scale fuzzing with this because laziness. I just sometimes
run it
when I'm bored. It's not thread-safe, but it would be trivial to make it so.
It's based off my old LD_PRELOAD hack from here:
https://gist.github.com/dwbuiten/7101755
Optionally takes two env vars, MALLOC_SEED (the seed), and MALLOC_FAILPROB for
the
probability of failing.
I've been running it directly integrated inside FFmpeg's allocator because it
makes
it easier to run under gdb to find where it actually crashes, if the stack
trace of
the failure is not enough info/context.
Currently FFmpeg has a lot of unchecked allocations - just one single FATE run
with
this found:
daemon404@bbvm:~/dev/f/ffmpeg/tests/data/fate$ grep Seg *.err
adpcm-ima-amv.err:Segmentation fault
adpcm-ima-apc.err:Segmentation fault
caf.err:Segmentation fault
filter-mergeplanes.err:Segmentation fault
filter-paletteuse-bayer.err:Segmentation fault
filter-paletteuse-sierra2_4a.err:Segmentation fault
lavf-wav.err:Segmentation fault
lavf-wav_peak.err:Segmentation fault
lavf-wav_peak_only.err:Segmentation fault
vorbis-encode.err:Segmentation fault
vsynth1-msvideo1.err:Segmentation fault
Plus an infinite EAGAIN loop with av_usleep ffmpeg.c, that I'm still trying to
debug.
It prints a stack trace when it fails so that you know which allocation failed:
daemon404@bbvm:~/dev/f/ffmpeg/tests/data/fate$ cat vorbis-encode.err
[... snip ...]
FAILED. Iteration = 9789, Seed = 1511549218.
my_posix_memalign:77 in libavutil/posixmemalign.c
av_malloc:89 in libavutil/mem.c
av_mallocz:240 in libavutil/mem.c
av_frame_alloc:152 in libavutil/frame.c
av_frame_clone:499 in libavutil/frame.c
vorbis_encode_frame:1098 in libavcodec/vorbisenc.c
avcodec_encode_audio2:198 in libavcodec/encode.c
do_encode:377 in libavcodec/encode.c
avcodec_send_frame:423 in libavcodec/encode.c
do_audio_out:931 in fftools/ffmpeg.c
reap_filters:1507 in fftools/ffmpeg.c
transcode_step:4562 in fftools/ffmpeg.c
transcode:4606 in fftools/ffmpeg.c
main:4812 in fftools/ffmpeg.c
(null):0 in (null)
(null):0 in (null)
(null):0 in (null)
Segmentation fault
The (null) stuff is noise from libbacktrace, and could be skipped with a proper
callback.
And e.g. to reproduce this under gdb:
$ MALLOC_SEED=1511549218 gdb --args /home/daemon404/dev/f/ffmpeg/ffmpeg_g \
-nostdin -nostats -cpuflags all -hwaccel none -threads 1 -thread_type
frame+slice \
-i /home/daemon404/fate/audio-reference/luckynight_2ch_44kHz_s16.wav -c:a
vorbis \
-strict experimental -f ogg -y
/home/daemon404/dev/f/ffmpeg/tests/data/fate/vorbis-encode.ogg
(Obtained from 'make fate-vorbis-encode V=1'.)
Currently it's using libbacktrace from GCC, which can be build entirely
separately from
GDB (cd libbacktrace && ./configure && make && cp backtrace.h
/usr/local/include &&
cp .libs/libbacktrace.a /usr/local/lib). Add -lbacktrace to extra-libs. Hacky?
Yeah...
Derek Buitenhuis (1):
Allocation NULL check fuzzing tool
libavutil/mem.c | 4 ++-
libavutil/posixmemalign.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+), 1 deletion(-)
create mode 100644 libavutil/posixmemalign.c
--
2.15.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
