[FFmpeg-devel] [PATCH] tools/target_dec_bsf: call avcodec_flush_buffers() on random keyframes

Michael Niedermayer michael at niedermayer.cc
Sat Dec 7 00:59:22 EET 2019


On Fri, Dec 06, 2019 at 04:16:23PM -0300, James Almer wrote:
> This should increase coverage on some decoders by executing flushing code.
> 
> Signed-off-by: James Almer <jamrial at gmail.com>
> ---
>  tools/target_dec_fuzzer.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index dcf47b0f4d..3c2f9125bb 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>              error("Failed memory allocation");
>          memcpy(parsepkt.data, last, data - last);
>          parsepkt.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
> +        int flush = !!(keyframes & 4);
>          keyframes = (keyframes >> 2) + (keyframes<<62);
>          data += sizeof(fuzz_tag);
>          last = data;
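Review bot: the flush bit in `int flush = !!(keyframes & 4);` is bit 2 of `keyframes`, but the rotation on the following line only advances by two bits (`keyframes = (keyframes >> 2) + (keyframes<<62);`), so that same bit becomes bit 0 of the next packet, i.e. its AV_PKT_FLAG_DISCARD flag. A flush is therefore always paired with discarding the packet that follows, which is the "pattern locked onto the keyframe and discard flags" problem. Either rotate by 3 here or take `flush` from an independent pattern. Minor style point: the declaration sits after statements in the block; moving `int flush` up to the block's declarations matches the surrounding code.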
> @@ -289,6 +290,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>                  av_packet_move_ref(&avpkt, &parsepkt);
>              }
>  
> +          if (avpkt.flags & AV_PKT_FLAG_KEY && flush)
> +              avcodec_flush_buffers(ctx);
> +
>            // Iterate through all data
>            while (avpkt.size > 0 && it++ < maxiteration) {
>              av_frame_unref(frame);
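Review bot: `avpkt.flags & AV_PKT_FLAG_KEY && flush` relies on `&` binding tighter than `&&`; it evaluates as intended, but `(avpkt.flags & AV_PKT_FLAG_KEY) && flush` makes that explicit. Note also that `flush` was derived from the `parsepkt` built in the earlier hunk, while this test is applied to `avpkt` after `av_packet_move_ref(&avpkt, &parsepkt);` inside a conditional block; on the path where that move is not taken, the flush decision belongs to whichever parsepkt was built last rather than to this avpkt. If that coupling is acceptable, a one-line comment saying so would save the next reader the trace.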

This would call flush in a pattern locked onto the keyframe and discard flags.
Not sure if that could affect coverage.
An alternative would be to use a separate pattern for flush. (see patch below)

That said, both these patches will disrupt existing test cases.


commit 1a1f747a7afd181f6b763d4dca59cd848e7acb20 (HEAD -> master)
Author: Michael Niedermayer <michael at niedermayer.cc>
Date:   Fri Dec 6 23:42:28 2019 +0100

    tools/target_dec_fuzzer: Call avcodec_flush_buffers() in a fuzzer chosen pattern
    
    This should increase coverage
    
    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index dcf47b0f4d..c11a11514c 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
                           const AVPacket *avpkt) = NULL;
     AVCodecParserContext *parser = NULL;
     uint64_t keyframes = 0;
+    uint64_t flushpattern = -1;
 
 
     if (!c) {
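Review bot: `uint64_t flushpattern = -1;` relies on the implicit conversion of -1 to an all-ones unsigned value; writing `UINT64_MAX`, or adding a comment that the default disables flushing because `flushpattern & 7` can then never be zero, makes the intent readable without having to trace the later hunk.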
@@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         ctx->block_align                        = bytestream2_get_le32(&gbc);
         ctx->codec_tag                          = bytestream2_get_le32(&gbc);
         keyframes                               = bytestream2_get_le64(&gbc);
+        flushpattern                            = bytestream2_get_le64(&gbc);
 
         if (extradata_size < size) {
             ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
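Review bot: `flushpattern = bytestream2_get_le64(&gbc);` grows the fuzzer's input header by 8 bytes, so every existing corpus entry now has its following fields read from shifted offsets; this is the test-case disruption raised in the reply and should be stated in the commit message. Also, the bounds-checked `bytestream2_get_le64()` returns 0 when fewer than 8 bytes remain, so a truncated header yields `flushpattern == 0`, which flushes before every packet rather than falling back to the -1 default from the declaration; if that is not intended, guard the read with `bytestream2_get_bytes_left(&gbc)`.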
@@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
                 av_packet_move_ref(&avpkt, &parsepkt);
             }
 
+          if (!(flushpattern & 7))
+              avcodec_flush_buffers(ctx);
+          flushpattern = (flushpattern >> 3) + (flushpattern<<61);
+
           // Iterate through all data
           while (avpkt.size > 0 && it++ < maxiteration) {
             av_frame_unref(frame);
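Review bot: `if (!(flushpattern & 7))` together with the 3-bit rotation `(flushpattern >> 3) + (flushpattern<<61)` flushes on roughly one packet in eight for a random pattern, and because 64 is not a multiple of 3 the 3-bit window drifts across wraps, so the sequence does not simply repeat every 21 packets; that is good for coverage but worth a one-line comment next to the rotation. Unlike the quoted patch, the flush here is independent of AV_PKT_FLAG_KEY, so the decoder is regularly fed non-keyframe packets with no reference state afterwards; since that is the behaviour new crash reports from this fuzzer will exercise, the commit message should say so explicitly rather than just "This should increase coverage".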

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Avoid a single point of failure, be that a person or equipment.