mirror of
https://code.videolan.org/videolan/dav1d
synced 2024-09-27 11:50:24 +02:00
8ddb28e5a7
It's not required by the API and would only risk masking potential bugs.
200 lines
5.7 KiB
C
200 lines
5.7 KiB
C
/*
|
|
* Copyright © 2018, VideoLAN and dav1d authors
|
|
* Copyright © 2018, Janne Grunau
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright notice, this
|
|
* list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include <errno.h>
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
|
|
#include <dav1d/dav1d.h>
|
|
#include "src/cpu.h"
|
|
#include "dav1d_fuzzer.h"
|
|
|
|
#ifdef DAV1D_ALLOC_FAIL
|
|
|
|
#include "alloc_fail.h"
|
|
|
|
static unsigned djb_xor(const uint8_t * c, size_t len) {
|
|
unsigned hash = 5381;
|
|
for(size_t i = 0; i < len; i++)
|
|
hash = hash * 33 ^ c[i];
|
|
return hash;
|
|
}
|
|
#endif
|
|
|
|
static unsigned r32le(const uint8_t *const p) {
|
|
return ((uint32_t)p[3] << 24U) | (p[2] << 16U) | (p[1] << 8U) | p[0];
|
|
}
|
|
|
|
#define DAV1D_FUZZ_MAX_SIZE 4096 * 4096
|
|
|
|
// search for "--cpumask xxx" in argv and remove both parameters
|
|
int LLVMFuzzerInitialize(int *argc, char ***argv) {
|
|
int i = 1;
|
|
for (; i < *argc; i++) {
|
|
if (!strcmp((*argv)[i], "--cpumask")) {
|
|
const char * cpumask = (*argv)[i+1];
|
|
if (cpumask) {
|
|
char *end;
|
|
unsigned res;
|
|
if (!strncmp(cpumask, "0x", 2)) {
|
|
cpumask += 2;
|
|
res = (unsigned) strtoul(cpumask, &end, 16);
|
|
} else {
|
|
res = (unsigned) strtoul(cpumask, &end, 0);
|
|
}
|
|
if (end != cpumask && !end[0]) {
|
|
dav1d_set_cpu_flags_mask(res);
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
for (; i < *argc - 2; i++) {
|
|
(*argv)[i] = (*argv)[i + 2];
|
|
}
|
|
|
|
*argc = i;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
// expects ivf input
|
|
|
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
|
{
|
|
Dav1dSettings settings = { 0 };
|
|
Dav1dContext * ctx = NULL;
|
|
Dav1dPicture pic;
|
|
const uint8_t *ptr = data;
|
|
int have_seq_hdr = 0;
|
|
int err;
|
|
|
|
dav1d_version();
|
|
|
|
if (size < 32) goto end;
|
|
#ifdef DAV1D_ALLOC_FAIL
|
|
unsigned h = djb_xor(ptr, 32);
|
|
unsigned seed = h;
|
|
unsigned probability = h > (RAND_MAX >> 5) ? RAND_MAX >> 5 : h;
|
|
int max_frame_delay = (h & 0xf) + 1;
|
|
int n_threads = ((h >> 4) & 0x7) + 1;
|
|
if (max_frame_delay > 5) max_frame_delay = 1;
|
|
if (n_threads > 3) n_threads = 1;
|
|
#endif
|
|
ptr += 32; // skip ivf header
|
|
|
|
dav1d_default_settings(&settings);
|
|
|
|
#ifdef DAV1D_MT_FUZZING
|
|
settings.max_frame_delay = settings.n_threads = 4;
|
|
#elif defined(DAV1D_ALLOC_FAIL)
|
|
settings.max_frame_delay = max_frame_delay;
|
|
settings.n_threads = n_threads;
|
|
dav1d_setup_alloc_fail(seed, probability);
|
|
#else
|
|
settings.max_frame_delay = settings.n_threads = 1;
|
|
#endif
|
|
#if defined(DAV1D_FUZZ_MAX_SIZE)
|
|
settings.frame_size_limit = DAV1D_FUZZ_MAX_SIZE;
|
|
#endif
|
|
|
|
err = dav1d_open(&ctx, &settings);
|
|
if (err < 0) goto end;
|
|
|
|
while (ptr <= data + size - 12) {
|
|
Dav1dData buf;
|
|
uint8_t *p;
|
|
|
|
size_t frame_size = r32le(ptr);
|
|
ptr += 12;
|
|
|
|
if (frame_size > size || ptr > data + size - frame_size)
|
|
break;
|
|
|
|
if (!frame_size) continue;
|
|
|
|
if (!have_seq_hdr) {
|
|
Dav1dSequenceHeader seq;
|
|
int err = dav1d_parse_sequence_header(&seq, ptr, frame_size);
|
|
// skip frames until we see a sequence header
|
|
if (err != 0) {
|
|
ptr += frame_size;
|
|
continue;
|
|
}
|
|
have_seq_hdr = 1;
|
|
}
|
|
|
|
// copy frame data to a new buffer to catch reads past the end of input
|
|
p = dav1d_data_create(&buf, frame_size);
|
|
if (!p) goto cleanup;
|
|
memcpy(p, ptr, frame_size);
|
|
ptr += frame_size;
|
|
|
|
do {
|
|
if ((err = dav1d_send_data(ctx, &buf)) < 0) {
|
|
if (err != DAV1D_ERR(EAGAIN))
|
|
break;
|
|
}
|
|
memset(&pic, 0, sizeof(pic));
|
|
err = dav1d_get_picture(ctx, &pic);
|
|
if (err == 0) {
|
|
dav1d_picture_unref(&pic);
|
|
} else if (err != DAV1D_ERR(EAGAIN)) {
|
|
break;
|
|
}
|
|
} while (buf.sz > 0);
|
|
|
|
if (buf.sz > 0)
|
|
dav1d_data_unref(&buf);
|
|
}
|
|
|
|
memset(&pic, 0, sizeof(pic));
|
|
if ((err = dav1d_get_picture(ctx, &pic)) == 0) {
|
|
/* Test calling dav1d_picture_unref() after dav1d_close() */
|
|
do {
|
|
Dav1dPicture pic2 = { 0 };
|
|
if ((err = dav1d_get_picture(ctx, &pic2)) == 0)
|
|
dav1d_picture_unref(&pic2);
|
|
} while (err != DAV1D_ERR(EAGAIN));
|
|
|
|
dav1d_close(&ctx);
|
|
dav1d_picture_unref(&pic);
|
|
return 0;
|
|
}
|
|
|
|
cleanup:
|
|
dav1d_close(&ctx);
|
|
end:
|
|
return 0;
|
|
}
|