| /* |
| * Copyright (c) 2018 The WebM project authors. All Rights Reserved. |
| * |
| * Use of this source code is governed by a BSD-style license |
| * that can be found in the LICENSE file in the root of the source |
| * tree. An additional intellectual property rights grant can be found |
| * in the file PATENTS. All contributing project authors may |
| * be found in the AUTHORS file in the root of the source tree. |
| */ |
| |
| /* |
| * Fuzzer for libvpx decoders |
| * ========================== |
| * Requirements |
| * -------------- |
| * Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker |
| * option. |
| |
| * Steps to build |
| * -------------- |
| * Clone libvpx repository |
| $git clone https://chromium.googlesource.com/webm/libvpx |
| |
| * Create a directory in parallel to libvpx and change directory |
| $mkdir vpx_dec_fuzzer |
| $cd vpx_dec_fuzzer/ |
| |
| * Enable sanitizers (Supported: address integer memory thread undefined) |
| $source ../libvpx/tools/set_analyzer_env.sh address |
| |
| * Configure libvpx. |
| * Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid |
| * Out of memory errors when running generated fuzzer binary |
| $../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \ |
| --extra-cflags="-DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \ |
| --disable-webm-io --enable-debug --disable-vp8-encoder \ |
| --disable-vp9-encoder --disable-examples |
| |
| * Build libvpx |
| $make -j32 |
| |
| * Build vp9 fuzzer |
| $ $CXX $CXXFLAGS -std=c++11 -DDECODER=vp9 \ |
| -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \ |
| ../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \ |
| ./libvpx.a -Wl,--end-group |
| |
| * DECODER should be defined as vp9 or vp8 to enable vp9/vp8 |
| * |
| * create a corpus directory and copy some ivf files there. |
| * Based on which codec (vp8/vp9) is being tested, it is recommended to |
| * have corresponding ivf files in corpus directory |
| * Empty corpus directoy also is acceptable, though not recommended |
| $mkdir CORPUS && cp some-files CORPUS |
| |
| * Run fuzzing: |
| $./vpx_dec_fuzzer_vp9 CORPUS |
| |
| * References: |
| * http://llvm.org/docs/LibFuzzer.html |
| * https://github.com/google/oss-fuzz |
| */ |
| |
| #include <stddef.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <memory> |
| |
| #include "vpx/vp8dx.h" |
| #include "vpx/vpx_decoder.h" |
| #include "vpx_ports/mem_ops.h" |
| |
| #define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */ |
| #define IVF_FILE_HDR_SZ 32 |
| |
| #define VPXD_INTERFACE(name) VPXD_INTERFACE_(name) |
| #define VPXD_INTERFACE_(name) vpx_codec_##name##_dx() |
| |
| static void CloseFile(FILE *file) { fclose(file); } |
| |
| /* ReadFrame is derived from ivf_read_frame in ivfdec.c |
| * This function doesn't call warn(), but instead ignores those errors. |
| * This is done to minimize the prints on console when running fuzzer |
| * Also if fread fails to read frame_size number of bytes, instead of |
| * returning an error, this returns with partial frames. |
| * This is done to ensure that partial frames are sent to decoder. |
| */ |
| static int ReadFrame(FILE *infile, uint8_t **buffer, size_t *bytes_read, |
| size_t *buffer_size) { |
| char raw_header[IVF_FRAME_HDR_SZ] = { 0 }; |
| size_t frame_size = 0; |
| |
| if (fread(raw_header, IVF_FRAME_HDR_SZ, 1, infile) == 1) { |
| frame_size = mem_get_le32(raw_header); |
| |
| if (frame_size > 256 * 1024 * 1024) { |
| frame_size = 0; |
| } |
| |
| if (frame_size > *buffer_size) { |
| uint8_t *new_buffer = (uint8_t *)realloc(*buffer, 2 * frame_size); |
| |
| if (new_buffer) { |
| *buffer = new_buffer; |
| *buffer_size = 2 * frame_size; |
| } else { |
| frame_size = 0; |
| } |
| } |
| } |
| |
| if (!feof(infile)) { |
| *bytes_read = fread(*buffer, 1, frame_size, infile); |
| return 0; |
| } |
| |
| return 1; |
| } |
| |
| extern "C" void usage_exit(void) { exit(EXIT_FAILURE); } |
| |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
| std::unique_ptr<FILE, decltype(&CloseFile)> file( |
| fmemopen((void *)data, size, "rb"), &CloseFile); |
| if (file == nullptr) { |
| return 0; |
| } |
| // Ensure input contains at least one file header and one frame header |
| if (size < IVF_FILE_HDR_SZ + IVF_FRAME_HDR_SZ) { |
| return 0; |
| } |
| char header[IVF_FILE_HDR_SZ]; |
| if (fread(header, 1, IVF_FILE_HDR_SZ, file.get()) != IVF_FILE_HDR_SZ) { |
| return 0; |
| } |
| |
| vpx_codec_ctx_t codec; |
| // Set thread count in the range [1, 64]. |
| const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1; |
| vpx_codec_dec_cfg_t cfg = { threads, 0, 0 }; |
| if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, 0)) { |
| return 0; |
| } |
| |
| uint8_t *buffer = nullptr; |
| size_t buffer_size = 0; |
| size_t frame_size = 0; |
| |
| while (!ReadFrame(file.get(), &buffer, &frame_size, &buffer_size)) { |
| const vpx_codec_err_t err = |
| vpx_codec_decode(&codec, buffer, frame_size, nullptr, 0); |
| static_cast<void>(err); |
| vpx_codec_iter_t iter = nullptr; |
| vpx_image_t *img = nullptr; |
| while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) { |
| } |
| } |
| vpx_codec_destroy(&codec); |
| free(buffer); |
| return 0; |
| } |