FFmpeg
target_bsf_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/imgutils.h"
21 #include "libavutil/mem.h"
22 #include "libavutil/opt.h"
23 
24 #include "libavcodec/avcodec.h"
25 #include "libavcodec/bsf.h"
26 #include "libavcodec/bsf_internal.h"
27 #include "libavcodec/bytestream.h"
28 #include "libavcodec/internal.h"
29 
30 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
31 
32 static void error(const char *err)
33 {
34  fprintf(stderr, "%s", err);
35  exit(1);
36 }
37 
38 static const AVBitStreamFilter *f = NULL;
39 
40 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
41 
42 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
43  const uint64_t fuzz_tag = FUZZ_TAG;
44  const uint8_t *last = data;
45  const uint8_t *end = data + size;
46  AVBSFContext *bsf = NULL;
47  AVPacket *pkt;
48  uint64_t keyframes = 0;
49  uint64_t flushpattern = -1;
50  int res;
51 
52  if (!f) {
53 #ifdef FFMPEG_BSF
54 #define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
55 #define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
56  extern const AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
57  f = &BSF_SYMBOL(FFMPEG_BSF);
58 #endif
59  av_log_set_level(AV_LOG_PANIC);
60  }
61 
62  res = f ? av_bsf_alloc(f, &bsf) : av_bsf_get_null_filter(&bsf);
63  if (res < 0)
64  error("Failed memory allocation");
65  f = bsf->filter;
66 
67  if (size > 1024) {
68  GetByteContext gbc;
69  int extradata_size;
70  int flags;
71  size -= 1024;
72  bytestream2_init(&gbc, data + size, 1024);
73  bsf->par_in->width = bytestream2_get_le32(&gbc);
74  bsf->par_in->height = bytestream2_get_le32(&gbc);
75  bsf->par_in->bit_rate = bytestream2_get_le64(&gbc);
76  bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);
77 
78  if (f->codec_ids) {
79  int i, id;
80  for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
81  id = f->codec_ids[bytestream2_get_byte(&gbc) % i];
82  bsf->par_in->codec_id = id;
83  bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
84  }
85 
86  extradata_size = bytestream2_get_le32(&gbc);
87 
88  bsf->par_in->sample_rate = bytestream2_get_le32(&gbc);
89  bsf->par_in->ch_layout.nb_channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
90  bsf->par_in->block_align = bytestream2_get_le32(&gbc);
91  keyframes = bytestream2_get_le64(&gbc);
92  flushpattern = bytestream2_get_le64(&gbc);
93  flags = bytestream2_get_byte(&gbc);
94 
95  if (flags & 0x20) {
96  if (!strcmp(f->name, "av1_metadata"))
97  av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);
98  else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "hevc_metadata") ||
99  !strcmp(f->name, "vvc_metadata"))
100  av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);
101  else if (!strcmp(f->name, "extract_extradata"))
102  av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);
103  }
104 
105  if (extradata_size < size) {
106  bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
107  if (bsf->par_in->extradata) {
108  bsf->par_in->extradata_size = extradata_size;
109  size -= bsf->par_in->extradata_size;
110  memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
111  }
112  }
113  if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
114  bsf->par_in->width = bsf->par_in->height = 0;
115  }
116 
117  res = av_bsf_init(bsf);
118  if (res < 0) {
119  av_bsf_free(&bsf);
120  return 0; // Failure of av_bsf_init() does not imply that a issue was found
121  }
122 
123  pkt = av_packet_alloc();
124  if (!pkt)
125  error("Failed memory allocation");
126 
127  while (data < end) {
128  // Search for the TAG
129  while (data + sizeof(fuzz_tag) < end) {
130  if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
131  break;
132  data++;
133  }
134  if (data + sizeof(fuzz_tag) > end)
135  data = end;
136 
137  res = av_new_packet(pkt, data - last);
138  if (res < 0)
139  error("Failed memory allocation");
140  memcpy(pkt->data, last, data - last);
141  pkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
142  keyframes = (keyframes >> 2) + (keyframes<<62);
143  data += sizeof(fuzz_tag);
144  last = data;
145 
146  if (!(flushpattern & 7))
147  av_bsf_flush(bsf);
148  flushpattern = (flushpattern >> 3) + (flushpattern << 61);
149 
150  res = av_bsf_send_packet(bsf, pkt);
151  if (res < 0) {
152  av_packet_unref(pkt);
153  continue;
154  }
155  while (av_bsf_receive_packet(bsf, pkt) >= 0)
156  av_packet_unref(pkt);
157  }
158 
159  av_bsf_send_packet(bsf, NULL);
160  while (av_bsf_receive_packet(bsf, pkt) >= 0)
161  av_packet_unref(pkt);
162 
163  av_packet_free(&pkt);
164  av_bsf_free(&bsf);
165  return 0;
166 }
error
static void error(const char *err)
Definition: target_bsf_fuzzer.c:32
flags
const SwsFlags flags[]
Definition: swscale.c:61
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: packet.c:433
AVBSFContext::par_in
AVCodecParameters * par_in
Parameters of the input stream.
Definition: bsf.h:90
AVCodecParameters::extradata
uint8_t * extradata
Extra binary data needed for initializing the decoder, codec-dependent.
Definition: codec_par.h:69
bsf_internal.h
opt.h
GetByteContext
Definition: bytestream.h:33
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:197
AV_PKT_FLAG_DISCARD
#define AV_PKT_FLAG_DISCARD
Flag is used to discard packets which are required to maintain valid decoder state but are not requir...
Definition: packet.h:620
AVBitStreamFilter::name
const char * name
Definition: bsf.h:112
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:364
internal.h
AVPacket::data
uint8_t * data
Definition: packet.h:558
data
const char data[16]
Definition: mxf.c:149
AVCodecParameters::codec_tag
uint32_t codec_tag
Additional information about the codec (corresponds to the AVI FOURCC).
Definition: codec_par.h:59
AVChannelLayout::nb_channels
int nb_channels
Number of channels in this layout.
Definition: channel_layout.h:329
av_bsf_free
void av_bsf_free(AVBSFContext **pctx)
Free a bitstream filter context and everything associated with it; write NULL into the supplied point...
Definition: bsf.c:52
AV_PKT_FLAG_KEY
#define AV_PKT_FLAG_KEY
The packet contains a keyframe.
Definition: packet.h:613
av_packet_free
void av_packet_free(AVPacket **pkt)
Free the packet, if the packet is reference counted, it will be unreferenced first.
Definition: packet.c:75
AVBSFContext
The bitstream filter state.
Definition: bsf.h:68
bsf.h
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_bsf_fuzzer.c:42
pkt
AVPacket * pkt
Definition: movenc.c:60
av_new_packet
int av_new_packet(AVPacket *pkt, int size)
Allocate the payload of a packet and initialize its fields with default values.
Definition: packet.c:99
av_bsf_flush
void av_bsf_flush(AVBSFContext *ctx)
Reset the internal bitstream filter state.
Definition: bsf.c:190
AVCodecParameters::width
int width
Video only.
Definition: codec_par.h:134
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_bsf_fuzzer.c:40
f
static const AVBitStreamFilter * f
Definition: target_bsf_fuzzer.c:38
av_bsf_alloc
int av_bsf_alloc(const AVBitStreamFilter *filter, AVBSFContext **pctx)
Allocate a context for a given bitstream filter.
Definition: bsf.c:104
AVBitStreamFilter::codec_ids
enum AVCodecID * codec_ids
A list of codec ids supported by the filter, terminated by AV_CODEC_ID_NONE.
Definition: bsf.h:119
av_bsf_init
int av_bsf_init(AVBSFContext *ctx)
Prepare the filter for use, after all the parameters and options have been set.
Definition: bsf.c:149
NULL
#define NULL
Definition: coverity.c:32
https
FFmpeg hosted at Telepoint in bulgaria ns2 avcodec org Replica Name hosted at Prometeus Cdlan in italy instead several VMs run on it ffmpeg org and public facing also website git fftrac this part is build by a cronjob So is the doxygen stuff as well as the FFmpeg git snapshot These scripts are under the ffcron user https
Definition: infra.txt:80
av_bsf_receive_packet
int av_bsf_receive_packet(AVBSFContext *ctx, AVPacket *pkt)
Retrieve a filtered packet.
Definition: bsf.c:230
AVCodecParameters::ch_layout
AVChannelLayout ch_layout
Audio only.
Definition: codec_par.h:180
AVCodecParameters::sample_rate
int sample_rate
Audio only.
Definition: codec_par.h:184
av_opt_set_int
int av_opt_set_int(void *obj, const char *name, int64_t val, int search_flags)
Definition: opt.c:880
AVCodecParameters::extradata_size
int extradata_size
Size of the extradata content in bytes.
Definition: codec_par.h:73
av_bsf_send_packet
int av_bsf_send_packet(AVBSFContext *ctx, AVPacket *pkt)
Submit a packet for filtering.
Definition: bsf.c:202
size
int size
Definition: twinvq_data.h:10344
AVPacket::flags
int flags
A combination of AV_PKT_FLAG values.
Definition: packet.h:564
av_packet_alloc
AVPacket * av_packet_alloc(void)
Allocate an AVPacket and set its fields to default values.
Definition: packet.c:64
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:475
AV_CODEC_ID_NONE
@ AV_CODEC_ID_NONE
Definition: codec_id.h:50
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:256
AVCodecParameters::height
int height
Definition: codec_par.h:135
AVCodecParameters::block_align
int block_align
Audio only.
Definition: codec_par.h:191
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:256
avcodec.h
AVBSFContext::priv_data
void * priv_data
Opaque filter-specific private data.
Definition: bsf.h:83
av_bsf_get_null_filter
int av_bsf_get_null_filter(AVBSFContext **bsf)
Get null/pass-through bitstream filter.
Definition: bsf.c:553
AV_INPUT_BUFFER_PADDING_SIZE
#define AV_INPUT_BUFFER_PADDING_SIZE
Definition: defs.h:40
id
enum AVCodecID id
Definition: dts2pts.c:367
AVBitStreamFilter
Definition: bsf.h:111
AVBSFContext::filter
const struct AVBitStreamFilter * filter
The bitstream filter this context is an instance of.
Definition: bsf.h:77
AVCodecParameters::bits_per_coded_sample
int bits_per_coded_sample
The number of bits per sample in the codedwords.
Definition: codec_par.h:110
mem.h
AVCodecParameters::codec_id
enum AVCodecID codec_id
Specific type of the encoded data (the codec used).
Definition: codec_par.h:55
AVPacket
This structure stores compressed data.
Definition: packet.h:535
bytestream.h
imgutils.h
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:137
AVCodecParameters::bit_rate
int64_t bit_rate
The average bitrate of the encoded data (in bits per second).
Definition: codec_par.h:97
av_image_check_size
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...
Definition: imgutils.c:318
FF_SANE_NB_CHANNELS
#define FF_SANE_NB_CHANNELS
Definition: internal.h:37
Generated on Thu Sep 11 2025 19:26:37 for FFmpeg by   doxygen 1.8.17