tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

av1_dec_fuzzer.cc (3134B)

      1 /*
      2 * Copyright (c) 2019, Alliance for Open Media. All rights reserved.
      3 *
      4 * This source code is subject to the terms of the BSD 2 Clause License and
      5 * the Alliance for Open Media Patent License 1.0. If the BSD 2 Clause License
      6 * was not distributed with this source code in the LICENSE file, you can
      7 * obtain it at www.aomedia.org/license/software. If the Alliance for Open
      8 * Media Patent License 1.0 was not distributed with this source code in the
      9 * PATENTS file, you can obtain it at www.aomedia.org/license/patent.
     10 */
     11 
     12 /*
     13 * See build_av1_dec_fuzzer.sh for building instructions.
     14 */
     15 
     16 #include <stddef.h>
     17 #include <stdint.h>
     18 #include <stdio.h>
     19 #include <stdlib.h>
     20 #include <algorithm>
     21 #include <memory>
     22 #include "config/aom_config.h"
     23 #include "aom/aom_decoder.h"
     24 #include "aom/aomdx.h"
     25 #include "aom_ports/mem_ops.h"
     26 
     27 #define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */
     28 #define IVF_FILE_HDR_SZ 32
     29 
     30 extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }
     31 
     32 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     33  if (size <= IVF_FILE_HDR_SZ) {
     34    return 0;
     35  }
     36 
     37  // Abusing the four unused bytes at the end of the IVF file header as a source
     38  // of random bits.
     39  unsigned int tile_mode = (data[IVF_FILE_HDR_SZ - 1] & 2) != 0;
     40  unsigned int ext_tile_debug = (data[IVF_FILE_HDR_SZ - 1] & 4) != 0;
     41  unsigned int is_annexb = (data[IVF_FILE_HDR_SZ - 1] & 8) != 0;
     42  int output_all_layers = (data[IVF_FILE_HDR_SZ - 1] & 0x10) != 0;
     43  int operating_point = data[IVF_FILE_HDR_SZ - 2] & 0x1F;
     44 
     45  aom_codec_iface_t *codec_interface = aom_codec_av1_dx();
     46  aom_codec_ctx_t codec;
     47  // Set thread count in the range [1, 64].
     48  const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1;
     49  aom_codec_dec_cfg_t cfg = { threads, 0, 0, !FORCE_HIGHBITDEPTH_DECODING };
     50  if (aom_codec_dec_init(&codec, codec_interface, &cfg, 0)) {
     51    return 0;
     52  }
     53  AOM_CODEC_CONTROL_TYPECHECKED(&codec, AV1_SET_TILE_MODE, tile_mode);
     54  AOM_CODEC_CONTROL_TYPECHECKED(&codec, AV1D_EXT_TILE_DEBUG, ext_tile_debug);
     55  AOM_CODEC_CONTROL_TYPECHECKED(&codec, AV1D_SET_IS_ANNEXB, is_annexb);
     56  AOM_CODEC_CONTROL_TYPECHECKED(&codec, AV1D_SET_OUTPUT_ALL_LAYERS,
     57                                output_all_layers);
     58  AOM_CODEC_CONTROL_TYPECHECKED(&codec, AV1D_SET_OPERATING_POINT,
     59                                operating_point);
     60 
     61  data += IVF_FILE_HDR_SZ;
     62  size -= IVF_FILE_HDR_SZ;
     63 
     64  while (size > IVF_FRAME_HDR_SZ) {
     65    size_t frame_size = mem_get_le32(data);
     66    size -= IVF_FRAME_HDR_SZ;
     67    data += IVF_FRAME_HDR_SZ;
     68    frame_size = std::min(size, frame_size);
     69 
     70    aom_codec_stream_info_t stream_info;
     71    stream_info.is_annexb = is_annexb;
     72    aom_codec_err_t err =
     73        aom_codec_peek_stream_info(codec_interface, data, size, &stream_info);
     74    static_cast<void>(err);
     75 
     76    err = aom_codec_decode(&codec, data, frame_size, nullptr);
     77    static_cast<void>(err);
     78    aom_codec_iter_t iter = nullptr;
     79    aom_image_t *img = nullptr;
     80    while ((img = aom_codec_get_frame(&codec, &iter)) != nullptr) {
     81    }
     82    data += frame_size;
     83    size -= frame_size;
     84  }
     85  aom_codec_destroy(&codec);
     86  return 0;
     87 }