| /* |
| * Copyright (C) 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #include <iostream> |
| #include <fstream> |
| #include "ihevc_typedefs.h" |
| #include "ihevcd_cxa.h" |
| #include "ihevc_defs.h" |
| #include "ihevcd_defs.h" |
| #include "ihevcd_function_selector.h" |
| #include "ihevc_structs.h" |
| #include "ihevc_cabac_tables.h" |
| #include "ihevcd_structs.h" |
| #include "../includes/common.h" |
| |
| #define NUM_CORES 3 |
| #define COLOR_FORMAT IV_YUV_420SP_UV |
| #define DEFAULT_WIDTH 1920 |
| #define DEFAULT_HEIGHT 1088 |
| #define NUM_OUTPUT_BUFFERS 2 |
| #define MEM_ALIGNMENT 16 |
| #define MAX_WIDTH 10240 |
| #define MAX_HEIGHT 10240 |
| #define SKIP_BYTES 4 |
| #define INITIAL_VAL (0xBE) |
| #define INITIAL_VAL_32 (0xBEBEBEBE) |
| |
| void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size) { |
| void *buf = nullptr; |
| (void) ctxt; |
| if (0 != posix_memalign(&buf, alignment, size)) { |
| return nullptr; |
| } |
| return buf; |
| } |
| |
| void iv_aligned_free(void *ctxt, void *buf) { |
| (void) ctxt; |
| free(buf); |
| } |
| |
| class Codec { |
| public: |
| Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores); |
| ~Codec(); |
| |
| IV_API_CALL_STATUS_T createCodec(); |
| void deleteCodec(); |
| void resetCodec(); |
| void setCores(); |
| void allocFrame(); |
| void freeFrame(); |
| void decodeHeader(const uint8_t *data, size_t size); |
| void decodeFrame(const uint8_t *data, size_t size, |
| size_t *bytesConsumed, bool *isVulnerable); |
| void setParams(IVD_VIDEO_DECODE_MODE_T mode); |
| |
| private: |
| IV_COLOR_FORMAT_T mColorFormat; |
| size_t mNumCores; |
| iv_obj_t *mCodec; |
| ivd_out_bufdesc_t mOutBufHandle; |
| uint32_t mWidth; |
| uint32_t mHeight; |
| }; |
| |
| Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) { |
| mColorFormat = colorFormat; |
| mNumCores = numCores; |
| mCodec = nullptr; |
| mWidth = 0; |
| mHeight = 0; |
| |
| memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); |
| } |
| |
| Codec::~Codec() { |
| } |
| |
| IV_API_CALL_STATUS_T Codec::createCodec() { |
| IV_API_CALL_STATUS_T ret; |
| ihevcd_cxa_create_ip_t create_ip; |
| ihevcd_cxa_create_op_t create_op; |
| void *fxns = (void *) &ihevcd_cxa_api_function; |
| |
| create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE; |
| create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0; |
| create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat; |
| create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc; |
| create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free; |
| create_ip.s_ivd_create_ip_t.pv_mem_ctxt = nullptr; |
| create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t); |
| create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t); |
| |
| ret = ihevcd_cxa_api_function(nullptr, (void *)&create_ip, |
| (void *)&create_op); |
| if (ret != IV_SUCCESS) { |
| return ret; |
| } |
| mCodec = (iv_obj_t *) create_op.s_ivd_create_op_t.pv_handle; |
| mCodec->pv_fxns = fxns; |
| mCodec->u4_size = sizeof(iv_obj_t); |
| return ret; |
| } |
| |
| void Codec::deleteCodec() { |
| ivd_delete_ip_t delete_ip; |
| ivd_delete_op_t delete_op; |
| |
| delete_ip.e_cmd = IVD_CMD_DELETE; |
| delete_ip.u4_size = sizeof(ivd_delete_ip_t); |
| delete_op.u4_size = sizeof(ivd_delete_op_t); |
| |
| ihevcd_cxa_api_function(mCodec, (void *)&delete_ip, (void *)&delete_op); |
| } |
| |
| void Codec::resetCodec() { |
| ivd_ctl_reset_ip_t s_ctl_ip; |
| ivd_ctl_reset_op_t s_ctl_op; |
| |
| s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
| s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET; |
| s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t); |
| s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t); |
| |
| ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
| } |
| |
| void Codec::setCores() { |
| ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_ip; |
| ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_op; |
| |
| s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
| s_ctl_ip.e_sub_cmd = |
| (IVD_CONTROL_API_COMMAND_TYPE_T) IHEVCD_CXA_CMD_CTL_SET_NUM_CORES; |
| s_ctl_ip.u4_num_cores = mNumCores; |
| s_ctl_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t); |
| s_ctl_op.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_op_t); |
| |
| ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
| } |
| |
| void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) { |
| ivd_ctl_set_config_ip_t s_ctl_ip; |
| ivd_ctl_set_config_op_t s_ctl_op; |
| |
| s_ctl_ip.u4_disp_wd = 0; |
| s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE; |
| s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT; |
| s_ctl_ip.e_vid_dec_mode = mode; |
| s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
| s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS; |
| s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t); |
| s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t); |
| |
| ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
| } |
| |
| void Codec::freeFrame() { |
| for (size_t i = 0; i < mOutBufHandle.u4_num_bufs; i++) { |
| if (mOutBufHandle.pu1_bufs[i]) { |
| free(mOutBufHandle.pu1_bufs[i]); |
| mOutBufHandle.pu1_bufs[i] = nullptr; |
| } |
| } |
| } |
| |
| void Codec::allocFrame() { |
| size_t sizes[2]; |
| sizes[0] = mWidth * mHeight; |
| sizes[1] = mWidth * mHeight >> 1; |
| size_t num_bufs = NUM_OUTPUT_BUFFERS; |
| freeFrame(); |
| memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); |
| mOutBufHandle.u4_num_bufs = num_bufs; |
| for (size_t i = 0; i < num_bufs; i++) { |
| mOutBufHandle.u4_min_out_buf_size[i] = sizes[i]; |
| mOutBufHandle.pu1_bufs[i] = (UWORD8 *) iv_aligned_malloc(nullptr, |
| MEM_ALIGNMENT, |
| sizes[i]); |
| } |
| } |
| |
| void Codec::decodeHeader(const uint8_t *data, size_t size) { |
| setParams (IVD_DECODE_HEADER); |
| |
| while (size > 0) { |
| ivd_video_decode_ip_t dec_ip; |
| ivd_video_decode_op_t dec_op; |
| size_t bytes_consumed; |
| |
| memset(&dec_ip, 0, sizeof(dec_ip)); |
| memset(&dec_op, 0, sizeof(dec_op)); |
| |
| dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; |
| dec_ip.u4_ts = 0; |
| dec_ip.pv_stream_buffer = (void *) data; |
| dec_ip.u4_num_Bytes = size; |
| dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); |
| dec_op.u4_size = sizeof(ivd_video_decode_op_t); |
| |
| ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, |
| (void *)&dec_op); |
| |
| bytes_consumed = dec_op.u4_num_bytes_consumed; |
| if (!bytes_consumed) |
| bytes_consumed = SKIP_BYTES; |
| |
| bytes_consumed = std::min(size, bytes_consumed); |
| |
| data += bytes_consumed; |
| size -= bytes_consumed; |
| |
| mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH); |
| mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT); |
| |
| /* Break after successful header decode */ |
| if (mWidth && mHeight) { |
| break; |
| } |
| } |
| /* if width / height are invalid, set them to defaults */ |
| if (!mWidth) |
| mWidth = DEFAULT_WIDTH; |
| if (!mHeight) |
| mHeight = DEFAULT_HEIGHT; |
| } |
| |
| void Codec::decodeFrame(const uint8_t *data, size_t size, |
| size_t *bytesConsumed, |
| bool* isVulnerable) { |
| ivd_video_decode_ip_t dec_ip; |
| ivd_video_decode_op_t dec_op; |
| |
| memset(&dec_ip, 0, sizeof(dec_ip)); |
| memset(&dec_op, 0, sizeof(dec_op)); |
| |
| dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; |
| dec_ip.u4_ts = 0; |
| dec_ip.pv_stream_buffer = (void *) data; |
| dec_ip.u4_num_Bytes = size; |
| dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); |
| dec_ip.s_out_buffer = mOutBufHandle; |
| |
| dec_op.u4_size = sizeof(ivd_video_decode_op_t); |
| *isVulnerable = false; |
| codec_t * ps_codec = (codec_t *) mCodec->pv_codec_handle; |
| parse_ctxt_t *ps_parse = &ps_codec->s_parse; |
| buf_period_sei_params_t *ps_buf_period_sei_params; |
| ps_buf_period_sei_params = &ps_parse->s_sei_params.s_buf_period_sei_params; |
| memset((void *) ps_buf_period_sei_params, INITIAL_VAL, |
| sizeof(buf_period_sei_params_t)); |
| ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); |
| UWORD32 len = ps_buf_period_sei_params->u4_initial_cpb_removal_delay_length; |
| if (len != INITIAL_VAL_32) { |
| *isVulnerable = true; |
| } |
| /* In case of change in resolution, reset codec and feed the same data again |
| */ |
| if ((dec_op.u4_error_code & 0xFF) == IVD_RES_CHANGED) { |
| resetCodec(); |
| ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); |
| } |
| *bytesConsumed = dec_op.u4_num_bytes_consumed; |
| |
| /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds |
| * to feed next data */ |
| if (!*bytesConsumed) |
| *bytesConsumed = SKIP_BYTES; |
| |
| if (dec_op.u4_pic_wd && dec_op.u4_pic_ht |
| && (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht)) { |
| mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH); |
| mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT); |
| allocFrame(); |
| } |
| } |
| |
| int main(int argc, char **argv) { |
| if (argc != 2) { |
| return EXIT_FAILURE; |
| } |
| std::ifstream inFile(argv[1]); |
| if (!inFile) { |
| return EXIT_FAILURE; |
| } |
| inFile.seekg(0, inFile.end); |
| size_t size = inFile.tellg(); |
| if (size < 1) { |
| inFile.close(); |
| return EXIT_FAILURE; |
| } |
| inFile.seekg(0, inFile.beg); |
| uint8_t *data = new uint8_t[size]; |
| inFile.read(reinterpret_cast<char *>(data), size); |
| IV_COLOR_FORMAT_T colorFormat = COLOR_FORMAT; |
| uint32_t numCores = NUM_CORES; |
| bool isVulnerable = false; |
| |
| Codec *codec = new Codec(colorFormat, numCores); |
| IV_API_CALL_STATUS_T ret = codec->createCodec(); |
| if(ret != IV_SUCCESS){ |
| inFile.close(); |
| delete codec; |
| delete[] data; |
| return EXIT_FAILURE; |
| } |
| codec->setCores(); |
| codec->decodeHeader(data, size); |
| codec->setParams(IVD_DECODE_FRAME); |
| codec->allocFrame(); |
| |
| while (size > 0) { |
| size_t bytesConsumed; |
| codec->decodeFrame(data, size, &bytesConsumed, &isVulnerable); |
| bytesConsumed = std::min(size, bytesConsumed); |
| data += bytesConsumed; |
| size -= bytesConsumed; |
| } |
| |
| codec->freeFrame(); |
| codec->deleteCodec(); |
| inFile.close(); |
| delete codec; |
| delete[] data; |
| if (isVulnerable) { |
| return EXIT_VULNERABLE; |
| } |
| return EXIT_SUCCESS; |
| } |