diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:22:23 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:22:23 +0000 |
| commit | 65f29c123bd6dfcc036b124e0c01883b5d42e849 (patch) | |
| tree | c38084927c6fbda0c62cbc5d13bbdafff55f6593 | |
| parent | d41f406b2c1bf28fa32c487b8d39f5810d56d046 (diff) | |
| parent | c414acd144e0b8a1d4d23719314d1256624c69d6 (diff) | |
| download | libmpeg2-q_tzdata_aml_297100300.tar.gz | |
Snap for 6439596 from c414acd144e0b8a1d4d23719314d1256624c69d6 to qt-aml-tzdata-releaseq_tzdata_aml_297100400q_tzdata_aml_297100300q_tzdata_aml_297100000q_tzdata_aml_296200000q_tzdata_aml_295600118q_tzdata_aml_295600110q_tzdata_aml_295500002q_tzdata_aml_295500001q_tzdata_aml_294400310android-mainline-12.0.0_r54android-mainline-12.0.0_r111android-mainline-10.0.0_r13android-mainline-10.0.0_r12android-mainline-10.0.0_r11q_tzdata_aml_297100000android12-mainline-tzdata-releaseandroid10-mainline-tzdata-releaseandroid10-android13-mainline-tzdata-release
Change-Id: I0d1c056fb3797d43c505e63406f1aa0ed8919ed1
| -rw-r--r-- | Android.bp | 1 | ||||
| -rw-r--r-- | CMakeLists.txt | 95 | ||||
| -rw-r--r-- | common/arm/impeg2_format_conv.s | 8 | ||||
| -rw-r--r-- | common/armv8/impeg2_format_conv.s | 9 | ||||
| -rw-r--r-- | common/ideint.c | 15 | ||||
| -rw-r--r-- | common/impeg2_format_conv.c | 4 | ||||
| -rw-r--r-- | decoder/impeg2d_api_main.c | 40 | ||||
| -rw-r--r-- | decoder/impeg2d_dec_hdr.c | 1 | ||||
| -rw-r--r-- | fuzzer/Android.bp | 16 | ||||
| -rw-r--r-- | fuzzer/README.md | 69 | ||||
| -rw-r--r-- | fuzzer/mpeg2_dec_fuzzer.cpp | 419 | ||||
| -rw-r--r-- | fuzzer/mpeg2_dec_fuzzer.dict | 2 | ||||
| -rwxr-xr-x | fuzzer/ossfuzz.sh | 44 | ||||
| -rw-r--r-- | test/Android.bp | 13 |
14 files changed, 51 insertions, 685 deletions
@@ -1,7 +1,6 @@ cc_library_static { name: "libmpeg2dec", vendor_available: true, - host_supported:true, shared_libs: ["liblog", "libcutils"], cflags: [ diff --git a/CMakeLists.txt b/CMakeLists.txt deleted file mode 100644 index 9ef4a43..0000000 --- a/CMakeLists.txt +++ /dev/null @@ -1,95 +0,0 @@ -cmake_minimum_required(VERSION 3.5) - -set(MPEG2_ROOT "${CMAKE_CURRENT_SOURCE_DIR}") -set(MPEG2_CONFIG_DIR "${CMAKE_CURRENT_BINARY_DIR}") - -if("${MPEG2_ROOT}" STREQUAL "${MPEG2_CONFIG_DIR}") - message( - FATAL_ERROR - "Building from within the libmpeg2 source tree is not supported.\n" - "Hint: Run these commands\n" - "$ rm -rf CMakeCache.txt CMakeFiles\n" - "$ mkdir -p ./build\n" - "$ cd ./build\n" - "And re-run CMake from the build directory.") -endif() - -set(THREADS_PREFER_PTHREAD_FLAG ON) -find_package(Threads REQUIRED) -set(CMAKE_STATIC_LIBRARY_PREFIX "") - -if(SANITIZE) - string(TOLOWER ${SANITIZE} SANITIZE) - - set(CMAKE_SANITIZER_C_FLAGS "-fno-omit-frame-pointer -fsanitize=${SANITIZE}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_SANITIZER_C_FLAGS}") -endif() - -list(APPEND LIBMPEG2DEC_SRCS - "${MPEG2_ROOT}/common/impeg2_buf_mgr.c" - "${MPEG2_ROOT}/common/impeg2_disp_mgr.c" - "${MPEG2_ROOT}/common/impeg2_format_conv.c" - "${MPEG2_ROOT}/common/impeg2_globals.c" - "${MPEG2_ROOT}/common/impeg2_idct.c" - "${MPEG2_ROOT}/common/impeg2_inter_pred.c" - "${MPEG2_ROOT}/common/impeg2_job_queue.c" - "${MPEG2_ROOT}/common/impeg2_mem_func.c" - "${MPEG2_ROOT}/common/ithread.c" - "${MPEG2_ROOT}/decoder/impeg2d_api_main.c" - "${MPEG2_ROOT}/decoder/impeg2d_bitstream.c" - "${MPEG2_ROOT}/decoder/impeg2d_debug.c" - "${MPEG2_ROOT}/decoder/impeg2d_dec_hdr.c" - "${MPEG2_ROOT}/decoder/impeg2d_decoder.c" - "${MPEG2_ROOT}/decoder/impeg2d_d_pic.c" - "${MPEG2_ROOT}/decoder/impeg2d_function_selector_generic.c" - "${MPEG2_ROOT}/decoder/impeg2d_globals.c" - "${MPEG2_ROOT}/decoder/impeg2d_i_pic.c" - "${MPEG2_ROOT}/decoder/impeg2d_mc.c" - "${MPEG2_ROOT}/decoder/impeg2d_mv_dec.c" - "${MPEG2_ROOT}/decoder/impeg2d_pic_proc.c" - "${MPEG2_ROOT}/decoder/impeg2d_pnb_pic.c" - "${MPEG2_ROOT}/decoder/impeg2d_vld.c" - "${MPEG2_ROOT}/decoder/impeg2d_vld_tables.c" - "${MPEG2_ROOT}/decoder/impeg2d_deinterlace.c" - "${MPEG2_ROOT}/common/icv_sad.c" - "${MPEG2_ROOT}/common/icv_variance.c" - "${MPEG2_ROOT}/common/ideint.c" - "${MPEG2_ROOT}/common/ideint_cac.c" - "${MPEG2_ROOT}/common/ideint_debug.c" - "${MPEG2_ROOT}/common/ideint_function_selector_generic.c" - "${MPEG2_ROOT}/common/ideint_utils.c") - -list(APPEND LIBMPEG2DEC_X86_SRCS - "${MPEG2_ROOT}/decoder/x86/impeg2d_function_selector.c" - "${MPEG2_ROOT}/decoder/x86/impeg2d_function_selector_avx2.c" - "${MPEG2_ROOT}/decoder/x86/impeg2d_function_selector_ssse3.c" - "${MPEG2_ROOT}/decoder/x86/impeg2d_function_selector_sse42.c" - "${MPEG2_ROOT}/common/x86/ideint_function_selector.c" - "${MPEG2_ROOT}/common/x86/ideint_function_selector_ssse3.c" - "${MPEG2_ROOT}/common/x86/ideint_function_selector_sse42.c" - "${MPEG2_ROOT}/common/x86/icv_variance_ssse3.c" - "${MPEG2_ROOT}/common/x86/icv_sad_ssse3.c" - "${MPEG2_ROOT}/common/x86/ideint_cac_ssse3.c" - "${MPEG2_ROOT}/common/x86/ideint_spatial_filter_ssse3.c" - "${MPEG2_ROOT}/common/x86/impeg2_idct_recon_sse42_intr.c" - "${MPEG2_ROOT}/common/x86/impeg2_inter_pred_sse42_intr.c" - "${MPEG2_ROOT}/common/x86/impeg2_mem_func_sse42_intr.c") - -set(LIBMPEG2DEC_INCLUDES ${MPEG2_ROOT}/common ${MPEG2_ROOT}/decoder) - -set(LIBMPEG2DEC_X86_C_FLAGS "-DX86 -DDISABLE_AVX2 -msse4.2 -mno-avx \ - -DDEFAULT_ARCH=D_ARCH_X86_SSE42 -DMULTICORE") -set(LIBMPEG2DEC_X86_INCLUDES ${MPEG2_ROOT}/common/x86 ${MPEG2_ROOT}/decoder/x86) -set(LIBMPEG2DEC_C_FLAGS "${LIBMPEG2DEC_X86_C_FLAGS}") - -include_directories(${LIBMPEG2DEC_INCLUDES} ${LIBMPEG2DEC_X86_INCLUDES}) -add_library(libmpeg2dec ${LIBMPEG2DEC_SRCS} ${LIBMPEG2DEC_X86_SRCS}) -set_target_properties(libmpeg2dec - PROPERTIES COMPILE_FLAGS "${LIBMPEG2DEC_C_FLAGS}") - -list(APPEND MPEG2DEC_SRCS "${MPEG2_ROOT}/test/decoder/main.c") - -add_executable(mpeg2dec ${MPEG2DEC_SRCS}) -set_target_properties(mpeg2dec - PROPERTIES COMPILE_FLAGS "-DMD5_DISABLE -DPROFILE_ENABLE") -target_link_libraries(mpeg2dec libmpeg2dec Threads::Threads) diff --git a/common/arm/impeg2_format_conv.s b/common/arm/impeg2_format_conv.s index c07edda..bd9a81a 100644 --- a/common/arm/impeg2_format_conv.s +++ b/common/arm/impeg2_format_conv.s @@ -170,9 +170,11 @@ yuv420sp_uv_chroma: ldr r3, [sp, #24] @// Load pu1_dest_uv from stack ldr r4, [sp, #28] @// Load u2_height from stack + add r4, r4, 1 ldr r5, [sp, #32] @// Load u2_width from stack - + add r5, r5, 1 + bic r5, r5, #1 ldr r7, [sp, #40] @// Load u2_strideu from stack @@ -332,9 +334,11 @@ yuv420sp_vu_chroma: ldr r3, [sp, #24] @// Load pu1_dest_uv from stack ldr r4, [sp, #28] @// Load u2_height from stack + add r4, r4, 1 ldr r5, [sp, #32] @// Load u2_width from stack - + add r5, r5, 1 + bic r5, r5, #1 ldr r7, [sp, #40] @// Load u2_strideu from stack diff --git a/common/armv8/impeg2_format_conv.s b/common/armv8/impeg2_format_conv.s index 48baf04..ec76e29 100644 --- a/common/armv8/impeg2_format_conv.s +++ b/common/armv8/impeg2_format_conv.s @@ -185,6 +185,10 @@ yuv420sp_uv_chroma: ldr w8, [sp, #104] //// Load u2_dest_stride_uv from stack sxtw x8, w8 + add x6, x6, 1 + bic x6, x6, #1 + + add x9, x9, 1 sub x7, x7, x6, lsr #1 //// Source increment @@ -359,6 +363,11 @@ yuv420sp_vu_chroma: ldr w8, [sp, #104] //// Load u2_dest_stride_uv from stack sxtw x8, w8 + add x6, x6, 1 + bic x6, x6, #1 + + add x9, x9, 1 + sub x7, x7, x6, lsr #1 //// Source increment sub x8, x8, x6 //// Destination increment diff --git a/common/ideint.c b/common/ideint.c index 24e4e72..af6d15e 100644 --- a/common/ideint.c +++ b/common/ideint.c @@ -206,7 +206,7 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt, for(i = 0; i < num_comp; i++) { - UWORD8 *pu1_prv, *pu1_out; + UWORD8 *pu1_prv = NULL, *pu1_out; UWORD8 *pu1_top, *pu1_bot, *pu1_dst; WORD32 cur_strd, out_strd, dst_strd; @@ -255,14 +255,16 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt, { disable_cac_sad = 1; } - for(row = comp_row_start; row < comp_row_end; row++) { pu1_out = ps_out_frm->apu1_buf[i]; pu1_out += (ps_out_frm->ai4_strd[i] * row << 3); - pu1_prv = ps_prv_fld->apu1_buf[i]; - pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2); + if(0 == disable_cac_sad) + { + pu1_prv = ps_prv_fld->apu1_buf[i]; + pu1_prv += (ps_prv_fld->ai4_strd[i] * row << 2); + } if(ps_ctxt->s_params.i4_cur_fld_top) { @@ -408,7 +410,10 @@ IDEINT_ERROR_T ideint_process(void *pv_ctxt, memcpy(pu1_out + j * out_strd, au1_dst + j * BLK_WD, blk_wd); } } - pu1_prv += 8; + if(NULL != pu1_prv) + { + pu1_prv += 8; + } pu1_top += 8; pu1_bot += 8; pu1_out += 8; diff --git a/common/impeg2_format_conv.c b/common/impeg2_format_conv.c index ec0bcfb..b4d62cc 100644 --- a/common/impeg2_format_conv.c +++ b/common/impeg2_format_conv.c @@ -321,7 +321,7 @@ void impeg2_fmt_conv_yuv420p_to_yuv420sp_vu(UWORD8 *pu1_y, UWORD8 *pu1_u, UWORD8 pu1_src_u = pu1_u; pu1_src_v = pu1_v; pu1_dst = pu1_dest_uv ; - + u4_width = ((u4_width + 1) >> 1) << 1; u4_height = (u4_height + 1) >> 1; u2_width_uv = (u4_width + 1) >> 1; for(i = 0; i < u4_height ; i++) @@ -379,7 +379,7 @@ void impeg2_fmt_conv_yuv420p_to_yuv420sp_uv(UWORD8 *pu1_y, UWORD8 *pu1_u, UWORD8 pu1_src_u = pu1_u; pu1_src_v = pu1_v; pu1_dst = pu1_dest_uv ; - + u4_width = ((u4_width + 1) >> 1) << 1; u4_height = (u4_height + 1) >> 1; u2_width_uv = (u4_width + 1) >> 1; for(i = 0; i < u4_height ; i++) diff --git a/decoder/impeg2d_api_main.c b/decoder/impeg2d_api_main.c index e0b67cb..44e1708 100644 --- a/decoder/impeg2d_api_main.c +++ b/decoder/impeg2d_api_main.c @@ -90,7 +90,7 @@ #define CODEC_RELEASE_VER "01.00" #define CODEC_VENDOR "ITTIAM" -#ifdef ANDROID +#ifdef __ANDROID__ #define VERSION(version_string, codec_name, codec_release_type, codec_release_ver, codec_vendor) \ strcpy(version_string,"@(#)Id:"); \ strcat(version_string,codec_name); \ @@ -1500,10 +1500,8 @@ UWORD32 impeg2d_get_outbuf_size(WORD32 pic_wd,UWORD32 pic_ht, WORD32 u1_chroma_f if(u1_chroma_format == IV_YUV_420P) { p_buf_size[0] = (pic_wd * pic_ht); - p_buf_size[1] = (pic_wd * pic_ht) - >> 2; - p_buf_size[2] = (pic_wd * pic_ht) - >> 2; + p_buf_size[1] = ((pic_wd + 1) >> 1) * ((pic_ht + 1) >> 1); + p_buf_size[2] = ((pic_wd + 1) >> 1) * ((pic_ht + 1) >> 1); } else if(u1_chroma_format == IV_YUV_422ILE) { @@ -1523,11 +1521,9 @@ UWORD32 impeg2d_get_outbuf_size(WORD32 pic_wd,UWORD32 pic_ht, WORD32 u1_chroma_f || (u1_chroma_format == IV_YUV_420SP_VU)) { p_buf_size[0] = (pic_wd * pic_ht); - p_buf_size[1] = (pic_wd * pic_ht) - >> 1; + p_buf_size[1] = ((pic_wd + 1) >> 1) * ((pic_ht + 1) >> 1) * 2; p_buf_size[2] = 0; } - return u4_min_num_out_bufs; } @@ -3330,20 +3326,20 @@ IV_API_CALL_STATUS_T impeg2d_api_entity(iv_obj_t *ps_dechdl, ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_y_strd = ps_dec_state->u4_frm_buf_stride; ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_y_ht = ps_dec_state->u2_vertical_size; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = ps_dec_state->u2_horizontal_size >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = ps_dec_state->u4_frm_buf_stride >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_ht = ps_dec_state->u2_vertical_size >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = (ps_dec_state->u2_horizontal_size + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = (ps_dec_state->u4_frm_buf_stride + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_ht = (ps_dec_state->u2_vertical_size + 1) >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_wd = ps_dec_state->u2_horizontal_size >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_strd = ps_dec_state->u4_frm_buf_stride >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_ht = ps_dec_state->u2_vertical_size >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_wd = (ps_dec_state->u2_horizontal_size + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_strd = (ps_dec_state->u4_frm_buf_stride + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_ht = (ps_dec_state->u2_vertical_size + 1) >> 1; ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_size = sizeof(ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf); switch(ps_dec_state->i4_chromaFormat) { case IV_YUV_420SP_UV: case IV_YUV_420SP_VU: - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = ps_dec_state->u2_horizontal_size; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = (((ps_dec_state->u2_horizontal_size + 1) >> 1) << 1); ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = ps_dec_state->u4_frm_buf_stride; break; case IV_YUV_422ILE: @@ -3418,20 +3414,20 @@ IV_API_CALL_STATUS_T impeg2d_api_entity(iv_obj_t *ps_dechdl, ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_y_strd = ps_dec_state->u4_frm_buf_stride; ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_y_ht = ps_dec_state->u2_vertical_size; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = ps_dec_state->u2_horizontal_size >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = ps_dec_state->u4_frm_buf_stride >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_ht = ps_dec_state->u2_vertical_size >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = (ps_dec_state->u2_horizontal_size + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = (ps_dec_state->u4_frm_buf_stride + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_ht = (ps_dec_state->u2_vertical_size + 1) >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_wd = ps_dec_state->u2_horizontal_size >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_strd = ps_dec_state->u4_frm_buf_stride >> 1; - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_ht = ps_dec_state->u2_vertical_size >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_wd = (ps_dec_state->u2_horizontal_size + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_strd = (ps_dec_state->u4_frm_buf_stride + 1) >> 1; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_v_ht = (ps_dec_state->u2_vertical_size + 1) >> 1; ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_size = sizeof(ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf); switch(ps_dec_state->i4_chromaFormat) { case IV_YUV_420SP_UV: case IV_YUV_420SP_VU: - ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = ps_dec_state->u2_horizontal_size; + ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_wd = (((ps_dec_state->u2_horizontal_size + 1) >> 1) << 1); ps_dec_op->s_ivd_video_decode_op_t.s_disp_frm_buf.u4_u_strd = ps_dec_state->u4_frm_buf_stride; break; case IV_YUV_422ILE: diff --git a/decoder/impeg2d_dec_hdr.c b/decoder/impeg2d_dec_hdr.c index b60f488..3c974a5 100644 --- a/decoder/impeg2d_dec_hdr.c +++ b/decoder/impeg2d_dec_hdr.c @@ -1253,6 +1253,7 @@ static WORD32 impeg2d_init_thread_dec_ctxt(dec_state_t *ps_dec, ps_dec_thd->ps_func_forw_or_back = ps_dec->ps_func_forw_or_back; ps_dec_thd->pv_deinterlacer_ctxt = ps_dec->pv_deinterlacer_ctxt; ps_dec_thd->ps_deint_pic = ps_dec->ps_deint_pic; + ps_dec_thd->pu1_deint_fmt_buf = ps_dec->pu1_deint_fmt_buf; return 0; } diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp deleted file mode 100644 index 4250ec5..0000000 --- a/fuzzer/Android.bp +++ /dev/null @@ -1,16 +0,0 @@ -cc_fuzz { - name: "mpeg2_dec_fuzzer", - host_supported: true, - srcs: [ - "mpeg2_dec_fuzzer.cpp", - ], - static_libs: [ - "libmpeg2dec", - "liblog", - ], - target: { - darwin: { - enabled: false, - }, - }, -} diff --git a/fuzzer/README.md b/fuzzer/README.md deleted file mode 100644 index 562b123..0000000 --- a/fuzzer/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# Fuzzer for libmpeg2 decoder - -This describes steps to build mpeg2_dec_fuzzer binary. - -## Linux x86/x64 - -### Requirements -- cmake (3.5 or above) -- make -- clang (6.0 or above) - needs to support -fsanitize=fuzzer, -fsanitize=fuzzer-no-link - -### Steps to build -Clone libmpeg2 repository -``` -$ git clone https://android.googlesource.com/platform/external/libmpeg2 -``` -Create a directory inside libmpeg2 and change directory -``` - $ cd libmpeg2 - $ mkdir build - $ cd build -``` -Build libmpeg2 using cmake -``` - $ CC=clang CXX=clang++ cmake ../ \ - -DSANITIZE=fuzzer-no-link,address,signed-integer-overflow - $ make - ``` -Build the fuzzer -``` - $ clang++ -std=c++11 -fsanitize=fuzzer,address -I. -I../ -I../common \ - -I../decoder -Wl,--start-group ../fuzzer/mpeg2_dec_fuzzer.cpp \ - -o ./mpeg2_dec_fuzzer ./libmpeg2dec.a -Wl,--end-group -``` - -### Steps to run -Create a directory CORPUS_DIR and copy some elementary mpeg2 files to that folder -To run the fuzzer -``` -$ ./mpeg2_dec_fuzzer CORPUS_DIR -``` - -## Android - -### Steps to build -Build the fuzzer -``` - $ SANITIZE_TARGET=address SANITIZE_HOST=address mmma -j$(nproc) \ - external/libmpeg2/fuzzer -``` - -### Steps to run -Create a directory CORPUS_DIR and copy some elementary mpeg2 files to that folder -Push this directory to device. - -To run on device -``` - $ adb sync data - $ adb shell /data/fuzz/mpeg2_dec_fuzzer CORPUS_DIR -``` -To run on host -``` - $ $ANDROID_HOST_OUT/fuzz/mpeg2_dec_fuzzer CORPUS_DIR -``` - -## References: - * http://llvm.org/docs/LibFuzzer.html - * https://github.com/google/oss-fuzz diff --git a/fuzzer/mpeg2_dec_fuzzer.cpp b/fuzzer/mpeg2_dec_fuzzer.cpp deleted file mode 100644 index bf9744d..0000000 --- a/fuzzer/mpeg2_dec_fuzzer.cpp +++ /dev/null @@ -1,419 +0,0 @@ -/****************************************************************************** - * - * Copyright (C) 2019 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - ***************************************************************************** - * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore - */ - -#include <malloc.h> -#include <stddef.h> -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <algorithm> -#include <memory> - -#include "iv_datatypedef.h" -#include "iv.h" -#include "ivd.h" -#include "impeg2d.h" - -#define ALIGN2(x) ((((x) + 1) >> 1) << 1) -#define MAX_FRAME_WIDTH 3840 -#define MAX_FRAME_HEIGHT 2160 -#define NELEMENTS(x) (sizeof(x) / sizeof(x[0])) -#define ivd_api_function impeg2d_api_function -const IV_COLOR_FORMAT_T supportedColorFormats[] = {IV_YUV_420P, IV_YUV_420SP_UV, - IV_YUV_420SP_VU}; - -enum { - OFFSET_COLOR_FORMAT = 6, - OFFSET_NUM_CORES, - /* Should be the last entry */ - OFFSET_MAX, -}; - -const static int kSupportedColorFormats = NELEMENTS(supportedColorFormats); -const static int kMaxCores = 4; - -class Codec { - public: - Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores); - ~Codec(); - - void createCodec(); - void deleteCodec(); - void resetCodec(); - void setCores(); - void allocFrame(); - void freeFrame(); - void decodeHeader(const uint8_t *data, size_t size); - IV_API_CALL_STATUS_T decodeFrame(const uint8_t *data, size_t size, - size_t *bytesConsumed); - void setParams(IVD_VIDEO_DECODE_MODE_T mode); - - private: - IV_COLOR_FORMAT_T mColorFormat; - size_t mNumCores; - iv_obj_t *mCodec; - ivd_out_bufdesc_t mOutBufHandle; - uint32_t mWidth; - uint32_t mHeight; - uint32_t mDeinterlace; - iv_mem_rec_t *mMemRecords; -}; - -Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) { - mColorFormat = colorFormat; - mNumCores = numCores; - mCodec = nullptr; - mWidth = 0; - mHeight = 0; - mDeinterlace = 1; - memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); -} - -Codec::~Codec() {} - -void Codec::createCodec() { - IV_API_CALL_STATUS_T ret; - UWORD32 numMemRecords; - size_t i; - void *fxns = (void *)&ivd_api_function; - - iv_num_mem_rec_ip_t get_mem_ip; - iv_num_mem_rec_op_t get_mem_op; - - get_mem_ip.u4_size = sizeof(get_mem_ip); - get_mem_op.u4_size = sizeof(get_mem_op); - get_mem_ip.e_cmd = IV_CMD_GET_NUM_MEM_REC; - - ret = ivd_api_function(NULL, (void *)&get_mem_ip, (void *)&get_mem_op); - if (ret != IV_SUCCESS) { - return; - } - - numMemRecords = get_mem_op.u4_num_mem_rec; - - mMemRecords = (iv_mem_rec_t *)malloc(numMemRecords * sizeof(iv_mem_rec_t)); - if (mMemRecords == NULL) { - return; - } - - impeg2d_fill_mem_rec_ip_t fill_mem_ip; - impeg2d_fill_mem_rec_op_t fill_mem_op; - - fill_mem_ip.s_ivd_fill_mem_rec_ip_t.e_cmd = IV_CMD_FILL_NUM_MEM_REC; - fill_mem_ip.s_ivd_fill_mem_rec_ip_t.pv_mem_rec_location = - (iv_mem_rec_t *)mMemRecords; - fill_mem_ip.s_ivd_fill_mem_rec_ip_t.u4_max_frm_wd = MAX_FRAME_WIDTH; - fill_mem_ip.s_ivd_fill_mem_rec_ip_t.u4_max_frm_ht = MAX_FRAME_HEIGHT; - fill_mem_ip.u4_share_disp_buf = 0; - fill_mem_ip.u4_deinterlace = mDeinterlace; - fill_mem_ip.e_output_format = mColorFormat; - - fill_mem_ip.s_ivd_fill_mem_rec_ip_t.u4_size = - sizeof(impeg2d_fill_mem_rec_ip_t); - fill_mem_op.s_ivd_fill_mem_rec_op_t.u4_size = - sizeof(impeg2d_fill_mem_rec_op_t); - - for (i = 0; i < numMemRecords; i++) - mMemRecords[i].u4_size = sizeof(iv_mem_rec_t); - - ret = ivd_api_function(NULL, (void *)&fill_mem_ip, (void *)&fill_mem_op); - - if (ret != IV_SUCCESS) { - return; - } - numMemRecords = fill_mem_op.s_ivd_fill_mem_rec_op_t.u4_num_mem_rec_filled; - - iv_mem_rec_t *ps_mem_rec = (iv_mem_rec_t *)mMemRecords; - - for (i = 0; i < numMemRecords; i++) { - ps_mem_rec->pv_base = - memalign(ps_mem_rec->u4_mem_alignment, ps_mem_rec->u4_mem_size); - if (ps_mem_rec->pv_base == NULL) { - return; - } - - ps_mem_rec++; - } - - mCodec = (iv_obj_t *)(iv_obj_t *)mMemRecords[0].pv_base; - mCodec->pv_fxns = fxns; - mCodec->u4_size = sizeof(iv_obj_t); - - impeg2d_init_ip_t init_ip; - impeg2d_init_op_t init_op; - - init_ip.s_ivd_init_ip_t.e_cmd = (IVD_API_COMMAND_TYPE_T)IV_CMD_INIT; - init_ip.s_ivd_init_ip_t.pv_mem_rec_location = mMemRecords; - init_ip.s_ivd_init_ip_t.u4_frm_max_wd = MAX_FRAME_WIDTH; - init_ip.s_ivd_init_ip_t.u4_frm_max_ht = MAX_FRAME_HEIGHT; - - init_ip.u4_share_disp_buf = 0; - init_ip.u4_deinterlace = mDeinterlace; - init_ip.s_ivd_init_ip_t.u4_num_mem_rec = numMemRecords; - init_ip.s_ivd_init_ip_t.e_output_format = mColorFormat; - init_ip.s_ivd_init_ip_t.u4_size = sizeof(impeg2d_init_ip_t); - init_op.s_ivd_init_op_t.u4_size = sizeof(impeg2d_init_op_t); - - ret = ivd_api_function(mCodec, (void *)&init_ip, (void *)&init_op); - if (ret != IV_SUCCESS) { - return; - } -} - -void Codec::deleteCodec() { - IV_API_CALL_STATUS_T ret; - iv_retrieve_mem_rec_ip_t retrieve_ip; - iv_retrieve_mem_rec_op_t retrieve_op; - retrieve_ip.pv_mem_rec_location = (iv_mem_rec_t *)mMemRecords; - - retrieve_ip.e_cmd = IV_CMD_RETRIEVE_MEMREC; - retrieve_ip.u4_size = sizeof(iv_retrieve_mem_rec_ip_t); - retrieve_op.u4_size = sizeof(iv_retrieve_mem_rec_op_t); - - ret = ivd_api_function(mCodec, (void *)&retrieve_ip, (void *)&retrieve_op); - - if (ret != IV_SUCCESS) { - return; - } - - iv_mem_rec_t *ps_mem_rec = retrieve_ip.pv_mem_rec_location; - for (size_t i = 0; i < retrieve_op.u4_num_mem_rec_filled; i++) { - free(ps_mem_rec->pv_base); - ps_mem_rec++; - } - free(retrieve_ip.pv_mem_rec_location); -} - -void Codec::resetCodec() { - ivd_ctl_reset_ip_t s_ctl_ip; - ivd_ctl_reset_op_t s_ctl_op; - - s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; - s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET; - s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t); - s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t); - - ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); -} - -void Codec::setCores() { - impeg2d_ctl_set_num_cores_ip_t s_ctl_ip; - impeg2d_ctl_set_num_cores_op_t s_ctl_op; - - s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; - s_ctl_ip.e_sub_cmd = - (IVD_CONTROL_API_COMMAND_TYPE_T)IMPEG2D_CMD_CTL_SET_NUM_CORES; - s_ctl_ip.u4_num_cores = mNumCores; - s_ctl_ip.u4_size = sizeof(impeg2d_ctl_set_num_cores_ip_t); - s_ctl_op.u4_size = sizeof(impeg2d_ctl_set_num_cores_op_t); - - ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); -} - -void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) { - ivd_ctl_set_config_ip_t s_ctl_ip; - ivd_ctl_set_config_op_t s_ctl_op; - - s_ctl_ip.u4_disp_wd = 0; - s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE; - s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT; - s_ctl_ip.e_vid_dec_mode = mode; - s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; - s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS; - s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t); - s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t); - - ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); -} - -void Codec::freeFrame() { - for (int i = 0; i < mOutBufHandle.u4_num_bufs; i++) { - if (mOutBufHandle.pu1_bufs[i]) { - free(mOutBufHandle.pu1_bufs[i]); - mOutBufHandle.pu1_bufs[i] = nullptr; - } - } -} - -void Codec::allocFrame() { - size_t sizes[4] = {0}; - size_t num_bufs = 0; - - freeFrame(); - - memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); - - switch (mColorFormat) { - case IV_YUV_420SP_UV: - [[fallthrough]]; - case IV_YUV_420SP_VU: - sizes[0] = mWidth * mHeight; - sizes[1] = ALIGN2(mWidth) * ALIGN2(mHeight) >> 1; - num_bufs = 2; - break; - case IV_YUV_422ILE: - sizes[0] = mWidth * mHeight * 2; - num_bufs = 1; - break; - case IV_RGB_565: - sizes[0] = mWidth * mHeight * 2; - num_bufs = 1; - break; - case IV_RGBA_8888: - sizes[0] = mWidth * mHeight * 4; - num_bufs = 1; - break; - case IV_YUV_420P: - [[fallthrough]]; - default: - sizes[0] = mWidth * mHeight; - sizes[1] = ALIGN2(mWidth) * ALIGN2(mHeight) >> 2; - sizes[2] = ALIGN2(mWidth) * ALIGN2(mHeight) >> 2; - num_bufs = 3; - break; - } - mOutBufHandle.u4_num_bufs = num_bufs; - for (int i = 0; i < num_bufs; i++) { - mOutBufHandle.u4_min_out_buf_size[i] = sizes[i]; - mOutBufHandle.pu1_bufs[i] = (UWORD8 *)memalign(16, sizes[i]); - } -} - -void Codec::decodeHeader(const uint8_t *data, size_t size) { - setParams(IVD_DECODE_HEADER); - - while (size > 0) { - IV_API_CALL_STATUS_T ret; - ivd_video_decode_ip_t dec_ip; - ivd_video_decode_op_t dec_op; - size_t bytes_consumed; - - memset(&dec_ip, 0, sizeof(dec_ip)); - memset(&dec_op, 0, sizeof(dec_op)); - - dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; - dec_ip.u4_ts = 0; - dec_ip.pv_stream_buffer = (void *)data; - dec_ip.u4_num_Bytes = size; - dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); - dec_op.u4_size = sizeof(ivd_video_decode_op_t); - - ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); - - bytes_consumed = dec_op.u4_num_bytes_consumed; - /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds - * to feed next data */ - if (!bytes_consumed) bytes_consumed = 4; - - bytes_consumed = std::min(size, bytes_consumed); - - data += bytes_consumed; - size -= bytes_consumed; - - mWidth = std::min(dec_op.u4_pic_wd, (UWORD32)10240); - mHeight = std::min(dec_op.u4_pic_ht, (UWORD32)10240); - - /* Break after successful header decode */ - if (mWidth && mHeight) { - break; - } - } - /* if width / height are invalid, set them to defaults */ - if (!mWidth) mWidth = 1920; - if (!mHeight) mHeight = 1088; -} - -IV_API_CALL_STATUS_T Codec::decodeFrame(const uint8_t *data, size_t size, - size_t *bytesConsumed) { - IV_API_CALL_STATUS_T ret; - ivd_video_decode_ip_t dec_ip; - ivd_video_decode_op_t dec_op; - - memset(&dec_ip, 0, sizeof(dec_ip)); - memset(&dec_op, 0, sizeof(dec_op)); - - dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; - dec_ip.u4_ts = 0; - dec_ip.pv_stream_buffer = (void *)data; - dec_ip.u4_num_Bytes = size; - dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); - dec_ip.s_out_buffer = mOutBufHandle; - - dec_op.u4_size = sizeof(ivd_video_decode_op_t); - - ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); - if (IMPEG2D_UNSUPPORTED_DIMENSIONS == dec_op.u4_error_code) { - /* In case of unsupported resolution, reset codec */ - resetCodec(); - } else if (IVD_RES_CHANGED == (dec_op.u4_error_code & 0xFF)) { - /* In case of change in resolution, reset codec and feed the same data - * again */ - resetCodec(); - ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); - } - *bytesConsumed = dec_op.u4_num_bytes_consumed; - - /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds - * to feed next data */ - if (!*bytesConsumed) *bytesConsumed = 4; - - if (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht) { - mWidth = std::min(dec_op.u4_pic_wd, (UWORD32)10240); - mHeight = std::min(dec_op.u4_pic_ht, (UWORD32)10240); - allocFrame(); - } - - return ret; -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - if (size < 1) { - return 0; - } - size_t colorFormatOfst = std::min((size_t)OFFSET_COLOR_FORMAT, size - 1); - size_t numCoresOfst = std::min((size_t)OFFSET_NUM_CORES, size - 1); - size_t colorFormatIdx = data[colorFormatOfst] % kSupportedColorFormats; - IV_COLOR_FORMAT_T colorFormat = - (IV_COLOR_FORMAT_T)(supportedColorFormats[colorFormatIdx]); - uint32_t numCores = (data[numCoresOfst] % kMaxCores) + 1; - - Codec *codec = new Codec(colorFormat, numCores); - codec->createCodec(); - codec->setCores(); - codec->decodeHeader(data, size); - codec->setParams(IVD_DECODE_FRAME); - codec->allocFrame(); - - while (size > 0) { - IV_API_CALL_STATUS_T ret; - size_t bytesConsumed; - ret = codec->decodeFrame(data, size, &bytesConsumed); - - bytesConsumed = std::min(size, bytesConsumed); - data += bytesConsumed; - size -= bytesConsumed; - } - - codec->freeFrame(); - codec->deleteCodec(); - delete codec; - return 0; -} diff --git a/fuzzer/mpeg2_dec_fuzzer.dict b/fuzzer/mpeg2_dec_fuzzer.dict deleted file mode 100644 index f436f20..0000000 --- a/fuzzer/mpeg2_dec_fuzzer.dict +++ /dev/null @@ -1,2 +0,0 @@ -# Start code (bytes 0-3) -kw1="\x00\x00\x00\x01" diff --git a/fuzzer/ossfuzz.sh b/fuzzer/ossfuzz.sh deleted file mode 100755 index 3493031..0000000 --- a/fuzzer/ossfuzz.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash -eu -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -################################################################################ -# Ensure SRC and WORK are set -test "${SRC}" != "" || exit 1 -test "${WORK}" != "" || exit 1 -test "${OUT}" != "" || exit 1 - -# Build libmpeg2 -build_dir=$WORK/build -rm -rf ${build_dir} -mkdir -p ${build_dir} -pushd ${build_dir} - -cmake $SRC/libmpeg2 -make -j$(nproc) -popd - -# build fuzzers -$CXX $CXXFLAGS -std=c++11 \ --I$SRC/libmpeg2 \ --I$SRC/libmpeg2/common \ --I$SRC/libmpeg2/decoder \ --I${build_dir} \ --Wl,--start-group \ -$LIB_FUZZING_ENGINE \ -$SRC/libmpeg2/fuzzer/mpeg2_dec_fuzzer.cpp -o $OUT/mpeg2_dec_fuzzer \ -${build_dir}/libmpeg2dec.a \ --Wl,--end-group - -cp $SRC/mpeg2_dec_fuzzer_seed_corpus.zip $OUT/mpeg2_dec_fuzzer_seed_corpus.zip -cp $SRC/libmpeg2/fuzzer/mpeg2_dec_fuzzer.dict $OUT/mpeg2_dec_fuzzer.dict diff --git a/test/Android.bp b/test/Android.bp index b8325c3..f17489e 100644 --- a/test/Android.bp +++ b/test/Android.bp @@ -1,7 +1,6 @@ -cc_test { +cc_binary { name: "mpeg2dec", - host_supported:true, - gtest: false, + cflags: [ "-DPROFILE_ENABLE", "-DMD5_DISABLE", @@ -10,12 +9,10 @@ cc_test { "-Wall", "-Werror", ], + local_include_dirs: [ + "decoder/", + ], srcs: ["decoder/main.c"], static_libs: ["libmpeg2dec"], shared_libs: ["liblog"], - target: { - darwin: { - enabled: false, - }, - }, } |