[FFmpeg-devel] [PATCHv6] fate/integer.c: Connect test to fuzzer

Michael Niedermayer michael at niedermayer.cc
Wed Jun 2 18:29:13 EEST 2021


On Mon, May 31, 2021 at 10:59:11AM +0530, Vedaa wrote:
> Hi,
> 
> I have added checks so that only positive numbers are passed to the
> function, and limited the bits read to 24-bits. This has stopped the
> fuzzer from terminating. 
> ---
>  Makefile                  |  2 ++
>  libavutil/tests/integer.c | 21 ++----------------
>  libavutil/tests/integer.h | 45 +++++++++++++++++++++++++++++++++++++++
>  tools/Makefile            |  3 +++
>  tools/target_int_fuzzer.c | 38 +++++++++++++++++++++++++++++++++
>  5 files changed, 90 insertions(+), 19 deletions(-)
>  create mode 100644 libavutil/tests/integer.h
>  create mode 100644 tools/target_int_fuzzer.c
> 
> diff --git a/Makefile b/Makefile
> index 1e3da6271b..651133eb1a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -61,6 +61,8 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
>  tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
>  	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>  
> +tools/target_int_fuzzer$(EXESUF): tools/target_int_fuzzer.o $(FF_DEP_LIBS)
> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>  
>  tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
>  tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
> diff --git a/libavutil/tests/integer.c b/libavutil/tests/integer.c
> index d2c8f2a903..02e1d9219c 100644
> --- a/libavutil/tests/integer.c
> +++ b/libavutil/tests/integer.c
> @@ -18,31 +18,14 @@
>   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>   */
>  
> -#include <stdint.h>
> -
> -#include "libavutil/avassert.h"
> -#include "libavutil/integer.h"
> -#include "libavutil/intmath.h"
> +#include "libavutil/tests/integer.h"
>  
>  int main(void){
>      int64_t a,b;
>  
>      for(a=7; a<256*256*256; a+=13215){
>          for(b=3; b<256*256*256; b+=27118){
> -            AVInteger ai= av_int2i(a);
> -            AVInteger bi= av_int2i(b);
> -
> -            av_assert0(av_i2int(ai) == a);
> -            av_assert0(av_i2int(bi) == b);
> -            av_assert0(av_i2int(av_add_i(ai,bi)) == a+b);
> -            av_assert0(av_i2int(av_sub_i(ai,bi)) == a-b);
> -            av_assert0(av_i2int(av_mul_i(ai,bi)) == a*b);
> -            av_assert0(av_i2int(av_shr_i(ai, 9)) == a>>9);
> -            av_assert0(av_i2int(av_shr_i(ai,-9)) == a<<9);
> -            av_assert0(av_i2int(av_shr_i(ai, 17)) == a>>17);
> -            av_assert0(av_i2int(av_shr_i(ai,-17)) == a<<17);
> -            av_assert0(av_log2_i(ai) == av_log2(a));
> -            av_assert0(av_i2int(av_div_i(ai,bi)) == a/b);
> +            TestInteger(a,b);
>          }
>      }
>      return 0;
> diff --git a/libavutil/tests/integer.h b/libavutil/tests/integer.h
> new file mode 100644
> index 0000000000..1e28c29787
> --- /dev/null
> +++ b/libavutil/tests/integer.h
> @@ -0,0 +1,45 @@
> +/*
> + * Copyright (c) 2004 Michael Niedermayer <michaelni at gmx.at>
> + *
> + * This file is part of FFmpeg.
> + *
> + * FFmpeg is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * FFmpeg is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with FFmpeg; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + */
> +#ifndef AVUTIL_TESTS_INTEGER_H
> +#define AVUTIL_TESTS_INTEGER_H
> +
> +#include <stdint.h>
> +#include "libavutil/avassert.h"
> +#include "libavutil/integer.h"
> +#include "libavutil/intmath.h"
> +
> +static inline void TestInteger(int64_t a, int64_t b)
> +{
> +        AVInteger ai= av_int2i(a);
> +        AVInteger bi= av_int2i(b);
> +
> +        av_assert0(av_i2int(ai) == a);
> +        av_assert0(av_i2int(bi) == b);
> +        av_assert0(av_i2int(av_add_i(ai,bi)) == a+b);
> +        av_assert0(av_i2int(av_sub_i(ai,bi)) == a-b);
> +        av_assert0(av_i2int(av_mul_i(ai,bi)) == a*b);
> +        av_assert0(av_i2int(av_shr_i(ai, 9)) == a>>9);
> +        av_assert0(av_i2int(av_shr_i(ai,-9)) == a<<9);
> +        av_assert0(av_i2int(av_shr_i(ai, 17)) == a>>17);
> +        av_assert0(av_i2int(av_shr_i(ai,-17)) == a<<17);
> +        av_assert0(av_log2_i(ai) == av_log2(a));
> +        av_assert0(av_i2int(av_div_i(ai,bi)) == a/b);
> +}
> +#endif /* AVUTIL_TESTS_INTEGER_H */
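Review bot: TestInteger() in the new header states no input contract, yet its expected values are plain int64_t arithmetic: `a*b`, `a<<9` and `a<<17` are undefined behaviour on signed overflow or negative operands, and `a/b` divides by zero when b is 0. The loop in integer.c kept both operands positive and below 256*256*256. Once a fuzz target calls the helper, a fault in the reference computation would be reported as a libavutil bug, or be optimised away. I would document the range on the function, e.g. `/* a and b must be positive and below 256*256*256; the int64_t reference results are undefined outside that range */`, so every caller filters its input to it. As far as I know av_log2() takes an unsigned int, so `av_log2(a)` would truncate wider values; that is worth confirming before the range is ever widened.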
> diff --git a/tools/Makefile b/tools/Makefile
> index 82baa8eadb..fde7f08984 100644

[...]

> +#include "libavutil/tests/integer.h"
> +#include "libavutil/intreadwrite.h"
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> +    if (size < 3 * sizeof(int16_t))
> +        return 1;
> +
> +    int64_t a,b,mult;
> +    mult = AV_RB8(data);
> +    a = AV_RB16(data + sizeof(int8_t)) * mult;
> +    b = AV_RB16(data+sizeof(int8_t) + sizeof(int16_t)) * mult;

that looks a bit strange


> +    if (a <= 0 || b <= 0 )
> +        return 1;

maybe using the same input for all cases was not a good idea, it seems
to lead to quite some restrictions.
The fuzzer should be able to reach the whole range that is
supported, even if another operation has a smaller range.
Maybe each operation should have its own independent input and
cover the whole range each supports

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu