On Fri, Dec 06, 2019 at 04:16:23PM -0300, James Almer wrote:
> This should increase coverage on some decoders by executing flushing code.
>
> Signed-off-by: James Almer <jamr...@gmail.com>
> ---
> tools/target_dec_fuzzer.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index dcf47b0f4d..3c2f9125bb 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
> size) {
> error("Failed memory allocation");
> memcpy(parsepkt.data, last, data - last);
> parsepkt.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD +
> (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
> + int flush = !!(keyframes & 4);
> keyframes = (keyframes >> 2) + (keyframes<<62);
> data += sizeof(fuzz_tag);
> last = data;
> @@ -289,6 +290,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
> size) {
> av_packet_move_ref(&avpkt, &parsepkt);
> }
>
> + if (avpkt.flags & AV_PKT_FLAG_KEY && flush)
> + avcodec_flush_buffers(ctx);
> +
> // Iterate through all data
> while (avpkt.size > 0 && it++ < maxiteration) {
> av_frame_unref(frame);
This would call flush in a pattern locked onto the keyframe and discard flags.
Not sure if that could affect coverage
An alternative would be to use a seperate pattern for flush. (see patch below)
That said, both these patches will disrupt existing test cases
commit 1a1f747a7afd181f6b763d4dca59cd848e7acb20 (HEAD -> master)
Author: Michael Niedermayer <mich...@niedermayer.cc>
Date: Fri Dec 6 23:42:28 2019 +0100
tools/target_dec_fuzzer: Call avcodec_flush_buffers() in a fuzzer choosen
pattern
This should increase coverage
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index dcf47b0f4d..c11a11514c 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
size) {
const AVPacket *avpkt) = NULL;
AVCodecParserContext *parser = NULL;
uint64_t keyframes = 0;
+ uint64_t flushpattern = -1;
if (!c) {
@@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
size) {
ctx->block_align = bytestream2_get_le32(&gbc);
ctx->codec_tag = bytestream2_get_le32(&gbc);
keyframes = bytestream2_get_le64(&gbc);
+ flushpattern = bytestream2_get_le64(&gbc);
if (extradata_size < size) {
ctx->extradata = av_mallocz(extradata_size +
AV_INPUT_BUFFER_PADDING_SIZE);
@@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
size) {
av_packet_move_ref(&avpkt, &parsepkt);
}
+ if (!(flushpattern & 7))
+ avcodec_flush_buffers(ctx);
+ flushpattern = (flushpattern >> 3) + (flushpattern<<61);
+
// Iterate through all data
while (avpkt.size > 0 && it++ < maxiteration) {
av_frame_unref(frame);
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Avoid a single point of failure, be that a person or equipment.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
