Add fuzzer for vp9 qp parser.

Return false if ReadBits fails.
Prevents GetQp from returning true with a qp of zero.

BUG=webrtc:7662

Review-Url: https://codereview.webrtc.org/2911013002
Cr-Commit-Position: refs/heads/master@{#18462}
asapersson 2017-06-06 23:41:44 -07:00 committed by Commit Bot
parent 5f200f6fc1
commit 23ec19dbb9
4 changed files with 172 additions and 140 deletions


@ -9,53 +9,77 @@
*/ */
#include "webrtc/modules/video_coding/utility/vp9_uncompressed_header_parser.h" #include "webrtc/modules/video_coding/utility/vp9_uncompressed_header_parser.h"
#include "webrtc/base/bitbuffer.h"
#include "webrtc/base/logging.h"
namespace webrtc { namespace webrtc {
#define RETURN_FALSE_IF_ERROR(x) \
if (!(x)) { \
return false; \
}
namespace vp9 { namespace vp9 {
namespace { namespace {
const size_t kVp9MaxProfile = 4;
const size_t kVp9NumRefsPerFrame = 3; const size_t kVp9NumRefsPerFrame = 3;
const size_t kVp9MaxRefLFDeltas = 4; const size_t kVp9MaxRefLFDeltas = 4;
const size_t kVp9MaxModeLFDeltas = 2; const size_t kVp9MaxModeLFDeltas = 2;
} // namespace
static uint8_t VP9ReadProfile(VP9BitReader* br) { bool Vp9ReadProfile(rtc::BitBuffer* br, uint8_t* profile) {
uint8_t profile = 0; uint32_t high_bit;
if (br->GetBit()) uint32_t low_bit;
profile |= 1; RETURN_FALSE_IF_ERROR(br->ReadBits(&low_bit, 1));
if (br->GetBit()) RETURN_FALSE_IF_ERROR(br->ReadBits(&high_bit, 1));
profile |= 2; *profile = (high_bit << 1) + low_bit;
if (profile > 2 && br->GetBit()) if (*profile > 2) {
profile += 1; uint32_t reserved_bit;
return profile; RETURN_FALSE_IF_ERROR(br->ReadBits(&reserved_bit, 1));
if (reserved_bit) {
LOG(LS_WARNING) << "Failed to get QP. Unsupported bitstream profile.";
return false;
}
}
return true;
} }
static bool VP9ReadColorConfig(VP9BitReader* br, uint8_t profile) { bool Vp9ReadSyncCode(rtc::BitBuffer* br) {
uint32_t sync_code;
RETURN_FALSE_IF_ERROR(br->ReadBits(&sync_code, 24));
if (sync_code != 0x498342) {
LOG(LS_WARNING) << "Failed to get QP. Invalid sync code.";
return false;
}
return true;
}
bool Vp9ReadColorConfig(rtc::BitBuffer* br, uint8_t profile) {
if (profile == 2 || profile == 3) { if (profile == 2 || profile == 3) {
// Bitdepth. // Bitdepth.
br->GetBit(); RETURN_FALSE_IF_ERROR(br->ConsumeBits(1));
} }
uint32_t color_space;
RETURN_FALSE_IF_ERROR(br->ReadBits(&color_space, 3));
uint8_t color_space = br->GetValue(3);
// SRGB is 7. // SRGB is 7.
if (color_space != 7) { if (color_space != 7) {
// YUV range flag. // YUV range flag.
br->GetBit(); RETURN_FALSE_IF_ERROR(br->ConsumeBits(1));
if (profile == 1 || profile == 3) { if (profile == 1 || profile == 3) {
// Subsampling x. // 1 bit: subsampling x.
br->GetBit(); // 1 bit: subsampling y.
// Subsampling y. RETURN_FALSE_IF_ERROR(br->ConsumeBits(2));
br->GetBit(); uint32_t reserved_bit;
// Reserved. RETURN_FALSE_IF_ERROR(br->ReadBits(&reserved_bit, 1));
if (br->GetBit()) { if (reserved_bit) {
LOG(LS_WARNING) << "Failed to get QP. Reserved bit set."; LOG(LS_WARNING) << "Failed to get QP. Reserved bit set.";
return false; return false;
} }
} }
} else { } else {
if (profile == 1 || profile == 3) { if (profile == 1 || profile == 3) {
// Reserved. uint32_t reserved_bit;
if (br->GetBit()) { RETURN_FALSE_IF_ERROR(br->ReadBits(&reserved_bit, 1));
if (reserved_bit) {
LOG(LS_WARNING) << "Failed to get QP. Reserved bit set."; LOG(LS_WARNING) << "Failed to get QP. Reserved bit set.";
return false; return false;
} }
@ -69,164 +93,176 @@ static bool VP9ReadColorConfig(VP9BitReader* br, uint8_t profile) {
return true; return true;
} }
static void VP9ReadFrameSize(VP9BitReader* br) { bool Vp9ReadFrameSize(rtc::BitBuffer* br) {
// Frame width. // 2 bytes: frame width.
br->GetValue(16); // 2 bytes: frame height.
// Frame height. return br->ConsumeBytes(4);
br->GetValue(16);
} }
static void VP9ReadRenderSize(VP9BitReader* br) { bool Vp9ReadRenderSize(rtc::BitBuffer* br) {
// Scaling. uint32_t bit;
if (br->GetBit()) { RETURN_FALSE_IF_ERROR(br->ReadBits(&bit, 1));
// Render width. if (bit) {
br->GetValue(16); // 2 bytes: render width.
// Render height. // 2 bytes: render height.
br->GetValue(16); RETURN_FALSE_IF_ERROR(br->ConsumeBytes(4));
} }
return true;
} }
static void VP9ReadFrameSizeFromRefs(VP9BitReader* br) { bool Vp9ReadFrameSizeFromRefs(rtc::BitBuffer* br) {
int found_ref = 0; uint32_t found_ref = 0;
for (size_t i = 0; i < kVp9NumRefsPerFrame; i++) { for (size_t i = 0; i < kVp9NumRefsPerFrame; i++) {
// Size in refs. // Size in refs.
found_ref = br->GetBit(); RETURN_FALSE_IF_ERROR(br->ReadBits(&found_ref, 1));
if (found_ref) if (found_ref)
break; break;
} }
if (!found_ref) if (!found_ref) {
VP9ReadFrameSize(br); if (!Vp9ReadFrameSize(br)) {
return false;
VP9ReadRenderSize(br); }
}
return Vp9ReadRenderSize(br);
} }
static void VP9ReadInterpolationFilter(VP9BitReader* br) { bool Vp9ReadInterpolationFilter(rtc::BitBuffer* br) {
if (br->GetBit()) uint32_t bit;
return; RETURN_FALSE_IF_ERROR(br->ReadBits(&bit, 1));
if (bit)
return true;
br->GetValue(2); return br->ConsumeBits(2);
} }
static void VP9ReadLoopfilter(VP9BitReader* br) { bool Vp9ReadLoopfilter(rtc::BitBuffer* br) {
// Filter level. // 6 bits: filter level.
br->GetValue(6); // 3 bits: sharpness level.
// Sharpness level. RETURN_FALSE_IF_ERROR(br->ConsumeBits(9));
br->GetValue(3);
uint32_t mode_ref_delta_enabled = br->GetBit(); uint32_t mode_ref_delta_enabled;
RETURN_FALSE_IF_ERROR(br->ReadBits(&mode_ref_delta_enabled, 1));
if (mode_ref_delta_enabled) { if (mode_ref_delta_enabled) {
uint32_t mode_ref_delta_update = br->GetBit(); uint32_t mode_ref_delta_update;
RETURN_FALSE_IF_ERROR(br->ReadBits(&mode_ref_delta_update, 1));
if (mode_ref_delta_update) { if (mode_ref_delta_update) {
uint32_t bit;
for (size_t i = 0; i < kVp9MaxRefLFDeltas; i++) { for (size_t i = 0; i < kVp9MaxRefLFDeltas; i++) {
if (br->GetBit()) RETURN_FALSE_IF_ERROR(br->ReadBits(&bit, 1));
br->GetSignedValue(6); if (bit) {
RETURN_FALSE_IF_ERROR(br->ConsumeBits(7));
}
} }
for (size_t i = 0; i < kVp9MaxModeLFDeltas; i++) { for (size_t i = 0; i < kVp9MaxModeLFDeltas; i++) {
if (br->GetBit()) RETURN_FALSE_IF_ERROR(br->ReadBits(&bit, 1));
br->GetSignedValue(6); if (bit) {
RETURN_FALSE_IF_ERROR(br->ConsumeBits(7));
} }
} }
} }
}
return true;
} }
} // namespace
bool GetQp(const uint8_t* buf, size_t length, int* qp) { bool GetQp(const uint8_t* buf, size_t length, int* qp) {
VP9BitReader br(buf, length); rtc::BitBuffer br(buf, length);
// Frame marker. // Frame marker.
if (br.GetValue(2) != 0x2) { uint32_t frame_marker;
RETURN_FALSE_IF_ERROR(br.ReadBits(&frame_marker, 2));
if (frame_marker != 0x2) {
LOG(LS_WARNING) << "Failed to get QP. Frame marker should be 2."; LOG(LS_WARNING) << "Failed to get QP. Frame marker should be 2.";
return false; return false;
} }
// Profile. // Profile.
uint8_t profile = VP9ReadProfile(&br); uint8_t profile;
if (profile > kVp9MaxProfile) { if (!Vp9ReadProfile(&br, &profile))
LOG(LS_WARNING) << "Failed to get QP. Unsupported bitstream profile: "
<< profile;
return false; return false;
}
// Show existing frame. // Show existing frame.
if (br.GetBit()) uint32_t show_existing_frame;
RETURN_FALSE_IF_ERROR(br.ReadBits(&show_existing_frame, 1));
if (show_existing_frame)
return false; return false;
// Frame type: KEY_FRAME(0), INTER_FRAME(1). // Frame type: KEY_FRAME(0), INTER_FRAME(1).
uint8_t frame_type = br.GetBit(); uint32_t frame_type;
// Show frame. uint32_t show_frame;
uint8_t show_frame = br.GetBit(); uint32_t error_resilient;
// Error resilient. RETURN_FALSE_IF_ERROR(br.ReadBits(&frame_type, 1));
uint8_t error_resilient = br.GetBit(); RETURN_FALSE_IF_ERROR(br.ReadBits(&show_frame, 1));
RETURN_FALSE_IF_ERROR(br.ReadBits(&error_resilient, 1));
if (!frame_type) { if (!frame_type) {
// Sync code. if (!Vp9ReadSyncCode(&br))
uint32_t sync_code = br.GetValue(24);
if (sync_code != 0x498342) {
LOG(LS_WARNING) << "Failed to get QP. Invalid sync code.";
return false; return false;
} if (!Vp9ReadColorConfig(&br, profile))
return false;
if (!VP9ReadColorConfig(&br, profile)) if (!Vp9ReadFrameSize(&br))
return false;
if (!Vp9ReadRenderSize(&br))
return false; return false;
VP9ReadFrameSize(&br);
VP9ReadRenderSize(&br);
} else { } else {
uint8_t intra_only = 0; uint32_t intra_only = 0;
if (!show_frame) if (!show_frame)
intra_only = br.GetBit(); RETURN_FALSE_IF_ERROR(br.ReadBits(&intra_only, 1));
if (!error_resilient) if (!error_resilient)
// Reset frame context. RETURN_FALSE_IF_ERROR(br.ConsumeBits(2)); // Reset frame context.
br.GetValue(2);
if (intra_only) { if (intra_only) {
// Sync code. if (!Vp9ReadSyncCode(&br))
if (br.GetValue(24) != 0x498342) {
LOG(LS_WARNING) << "Failed to get QP. Invalid sync code.";
return false; return false;
}
if (profile > 0) { if (profile > 0) {
if (!VP9ReadColorConfig(&br, profile)) if (!Vp9ReadColorConfig(&br, profile))
return false; return false;
} }
// Refresh frame flags. // Refresh frame flags.
br.GetValue(8); RETURN_FALSE_IF_ERROR(br.ConsumeBits(8));
if (!Vp9ReadFrameSize(&br))
VP9ReadFrameSize(&br); return false;
VP9ReadRenderSize(&br); if (!Vp9ReadRenderSize(&br))
return false;
} else { } else {
// Refresh frame flags. // Refresh frame flags.
br.GetValue(8); RETURN_FALSE_IF_ERROR(br.ConsumeBits(8));
for (size_t i = 0; i < kVp9NumRefsPerFrame; i++) { for (size_t i = 0; i < kVp9NumRefsPerFrame; i++) {
// Ref frame index. // 3 bits: Ref frame index.
br.GetValue(3); // 1 bit: Ref frame sign biases.
// Ref frame sign biases. RETURN_FALSE_IF_ERROR(br.ConsumeBits(4));
br.GetBit();
} }
VP9ReadFrameSizeFromRefs(&br); if (!Vp9ReadFrameSizeFromRefs(&br))
return false;
// Allow high precision mv. // Allow high precision mv.
br.GetBit(); RETURN_FALSE_IF_ERROR(br.ConsumeBits(1));
// Interpolation filter. // Interpolation filter.
VP9ReadInterpolationFilter(&br); if (!Vp9ReadInterpolationFilter(&br))
return false;
} }
} }
if (!error_resilient) { if (!error_resilient) {
// Refresh frame context. // 1 bit: Refresh frame context.
br.GetBit(); // 1 bit: Frame parallel decoding mode.
// Frame parallel decoding mode. RETURN_FALSE_IF_ERROR(br.ConsumeBits(2));
br.GetBit();
} }
// Frame context index. // Frame context index.
br.GetValue(2); RETURN_FALSE_IF_ERROR(br.ConsumeBits(2));
VP9ReadLoopfilter(&br); if (!Vp9ReadLoopfilter(&br))
return false;
// Base QP. // Base QP.
const int base_q0 = br.GetValue(8); uint8_t base_q0;
RETURN_FALSE_IF_ERROR(br.ReadUInt8(&base_q0));
*qp = base_q0; *qp = base_q0;
return true; return true;
} }
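Review bot: RETURN_FALSE_IF_ERROR expands to a bare `if (!(x)) { return false; }`, and GetQp uses it as the entire body of the unbraced `if (!show_frame)` and `if (!error_resilient)` statements. Because the expansion is not a single statement, an `else` added after either call site would fail to compile, or would attach to the macro's hidden `if` when written without the semicolon. In a parser that decides which truncated or malformed headers are rejected, that control flow should not depend on macro layout. Defining it as `do { if (!(x)) return false; } while (0)` makes every use an ordinary statement, and bracing those two call sites would make the intent explicit. The macro is defined in the first hunk of this file; GetQp is fully visible in the second.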


@ -14,42 +14,10 @@
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
#include "webrtc/base/bitbuffer.h"
#include "webrtc/base/logging.h"
namespace webrtc { namespace webrtc {
namespace vp9 { namespace vp9 {
class VP9BitReader : public ::rtc::BitBuffer {
public:
VP9BitReader(const uint8_t* buffer, size_t length_)
: BitBuffer(buffer, length_) {}
uint32_t GetBit() {
uint32_t bit = 0;
if (ReadBits(&bit, 1))
return bit;
LOG(LS_WARNING) << "Failed to get bit. Reached EOF.";
return 0;
}
uint32_t GetValue(int bits) {
uint32_t value = 0;
if (ReadBits(&value, bits))
return value;
LOG(LS_WARNING) << "Failed to get bit. Reached EOF.";
return 0;
}
int32_t GetSignedValue(int bits) {
const int32_t value = static_cast<int>(GetValue(bits));
return GetBit() ? -value : value;
}
};
// Gets the QP, QP range: [0, 255]. // Gets the QP, QP range: [0, 255].
// Returns true on success, false otherwise. // Returns true on success, false otherwise.
bool GetQp(const uint8_t* buf, size_t length, int* qp); bool GetQp(const uint8_t* buf, size_t length, int* qp);


@ -70,6 +70,16 @@ webrtc_fuzzer_test("vp8_qp_parser_fuzzer") {
] ]
} }
webrtc_fuzzer_test("vp9_qp_parser_fuzzer") {
sources = [
"vp9_qp_parser_fuzzer.cc",
]
deps = [
"../../modules/video_coding:video_coding_utility",
"../../modules/video_coding/",
]
}
webrtc_fuzzer_test("h264_bitstream_parser_fuzzer") { webrtc_fuzzer_test("h264_bitstream_parser_fuzzer") {
sources = [ sources = [
"h264_bitstream_parser_fuzzer.cc", "h264_bitstream_parser_fuzzer.cc",


@ -0,0 +1,18 @@
/*
* Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
*
* Use of this source code is governed by a BSD-style license
* that can be found in the LICENSE file in the root of the source
* tree. An additional intellectual property rights grant can be found
* in the file PATENTS. All contributing project authors may
* be found in the AUTHORS file in the root of the source tree.
*/
#include "webrtc/modules/video_coding/utility/vp9_uncompressed_header_parser.h"
namespace webrtc {
void FuzzOneInput(const uint8_t* data, size_t size) {
int qp;
vp9::GetQp(data, size, &qp);
}
} // namespace webrtc