1*c0909341SAndroid Build Coastguard Worker /*
2*c0909341SAndroid Build Coastguard Worker * Copyright © 2018, VideoLAN and dav1d authors
3*c0909341SAndroid Build Coastguard Worker * Copyright © 2018, Janne Grunau
4*c0909341SAndroid Build Coastguard Worker * All rights reserved.
5*c0909341SAndroid Build Coastguard Worker *
6*c0909341SAndroid Build Coastguard Worker * Redistribution and use in source and binary forms, with or without
7*c0909341SAndroid Build Coastguard Worker * modification, are permitted provided that the following conditions are met:
8*c0909341SAndroid Build Coastguard Worker *
9*c0909341SAndroid Build Coastguard Worker * 1. Redistributions of source code must retain the above copyright notice, this
10*c0909341SAndroid Build Coastguard Worker * list of conditions and the following disclaimer.
11*c0909341SAndroid Build Coastguard Worker *
12*c0909341SAndroid Build Coastguard Worker * 2. Redistributions in binary form must reproduce the above copyright notice,
13*c0909341SAndroid Build Coastguard Worker * this list of conditions and the following disclaimer in the documentation
14*c0909341SAndroid Build Coastguard Worker * and/or other materials provided with the distribution.
15*c0909341SAndroid Build Coastguard Worker *
16*c0909341SAndroid Build Coastguard Worker * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
17*c0909341SAndroid Build Coastguard Worker * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18*c0909341SAndroid Build Coastguard Worker * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19*c0909341SAndroid Build Coastguard Worker * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
20*c0909341SAndroid Build Coastguard Worker * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21*c0909341SAndroid Build Coastguard Worker * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22*c0909341SAndroid Build Coastguard Worker * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23*c0909341SAndroid Build Coastguard Worker * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24*c0909341SAndroid Build Coastguard Worker * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25*c0909341SAndroid Build Coastguard Worker * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26*c0909341SAndroid Build Coastguard Worker */
27*c0909341SAndroid Build Coastguard Worker
28*c0909341SAndroid Build Coastguard Worker #include "config.h"
29*c0909341SAndroid Build Coastguard Worker
30*c0909341SAndroid Build Coastguard Worker #include <errno.h>
31*c0909341SAndroid Build Coastguard Worker #include <stddef.h>
32*c0909341SAndroid Build Coastguard Worker #include <stdint.h>
33*c0909341SAndroid Build Coastguard Worker #include <string.h>
34*c0909341SAndroid Build Coastguard Worker #include <stdlib.h>
35*c0909341SAndroid Build Coastguard Worker
36*c0909341SAndroid Build Coastguard Worker #include <dav1d/dav1d.h>
37*c0909341SAndroid Build Coastguard Worker #include "src/cpu.h"
38*c0909341SAndroid Build Coastguard Worker #include "dav1d_fuzzer.h"
39*c0909341SAndroid Build Coastguard Worker
40*c0909341SAndroid Build Coastguard Worker #ifdef DAV1D_ALLOC_FAIL
41*c0909341SAndroid Build Coastguard Worker
42*c0909341SAndroid Build Coastguard Worker #include "alloc_fail.h"
43*c0909341SAndroid Build Coastguard Worker
djb_xor(const uint8_t * c,size_t len)44*c0909341SAndroid Build Coastguard Worker static unsigned djb_xor(const uint8_t * c, size_t len) {
45*c0909341SAndroid Build Coastguard Worker unsigned hash = 5381;
46*c0909341SAndroid Build Coastguard Worker for(size_t i = 0; i < len; i++)
47*c0909341SAndroid Build Coastguard Worker hash = hash * 33 ^ c[i];
48*c0909341SAndroid Build Coastguard Worker return hash;
49*c0909341SAndroid Build Coastguard Worker }
50*c0909341SAndroid Build Coastguard Worker #endif
51*c0909341SAndroid Build Coastguard Worker
r32le(const uint8_t * const p)52*c0909341SAndroid Build Coastguard Worker static unsigned r32le(const uint8_t *const p) {
53*c0909341SAndroid Build Coastguard Worker return ((uint32_t)p[3] << 24U) | (p[2] << 16U) | (p[1] << 8U) | p[0];
54*c0909341SAndroid Build Coastguard Worker }
55*c0909341SAndroid Build Coastguard Worker
56*c0909341SAndroid Build Coastguard Worker #define DAV1D_FUZZ_MAX_SIZE 4096 * 4096
57*c0909341SAndroid Build Coastguard Worker
58*c0909341SAndroid Build Coastguard Worker // search for "--cpumask xxx" in argv and remove both parameters
LLVMFuzzerInitialize(int * argc,char *** argv)59*c0909341SAndroid Build Coastguard Worker int LLVMFuzzerInitialize(int *argc, char ***argv) {
60*c0909341SAndroid Build Coastguard Worker int i = 1;
61*c0909341SAndroid Build Coastguard Worker for (; i < *argc; i++) {
62*c0909341SAndroid Build Coastguard Worker if (!strcmp((*argv)[i], "--cpumask")) {
63*c0909341SAndroid Build Coastguard Worker const char * cpumask = (*argv)[i+1];
64*c0909341SAndroid Build Coastguard Worker if (cpumask) {
65*c0909341SAndroid Build Coastguard Worker char *end;
66*c0909341SAndroid Build Coastguard Worker unsigned res;
67*c0909341SAndroid Build Coastguard Worker if (!strncmp(cpumask, "0x", 2)) {
68*c0909341SAndroid Build Coastguard Worker cpumask += 2;
69*c0909341SAndroid Build Coastguard Worker res = (unsigned) strtoul(cpumask, &end, 16);
70*c0909341SAndroid Build Coastguard Worker } else {
71*c0909341SAndroid Build Coastguard Worker res = (unsigned) strtoul(cpumask, &end, 0);
72*c0909341SAndroid Build Coastguard Worker }
73*c0909341SAndroid Build Coastguard Worker if (end != cpumask && !end[0]) {
74*c0909341SAndroid Build Coastguard Worker dav1d_set_cpu_flags_mask(res);
75*c0909341SAndroid Build Coastguard Worker }
76*c0909341SAndroid Build Coastguard Worker }
77*c0909341SAndroid Build Coastguard Worker break;
78*c0909341SAndroid Build Coastguard Worker }
79*c0909341SAndroid Build Coastguard Worker }
80*c0909341SAndroid Build Coastguard Worker
81*c0909341SAndroid Build Coastguard Worker for (; i < *argc - 2; i++) {
82*c0909341SAndroid Build Coastguard Worker (*argv)[i] = (*argv)[i + 2];
83*c0909341SAndroid Build Coastguard Worker }
84*c0909341SAndroid Build Coastguard Worker
85*c0909341SAndroid Build Coastguard Worker *argc = i;
86*c0909341SAndroid Build Coastguard Worker
87*c0909341SAndroid Build Coastguard Worker return 0;
88*c0909341SAndroid Build Coastguard Worker }
89*c0909341SAndroid Build Coastguard Worker
90*c0909341SAndroid Build Coastguard Worker
91*c0909341SAndroid Build Coastguard Worker // expects ivf input
92*c0909341SAndroid Build Coastguard Worker
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)93*c0909341SAndroid Build Coastguard Worker int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
94*c0909341SAndroid Build Coastguard Worker {
95*c0909341SAndroid Build Coastguard Worker Dav1dSettings settings = { 0 };
96*c0909341SAndroid Build Coastguard Worker Dav1dContext * ctx = NULL;
97*c0909341SAndroid Build Coastguard Worker Dav1dPicture pic;
98*c0909341SAndroid Build Coastguard Worker const uint8_t *ptr = data;
99*c0909341SAndroid Build Coastguard Worker int have_seq_hdr = 0;
100*c0909341SAndroid Build Coastguard Worker int err;
101*c0909341SAndroid Build Coastguard Worker
102*c0909341SAndroid Build Coastguard Worker dav1d_version();
103*c0909341SAndroid Build Coastguard Worker
104*c0909341SAndroid Build Coastguard Worker if (size < 32) goto end;
105*c0909341SAndroid Build Coastguard Worker #ifdef DAV1D_ALLOC_FAIL
106*c0909341SAndroid Build Coastguard Worker unsigned h = djb_xor(ptr, 32);
107*c0909341SAndroid Build Coastguard Worker unsigned seed = h;
108*c0909341SAndroid Build Coastguard Worker unsigned probability = h > (RAND_MAX >> 5) ? RAND_MAX >> 5 : h;
109*c0909341SAndroid Build Coastguard Worker int max_frame_delay = (h & 0xf) + 1;
110*c0909341SAndroid Build Coastguard Worker int n_threads = ((h >> 4) & 0x7) + 1;
111*c0909341SAndroid Build Coastguard Worker if (max_frame_delay > 5) max_frame_delay = 1;
112*c0909341SAndroid Build Coastguard Worker if (n_threads > 3) n_threads = 1;
113*c0909341SAndroid Build Coastguard Worker #endif
114*c0909341SAndroid Build Coastguard Worker ptr += 32; // skip ivf header
115*c0909341SAndroid Build Coastguard Worker
116*c0909341SAndroid Build Coastguard Worker dav1d_default_settings(&settings);
117*c0909341SAndroid Build Coastguard Worker
118*c0909341SAndroid Build Coastguard Worker #ifdef DAV1D_MT_FUZZING
119*c0909341SAndroid Build Coastguard Worker settings.max_frame_delay = settings.n_threads = 4;
120*c0909341SAndroid Build Coastguard Worker #elif defined(DAV1D_ALLOC_FAIL)
121*c0909341SAndroid Build Coastguard Worker settings.max_frame_delay = max_frame_delay;
122*c0909341SAndroid Build Coastguard Worker settings.n_threads = n_threads;
123*c0909341SAndroid Build Coastguard Worker dav1d_setup_alloc_fail(seed, probability);
124*c0909341SAndroid Build Coastguard Worker #else
125*c0909341SAndroid Build Coastguard Worker settings.max_frame_delay = settings.n_threads = 1;
126*c0909341SAndroid Build Coastguard Worker #endif
127*c0909341SAndroid Build Coastguard Worker #if defined(DAV1D_FUZZ_MAX_SIZE)
128*c0909341SAndroid Build Coastguard Worker settings.frame_size_limit = DAV1D_FUZZ_MAX_SIZE;
129*c0909341SAndroid Build Coastguard Worker #endif
130*c0909341SAndroid Build Coastguard Worker
131*c0909341SAndroid Build Coastguard Worker err = dav1d_open(&ctx, &settings);
132*c0909341SAndroid Build Coastguard Worker if (err < 0) goto end;
133*c0909341SAndroid Build Coastguard Worker
134*c0909341SAndroid Build Coastguard Worker while (ptr <= data + size - 12) {
135*c0909341SAndroid Build Coastguard Worker Dav1dData buf;
136*c0909341SAndroid Build Coastguard Worker uint8_t *p;
137*c0909341SAndroid Build Coastguard Worker
138*c0909341SAndroid Build Coastguard Worker size_t frame_size = r32le(ptr);
139*c0909341SAndroid Build Coastguard Worker ptr += 12;
140*c0909341SAndroid Build Coastguard Worker
141*c0909341SAndroid Build Coastguard Worker if (frame_size > size || ptr > data + size - frame_size)
142*c0909341SAndroid Build Coastguard Worker break;
143*c0909341SAndroid Build Coastguard Worker
144*c0909341SAndroid Build Coastguard Worker if (!frame_size) continue;
145*c0909341SAndroid Build Coastguard Worker
146*c0909341SAndroid Build Coastguard Worker if (!have_seq_hdr) {
147*c0909341SAndroid Build Coastguard Worker Dav1dSequenceHeader seq;
148*c0909341SAndroid Build Coastguard Worker int err = dav1d_parse_sequence_header(&seq, ptr, frame_size);
149*c0909341SAndroid Build Coastguard Worker // skip frames until we see a sequence header
150*c0909341SAndroid Build Coastguard Worker if (err != 0) {
151*c0909341SAndroid Build Coastguard Worker ptr += frame_size;
152*c0909341SAndroid Build Coastguard Worker continue;
153*c0909341SAndroid Build Coastguard Worker }
154*c0909341SAndroid Build Coastguard Worker have_seq_hdr = 1;
155*c0909341SAndroid Build Coastguard Worker }
156*c0909341SAndroid Build Coastguard Worker
157*c0909341SAndroid Build Coastguard Worker // copy frame data to a new buffer to catch reads past the end of input
158*c0909341SAndroid Build Coastguard Worker p = dav1d_data_create(&buf, frame_size);
159*c0909341SAndroid Build Coastguard Worker if (!p) goto cleanup;
160*c0909341SAndroid Build Coastguard Worker memcpy(p, ptr, frame_size);
161*c0909341SAndroid Build Coastguard Worker ptr += frame_size;
162*c0909341SAndroid Build Coastguard Worker
163*c0909341SAndroid Build Coastguard Worker do {
164*c0909341SAndroid Build Coastguard Worker if ((err = dav1d_send_data(ctx, &buf)) < 0) {
165*c0909341SAndroid Build Coastguard Worker if (err != DAV1D_ERR(EAGAIN))
166*c0909341SAndroid Build Coastguard Worker break;
167*c0909341SAndroid Build Coastguard Worker }
168*c0909341SAndroid Build Coastguard Worker memset(&pic, 0, sizeof(pic));
169*c0909341SAndroid Build Coastguard Worker err = dav1d_get_picture(ctx, &pic);
170*c0909341SAndroid Build Coastguard Worker if (err == 0) {
171*c0909341SAndroid Build Coastguard Worker dav1d_picture_unref(&pic);
172*c0909341SAndroid Build Coastguard Worker } else if (err != DAV1D_ERR(EAGAIN)) {
173*c0909341SAndroid Build Coastguard Worker break;
174*c0909341SAndroid Build Coastguard Worker }
175*c0909341SAndroid Build Coastguard Worker } while (buf.sz > 0);
176*c0909341SAndroid Build Coastguard Worker
177*c0909341SAndroid Build Coastguard Worker if (buf.sz > 0)
178*c0909341SAndroid Build Coastguard Worker dav1d_data_unref(&buf);
179*c0909341SAndroid Build Coastguard Worker }
180*c0909341SAndroid Build Coastguard Worker
181*c0909341SAndroid Build Coastguard Worker memset(&pic, 0, sizeof(pic));
182*c0909341SAndroid Build Coastguard Worker if ((err = dav1d_get_picture(ctx, &pic)) == 0) {
183*c0909341SAndroid Build Coastguard Worker /* Test calling dav1d_picture_unref() after dav1d_close() */
184*c0909341SAndroid Build Coastguard Worker do {
185*c0909341SAndroid Build Coastguard Worker Dav1dPicture pic2 = { 0 };
186*c0909341SAndroid Build Coastguard Worker if ((err = dav1d_get_picture(ctx, &pic2)) == 0)
187*c0909341SAndroid Build Coastguard Worker dav1d_picture_unref(&pic2);
188*c0909341SAndroid Build Coastguard Worker } while (err != DAV1D_ERR(EAGAIN));
189*c0909341SAndroid Build Coastguard Worker
190*c0909341SAndroid Build Coastguard Worker dav1d_close(&ctx);
191*c0909341SAndroid Build Coastguard Worker dav1d_picture_unref(&pic);
192*c0909341SAndroid Build Coastguard Worker return 0;
193*c0909341SAndroid Build Coastguard Worker }
194*c0909341SAndroid Build Coastguard Worker
195*c0909341SAndroid Build Coastguard Worker cleanup:
196*c0909341SAndroid Build Coastguard Worker dav1d_close(&ctx);
197*c0909341SAndroid Build Coastguard Worker end:
198*c0909341SAndroid Build Coastguard Worker return 0;
199*c0909341SAndroid Build Coastguard Worker }
200