1 /*
2 * This file is part of FFmpeg.
3 *
4 * FFmpeg is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * FFmpeg is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with FFmpeg; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
#include "config.h"

#include <limits.h>

#include "libavutil/imgutils.h"

#include "libavcodec/avcodec.h"
#include "libavcodec/bsf_internal.h"
#include "libavcodec/bytestream.h"
#include "libavcodec/internal.h"
26
27 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
28
/*
 * Print a diagnostic to stderr and terminate the fuzzer process.
 *
 * Used for conditions (allocation failure) that are not bugs in the
 * filter under test; exiting tells the harness to stop rather than to
 * record a finding. Never returns.
 */
static void error(const char *err)
{
    fputs(err, stderr);
    exit(1);
}
34
/* Bitstream filter under test. Resolved once, on the first call to
 * LLVMFuzzerTestOneInput(): the filter named by FFMPEG_BSF when that macro
 * is defined, ff_null_bsf otherwise. */
static AVBitStreamFilter *f = NULL;

/* 8-byte marker separating packets in the fuzzer input. It is matched with
 * AV_RN64() in host byte order; on little-endian hosts the byte sequence
 * reads "FUZZ-TAG". */
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
38
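/*
 * Fill bsf->par_in from the 1024-byte configuration block that ends the
 * fuzzer input. Only called when size > 1024.
 *
 * Field order is fixed by this function and must not change without
 * regenerating the corpus: width, height, bit_rate, bits_per_coded_sample,
 * [codec selector byte + codec_tag, only when the filter lists codec_ids],
 * extradata_size, sample_rate, channels, block_align, keyframes.
 *
 * @param bsf        allocated but not yet initialised filter context
 * @param data       start of the whole fuzzer input
 * @param size       total input size (the last 1024 bytes are the block)
 * @param keyframes  receives the per-packet flag bit pattern
 */
static void read_fuzz_config(AVBSFContext *bsf, const uint8_t *data, size_t size,
                             uint64_t *keyframes)
{
    GetByteContext gbc;
    uint32_t extradata_size;

    /* The configuration block is not part of the packet stream. */
    size -= 1024;
    bytestream2_init(&gbc, data + size, 1024);
    bsf->par_in->width                 = bytestream2_get_le32(&gbc);
    bsf->par_in->height                = bytestream2_get_le32(&gbc);
    bsf->par_in->bit_rate              = bytestream2_get_le64(&gbc);
    bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);

    if (f->codec_ids) {
        int nb_ids = 0;
        unsigned sel;

        while (f->codec_ids[nb_ids] != AV_CODEC_ID_NONE)
            nb_ids++;
        /* Always consume the selector byte so the block layout does not
         * depend on the list length; an empty list keeps the default
         * codec_id instead of taking a modulo by zero. */
        sel = bytestream2_get_byte(&gbc);
        if (nb_ids > 0)
            bsf->par_in->codec_id = f->codec_ids[sel % nb_ids];
        bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
    }

    extradata_size = bytestream2_get_le32(&gbc);

    bsf->par_in->sample_rate = bytestream2_get_le32(&gbc);
    bsf->par_in->channels    = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
    bsf->par_in->block_align = bytestream2_get_le32(&gbc);
    *keyframes = bytestream2_get_le64(&gbc);

    /* Extradata is cut from the tail of the remaining bytes. Bound it by what
     * is left and by what still fits in an int once the padding is added
     * (par_in->extradata_size is an int). */
    if (extradata_size < size &&
        extradata_size <= (uint32_t)(INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)) {
        bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
        if (bsf->par_in->extradata) {
            bsf->par_in->extradata_size = extradata_size;
            size -= extradata_size;
            memcpy(bsf->par_in->extradata, data + size, extradata_size);
        }
    }
    /* Dimensions that fail the sanity check are dropped rather than passed on. */
    if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
        bsf->par_in->width = bsf->par_in->height = 0;
}

/*
 * libFuzzer entry point for a single bitstream filter.
 *
 * Input layout: a sequence of packets separated by the 8-byte FUZZ_TAG
 * marker, optionally followed (when size > 1024) by a 1024-byte
 * configuration block describing the input codec parameters. Note that
 * `end` is taken from the full input size, so the configuration block and
 * any extradata bytes are also fed through the filter as packet data; this
 * is kept as-is so existing corpora keep their meaning.
 *
 * Each packet is sent to the filter, output is drained one packet per
 * iteration, and the filter is flushed at the end. Allocation failures
 * terminate the process via error(); everything else returns 0.
 *
 * @return always 0
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    const uint64_t fuzz_tag = FUZZ_TAG;
    const uint8_t *last = data;
    const uint8_t *end = data + size;
    AVBSFContext *bsf = NULL;
    AVPacket in, out;
    uint64_t keyframes = 0;
    int res;

    if (!f) {
#ifdef FFMPEG_BSF
#define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
#define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
        extern AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
        f = &BSF_SYMBOL(FFMPEG_BSF);
#else
        extern AVBitStreamFilter ff_null_bsf;
        f = &ff_null_bsf;
#endif
        av_log_set_level(AV_LOG_PANIC);
    }

    res = av_bsf_alloc(f, &bsf);
    if (res < 0)
        error("Failed memory allocation");

    if (size > 1024)
        read_fuzz_config(bsf, data, size, &keyframes);

    res = av_bsf_init(bsf);
    if (res < 0) {
        av_bsf_free(&bsf);
        return 0; // Failure of av_bsf_init() does not imply that a issue was found
    }

    av_init_packet(&in);
    av_init_packet(&out);
    out.data = NULL;
    out.size = 0;
    while (data < end) {
        // Search for the TAG. Compare remaining lengths instead of forming
        // data + sizeof(fuzz_tag), which may point beyond end.
        while ((size_t)(end - data) > sizeof(fuzz_tag)) {
            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
                break;
            data++;
        }
        // Fewer than 8 bytes left: the rest is the final packet.
        if ((size_t)(end - data) < sizeof(fuzz_tag))
            data = end;

        res = av_new_packet(&in, data - last);
        if (res < 0)
            error("Failed memory allocation");
        memcpy(in.data, last, data - last);
        // Bits 0/1 of keyframes drive the flags of this packet; then rotate
        // the 64-bit pattern right by two for the next packet.
        in.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
        keyframes = (keyframes >> 2) + (keyframes<<62);
        // Skip the tag (or the 8 trailing bytes standing in for it); at
        // end there is nothing left to skip, so stay there.
        if (data != end)
            data += sizeof(fuzz_tag);
        last = data;

        // A successful send blanks `in` (size 0), ending the loop after one
        // receive; EAGAIN on send keeps the packet and retries after draining.
        while (in.size) {
            res = av_bsf_send_packet(bsf, &in);
            if (res < 0 && res != AVERROR(EAGAIN))
                break;
            res = av_bsf_receive_packet(bsf, &out);
            if (res < 0)
                break;
            av_packet_unref(&out);
        }
        av_packet_unref(&in);
    }

    // Flush: a NULL send signals EOF, then drain whatever is still buffered.
    res = av_bsf_send_packet(bsf, NULL);
    while (!res) {
        res = av_bsf_receive_packet(bsf, &out);
        if (res < 0)
            break;
        av_packet_unref(&out);
    }

    av_bsf_free(&bsf);
    return 0;
}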
154