h265: fix crash in DTS extractor; improve fuzz tests

bluenviron · May 18, 2024 · 9853336 · 9853336
1 parent 1e6e29b
commit 9853336
Show file tree

Hide file tree

Showing 50 changed files with 167 additions and 83 deletions.
diff --git a/pkg/codecs/h264/dts_extractor_test.go b/pkg/codecs/h264/dts_extractor_test.go
@@ -319,21 +319,42 @@ func TestDTSExtractor(t *testing.T) {
 	}
 }
 
-func FuzzDTSExtractor(f *testing.F) {
-	ex := NewDTSExtractor()
-
-	f.Fuzz(func(_ *testing.T, b []byte, p uint64) {
-		if len(b) < 1 {
+func FuzzDTSExtractorFirstAU(f *testing.F) {
+	f.Fuzz(func(_ *testing.T, a []byte, b []byte) {
+		if len(a) < 1 || len(b) < 1 {
 			return
 		}
+
+		ex := NewDTSExtractor()
+
 		ex.Extract([][]byte{ //nolint:errcheck
+			a,
+			b,
+		}, 0)
+	})
+}
+
+func FuzzDTSExtractorSecondAU(f *testing.F) {
+	f.Fuzz(func(t *testing.T, a []byte) {
+		if len(a) < 1 {
+			return
+		}
+
+		ex := NewDTSExtractor()
+
+		_, err := ex.Extract([][]byte{
 			{ // SPS
 				0x27, 0x64, 0x00, 0x20, 0xac, 0x52, 0x18, 0x0f,
 				0x01, 0x17, 0xef, 0xff, 0x00, 0x01, 0x00, 0x01,
 				0x6a, 0x02, 0x02, 0x03, 0x6d, 0x85, 0x6b, 0xde,
 				0xf8, 0x08,
 			},
-			b,
-		}, time.Duration(p))
+			{ // IDR
+				0x05,
+			},
+		}, 0)
+		require.NoError(t, err)
+
+		ex.Extract([][]byte{a}, 1*time.Second) //nolint:errcheck
 	})
 }
diff --git a/...ta/fuzz/FuzzDTSExtractor/1222d4cb572fa515ca7b8ba8dc649a0c711445e6307ee02a65b0a4322e758021 b/...ta/fuzz/FuzzDTSExtractor/1222d4cb572fa515ca7b8ba8dc649a0c711445e6307ee02a65b0a4322e758021
diff --git a/...ta/fuzz/FuzzDTSExtractor/1223ae83b4925a9f1ade3b85a3b44c94a8135edafbbd664bd8e2eca808ca5ebc b/...ta/fuzz/FuzzDTSExtractor/1223ae83b4925a9f1ade3b85a3b44c94a8135edafbbd664bd8e2eca808ca5ebc
diff --git a/...ta/fuzz/FuzzDTSExtractor/262c62a888c4d2e7f51c8ac2c37a8459445dd9279b725d7243c3341e8e5bc746 b/...ta/fuzz/FuzzDTSExtractor/262c62a888c4d2e7f51c8ac2c37a8459445dd9279b725d7243c3341e8e5bc746
diff --git a/...ta/fuzz/FuzzDTSExtractor/3b9a2adc3e27d7bc69f2eac840715796c9540b4942476167f0b4db164b52ce56 b/...ta/fuzz/FuzzDTSExtractor/3b9a2adc3e27d7bc69f2eac840715796c9540b4942476167f0b4db164b52ce56
diff --git a/...ta/fuzz/FuzzDTSExtractor/3cb3e1217d3d42a93448aba8877b465cf77c9425c65d3e2cf6f314d6cbd0050e b/...ta/fuzz/FuzzDTSExtractor/3cb3e1217d3d42a93448aba8877b465cf77c9425c65d3e2cf6f314d6cbd0050e
diff --git a/...ta/fuzz/FuzzDTSExtractor/676f114d18955cd69fb374e86badcea42b216770d5fc4629d036eb04cfef9ae7 b/...ta/fuzz/FuzzDTSExtractor/676f114d18955cd69fb374e86badcea42b216770d5fc4629d036eb04cfef9ae7
diff --git a/...ta/fuzz/FuzzDTSExtractor/b1d032bee609ec2a117b65530fb6f91bc8a0f066193f73e2d2fc35b282b88839 b/...ta/fuzz/FuzzDTSExtractor/b1d032bee609ec2a117b65530fb6f91bc8a0f066193f73e2d2fc35b282b88839
diff --git a/...ta/fuzz/FuzzDTSExtractor/be0df8dc8259c6db1f7fe9c07d133559251d8a4697da418218cbaf077650f873 b/...ta/fuzz/FuzzDTSExtractor/be0df8dc8259c6db1f7fe9c07d133559251d8a4697da418218cbaf077650f873
diff --git a/...ta/fuzz/FuzzDTSExtractor/c43c2cabc7b2a36f19a4717161402f7e12129cbe32cf765847b4377867ebc9b5 b/...ta/fuzz/FuzzDTSExtractor/c43c2cabc7b2a36f19a4717161402f7e12129cbe32cf765847b4377867ebc9b5
diff --git a/...ta/fuzz/FuzzDTSExtractor/c624d6d8804714db4b342d59c9e32f26eec2d69bb3aff1746a521786027b732c b/...ta/fuzz/FuzzDTSExtractor/c624d6d8804714db4b342d59c9e32f26eec2d69bb3aff1746a521786027b732c
diff --git a/...cff0054b22899ced04b7aa1fddf0c96c76937d0fd → .../FuzzDTSExtractorFirstAU/6bd9babbebf7eb78 b/...cff0054b22899ced04b7aa1fddf0c96c76937d0fd → .../FuzzDTSExtractorFirstAU/6bd9babbebf7eb78
@@ -1,3 +1,3 @@
 go test fuzz v1
 []byte("0")
-uint64(200)
+[]byte("0")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorFirstAU/8c94630ea61f63e3 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorFirstAU/8c94630ea61f63e3
@@ -0,0 +1,3 @@
+go test fuzz v1
+[]byte("'")
+[]byte("0")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorFirstAU/b82dcea5f8c5d6f2 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorFirstAU/b82dcea5f8c5d6f2
@@ -0,0 +1,3 @@
+go test fuzz v1
+[]byte("0")
+[]byte("'0002B\x7fB20")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/19981bffc2abbaf1 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/19981bffc2abbaf1
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/263c5fd4790f9883 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/263c5fd4790f9883
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A7")
diff --git a/...09cb55a3a35b9dd081ab4959ba7a35d04c5f91cb8 → ...FuzzDTSExtractorSecondAU/582528ddfad69eb5 b/...09cb55a3a35b9dd081ab4959ba7a35d04c5f91cb8 → ...FuzzDTSExtractorSecondAU/582528ddfad69eb5
@@ -1,3 +1,2 @@
 go test fuzz v1
 []byte("0")
-uint64(0)
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/65db35c79fa73545 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/65db35c79fa73545
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A2")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/6ef46b9e96fa4662 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/6ef46b9e96fa4662
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A0")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/80596f720e22eb8e b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/80596f720e22eb8e
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A10")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/cf0f062be803f290 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/cf0f062be803f290
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("AX00")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/d1f79e34f3e16aac b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/d1f79e34f3e16aac
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("AX\x000")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/de99d62765a6ee07 b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/de99d62765a6ee07
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A2A0")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/e9303a9fd30fc85b b/pkg/codecs/h264/testdata/fuzz/FuzzDTSExtractorSecondAU/e9303a9fd30fc85b
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("A00000000000000000000000")
diff --git a/pkg/codecs/h265/dts_extractor_test.go b/pkg/codecs/h265/dts_extractor_test.go
@@ -295,26 +295,71 @@ func TestDTSExtractor(t *testing.T) {
 	}
 }
 
-func FuzzDTSExtractor(f *testing.F) {
-	sps := []byte{
-		0x42, 0x01, 0x01, 0x01, 0x60, 0x00, 0x00, 0x03,
-		0x00, 0x90, 0x00, 0x00, 0x03, 0x00, 0x00, 0x03,
-		0x00, 0x78, 0xa0, 0x03, 0xc0, 0x80, 0x10, 0xe5,
-		0x96, 0x66, 0x69, 0x24, 0xca, 0xe0, 0x10, 0x00,
-		0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x03, 0x01,
-		0xe0, 0x80,
-	}
+func FuzzDTSExtractorFirstAU(f *testing.F) {
+	f.Fuzz(func(_ *testing.T, a []byte, b []byte, c []byte) {
+		if len(a) < 1 || len(b) < 1 || len(c) < 1 {
+			return
+		}
 
-	pps := []byte{
-		0x44, 0x01, 0xc1, 0x72, 0xb4, 0x62, 0x40,
-	}
+		ex := NewDTSExtractor()
 
-	ex := NewDTSExtractor()
+		ex.Extract([][]byte{ //nolint:errcheck
+			a,
+			b,
+			c,
+		}, 0)
+	})
+}
 
-	f.Fuzz(func(_ *testing.T, b []byte, p uint64) {
-		if len(b) < 1 {
+func FuzzDTSExtractorSecondAU(f *testing.F) {
+	f.Fuzz(func(t *testing.T, sps int, a []byte) {
+		if len(a) < 1 {
 			return
 		}
-		ex.Extract([][]byte{sps, pps, b}, time.Duration(p)) //nolint:errcheck
+
+		ex := NewDTSExtractor()
+
+		switch sps % 2 {
+		case 0:
+			_, err := ex.Extract([][]byte{
+				{ // SPS
+					0x42, 0x01, 0x01, 0x01, 0x40, 0x00, 0x00, 0x03,
+					0x00, 0x80, 0x00, 0x00, 0x03, 0x00, 0x00, 0x03,
+					0x00, 0x99, 0xa0, 0x03, 0xc0, 0x80, 0x10, 0xe5,
+					0x8d, 0xa5, 0x92, 0x42, 0x36, 0x22, 0xec, 0xb8,
+					0x80, 0x40, 0x00, 0x00, 0x03, 0x00, 0x40, 0x00,
+					0x00, 0x05, 0x0f, 0xe2, 0xc4, 0xa0,
+				},
+				{ // PPS
+					0x44, 0x01, 0xc0, 0xe0, 0x98, 0x93, 0x03, 0x05,
+					0x14, 0x90,
+				},
+				{ // IDR
+					0x26,
+				},
+			}, 0)
+			require.NoError(t, err)
+
+		default:
+			_, err := ex.Extract([][]byte{
+				{ // SPS
+					0x42, 0x01, 0x01, 0x01, 0x60, 0x00, 0x00, 0x03,
+					0x00, 0x90, 0x00, 0x00, 0x03, 0x00, 0x00, 0x03,
+					0x00, 0x78, 0xa0, 0x03, 0xc0, 0x80, 0x10, 0xe5,
+					0x96, 0x66, 0x69, 0x24, 0xca, 0xe0, 0x10, 0x00,
+					0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x03, 0x01,
+					0xe0, 0x80,
+				},
+				{ // PPS
+					0x44, 0x01, 0xc1, 0x72, 0xb4, 0x62, 0x40,
+				},
+				{ // IDR
+					0x26,
+				},
+			}, 0)
+			require.NoError(t, err)
+		}
+
+		ex.Extract([][]byte{a}, 1*time.Second) //nolint:errcheck
 	})
 }
diff --git a/pkg/codecs/h265/sps.go b/pkg/codecs/h265/sps.go
@@ -448,6 +448,10 @@ func (r *SPS_ShortTermRefPicSet) unmarshal(buf []byte, pos *int, stRpsIdx uint32
 		deltaRps := (1 - 2*s) * (int32(r.AbsDeltaRpsMinus1) + 1)
 
 		refRpsIdx := stRpsIdx - (r.DeltaIdxMinus1 + 1)
+		if refRpsIdx >= uint32(len(shortTermRefPicSets)) {
+			return fmt.Errorf("invalid refRpsIdx")
+		}
+
 		refRPS := shortTermRefPicSets[refRpsIdx]
 		numDeltaPocs := refRPS.NumNegativePics + refRPS.NumPositivePics
 		usedByCurrPicFlag := make([]bool, numDeltaPocs+1)

diff --git a/...ta/fuzz/FuzzDTSExtractor/0e888f462a3598bba3429e3c26cda412817aa65ef38cdeb3aaed76db1c0379a4 b/...ta/fuzz/FuzzDTSExtractor/0e888f462a3598bba3429e3c26cda412817aa65ef38cdeb3aaed76db1c0379a4
diff --git a/...ta/fuzz/FuzzDTSExtractor/1c4d7707525a482640e7c5090e339b08e446b5f9e4f7fff7e448ae377664edb0 b/...ta/fuzz/FuzzDTSExtractor/1c4d7707525a482640e7c5090e339b08e446b5f9e4f7fff7e448ae377664edb0
diff --git a/...ta/fuzz/FuzzDTSExtractor/3c6b851fbf8b3435e3757b3fd9ec0f57bfe84533014a058f89ed320caceb13a9 b/...ta/fuzz/FuzzDTSExtractor/3c6b851fbf8b3435e3757b3fd9ec0f57bfe84533014a058f89ed320caceb13a9
diff --git a/...ta/fuzz/FuzzDTSExtractor/6004440a439db44ebabbaee8a166e7a25bbaa5d4431a3900f509c70b756a06fb b/...ta/fuzz/FuzzDTSExtractor/6004440a439db44ebabbaee8a166e7a25bbaa5d4431a3900f509c70b756a06fb
diff --git a/...ta/fuzz/FuzzDTSExtractor/8bf21706c418e930c7b972e6fff78d2fcadf6942a62141398df17b6cbe61f0b7 b/...ta/fuzz/FuzzDTSExtractor/8bf21706c418e930c7b972e6fff78d2fcadf6942a62141398df17b6cbe61f0b7
diff --git a/...ta/fuzz/FuzzDTSExtractor/8e78b3e3511102b0b24e8f88b42b4e913a44408f4dfb4e496550c34cb92c93fc b/...ta/fuzz/FuzzDTSExtractor/8e78b3e3511102b0b24e8f88b42b4e913a44408f4dfb4e496550c34cb92c93fc
diff --git a/...ta/fuzz/FuzzDTSExtractor/b467576cf8e0115542bddaece5f2d2bce19860a7c060445225adcf3dab189bc4 b/...ta/fuzz/FuzzDTSExtractor/b467576cf8e0115542bddaece5f2d2bce19860a7c060445225adcf3dab189bc4
diff --git a/...ta/fuzz/FuzzDTSExtractor/f45d427ed4a5ea4af4846b4aeaf70d8194277f53bc68eb6255f52278d879d48c b/...ta/fuzz/FuzzDTSExtractor/f45d427ed4a5ea4af4846b4aeaf70d8194277f53bc68eb6255f52278d879d48c
diff --git a/...ta/fuzz/FuzzDTSExtractor/fd6f09d0654e93abb8d685f39f20a5ddcdb857a09391b3e18e55376b8155e3a8 b/...ta/fuzz/FuzzDTSExtractor/fd6f09d0654e93abb8d685f39f20a5ddcdb857a09391b3e18e55376b8155e3a8
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/549200b53e3350c0 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/549200b53e3350c0
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("0")
+[]byte("0")
+[]byte("E")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/5e059407f9d308eb b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/5e059407f9d308eb
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("0")
+[]byte("B")
+[]byte("0")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/6796209af8c4e71c b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/6796209af8c4e71c
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("0")
+[]byte("0")
+[]byte("B000000000000000000177\xe6018")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/6c405f23a18d6f98 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/6c405f23a18d6f98
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("\xc400000")
+[]byte("\xc4010")
+[]byte("B000000000000000000177\xe601800000")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/a5d98d692ed59bcb b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/a5d98d692ed59bcb
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("*0\xf0$00")
+[]byte("\xc4010")
+[]byte("B00000000000000B00177\xd0A0AA90000A0000000000000010A000000000Ay90700000000")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/f66c57164ae54470 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorFirstAU/f66c57164ae54470
@@ -0,0 +1,4 @@
+go test fuzz v1
+[]byte("0")
+[]byte("0")
+[]byte("0")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/0b73a79407958e1d b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/0b73a79407958e1d
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(0)
+[]byte("*0\xd707\xd7")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/0bd4ba21547c36a3 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/0bd4ba21547c36a3
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(0)
+[]byte("*0\xcc")
diff --git a/...b872ad99a77e5d04e1472db9455c4b1b5bd8b7073 → ...FuzzDTSExtractorSecondAU/344f11fb49663b9a b/...b872ad99a77e5d04e1472db9455c4b1b5bd8b7073 → ...FuzzDTSExtractorSecondAU/344f11fb49663b9a
@@ -1,3 +1,3 @@
 go test fuzz v1
+int(0)
 []byte("*")
-uint64(34)
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/351b89a3038c309b b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/351b89a3038c309b
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(-47)
+[]byte("*0\xa300")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/7ec1c4251ecee511 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/7ec1c4251ecee511
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(0)
+[]byte("*00")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/8e7b72124ad804cd b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/8e7b72124ad804cd
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(0)
+[]byte("*0\xc0")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/d5f72f1547208117 b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/d5f72f1547208117
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(10)
+[]byte("*0\xcc002")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/fb7bdc0f8e44681c b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/fb7bdc0f8e44681c
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(0)
+[]byte("*0\xcc0")
diff --git a/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/fe778c4519c88f5a b/pkg/codecs/h265/testdata/fuzz/FuzzDTSExtractorSecondAU/fe778c4519c88f5a
@@ -0,0 +1,3 @@
+go test fuzz v1
+int(-11)
+[]byte("*0\xa60")