1 /******************************************************************************
2 *
3 * Copyright (C) 2022 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************
18 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19 */
20 /**
21 *******************************************************************************
22 * @file
23 * svc_dec_fuzzer.cpp
24 *
25 * @brief
26 * Contains functions required for fuzzer tests
27 *
28 * @author
29 * Kishore
30 *
31 * @remarks
32 * None
33 *
34 *******************************************************************************
35 */
36
37 #include <stddef.h>
38 #include <stdint.h>
39 #include <stdio.h>
40 #include <stdlib.h>
41 #include <string.h>
42
43 #include <algorithm>
44 #include <memory>
45
46 #include "ih264_typedefs.h"
47 #include "ithread.h"
48 #include "iv.h"
49 #include "ivd.h"
50
51 #include "ih264d.h"
52 #include "isvcd.h"
53
54 #define NELEMENTS(x) (sizeof(x) / sizeof(x[0]))
55 #define ivd_api_function isvcd_api_function
56 const IV_COLOR_FORMAT_T supportedColorFormats[] = {IV_YUV_420P, IV_YUV_420SP_UV, IV_YUV_420SP_VU,
57 IV_YUV_422ILE, IV_RGB_565, IV_RGBA_8888};
58
59 /* Decoder ignores invalid arch, i.e. for arm build, if SSSE3 is requested,
60 * decoder defaults to a supported configuration. So same set of supported
61 * architectures can be used in arm/arm64/x86 builds */
62 const IVD_ARCH_T supportedArchitectures[] = {
63 ARCH_ARM_NONEON, ARCH_ARM_A9Q, ARCH_ARM_NEONINTR, ARCH_ARMV8_GENERIC,
64 ARCH_X86_GENERIC, ARCH_X86_SSSE3, ARCH_X86_SSE42};
65
66 enum
67 {
68 OFFSET_COLOR_FORMAT = 6,
69 OFFSET_NUM_CORES,
70 OFFSET_ARCH,
71 OFFSET_TGT_LAYER,
72 /* Should be the last entry */
73 OFFSET_MAX,
74 };
75
76 const static int kMaxNumDecodeCalls = 100;
77 const static int kSupportedColorFormats = NELEMENTS(supportedColorFormats);
78 const static int kSupportedArchitectures = NELEMENTS(supportedArchitectures);
79 const static int kMaxCores = 4;
80 const static int kMaxTgtLayer = 2;
iv_aligned_malloc(void * ctxt,WORD32 alignment,WORD32 size)81 void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size)
82 {
83 void *buf = NULL;
84 (void) ctxt;
85 if(0 != posix_memalign(&buf, alignment, size))
86 {
87 return NULL;
88 }
89 return buf;
90 }
91
iv_aligned_free(void * ctxt,void * buf)92 void iv_aligned_free(void *ctxt, void *buf)
93 {
94 (void) ctxt;
95 free(buf);
96 }
97
98 class Codec
99 {
100 public:
101 Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores);
102 ~Codec();
103
104 void createCodec();
105 void deleteCodec();
106 void resetCodec();
107 void setCores();
108 void allocFrame();
109 void freeFrame();
110 void decodeHeader(const uint8_t *data, size_t size);
111 IV_API_CALL_STATUS_T decodeFrame(const uint8_t *data, size_t size, size_t *bytesConsumed);
112 void setParams(IVD_VIDEO_DECODE_MODE_T mode);
113 void setArchitecture(IVD_ARCH_T arch);
114 void setTgtLayer(size_t tgtLayer);
115
116 private:
117 IV_COLOR_FORMAT_T mColorFormat;
118 size_t mNumCores;
119 iv_obj_t *mCodec;
120 ivd_out_bufdesc_t mOutBufHandle;
121 uint32_t mWidth;
122 uint32_t mHeight;
123 };
124
Codec(IV_COLOR_FORMAT_T colorFormat,size_t numCores)125 Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores)
126 {
127 mColorFormat = colorFormat;
128 mNumCores = numCores;
129 mCodec = nullptr;
130 mWidth = 0;
131 mHeight = 0;
132
133 memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
134 }
135
~Codec()136 Codec::~Codec() {}
createCodec()137 void Codec::createCodec()
138 {
139 IV_API_CALL_STATUS_T ret;
140 ih264d_create_ip_t create_ip{};
141 ih264d_create_op_t create_op{};
142 void *fxns = (void *) &ivd_api_function;
143
144 create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
145 create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0;
146 create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat;
147 create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc;
148 create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free;
149 create_ip.s_ivd_create_ip_t.pv_mem_ctxt = NULL;
150 create_ip.s_ivd_create_ip_t.u4_size = sizeof(ih264d_create_ip_t);
151 create_op.s_ivd_create_op_t.u4_size = sizeof(ih264d_create_op_t);
152
153 ret = ivd_api_function(NULL, (void *) &create_ip, (void *) &create_op);
154 if(ret != IV_SUCCESS)
155 {
156 return;
157 }
158 mCodec = (iv_obj_t *) create_op.s_ivd_create_op_t.pv_handle;
159 mCodec->pv_fxns = fxns;
160 mCodec->u4_size = sizeof(iv_obj_t);
161 }
162
deleteCodec()163 void Codec::deleteCodec()
164 {
165 ivd_delete_ip_t delete_ip{};
166 ivd_delete_op_t delete_op{};
167
168 delete_ip.e_cmd = IVD_CMD_DELETE;
169 delete_ip.u4_size = sizeof(ivd_delete_ip_t);
170 delete_op.u4_size = sizeof(ivd_delete_op_t);
171
172 ivd_api_function(mCodec, (void *) &delete_ip, (void *) &delete_op);
173 }
174
resetCodec()175 void Codec::resetCodec()
176 {
177 ivd_ctl_reset_ip_t s_ctl_ip{};
178 ivd_ctl_reset_op_t s_ctl_op{};
179
180 s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
181 s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET;
182 s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t);
183 s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t);
184
185 ivd_api_function(mCodec, (void *) &s_ctl_ip, (void *) &s_ctl_op);
186 }
187
setCores()188 void Codec::setCores()
189 {
190 ih264d_ctl_set_num_cores_ip_t s_ctl_ip{};
191 ih264d_ctl_set_num_cores_op_t s_ctl_op{};
192
193 s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
194 s_ctl_ip.e_sub_cmd = (IVD_CONTROL_API_COMMAND_TYPE_T) IH264D_CMD_CTL_SET_NUM_CORES;
195 s_ctl_ip.u4_num_cores = mNumCores;
196 s_ctl_ip.u4_size = sizeof(ih264d_ctl_set_num_cores_ip_t);
197 s_ctl_op.u4_size = sizeof(ih264d_ctl_set_num_cores_op_t);
198
199 ivd_api_function(mCodec, (void *) &s_ctl_ip, (void *) &s_ctl_op);
200 }
201
setTgtLayer(size_t TgtLayer)202 void Codec::setTgtLayer(size_t TgtLayer)
203 {
204 isvcd_set_target_layer_ip_t s_ctl_set_target_layer_ip{};
205 isvcd_set_target_layer_op_t s_ctl_set_target_layer_op{};
206
207 s_ctl_set_target_layer_ip.e_cmd = IVD_CMD_VIDEO_CTL;
208 s_ctl_set_target_layer_ip.e_sub_cmd =
209 (IVD_CONTROL_API_COMMAND_TYPE_T) ISVCD_CMD_CTL_SET_TGT_LAYER;
210 s_ctl_set_target_layer_ip.u1_tgt_priority_id = 63;
211 s_ctl_set_target_layer_ip.u1_tgt_temp_id = 7;
212 s_ctl_set_target_layer_ip.u1_tgt_quality_id = 0;
213 s_ctl_set_target_layer_ip.u1_tgt_dep_id = TgtLayer;
214 s_ctl_set_target_layer_ip.u4_size = sizeof(isvcd_set_target_layer_ip_t);
215 s_ctl_set_target_layer_op.u4_size = sizeof(isvcd_set_target_layer_op_t);
216
217 ivd_api_function(mCodec, (void *) &s_ctl_set_target_layer_ip,
218 (void *) &s_ctl_set_target_layer_op);
219 }
220
setParams(IVD_VIDEO_DECODE_MODE_T mode)221 void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode)
222 {
223 ivd_ctl_set_config_ip_t s_ctl_ip{};
224 ivd_ctl_set_config_op_t s_ctl_op{};
225
226 s_ctl_ip.u4_disp_wd = 0;
227 s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE;
228 s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT;
229 s_ctl_ip.e_vid_dec_mode = mode;
230 s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
231 s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS;
232 s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t);
233 s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t);
234
235 ivd_api_function(mCodec, (void *) &s_ctl_ip, (void *) &s_ctl_op);
236 }
237
setArchitecture(IVD_ARCH_T arch)238 void Codec::setArchitecture(IVD_ARCH_T arch)
239 {
240 ih264d_ctl_set_processor_ip_t s_ctl_ip{};
241 ih264d_ctl_set_processor_op_t s_ctl_op{};
242
243 s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
244 s_ctl_ip.e_sub_cmd = (IVD_CONTROL_API_COMMAND_TYPE_T) IH264D_CMD_CTL_SET_PROCESSOR;
245 s_ctl_ip.u4_arch = arch;
246 s_ctl_ip.u4_soc = SOC_GENERIC;
247 s_ctl_ip.u4_size = sizeof(ih264d_ctl_set_processor_ip_t);
248 s_ctl_op.u4_size = sizeof(ih264d_ctl_set_processor_op_t);
249
250 ivd_api_function(mCodec, (void *) &s_ctl_ip, (void *) &s_ctl_op);
251 }
252
freeFrame()253 void Codec::freeFrame()
254 {
255 for(unsigned int i = 0; i < mOutBufHandle.u4_num_bufs; i++)
256 {
257 if(mOutBufHandle.pu1_bufs[i])
258 {
259 iv_aligned_free(NULL, mOutBufHandle.pu1_bufs[i]);
260 mOutBufHandle.pu1_bufs[i] = nullptr;
261 }
262 }
263 }
264
allocFrame()265 void Codec::allocFrame()
266 {
267 size_t sizes[4] = {0};
268 UWORD32 num_bufs = 0;
269
270 freeFrame();
271
272 memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
273
274 switch(mColorFormat)
275 {
276 case IV_YUV_420SP_UV:
277 [[fallthrough]];
278 case IV_YUV_420SP_VU:
279 sizes[0] = mWidth * mHeight;
280 sizes[1] = mWidth * mHeight >> 1;
281 num_bufs = 2;
282 break;
283 case IV_YUV_422ILE:
284 sizes[0] = mWidth * mHeight * 2;
285 num_bufs = 1;
286 break;
287 case IV_RGB_565:
288 sizes[0] = mWidth * mHeight * 2;
289 num_bufs = 1;
290 break;
291 case IV_RGBA_8888:
292 sizes[0] = mWidth * mHeight * 4;
293 num_bufs = 1;
294 break;
295 case IV_YUV_420P:
296 [[fallthrough]];
297 default:
298 sizes[0] = mWidth * mHeight;
299 sizes[1] = mWidth * mHeight >> 2;
300 sizes[2] = mWidth * mHeight >> 2;
301 num_bufs = 3;
302 break;
303 }
304 mOutBufHandle.u4_num_bufs = num_bufs;
305 for(UWORD32 i = 0; i < num_bufs; i++)
306 {
307 mOutBufHandle.u4_min_out_buf_size[i] = sizes[i];
308 mOutBufHandle.pu1_bufs[i] = (UWORD8 *) iv_aligned_malloc(NULL, 16, sizes[i]);
309 }
310 }
311
decodeHeader(const uint8_t * data,size_t size)312 void Codec::decodeHeader(const uint8_t *data, size_t size)
313 {
314 setParams(IVD_DECODE_HEADER);
315 size_t numDecodeCalls = 0;
316 while(size > 0 && numDecodeCalls < kMaxNumDecodeCalls)
317 {
318 IV_API_CALL_STATUS_T ret;
319 isvcd_video_decode_ip_t s_video_decode_ip;
320 isvcd_video_decode_op_t s_video_decode_op;
321 size_t bytes_consumed;
322 memset(&s_video_decode_ip, 0, sizeof(s_video_decode_ip));
323 memset(&s_video_decode_op, 0, sizeof(s_video_decode_op));
324
325 s_video_decode_ip.s_ivd_video_decode_ip_t.e_cmd = IVD_CMD_VIDEO_DECODE;
326 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_ts = 0;
327 s_video_decode_ip.s_ivd_video_decode_ip_t.pv_stream_buffer = (void *) data;
328 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_num_Bytes = size;
329 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_size = sizeof(s_video_decode_ip);
330 s_video_decode_op.s_ivd_video_decode_op_t.u4_size = sizeof(s_video_decode_op);
331
332 ret = ivd_api_function(mCodec, (void *) &s_video_decode_ip, (void *) &s_video_decode_op);
333 (void(ret));
334 bytes_consumed = s_video_decode_op.s_ivd_video_decode_op_t.u4_num_bytes_consumed;
335 /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
336 * to feed next data */
337 if(!bytes_consumed) bytes_consumed = 4;
338
339 bytes_consumed = std::min(size, bytes_consumed);
340
341 data += bytes_consumed;
342 size -= bytes_consumed;
343 numDecodeCalls++;
344
345 mWidth = std::min(s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_wd, (UWORD32) 10240);
346 mHeight = std::min(s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_ht, (UWORD32) 10240);
347
348 /* Break after successful header decode */
349 if(mWidth && mHeight)
350 {
351 break;
352 }
353 }
354 /* if width / height are invalid, set them to defaults */
355 if(!mWidth) mWidth = 1920;
356 if(!mHeight) mHeight = 1088;
357 }
358
decodeFrame(const uint8_t * data,size_t size,size_t * bytesConsumed)359 IV_API_CALL_STATUS_T Codec::decodeFrame(const uint8_t *data, size_t size, size_t *bytesConsumed)
360 {
361 IV_API_CALL_STATUS_T ret;
362 isvcd_video_decode_ip_t s_video_decode_ip{};
363 isvcd_video_decode_op_t s_video_decode_op{};
364
365 s_video_decode_ip.s_ivd_video_decode_ip_t.e_cmd = IVD_CMD_VIDEO_DECODE;
366 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_ts = 0;
367 s_video_decode_ip.s_ivd_video_decode_ip_t.pv_stream_buffer = (void *) data;
368 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_num_Bytes = size;
369 s_video_decode_ip.s_ivd_video_decode_ip_t.u4_size = sizeof(s_video_decode_ip);
370 s_video_decode_ip.s_ivd_video_decode_ip_t.s_out_buffer = mOutBufHandle;
371
372 s_video_decode_op.s_ivd_video_decode_op_t.u4_size = sizeof(s_video_decode_op);
373 s_video_decode_op.s_ivd_video_decode_op_t.u4_num_bytes_consumed = 0;
374 s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_wd = 0;
375 s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_ht = 0;
376
377 ret = ivd_api_function(mCodec, (void *) &s_video_decode_ip, (void *) &s_video_decode_op);
378
379 /* In case of change in resolution, reset codec and feed the same data again
380 */
381 if(IVD_RES_CHANGED == (s_video_decode_op.s_ivd_video_decode_op_t.u4_error_code & 0xFF))
382 {
383 resetCodec();
384 ret = ivd_api_function(mCodec, (void *) &s_video_decode_ip, (void *) &s_video_decode_op);
385 }
386 *bytesConsumed = s_video_decode_op.s_ivd_video_decode_op_t.u4_num_bytes_consumed;
387
388 /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
389 * to feed next data */
390 if(!*bytesConsumed)
391 {
392 *bytesConsumed = 4;
393 }
394 if(s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_wd &&
395 s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_ht &&
396 (mWidth != s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_wd ||
397 mHeight != s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_ht))
398 {
399 mWidth = std::min(s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_wd, (UWORD32) 10240);
400 mHeight = std::min(s_video_decode_op.s_ivd_video_decode_op_t.u4_pic_ht, (UWORD32) 10240);
401 allocFrame();
402 }
403
404 return ret;
405 }
406
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)407 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
408 {
409 if(size < 1)
410 {
411 return 0;
412 }
413 size_t colorFormatOfst = std::min((size_t) OFFSET_COLOR_FORMAT, size - 1);
414 size_t numCoresOfst = std::min((size_t) OFFSET_NUM_CORES, size - 1);
415 size_t architectureOfst = std::min((size_t) OFFSET_ARCH, size - 1);
416 size_t architectureIdx = data[architectureOfst] % kSupportedArchitectures;
417 IVD_ARCH_T arch = (IVD_ARCH_T) supportedArchitectures[architectureIdx];
418 size_t colorFormatIdx = data[colorFormatOfst] % kSupportedColorFormats;
419 IV_COLOR_FORMAT_T colorFormat = (IV_COLOR_FORMAT_T) (supportedColorFormats[colorFormatIdx]);
420 uint32_t numCores = (data[numCoresOfst] % kMaxCores) + 1;
421
422 size_t numTgtLayerOfst = std::min((size_t) OFFSET_TGT_LAYER, size - 1);
423 uint32_t tgtLayer = (data[numTgtLayerOfst] % kMaxTgtLayer);
424
425 size_t numDecodeCalls = 0;
426 Codec *codec = new Codec(colorFormat, numCores);
427 codec->createCodec();
428 codec->setArchitecture(arch);
429 codec->setCores();
430 codec->setTgtLayer(tgtLayer);
431 codec->decodeHeader(data, size);
432 codec->setParams(IVD_DECODE_FRAME);
433 codec->allocFrame();
434
435 while(size > 0 && numDecodeCalls < kMaxNumDecodeCalls)
436 {
437 IV_API_CALL_STATUS_T ret;
438 size_t bytesConsumed;
439 ret = codec->decodeFrame(data, size, &bytesConsumed);
440 (void(ret));
441 bytesConsumed = std::min(size, bytesConsumed);
442 data += bytesConsumed;
443 size -= bytesConsumed;
444 numDecodeCalls++;
445 }
446
447 codec->freeFrame();
448 codec->deleteCodec();
449 delete codec;
450 return 0;
451 }
452