[FFmpeg-devel] [PATCH] tools/target_dec_bsf: call avcodec_flush_buffers() on random keyframes
James Almer
jamrial at gmail.com
Sat Dec 7 01:22:41 EET 2019
On 12/6/2019 7:59 PM, Michael Niedermayer wrote:
> On Fri, Dec 06, 2019 at 04:16:23PM -0300, James Almer wrote:
>> This should increase coverage on some decoders by executing flushing code.
>>
>> Signed-off-by: James Almer <jamrial at gmail.com>
>> ---
>> tools/target_dec_fuzzer.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
>> index dcf47b0f4d..3c2f9125bb 100644
>> --- a/tools/target_dec_fuzzer.c
>> +++ b/tools/target_dec_fuzzer.c
>> @@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>> error("Failed memory allocation");
>> memcpy(parsepkt.data, last, data - last);
>> parsepkt.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
>> + int flush = !!(keyframes & 4);
>> keyframes = (keyframes >> 2) + (keyframes<<62);
>> data += sizeof(fuzz_tag);
>> last = data;
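
Review bot: the added `int flush = !!(keyframes & 4);` reads bit 2 of `keyframes`, but the next line rotates by only 2 bits, so that same bit becomes bit 0 for the following packet, where the `parsepkt.flags` line above uses it to select `AV_PKT_FLAG_DISCARD`. The flush decision for one packet therefore always equals the discard decision for the next one. Rotating by 3 bits, or taking the flush bit from a separate value, would make the three choices independent. The declaration also follows statements in the same block; declaring `flush` at the top of its scope avoids the mixed declaration.
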
>> @@ -289,6 +290,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>> av_packet_move_ref(&avpkt, &parsepkt);
>> }
>>
>> + if (avpkt.flags & AV_PKT_FLAG_KEY && flush)
>> + avcodec_flush_buffers(ctx);
>> +
>> // Iterate through all data
>> while (avpkt.size > 0 && it++ < maxiteration) {
>> av_frame_unref(frame);
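
Review bot: in the added condition `avpkt.flags & AV_PKT_FLAG_KEY && flush`, the flush is reachable only for packets that carry the key flag, so `avcodec_flush_buffers()` is never exercised right before a non-key packet, which narrows the decoder states the fuzzer can reach. If that restriction is intended, a short comment saying so would help; otherwise test `flush` alone. Parenthesising the bitwise test, `(avpkt.flags & AV_PKT_FLAG_KEY) && flush`, would also make the precedence explicit.
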
>
> This would call flush in a pattern locked onto the keyframe and discard flags.
> Not sure if that could affect coverage.
> An alternative would be to use a separate pattern for flush (see patch below).
>
> That said, both these patches will disrupt existing test cases.
>
>
> commit 1a1f747a7afd181f6b763d4dca59cd848e7acb20 (HEAD -> master)
> Author: Michael Niedermayer <michael at niedermayer.cc>
> Date: Fri Dec 6 23:42:28 2019 +0100
>
> tools/target_dec_fuzzer: Call avcodec_flush_buffers() in a fuzzer chosen pattern
>
> This should increase coverage
>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index dcf47b0f4d..c11a11514c 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> const AVPacket *avpkt) = NULL;
> AVCodecParserContext *parser = NULL;
> uint64_t keyframes = 0;
> + uint64_t flushpattern = -1;
>
>
> if (!c) {
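
Review bot: the initializer `uint64_t flushpattern = -1;` relies on the conversion of -1 to an all-ones value, and what that value means is not stated anywhere. With the `!(flushpattern & 7)` test added later in this patch, all ones means the decoder is never flushed. Writing `UINT64_MAX` and adding a one-line comment that this default disables flushing unless the value is overwritten from the input would make the intent clear.
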
> @@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> ctx->block_align = bytestream2_get_le32(&gbc);
> ctx->codec_tag = bytestream2_get_le32(&gbc);
> keyframes = bytestream2_get_le64(&gbc);
> + flushpattern = bytestream2_get_le64(&gbc);
>
> if (extradata_size < size) {
> ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
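
Review bot: the new `flushpattern = bytestream2_get_le64(&gbc);` consumes 8 more bytes from `gbc`, and nothing documents that layout change or how the value is interpreted. In particular, an all-zero value is left unchanged by the rotation added later in this patch, so `!(flushpattern & 7)` holds for every packet and the decoder is flushed before each one. A comment next to the read describing the encoding, and a line in the commit message saying that existing inputs are now interpreted differently, would cover both.
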
> @@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> av_packet_move_ref(&avpkt, &parsepkt);
> }
>
> + if (!(flushpattern & 7))
> + avcodec_flush_buffers(ctx);
> + flushpattern = (flushpattern >> 3) + (flushpattern<<61);
> +
> // Iterate through all data
> while (avpkt.size > 0 && it++ < maxiteration) {
> av_frame_unref(frame);
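
Review bot: the constants in `if (!(flushpattern & 7))` and in the rotation `(flushpattern >> 3) + (flushpattern<<61)` are unexplained. A comment stating that a flush is issued when the low three bits are zero, and that the pattern is then rotated right by three bits, would help the next reader. Using `|` instead of `+` and consistent spacing around `<<` would also make the rotation easier to recognise.
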
LGTM.