1 /*
2 * Copyright (c) 2018 The WebM project authors. All Rights Reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 /*
12 * Fuzzer for libvpx decoders
13 * ==========================
14 * Requirements
15 * --------------
16 * Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker
17 * option.
18
19 * Steps to build
20 * --------------
21 * Clone libvpx repository
22 $git clone https://chromium.googlesource.com/webm/libvpx
23
24 * Create a directory in parallel to libvpx and change directory
25 $mkdir vpx_dec_fuzzer
26 $cd vpx_dec_fuzzer/
27
28 * Enable sanitizers (Supported: address integer memory thread undefined)
29 $source ../libvpx/tools/set_analyzer_env.sh address
30
31 * Configure libvpx.
32 * Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid
33 * Out of memory errors when running generated fuzzer binary
34 $../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \
35 --extra-cflags="-fsanitize=fuzzer-no-link \
36 -DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \
37 --disable-webm-io --enable-debug --disable-vp8-encoder \
38 --disable-vp9-encoder --disable-examples
39
40 * Build libvpx
41 $make -j32
42
43 * Build vp9 fuzzer
44 $ $CXX $CXXFLAGS -std=gnu++11 -DDECODER=vp9 \
45 -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \
46 ../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \
47 ./libvpx.a -Wl,--end-group
48
49 * DECODER should be defined as vp9 or vp8 to enable vp9/vp8
50 *
51 * create a corpus directory and copy some ivf files there.
52 * Based on which codec (vp8/vp9) is being tested, it is recommended to
53 * have corresponding ivf files in corpus directory
54 * Empty corpus directoy also is acceptable, though not recommended
55 $mkdir CORPUS && cp some-files CORPUS
56
57 * Run fuzzing:
58 $./vpx_dec_fuzzer_vp9 CORPUS
59
60 * References:
61 * http://llvm.org/docs/LibFuzzer.html
62 * https://github.com/google/oss-fuzz
63 */
64
65 #include <stddef.h>
66 #include <stdint.h>
67 #include <stdio.h>
68 #include <stdlib.h>
69 #include <algorithm>
70 #include <memory>
71
72 #include "vpx/vp8dx.h"
73 #include "vpx/vpx_decoder.h"
74 #include "vpx_ports/mem_ops.h"
75
76 #define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */
77 #define IVF_FILE_HDR_SZ 32
78
79 #define VPXD_INTERFACE(name) VPXD_INTERFACE_(name)
80 #define VPXD_INTERFACE_(name) vpx_codec_##name##_dx()
81
usage_exit(void)82 extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }
83
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)84 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
85 if (size <= IVF_FILE_HDR_SZ) {
86 return 0;
87 }
88
89 vpx_codec_ctx_t codec;
90 // Set thread count in the range [1, 64].
91 const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1;
92 vpx_codec_dec_cfg_t cfg = { threads, 0, 0 };
93 if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, 0)) {
94 return 0;
95 }
96
97 if (threads > 1) {
98 const int enable = (data[IVF_FILE_HDR_SZ] & 0xa0) != 0;
99 const vpx_codec_err_t err =
100 vpx_codec_control(&codec, VP9D_SET_LOOP_FILTER_OPT, enable);
101 static_cast<void>(err);
102 }
103
104 data += IVF_FILE_HDR_SZ;
105 size -= IVF_FILE_HDR_SZ;
106
107 while (size > IVF_FRAME_HDR_SZ) {
108 size_t frame_size = mem_get_le32(data);
109 size -= IVF_FRAME_HDR_SZ;
110 data += IVF_FRAME_HDR_SZ;
111 frame_size = std::min(size, frame_size);
112
113 vpx_codec_stream_info_t stream_info;
114 stream_info.sz = sizeof(stream_info);
115 vpx_codec_err_t err = vpx_codec_peek_stream_info(VPXD_INTERFACE(DECODER),
116 data, size, &stream_info);
117 static_cast<void>(err);
118
119 err = vpx_codec_decode(&codec, data, frame_size, nullptr, 0);
120 static_cast<void>(err);
121 vpx_codec_iter_t iter = nullptr;
122 vpx_image_t *img = nullptr;
123 while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) {
124 }
125 data += frame_size;
126 size -= frame_size;
127 }
128 vpx_codec_destroy(&codec);
129 return 0;
130 }
131