[FFmpeg-devel] using afl for fuzzing (was: [PATCH] vp9: don't retain NULL as segmentation_map)

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Fri Jun 19 01:46:52 CEST 2015


On 19.06.2015 00:59, Kieran Kunhya wrote:
>> Thanks for this analysis. I've pushed the patch now.
>>
>> By the way, afl [1] is really a great tool for finding such problems.
>> I can only recommend everyone to try it out yourself.
> 
> Not to push this off-topic but can you let me know how you use afl
> with ffmpeg - I could never get it to work when I was fuzzing h264.
> Found lots of issues with zzuf though.

First one has to compile ffmpeg with afl, e.g. by running configure with
--cc="afl-gcc" --cxx="afl-g++" (and optionally --assert-level=2 to find
more problems).

Then one has to find a suitable test case for the demuxer/decoder one
is interested in. It is very important that it is small, ideally < 1kB.
(The larger it is, the (very much) longer the fuzzing takes.)

Finally one can run the afl fuzzer, e.g. with:
afl-fuzz -i testcases/ -o results/ -m 1G -- ./ffmpeg -threads 1 -i @@ -threads 1 -f null /dev/null

To improve the performance, I'm not fuzzing the ffmpeg binary, but rather
a much simpler program based on the demuxing_decoding example, but adapted
e.g. to only use one decoding thread to avoid variable test results.

(Besides, h264 is one of the more complex codecs, if not the most complex
one in FFmpeg, so fuzzing it thoroughly takes very long.)

Best regards,
Andreas
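As an added example (not part of the mail above and not FFmpeg's own tooling), a POSIX shell wrapper for the three steps described: the configure flags, the seed-size check and the afl-fuzz invocation with a single decoding thread. It assumes hypothetical paths for an ffmpeg source tree in $FFSRC and seed files in $SEEDS, and afl-gcc/afl-fuzz on PATH.

```shell
#!/bin/sh
# Added example, not from the mail: wraps the three steps described above.
# Assumes (hypothetical paths) an ffmpeg source tree in $FFSRC, seed files in
# $SEEDS, and afl-gcc/afl-fuzz on PATH. Nothing is built or fuzzed unless the
# script is invoked with "fuzz" as its first argument.
set -eu

FFSRC=${FFSRC:-./ffmpeg}
SEEDS=${SEEDS:-./testcases}
OUT=${OUT:-./results}
MAX_SEED_BYTES=1024   # seeds should stay below ~1 kB; bigger inputs make afl much slower

# Step 1: configure flags that make ffmpeg build with afl's instrumenting
# compilers, plus --assert-level=2 so more internal checks abort on bad state.
afl_configure_flags() {
    printf '%s\n' '--cc=afl-gcc' '--cxx=afl-g++' '--assert-level=2'
}

# Step 2: a seed qualifies only if it is smaller than MAX_SEED_BYTES.
seed_is_small() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -lt "$MAX_SEED_BYTES" ]
}

# Reject the corpus if any seed is too large (returns 1, listing offenders).
check_seed_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        seed_is_small "$f" || { echo "seed too large: $f" >&2; bad=1; }
    done
    return $bad
}

# Step 3: the afl-fuzz command line; -threads 1 on both the demuxer and the
# decoder side keeps results deterministic, -m 1G bounds the child's memory.
afl_fuzz_cmdline() {
    printf 'afl-fuzz -i %s -o %s -m 1G -- %s/ffmpeg -threads 1 -i @@ -threads 1 -f null /dev/null\n' \
        "$SEEDS" "$OUT" "$FFSRC"
}

case "${1:-}" in
    fuzz)
        (cd "$FFSRC" && ./configure $(afl_configure_flags) && make)
        check_seed_dir "$SEEDS"
        mkdir -p "$OUT"
        sh -c "$(afl_fuzz_cmdline)"
        ;;
esac
```

Run it as `sh afl-ffmpeg.sh fuzz`; replacing `ffmpeg` in afl_fuzz_cmdline with a small harness built from the demuxing_decoding example, as the mail suggests, speeds the loop up considerably.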

