{
unsigned v = le ? bytestream2_get_le16(gb) : bytestream2_get_be16(gb);
return v;
}
unsigned ff_tget_long(GetByteContext *gb, int le)
{
unsigned v = le ? bytestream2_get_le32(gb) : bytestream2_get_be32(gb);
return v;
}
double ff_tget_double(GetByteContext *gb, int le)
{
av_alias64 i = { .u64 = le ? bytestream2_get_le64(gb) : bytestream2_get_be64(gb)};
return i.f64;
}
unsigned ff_tget(GetByteContext *gb, int type, int le)
{
switch (type) {
case TIFF_BYTE:
return bytestream2_get_byte(gb);
case TIFF_SHORT:
return ff_tget_short(gb, le);
case TIFF_LONG:
return ff_tget_long(gb, le);
default:
return UINT_MAX;
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
const uint64_t fuzz_tag = FUZZ_TAG;
FuzzDataBuffer buffer;
const uint8_t *last = data;
const uint8_t *end = data + size;
uint32_t it = 0;
int (*decode_handler)(AVCodecContext *avctx, AVFrame *picture,
int *got_picture_ptr,
const AVPacket *avpkt) = NULL;
if (!c) {
#ifdef FFMPEG_DECODER
#define DECODER_SYMBOL0(CODEC) ff_##CODEC##_decoder
#define DECODER_SYMBOL(CODEC) DECODER_SYMBOL0(CODEC)
extern AVCodec DECODER_SYMBOL(FFMPEG_DECODER);
avcodec_register(&DECODER_SYMBOL(FFMPEG_DECODER));
c = &DECODER_SYMBOL(FFMPEG_DECODER);
#else
avcodec_register_all();
c = AVCodecInitialize(FFMPEG_CODEC); // Done once.
#endif
av_log_set_level(AV_LOG_PANIC);
}
// Unsupported
if (c->capabilities & AV_CODEC_CAP_HWACCEL_VDPAU)
return 0;
switch (c->type) {
case AVMEDIA_TYPE_AUDIO : decode_handler = avcodec_decode_audio4; break;
case AVMEDIA_TYPE_VIDEO : decode_handler = avcodec_decode_video2; break;
case AVMEDIA_TYPE_SUBTITLE: decode_handler = subtitle_handler ; break;
}
AVCodecContext* ctx = avcodec_alloc_context3(NULL);
if (!ctx)
error("Failed memory allocation");
ctx->max_pixels = 4096 * 4096; //To reduce false positive OOM and hangs
if (size > 1024) {
GetByteContext gbc;
bytestream2_init(&gbc, data + size - 1024, 1024);
ctx->width = bytestream2_get_le32(&gbc);
ctx->height = bytestream2_get_le32(&gbc);
ctx->bit_rate = bytestream2_get_le64(&gbc);
ctx->bits_per_coded_sample = bytestream2_get_le32(&gbc);
if (av_image_check_size(ctx->width, ctx->height, 0, ctx))
ctx->width = ctx->height = 0;
size -= 1024;
}
int res = avcodec_open2(ctx, c, NULL);
if (res < 0) {
av_free(ctx);
return 0; // Failure of avcodec_open2() does not imply that a issue was found
}
FDBCreate(&buffer);
int got_frame;
AVFrame *frame = av_frame_alloc();
if (!frame)
error("Failed memory allocation");
// Read very simple container
AVPacket avpkt;
while (data < end && it < maxiteration) {
// Search for the TAG
while (data + sizeof(fuzz_tag) < end) {
if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
break;
data++;
}
if (data + sizeof(fuzz_tag) > end)
data = end;
FDBPrepare(&buffer, &avpkt, last, data - last);
data += sizeof(fuzz_tag);
last = data;
// Iterate through all data
while (avpkt.size > 0 && it++ < maxiteration) {
av_frame_unref(frame);
int ret = decode_handler(ctx, frame, &got_frame, &avpkt);
if (it > 20)
ctx->error_concealment = 0;
if (ret <= 0 || ret > avpkt.size)
break;
if (ctx->codec_type != AVMEDIA_TYPE_AUDIO)
ret = avpkt.size;
avpkt.data += ret;
avpkt.size -= ret;
}
}
av_init_packet(&avpkt);
avpkt.data = NULL;
avpkt.size = 0;
do {
got_frame = 0;
decode_handler(ctx, frame, &got_frame, &avpkt);
} while (got_frame == 1 && it++ < maxiteration);
av_frame_free(&frame);
avcodec_free_context(&ctx);
av_freep(&ctx);
FDBDesroy(&buffer);
return 0;
}
