1*fb1b10abSAndroid Build Coastguard Worker /*
2*fb1b10abSAndroid Build Coastguard Worker * Copyright (c) 2018 The WebM project authors. All Rights Reserved.
3*fb1b10abSAndroid Build Coastguard Worker *
4*fb1b10abSAndroid Build Coastguard Worker * Use of this source code is governed by a BSD-style license
5*fb1b10abSAndroid Build Coastguard Worker * that can be found in the LICENSE file in the root of the source
6*fb1b10abSAndroid Build Coastguard Worker * tree. An additional intellectual property rights grant can be found
7*fb1b10abSAndroid Build Coastguard Worker * in the file PATENTS. All contributing project authors may
8*fb1b10abSAndroid Build Coastguard Worker * be found in the AUTHORS file in the root of the source tree.
9*fb1b10abSAndroid Build Coastguard Worker */
10*fb1b10abSAndroid Build Coastguard Worker
11*fb1b10abSAndroid Build Coastguard Worker /*
12*fb1b10abSAndroid Build Coastguard Worker * Fuzzer for libvpx decoders
13*fb1b10abSAndroid Build Coastguard Worker * ==========================
14*fb1b10abSAndroid Build Coastguard Worker * Requirements
15*fb1b10abSAndroid Build Coastguard Worker * --------------
16*fb1b10abSAndroid Build Coastguard Worker * Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker
17*fb1b10abSAndroid Build Coastguard Worker * option.
18*fb1b10abSAndroid Build Coastguard Worker
19*fb1b10abSAndroid Build Coastguard Worker * Steps to build
20*fb1b10abSAndroid Build Coastguard Worker * --------------
21*fb1b10abSAndroid Build Coastguard Worker * Clone libvpx repository
22*fb1b10abSAndroid Build Coastguard Worker $git clone https://chromium.googlesource.com/webm/libvpx
23*fb1b10abSAndroid Build Coastguard Worker
24*fb1b10abSAndroid Build Coastguard Worker * Create a directory in parallel to libvpx and change directory
25*fb1b10abSAndroid Build Coastguard Worker $mkdir vpx_dec_fuzzer
26*fb1b10abSAndroid Build Coastguard Worker $cd vpx_dec_fuzzer/
27*fb1b10abSAndroid Build Coastguard Worker
28*fb1b10abSAndroid Build Coastguard Worker * Enable sanitizers (Supported: address integer memory thread undefined)
29*fb1b10abSAndroid Build Coastguard Worker $source ../libvpx/tools/set_analyzer_env.sh address
30*fb1b10abSAndroid Build Coastguard Worker
31*fb1b10abSAndroid Build Coastguard Worker * Configure libvpx.
32*fb1b10abSAndroid Build Coastguard Worker * Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid
33*fb1b10abSAndroid Build Coastguard Worker * Out of memory errors when running generated fuzzer binary
34*fb1b10abSAndroid Build Coastguard Worker $../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \
35*fb1b10abSAndroid Build Coastguard Worker --extra-cflags="-fsanitize=fuzzer-no-link \
36*fb1b10abSAndroid Build Coastguard Worker -DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \
37*fb1b10abSAndroid Build Coastguard Worker --disable-webm-io --enable-debug --disable-vp8-encoder \
38*fb1b10abSAndroid Build Coastguard Worker --disable-vp9-encoder --disable-examples
39*fb1b10abSAndroid Build Coastguard Worker
40*fb1b10abSAndroid Build Coastguard Worker * Build libvpx
41*fb1b10abSAndroid Build Coastguard Worker $make -j32
42*fb1b10abSAndroid Build Coastguard Worker
43*fb1b10abSAndroid Build Coastguard Worker * Build vp9 fuzzer
44*fb1b10abSAndroid Build Coastguard Worker $ $CXX $CXXFLAGS -std=gnu++11 -DDECODER=vp9 \
45*fb1b10abSAndroid Build Coastguard Worker -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \
46*fb1b10abSAndroid Build Coastguard Worker ../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \
47*fb1b10abSAndroid Build Coastguard Worker ./libvpx.a -Wl,--end-group
48*fb1b10abSAndroid Build Coastguard Worker
49*fb1b10abSAndroid Build Coastguard Worker * DECODER should be defined as vp9 or vp8 to enable vp9/vp8
50*fb1b10abSAndroid Build Coastguard Worker *
51*fb1b10abSAndroid Build Coastguard Worker * create a corpus directory and copy some ivf files there.
52*fb1b10abSAndroid Build Coastguard Worker * Based on which codec (vp8/vp9) is being tested, it is recommended to
53*fb1b10abSAndroid Build Coastguard Worker * have corresponding ivf files in corpus directory
54*fb1b10abSAndroid Build Coastguard Worker * Empty corpus directoy also is acceptable, though not recommended
55*fb1b10abSAndroid Build Coastguard Worker $mkdir CORPUS && cp some-files CORPUS
56*fb1b10abSAndroid Build Coastguard Worker
57*fb1b10abSAndroid Build Coastguard Worker * Run fuzzing:
58*fb1b10abSAndroid Build Coastguard Worker $./vpx_dec_fuzzer_vp9 CORPUS
59*fb1b10abSAndroid Build Coastguard Worker
60*fb1b10abSAndroid Build Coastguard Worker * References:
61*fb1b10abSAndroid Build Coastguard Worker * http://llvm.org/docs/LibFuzzer.html
62*fb1b10abSAndroid Build Coastguard Worker * https://github.com/google/oss-fuzz
63*fb1b10abSAndroid Build Coastguard Worker */
64*fb1b10abSAndroid Build Coastguard Worker
65*fb1b10abSAndroid Build Coastguard Worker #include <stddef.h>
66*fb1b10abSAndroid Build Coastguard Worker #include <stdint.h>
67*fb1b10abSAndroid Build Coastguard Worker #include <stdio.h>
68*fb1b10abSAndroid Build Coastguard Worker #include <stdlib.h>
69*fb1b10abSAndroid Build Coastguard Worker #include <algorithm>
70*fb1b10abSAndroid Build Coastguard Worker #include <memory>
71*fb1b10abSAndroid Build Coastguard Worker
72*fb1b10abSAndroid Build Coastguard Worker #include "vpx/vp8dx.h"
73*fb1b10abSAndroid Build Coastguard Worker #include "vpx/vpx_decoder.h"
74*fb1b10abSAndroid Build Coastguard Worker #include "vpx_ports/mem_ops.h"
75*fb1b10abSAndroid Build Coastguard Worker
76*fb1b10abSAndroid Build Coastguard Worker #define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */
77*fb1b10abSAndroid Build Coastguard Worker #define IVF_FILE_HDR_SZ 32
78*fb1b10abSAndroid Build Coastguard Worker
79*fb1b10abSAndroid Build Coastguard Worker #define VPXD_INTERFACE(name) VPXD_INTERFACE_(name)
80*fb1b10abSAndroid Build Coastguard Worker #define VPXD_INTERFACE_(name) vpx_codec_##name##_dx()
81*fb1b10abSAndroid Build Coastguard Worker
usage_exit(void)82*fb1b10abSAndroid Build Coastguard Worker extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }
83*fb1b10abSAndroid Build Coastguard Worker
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)84*fb1b10abSAndroid Build Coastguard Worker extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
85*fb1b10abSAndroid Build Coastguard Worker if (size <= IVF_FILE_HDR_SZ) {
86*fb1b10abSAndroid Build Coastguard Worker return 0;
87*fb1b10abSAndroid Build Coastguard Worker }
88*fb1b10abSAndroid Build Coastguard Worker
89*fb1b10abSAndroid Build Coastguard Worker vpx_codec_ctx_t codec;
90*fb1b10abSAndroid Build Coastguard Worker // Set thread count in the range [1, 64].
91*fb1b10abSAndroid Build Coastguard Worker const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1;
92*fb1b10abSAndroid Build Coastguard Worker vpx_codec_dec_cfg_t cfg = { threads, 0, 0 };
93*fb1b10abSAndroid Build Coastguard Worker if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, 0)) {
94*fb1b10abSAndroid Build Coastguard Worker return 0;
95*fb1b10abSAndroid Build Coastguard Worker }
96*fb1b10abSAndroid Build Coastguard Worker
97*fb1b10abSAndroid Build Coastguard Worker if (threads > 1) {
98*fb1b10abSAndroid Build Coastguard Worker const int enable = (data[IVF_FILE_HDR_SZ] & 0xa0) != 0;
99*fb1b10abSAndroid Build Coastguard Worker const vpx_codec_err_t err =
100*fb1b10abSAndroid Build Coastguard Worker vpx_codec_control(&codec, VP9D_SET_LOOP_FILTER_OPT, enable);
101*fb1b10abSAndroid Build Coastguard Worker static_cast<void>(err);
102*fb1b10abSAndroid Build Coastguard Worker }
103*fb1b10abSAndroid Build Coastguard Worker
104*fb1b10abSAndroid Build Coastguard Worker data += IVF_FILE_HDR_SZ;
105*fb1b10abSAndroid Build Coastguard Worker size -= IVF_FILE_HDR_SZ;
106*fb1b10abSAndroid Build Coastguard Worker
107*fb1b10abSAndroid Build Coastguard Worker while (size > IVF_FRAME_HDR_SZ) {
108*fb1b10abSAndroid Build Coastguard Worker size_t frame_size = mem_get_le32(data);
109*fb1b10abSAndroid Build Coastguard Worker size -= IVF_FRAME_HDR_SZ;
110*fb1b10abSAndroid Build Coastguard Worker data += IVF_FRAME_HDR_SZ;
111*fb1b10abSAndroid Build Coastguard Worker frame_size = std::min(size, frame_size);
112*fb1b10abSAndroid Build Coastguard Worker
113*fb1b10abSAndroid Build Coastguard Worker vpx_codec_stream_info_t stream_info;
114*fb1b10abSAndroid Build Coastguard Worker stream_info.sz = sizeof(stream_info);
115*fb1b10abSAndroid Build Coastguard Worker vpx_codec_err_t err = vpx_codec_peek_stream_info(VPXD_INTERFACE(DECODER),
116*fb1b10abSAndroid Build Coastguard Worker data, size, &stream_info);
117*fb1b10abSAndroid Build Coastguard Worker static_cast<void>(err);
118*fb1b10abSAndroid Build Coastguard Worker
119*fb1b10abSAndroid Build Coastguard Worker err = vpx_codec_decode(&codec, data, frame_size, nullptr, 0);
120*fb1b10abSAndroid Build Coastguard Worker static_cast<void>(err);
121*fb1b10abSAndroid Build Coastguard Worker vpx_codec_iter_t iter = nullptr;
122*fb1b10abSAndroid Build Coastguard Worker vpx_image_t *img = nullptr;
123*fb1b10abSAndroid Build Coastguard Worker while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) {
124*fb1b10abSAndroid Build Coastguard Worker }
125*fb1b10abSAndroid Build Coastguard Worker data += frame_size;
126*fb1b10abSAndroid Build Coastguard Worker size -= frame_size;
127*fb1b10abSAndroid Build Coastguard Worker }
128*fb1b10abSAndroid Build Coastguard Worker vpx_codec_destroy(&codec);
129*fb1b10abSAndroid Build Coastguard Worker return 0;
130*fb1b10abSAndroid Build Coastguard Worker }
131