1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
/*
* Copyright (c) 2025 The WebM project authors. All Rights Reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
/*
* Fuzzer for libvpx encoders
* ==========================
* Requirements
* --------------
* Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker
* option.
* Steps to build
* --------------
* Clone libvpx repository
$git clone https://chromium.googlesource.com/webm/libvpx
* Create a directory in parallel to libvpx and change directory
$mkdir vpx_enc_fuzzer
$cd vpx_enc_fuzzer/
* Enable sanitizers (Supported: address integer memory thread undefined)
$source ../libvpx/tools/set_analyzer_env.sh address
* Configure libvpx.
* Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid
* Out of memory errors when running generated fuzzer binary
$../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \
--extra-cflags="-fsanitize=fuzzer-no-link \
-DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \
--disable-webm-io --enable-debug --enable-vp8-encoder \
--enable-vp9-encoder --disable-examples
* Build libvpx
$make -j32
* Build vp9 fuzzer
$ $CXX $CXXFLAGS -std=gnu++17 -DENCODER=vp9 \
-fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \
../libvpx/examples/vpx_enc_fuzzer.cc -o ./vpx_enc_fuzzer_vp9 \
./libvpx.a -Wl,--end-group
* ENCODER should be defined as vp9 or vp8 to enable vp9/vp8
*
* create a corpus directory and copy some ivf files there.
* Based on which codec (vp8/vp9) is being tested, it is recommended to
* have corresponding ivf files in corpus directory
* Empty corpus directory also is acceptable, though not recommended
$mkdir CORPUS && cp some-files CORPUS
* Run fuzzing:
$./vpx_enc_fuzzer_vp9 CORPUS
* References:
* http://llvm.org/docs/LibFuzzer.html
* https://github.com/google/oss-fuzz
*/
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "vpx/vp8cx.h"
#include "vpx/vpx_encoder.h"
#include "vpx_ports/mem_ops.h"
#include "third_party/nalloc/nalloc.h"
// fuzz header to have config options, before raw image data
#define FUZZ_HDR_SZ 32
#define VPXC_INTERFACE(name) VPXC_INTERFACE_(name)
#define VPXC_INTERFACE_(name) vpx_codec_##name##_cx()
extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }
static int vpx_img_plane_width(const vpx_image_t *img, int plane) {
if (plane > 0 && img->x_chroma_shift > 0)
return (img->d_w + 1) >> img->x_chroma_shift;
else
return img->d_w;
}
static int vpx_img_plane_height(const vpx_image_t *img, int plane) {
if (plane > 0 && img->y_chroma_shift > 0)
return (img->d_h + 1) >> img->y_chroma_shift;
else
return img->d_h;
}
static int fuzz_vpx_img_read(vpx_image_t *img, const uint8_t *data,
size_t size) {
int plane;
// TODO: wtc - Need to clamp the sample values so that they are in range
// For example, if the bit depth is 10, the sample values must be <= 1023.
assert(img->bit_depth == 8);
const size_t bytespp = (img->fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
if (size == 0) return 0;
size_t used = 0;
for (plane = 0; plane < 3; ++plane) {
unsigned char *buf = img->planes[plane];
const int stride = img->stride[plane];
int w = vpx_img_plane_width(img, plane);
const int h = vpx_img_plane_height(img, plane);
int y;
// Assuming that for nv12 we read all chroma data at once
if (img->fmt == VPX_IMG_FMT_NV12 && plane > 1) break;
// Fixing NV12 chroma width if it is odd
if (img->fmt == VPX_IMG_FMT_NV12 && plane == 1) w = (w + 1) & ~1;
for (y = 0; y < h; ++y) {
size_t nb = bytespp * w;
if (nb > size - used) {
nb = size - used;
}
memcpy(buf, data, nb);
memset(buf + nb, 0, bytespp * w - nb);
buf += stride;
data += nb;
used += nb;
}
}
return used;
}
static int encode_frame(vpx_codec_ctx_t *codec, vpx_image_t *img,
int frame_index, int flags, FILE *out,
vpx_enc_deadline_t quality) {
int got_pkts = 0;
vpx_codec_iter_t iter = NULL;
const vpx_codec_cx_pkt_t *pkt = NULL;
const vpx_codec_err_t res =
vpx_codec_encode(codec, img, frame_index, 1, flags, quality);
if (res != VPX_CODEC_OK) return 0;
while ((pkt = vpx_codec_get_cx_data(codec, &iter)) != NULL) {
got_pkts = 1;
if (pkt->kind == VPX_CODEC_CX_FRAME_PKT) {
if (fwrite(pkt->data.frame.buf, 1, pkt->data.frame.sz, out) !=
pkt->data.frame.sz)
return 0;
}
}
return got_pkts;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size <= FUZZ_HDR_SZ) {
return 0;
}
nalloc_init(nullptr);
int keyframe_interval = 0;
int frame_count = 0;
vpx_codec_ctx_t codec;
vpx_image_t raw;
vpx_codec_enc_cfg_t cfg;
vpx_enc_deadline_t quality = VPX_DL_GOOD_QUALITY;
if ((data[0] & 0x80) != 0) {
keyframe_interval = 8;
}
if ((data[0] & 0x40) != 0) {
quality = VPX_DL_REALTIME;
} else if ((data[0] & 0x20) != 0) {
quality = VPX_DL_BEST_QUALITY;
}
if (vpx_codec_enc_config_default(VPXC_INTERFACE(ENCODER), &cfg, 0)) abort();
FILE *out = fopen("/dev/null", "wb");
switch (data[0] & 0x1F) {
case 0: cfg.g_w = 64; cfg.g_h = 1;
case 1: cfg.g_w = 1; cfg.g_h = 48;
case 2: cfg.g_w = 1; cfg.g_h = 1;
case 3: cfg.g_w = 4; cfg.g_h = 4;
case 4: cfg.g_w = 16; cfg.g_h = 16;
default: cfg.g_w = 64; cfg.g_h = 48;
}
cfg.g_timebase.num = 1;
cfg.g_timebase.den = 30; // fps
cfg.rc_target_bitrate = 200;
cfg.g_error_resilient = 1;
if (vpx_codec_enc_init(&codec, VPXC_INTERFACE(ENCODER), &cfg, 0)) {
return 0;
}
if (!vpx_img_alloc(&raw, VPX_IMG_FMT_I420, cfg.g_w, cfg.g_h, 1)) {
goto fail;
}
nalloc_start(data, size);
// We may want to add more config options (for more complex encoders as seen
// in the examples) in the future while still maintaining the same format (so
// that generated corpus is still valid). So we reserve FUZZ_HDR_SZ=32 bytes
// for this even if we just use one byte so far.
data += FUZZ_HDR_SZ;
size -= FUZZ_HDR_SZ;
// Encode frames.
while (1) {
int flags = 0;
size_t size_read = fuzz_vpx_img_read(&raw, data, size);
if (size_read == 0) break;
data += size_read;
size -= size_read;
if (keyframe_interval > 0 && frame_count % keyframe_interval == 0)
flags |= VPX_EFLAG_FORCE_KF;
encode_frame(&codec, &raw, frame_count++, flags, out, quality);
}
// Flush encoder.
while (encode_frame(&codec, NULL, -1, 0, out, quality)) {
}
fail:
nalloc_end();
vpx_img_free(&raw);
vpx_codec_destroy(&codec);
fclose(out);
return 0;
}
|
