1 /*
2 * Copyright © 2018, VideoLAN and dav1d authors
3 * Copyright © 2018, Janne Grunau
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright notice, this
10 * list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright notice,
13 * this list of conditions and the following disclaimer in the documentation
14 * and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
20 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include "config.h"
29
30 #include <errno.h>
31 #include <stddef.h>
32 #include <stdint.h>
33 #include <string.h>
34 #include <stdlib.h>
35
36 #include <dav1d/dav1d.h>
37 #include "src/cpu.h"
38 #include "dav1d_fuzzer.h"
39
40 #ifdef DAV1D_ALLOC_FAIL
41
42 #include "alloc_fail.h"
43
djb_xor(const uint8_t * c,size_t len)44 static unsigned djb_xor(const uint8_t * c, size_t len) {
45 unsigned hash = 5381;
46 for(size_t i = 0; i < len; i++)
47 hash = hash * 33 ^ c[i];
48 return hash;
49 }
50 #endif
51
r32le(const uint8_t * const p)52 static unsigned r32le(const uint8_t *const p) {
53 return ((uint32_t)p[3] << 24U) | (p[2] << 16U) | (p[1] << 8U) | p[0];
54 }
55
56 #define DAV1D_FUZZ_MAX_SIZE 4096 * 4096
57
58 // search for "--cpumask xxx" in argv and remove both parameters
LLVMFuzzerInitialize(int * argc,char *** argv)59 int LLVMFuzzerInitialize(int *argc, char ***argv) {
60 int i = 1;
61 for (; i < *argc; i++) {
62 if (!strcmp((*argv)[i], "--cpumask")) {
63 const char * cpumask = (*argv)[i+1];
64 if (cpumask) {
65 char *end;
66 unsigned res;
67 if (!strncmp(cpumask, "0x", 2)) {
68 cpumask += 2;
69 res = (unsigned) strtoul(cpumask, &end, 16);
70 } else {
71 res = (unsigned) strtoul(cpumask, &end, 0);
72 }
73 if (end != cpumask && !end[0]) {
74 dav1d_set_cpu_flags_mask(res);
75 }
76 }
77 break;
78 }
79 }
80
81 for (; i < *argc - 2; i++) {
82 (*argv)[i] = (*argv)[i + 2];
83 }
84
85 *argc = i;
86
87 return 0;
88 }
89
90
91 // expects ivf input
92
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)93 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
94 {
95 Dav1dSettings settings = { 0 };
96 Dav1dContext * ctx = NULL;
97 Dav1dPicture pic;
98 const uint8_t *ptr = data;
99 int have_seq_hdr = 0;
100 int err;
101
102 dav1d_version();
103
104 if (size < 32) goto end;
105 #ifdef DAV1D_ALLOC_FAIL
106 unsigned h = djb_xor(ptr, 32);
107 unsigned seed = h;
108 unsigned probability = h > (RAND_MAX >> 5) ? RAND_MAX >> 5 : h;
109 int max_frame_delay = (h & 0xf) + 1;
110 int n_threads = ((h >> 4) & 0x7) + 1;
111 if (max_frame_delay > 5) max_frame_delay = 1;
112 if (n_threads > 3) n_threads = 1;
113 #endif
114 ptr += 32; // skip ivf header
115
116 dav1d_default_settings(&settings);
117
118 #ifdef DAV1D_MT_FUZZING
119 settings.max_frame_delay = settings.n_threads = 4;
120 #elif defined(DAV1D_ALLOC_FAIL)
121 settings.max_frame_delay = max_frame_delay;
122 settings.n_threads = n_threads;
123 dav1d_setup_alloc_fail(seed, probability);
124 #else
125 settings.max_frame_delay = settings.n_threads = 1;
126 #endif
127 #if defined(DAV1D_FUZZ_MAX_SIZE)
128 settings.frame_size_limit = DAV1D_FUZZ_MAX_SIZE;
129 #endif
130
131 err = dav1d_open(&ctx, &settings);
132 if (err < 0) goto end;
133
134 while (ptr <= data + size - 12) {
135 Dav1dData buf;
136 uint8_t *p;
137
138 size_t frame_size = r32le(ptr);
139 ptr += 12;
140
141 if (frame_size > size || ptr > data + size - frame_size)
142 break;
143
144 if (!frame_size) continue;
145
146 if (!have_seq_hdr) {
147 Dav1dSequenceHeader seq;
148 int err = dav1d_parse_sequence_header(&seq, ptr, frame_size);
149 // skip frames until we see a sequence header
150 if (err != 0) {
151 ptr += frame_size;
152 continue;
153 }
154 have_seq_hdr = 1;
155 }
156
157 // copy frame data to a new buffer to catch reads past the end of input
158 p = dav1d_data_create(&buf, frame_size);
159 if (!p) goto cleanup;
160 memcpy(p, ptr, frame_size);
161 ptr += frame_size;
162
163 do {
164 if ((err = dav1d_send_data(ctx, &buf)) < 0) {
165 if (err != DAV1D_ERR(EAGAIN))
166 break;
167 }
168 memset(&pic, 0, sizeof(pic));
169 err = dav1d_get_picture(ctx, &pic);
170 if (err == 0) {
171 dav1d_picture_unref(&pic);
172 } else if (err != DAV1D_ERR(EAGAIN)) {
173 break;
174 }
175 } while (buf.sz > 0);
176
177 if (buf.sz > 0)
178 dav1d_data_unref(&buf);
179 }
180
181 memset(&pic, 0, sizeof(pic));
182 if ((err = dav1d_get_picture(ctx, &pic)) == 0) {
183 /* Test calling dav1d_picture_unref() after dav1d_close() */
184 do {
185 Dav1dPicture pic2 = { 0 };
186 if ((err = dav1d_get_picture(ctx, &pic2)) == 0)
187 dav1d_picture_unref(&pic2);
188 } while (err != DAV1D_ERR(EAGAIN));
189
190 dav1d_close(&ctx);
191 dav1d_picture_unref(&pic);
192 return 0;
193 }
194
195 cleanup:
196 dav1d_close(&ctx);
197 end:
198 return 0;
199 }
200