tests: add libfuzzer test target

Disabled by default, enabble with `meson -Dbuild_libfuzzer=true -Db_lundef=false ...`.
Fuzz target improved by the paralell work by Thierry Foucu in !138.

meson.build

@@ -64,6 +64,9 @@ is_asm_enabled = (get_option('build_asm') == true and
      host_machine.cpu_family().startswith('arm'))
 cdata.set10('HAVE_ASM', is_asm_enabled)
 
+# libFuzzer target
+is_libfuzzer_enabled = (get_option('build_libfuzzer'))
+
 
 
 #
@@ -156,6 +159,14 @@ endif
 
 add_project_arguments(cc.get_supported_arguments(optional_arguments), language : 'c')
 
+# libFuzzer related things
+if is_libfuzzer_enabled
+    if not cc.has_argument('-fsanitize=fuzzer')
+        error('build_libfuzzer requires "-fsanitize=fuzzer"')
+    endif
+    fuzzer_args = ['-fsanitize=fuzzer-no-link', '-fsanitize=fuzzer']
+    add_project_arguments(cc.first_supported_argument(fuzzer_args), language : 'c')
+endif
 
 # Stack alignments flags
 

meson_options.txt

@@ -19,3 +19,8 @@ option('build_tests',
     type: 'boolean',
     value: true,
     description: 'Build dav1d tests')
+
+option('build_libfuzzer',
+    type: 'boolean',
+    value: false,
+    description: 'Build dav1d libFuzzer target')

tests/libfuzzer/dav1d_fuzzer.c

@@ -0,0 +1,98 @@
+/*
+ * Copyright © 2018, VideoLAN and dav1d authors
+ * Copyright © 2018, Janne Grunau
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice, this
+ *    list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <errno.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <dav1d.h>
+
+#include "common/intops.h"
+
+// expects ivf input
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    Dav1dSettings settings = { 0 };
+    Dav1dContext * ctx = NULL;
+    Dav1dPicture pic;
+    const uint8_t *ptr = data;
+    int err;
+
+    if (size < 32) goto end;
+    ptr += 32; // skip ivf header
+
+    dav1d_default_settings(&settings);
+
+    err = dav1d_open(&ctx, &settings);
+    if (err < 0) goto end;
+
+    while (ptr <= data + size - 4) {
+        Dav1dData buf;
+
+        size_t frame_size = rl32(ptr);
+        ptr += 4;
+
+        if (frame_size > size || ptr > data + size - frame_size)
+            break;
+
+        // copy frame data to a new buffer to catch reads past the end of input
+        err = dav1d_data_create(&buf, frame_size);
+        if (err) goto cleanup;
+        memcpy(buf.data, ptr, frame_size);
+        ptr += frame_size;
+
+        do {
+            memset(&pic, 0, sizeof(pic));
+            err = dav1d_decode(ctx, &buf, &pic);
+            if (err == 0) {
+                dav1d_picture_unref(&pic);
+            } else {
+                if (!buf.sz) dav1d_data_unref(&buf);
+                if (err != -EAGAIN) {
+                    break;
+                }
+            }
+        } while (buf.sz > 0);
+
+        if (buf.sz > 0 || frame_size == 0)
+            dav1d_data_unref(&buf);
+    }
+
+    do {
+        memset(&pic, 0, sizeof(pic));
+        err = dav1d_decode(ctx, NULL, &pic);
+        if (err == 0)
+            dav1d_picture_unref(&pic);
+    } while (err == 0);
+
+cleanup:
+    dav1d_close(&ctx);
+end:
+    return 0;
+}

tests/meson.build

@@ -81,3 +81,17 @@ if is_asm_enabled
 
     test('checkasm test', checkasm)
 endif
+
+if is_libfuzzer_enabled
+    dav1d_fuzzer_sources =  files('libfuzzer/dav1d_fuzzer.c')
+
+    dav1d_fuzzer = executable('dav1d_fuzzer',
+        dav1d_fuzzer_sources,
+        include_directories: dav1d_inc_dirs,
+        c_args: [stackalign_flag, stackrealign_flag, '-fsanitize=fuzzer'],
+        link_args: ['-fsanitize=fuzzer'],
+        link_with : libdav1d,
+        build_by_default: true,
+        dependencies : [thread_dependency],
+        )
+endif