1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/imgutils.h"
21 #include "libavutil/opt.h"
22 
23 #include "libavcodec/avcodec.h"
24 #include "libavcodec/bsf_internal.h"
25 #include "libavcodec/bytestream.h"
26 #include "libavcodec/internal.h"
27 
28 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
29 
/**
 * Report an unrecoverable harness failure and terminate the process.
 *
 * The message is written to stderr exactly as given (no newline is
 * appended) and the process then exits with status 1, so the fuzzing run
 * stops at the current input. This function never returns.
 *
 * @param err NUL-terminated message to print
 */
static void error(const char *err)
{
    fputs(err, stderr);
    exit(1);
}
35 
/* Bitstream filter under test. Starts out NULL and is resolved once, on the
 * first call to LLVMFuzzerTestOneInput(), then reused for every input. */
static AVBitStreamFilter *f = NULL;

/* Packet separator searched for in the fuzzer input. Laid out in memory in
 * little-endian order, these eight bytes read as the ASCII text "FUZZ-TAG". */
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
39 
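/**
 * libFuzzer entry point: run one bitstream filter over a fuzzer-generated input.
 *
 * Everything reachable from data is untrusted. The input is interpreted as:
 *  - When size > 1024, the final 1024 bytes form a parameter trailer that is
 *    read little-endian in a fixed order into bsf->par_in (dimensions, bit
 *    rate, codec selection, extradata size, audio parameters), followed by
 *    the keyframe pattern, the flush pattern and a flags byte. The read
 *    order is part of the corpus format and must not be rearranged.
 *  - When the trailer's extradata size is smaller than the remaining input,
 *    that many bytes immediately before the trailer become par_in->extradata.
 *  - The input is cut into packets at each occurrence of FUZZ_TAG and every
 *    packet is pushed through the filter, which is then drained.
 *
 * @param data fuzzer-provided bytes
 * @param size number of bytes available at data
 * @return always 0; harness allocation failures end the process via error()
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    const uint64_t fuzz_tag = FUZZ_TAG;
    const uint8_t *last = data;
    /* NOTE(review): end is derived from the full input size, before the
     * trailer and extradata are carved off below, so the packet loop also
     * walks those bytes as payload. Confirm this is intended. */
    const uint8_t *end = data + size;
    AVBSFContext *bsf = NULL;
    AVPacket *in, *out;
    uint64_t keyframes = 0;
    uint64_t flushpattern = -1; /* all ones: never flush unless the trailer overrides it */
    int res;

    /* One-time setup: pick the filter selected at build time (the null
     * filter when FFMPEG_BSF is not defined) and restrict library logging
     * to the PANIC level. */
    if (!f) {
#ifdef FFMPEG_BSF
#define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
#define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
        extern AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
        f = &BSF_SYMBOL(FFMPEG_BSF);
#else
        extern AVBitStreamFilter ff_null_bsf;
        f = &ff_null_bsf;
#endif
        av_log_set_level(AV_LOG_PANIC);
    }

    res = av_bsf_alloc(f, &bsf);
    if (res < 0)
        error("Failed memory allocation");

    if (size > 1024) {
        GetByteContext gbc;
        int extradata_size;
        int flags;
        size -= 1024;
        /* All trailer reads go through gbc, which is bounded to the 1024-byte window. */
        bytestream2_init(&gbc, data + size, 1024);
        bsf->par_in->width                      = bytestream2_get_le32(&gbc);
        bsf->par_in->height                     = bytestream2_get_le32(&gbc);
        bsf->par_in->bit_rate                   = bytestream2_get_le64(&gbc);
        bsf->par_in->bits_per_coded_sample      = bytestream2_get_le32(&gbc);

        if (f->codec_ids) {
            int i, id;
            unsigned sel;
            for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
            /* Consume the selector byte unconditionally so the trailer
             * layout stays the same, but only index the list when it has
             * at least one entry: "% i" with i == 0 is a division by zero. */
            sel = bytestream2_get_byte(&gbc);
            if (i > 0) {
                id = f->codec_ids[sel % i];
                bsf->par_in->codec_id = id;
            }
            bsf->par_in->codec_tag              = bytestream2_get_le32(&gbc);
        }

        extradata_size = bytestream2_get_le32(&gbc);

        bsf->par_in->sample_rate                = bytestream2_get_le32(&gbc);
        /* Reduced modulo FF_SANE_NB_CHANNELS so the channel count stays below that limit. */
        bsf->par_in->channels                   = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
        bsf->par_in->block_align                = bytestream2_get_le32(&gbc);
        keyframes                               = bytestream2_get_le64(&gbc);
        flushpattern                            = bytestream2_get_le64(&gbc);
        flags                                   = bytestream2_get_byte(&gbc);

        /* Bit 0x20 enables one filter-specific private option; the result
         * of av_opt_set_int() is deliberately not checked. */
        if (flags & 0x20) {
            if (!strcmp(f->name, "av1_metadata"))
                av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "h265_metadata"))
                av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "extract_extradata"))
                av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);
        }

        /* extradata_size is int and size is size_t, so the comparison is
         * unsigned: a negative size converts to a huge value and is
         * rejected here together with anything that does not fit. */
        if (extradata_size < size) {
            bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
            if (bsf->par_in->extradata) {
                bsf->par_in->extradata_size = extradata_size;
                size -= bsf->par_in->extradata_size;
                /* The extradata bytes sit immediately before the trailer. */
                memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
            }
        }
        /* Dimensions that fail av_image_check_size() are reset to 0x0. */
        if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
            bsf->par_in->width = bsf->par_in->height = 0;
    }

    res = av_bsf_init(bsf);
    if (res < 0) {
        av_bsf_free(&bsf);
        return 0; // Failure of av_bsf_init() does not imply that an issue was found
    }

    in = av_packet_alloc();
    out = av_packet_alloc();
    if (!in || !out)
        error("Failed memory allocation");

    while (data < end) {
        // Search for the TAG
        /* Remaining length is compared instead of forming data + 8, which
         * would point past the end of the buffer near the tail of the input.
         * The strict ">" guarantees the 8-byte AV_RN64() read stays in bounds. */
        while ((size_t)(end - data) > sizeof(fuzz_tag)) {
            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
                break;
            data++;
        }
        /* Fewer than 8 bytes left: no tag can follow, the packet runs to the end. */
        if ((size_t)(end - data) < sizeof(fuzz_tag))
            data = end;

        /* NOTE(review): av_new_packet() takes an int size; inputs are
         * assumed to be far below INT_MAX. Confirm against the fuzzer's
         * maximum input length. */
        res = av_new_packet(in, data - last);
        if (res < 0)
            error("Failed memory allocation");
        memcpy(in->data, last, data - last);
        /* The two low bits of keyframes choose DISCARD and KEY for this
         * packet; the pattern is then rotated right by two bits. */
        in->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
        keyframes = (keyframes >> 2) + (keyframes<<62);
        /* Step over the tag, or stop at end when the packet already reached it. */
        data = (size_t)(end - data) >= sizeof(fuzz_tag) ? data + sizeof(fuzz_tag) : end;
        last = data;

        /* Flush the filter whenever the three low bits of the pattern are
         * zero, then rotate the pattern right by three bits. */
        if (!(flushpattern & 7))
            av_bsf_flush(bsf);
        flushpattern = (flushpattern >> 3) + (flushpattern << 61);

        /* Feed the packet and pull output until the packet has been taken
         * or either call reports an error other than EAGAIN on send. */
        while (in->size) {
            res = av_bsf_send_packet(bsf, in);
            if (res < 0 && res != AVERROR(EAGAIN))
                break;
            res = av_bsf_receive_packet(bsf, out);
            if (res < 0)
                break;
            av_packet_unref(out);
        }
        av_packet_unref(in);
    }

    /* Signal end of stream with a NULL packet and drain what is left. */
    res = av_bsf_send_packet(bsf, NULL);
    while (!res) {
        res = av_bsf_receive_packet(bsf, out);
        if (res < 0)
            break;
        av_packet_unref(out);
    }

    av_packet_free(&in);
    av_packet_free(&out);
    av_bsf_free(&bsf);
    return 0;
}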