Commit Graph

31 Commits

Author SHA1 Message Date
Kacper Michajłow 938938a985 fuzzer_options_parser: add options parser fuzzing
To improve coverage of parse_commandline.c
2024-08-27 01:31:40 +02:00
Kacper Michajłow 25f441b740 fuzzer_set_property: ensure idle is enabled
It is used in play loop to check if playback ended cleanly. Don't allow
set_property to disable idle.
2024-08-04 21:33:36 +02:00
Kacper Michajłow ed77616f29 fuzzer: stop player after 5 seconds of playback
Timeouts can happen with various conditions, big, slow to decode files
is one of them. Most of the time those timeouts are not really important
to "fix". While they may show some issues like we currently have with
audio EOF #14427 for ao-null-untimed. Most of the reports are completely
not important and we should focus on other topics.

Ignore the timeouts during file playback, note that this will still
report any timeouts that happen in other conditions.

5 seconds of playback should cover most of interesting mpv code, even
for strange samples.

This will likely be reverted at some point in the future, but let first
stabilize the OSS-Fuzz, without dozens of bogus timeouts.
2024-07-17 22:17:52 +02:00
Kacper Michajłow 3cc42083aa fuzzer_set_property: reset sstep to 0 to avoid seeking loop
It would seek and keep player open. Not interesting to change this
behaviour, so just skip it for fuzzers.
2024-07-16 22:59:23 +02:00
Kacper Michajłow 09b25771e8 fuzzer_set_property: set duration to 0.1s
It looks like it is faster than 0.01s.
2024-07-11 21:55:21 +02:00
Kacper Michajłow 4574644b7a fuzzers: wait for file start event before idle
Sometimes we exited too soon, not waiting for full transition to idle
state.
2024-06-27 02:57:22 +02:00
Kacper Michajłow 5995f13b5f fuzzer_set_property: fix setting audio-files list
`:` were not escaped correctly. Also while at it clear other external
file lists, as we don't want to load any. Subtitle fuzzer will be added
in the future.

It is surprisingly hard to clear the list with C API. That needs whole
mpv_node_list with 0 elements, to make it clear it.
2024-06-26 01:28:55 +02:00
Kacper Michajłow 7eec246d56 fuzzer_load: seal the input fd after writing the data
Nothing should ever modify this data. Also, add CLOEXEC for good
measure.
2024-06-25 02:17:40 +02:00
Kacper Michajłow 22ca65a59d fuzzer_set_property: destroy mpv also on error
Shouldn't matter much and in fact even LSAN doesn't complain, but we
should clean it correctly.

Fixes: 1225bcbd41
2024-06-24 17:36:53 +02:00
Kacper Michajłow 8a5989628c meson: add fuzzers alias for all fuzzer targets
Makes it easier to build only fuzzer binaries and avoid building
unnecessary targets from subprojects.
2024-06-24 17:36:53 +02:00
Kacper Michajłow 1225bcbd41 fuzzer_set_property: don't run mpv if set property failed
We can avoid testing this cases, hopefully there are no side-effects
when set property fails.
2024-06-24 03:05:09 +02:00
Kacper Michajłow a5f2816278 fuzzer_load_{config_file,input_conf}: take into account file size limit
We are strict about load command errors, so we have to clamp the size.
2024-06-24 03:05:09 +02:00
Kacper Michajłow 799137a87c fuzzers: disallow include command in more principal way
We should never allow include command for fuzzers and it can be
triggered also by direct set property.
2024-06-24 03:05:09 +02:00
Kacper Michajłow c3de4f04db fuzzer_load: disallow include option in config files
It produces undeterministic results, especially if it do
`include=fd://N` which starts loading external data.
2024-06-23 02:33:04 +02:00
Kacper Michajłow 8e7d442f08 fuzzers: enable edl, file and lavf protocols
To close already fixes issues on OSS-Fuzz.

Hopefully there is enough space for those. There is no way of checking
that, except that it stops working.
2024-06-18 03:11:14 +02:00
Kacper Michajłow ee2be6dc82 fuzzer_set_property: force untimed and pause state
We don't want to accidentally set those options and timeout in pause
state.

Remove video-osd as there is no reason to set it in fact.
2024-06-18 03:11:14 +02:00
Kacper Michajłow 71d3f4157b fuzzers: disable some targets as we hit out of space errors
To test if this resolves issues with oss-fuzz.
2024-06-16 05:42:34 +02:00
Kacper Michajłow 9b935c9076 fuzzers/meson: set link language to cpp 2024-06-16 01:21:16 +02:00
Kacper Michajłow fc0d0f10eb fuzzers/common: add prototype for LLVMFuzzerTestOneInput
To suppress warning.
2024-06-05 19:07:58 +02:00
Kacper Michajłow f652f38147 Revert "fuzzers/load: clear old temp files if they exist"
It is not a problem, so revert.

This reverts commit 06ec0319db.
2024-05-24 16:55:04 +02:00
Kacper Michajłow 06ec0319db fuzzers/load: clear old temp files if they exist
They were previously left over, and now that it looks like runners are
stuck, the big question is: is /tmp persistent?

This commit will be reverted after the next rebuild.
2024-05-22 02:09:47 +02:00
Kacper Michajłow e56054bc40 fuzzers: always return 0
While LibFuzzer supports rejecting unwanted inputs, it looks like
Honggfuzz treats anything other than 0 as fatal error.

https://llvm.org/docs/LibFuzzer.html#rejecting-unwanted-inputs
348a472139/libhfuzz/persistent.c (L67)
This LOG_F calls exit(EXIT_FAILURE)
2024-05-21 06:28:18 +02:00
Kacper Michajłow 7a93a584fc fuzzer: add dedicated fuzzers for each demuxer
This will help drill deeper into specific code.
2024-05-15 20:09:54 +02:00
Kacper Michajłow 6ede789092 fuzzer_load: use memfd_create instead of real file
Should be slightly faster. Also fixes leaking temporary file on errors.
2024-05-15 20:09:54 +02:00
Kacper Michajłow 3c26389312 fuzzer_load: merge file and config load into one file
Removes code duplication. Add missing unlink while at it.
2024-05-15 20:09:54 +02:00
Kacper Michajłow fd1c13f9b3 fuzzers: don't build binaries for disabled protocols
While there is a merit to test if disabled protocols doesn't crash or
something, such test can be made as simple unit tests, no fuzzing needed.
2024-05-15 20:09:54 +02:00
Kacper Michajłow c1d5f0e9c8 fuzzers: set network-timeout to 1 second
We don't expect any data to actually access, so timeout as soon as
possible.
2024-05-10 04:15:10 +02:00
Kacper Michajłow bf6d49cbd4 fuzzer_loadfile_direct: exclude paths also for file://
Loading external files makes little sense. Might disable this completely
later, but let see how it works, The idea is the same as for direct
load. Exclude paths starting with `file://.` and `file:///`. But still
fuzz any processing that other input might have. It shouldn't be a huge
problem if we do `file://mpv` for example. Not great, but also not
terrible.
2024-05-09 02:01:24 +02:00
Kacper Michajłow 49cb039b8c fuzzer_set_property: fix for other types than string
I tested with string version, oops.
2024-05-08 18:52:40 +02:00
Kacper Michajłow e1d1eb7ace fuzzers: add fuzzer for config parsers 2024-05-08 18:52:40 +02:00
Kacper Michajłow 47dbc3a74e fuzzers: add new fuzzer targets
fuzzer_set_property.c:

fuzz mpv_set_property in both initialized and non-initialized state.
Useful for user provided values sanitization test. I've already seen
some memory leaks in parsing code, good to drill it.

fuzzer_loadfile.c:

mpv_command "loadfile" test. Good for testing demuxers, decoding and
playback loop. Sadly in headless mode we can't really test AO and VO,
but at least all the code around can be fuzzed. Especially our custom
demuxers like demux_mkv.

fuzzer_loadfile_direct.c:

Similar to loadfile above, but instead of saving the data to file, it
passes the fuzz input in the command. Generated protocol specific
versions (mf:// and memory:// for now) and generic one.

Nothing really complex, but good start and even those few targets should
give good coverage of the most common code paths in libmpv.
2024-04-27 02:47:47 +02:00