......@@ -5,10 +5,11 @@ endif()
add_library(aec_fuzz STATIC ${libaec_SRCS})
add_executable(fuzz_target fuzz_target.cc)
set(FUZZ_TARGET_LINK_FLAGS "-fsanitize=address")
set(FUZZ_TARGET_LINK_FLAGS "-fsanitize=address,undefined")
set(FUZZ_TARGET_COMPILE_FLAGS
"-g"
"-fsanitize=address"
"-fsanitize=address,undefined"
"-fno-sanitize-recover=undefined"
"-fsanitize-coverage=trace-pc-guard,indirect-calls,edge")
set_target_properties(fuzz_target aec_fuzz PROPERTIES
LINK_FLAGS ${FUZZ_TARGET_LINK_FLAGS}
......
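Review bot: The new `-fno-sanitize-recover=undefined` entry in FUZZ_TARGET_COMPILE_FLAGS has no comment saying why it is there, and its purpose is not obvious from the flag list alone. By default UBSan prints a report and keeps running, so without this flag the fuzzer would not record the input as a crash. A line such as `# Abort on the first UBSan report so the fuzzer saves the offending input` above the `set()` would keep the flag from being dropped later. The plain `undefined` group does not check unsigned overflow, which looks intended because the library changes in this page rely on unsigned wraparound; that is worth saying in the same comment. The set_target_properties call continues past the visible lines, so how the compile-flag list is applied cannot be checked here.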
......@@ -12,6 +12,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
strm.bits_per_sample = (Data[0] & 0x1f) | 1;
strm.block_size = 8 << (Data[1] & 3);
strm.rsi = 2;
strm.flags = AEC_DATA_PREPROCESS;
if (Data[1] & 0x80)
strm.flags |= AEC_DATA_MSB;
......@@ -21,14 +22,21 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
strm.bits_per_sample > 16 &&
Data[1] & 0x10)
strm.flags |= AEC_DATA_3BYTE;
// Decode data
strm.next_in = (unsigned char *)(Data + 2);
strm.avail_in = Size - 2;
strm.next_out = dest;
strm.avail_out = (Size - 2) * 4;
aec_buffer_encode(&strm);
// Encode data
strm.next_in = (unsigned char *)(Data + 2);
strm.avail_in = Size - 2;
strm.next_out = dest;
strm.avail_out = (Size - 2) * 4;
if (Data[1] & 0x20)
aec_buffer_encode(&strm);
else
aec_buffer_decode(&strm);
aec_buffer_decode(&strm);
free(dest);
return 0;
}
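Review bot: The two comments in the rewritten tail of LLVMFuzzerTestOneInput do not match the calls under them as this page renders it. `// Decode data` sits above `aec_buffer_encode(&strm);`, and `// Encode data` sits above a branch that picks encode or decode from `Data[1] & 0x20`. The rendering has lost the +/- markers, so this needs confirming against the real diff. If both blocks are on the new side, the labels should read something like `// Always run the encoder on the input` and `// Then encode or decode, selected by bit 5 of Data[1]`. Both passes set `strm.avail_out = (Size - 2) * 4` for `dest`, whose allocation is above the hunk; that size has to stay in step with the allocation, or the harness itself becomes a source of sanitizer reports.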
......@@ -68,7 +68,7 @@
static void flush_##KIND(struct aec_stream *strm) \
{ \
uint32_t *flush_end, *bp, half_d; \
int32_t data, m; \
uint32_t xmax, d, data, m; \
struct internal_state *state = strm->state; \
\
flush_end = state->rsip; \
......@@ -87,11 +87,11 @@
} \
\
data = state->last_out; \
xmax = state->xmax; \
\
if (state->xmin == 0) { \
uint32_t xmax, med, d; \
uint32_t med; \
med = state->xmax / 2 + 1; \
xmax = state->xmax; \
\
for (bp = state->flush_start; bp < flush_end; bp++) { \
uint32_t mask; \
......@@ -101,36 +101,33 @@
mask = (data & med)?xmax:0; \
\
/*in this case: xmax - data == xmax ^ data */ \
if (half_d <= (mask ^ (uint32_t)data)) { \
if (half_d <= (mask ^ data)) { \
data += (d >> 1)^(~((d & 1) - 1)); \
} else { \
data = mask ^ d; \
} \
put_##KIND(strm, (uint32_t)data); \
put_##KIND(strm, data); \
} \
state->last_out = data; \
} else { \
int32_t xmax, d; \
xmax = state->xmax; \
\
for (bp = state->flush_start; bp < flush_end; bp++) { \
d = *bp; \
half_d = ((uint32_t)d >> 1) + (d & 1); \
half_d = (d >> 1) + (d & 1); \
\
if (data < 0) { \
if (half_d <= xmax + (uint32_t)data + 1) { \
data += ((uint32_t)d >> 1)^(~((d & 1) - 1)); \
if ((int32_t)data < 0) { \
if (half_d <= xmax + data + 1) { \
data += (d >> 1)^(~((d & 1) - 1)); \
} else { \
data = d - xmax - 1; \
} \
} else { \
if (half_d <= xmax - (uint32_t)data) { \
data += ((uint32_t)d >> 1)^(~((d & 1) - 1)); \
if (half_d <= xmax - data) { \
data += (d >> 1)^(~((d & 1) - 1)); \
} else { \
data = xmax - d; \
} \
} \
put_##KIND(strm, (uint32_t)data); \
put_##KIND(strm, data); \
} \
state->last_out = data; \
} \
......
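Review bot: `data` in flush_##KIND is now a `uint32_t` that carries a signed sample, and nothing in the macro says so; the only remaining hint is the `(int32_t)data < 0` test in the signed branch. `xmax + data + 1`, `d - xmax - 1` and `xmax - data` all depend on arithmetic modulo 2^32, which is well defined in C but easy to break if a later edit widens a type or reintroduces a signed temporary. A comment at the declaration, e.g. `/* data carries a two's-complement sample; the arithmetic below wraps mod 2^32 on purpose */`, would record that. The same applies to `x`, `xmax` and `xmin` in preprocess_signed in the next file section. `m` also becomes unsigned here, but its uses are in the collapsed part of the macro and cannot be checked from this view.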
......@@ -272,29 +272,30 @@ static void preprocess_signed(struct aec_stream *strm)
uint32_t D;
struct internal_state *state = strm->state;
int32_t *restrict x = (int32_t *)state->data_raw;
uint32_t *restrict x = state->data_raw;
uint32_t *restrict d = state->data_pp;
int32_t xmax = (int32_t)state->xmax;
int32_t xmin = (int32_t)state->xmin;
uint32_t xmax = state->xmax;
uint32_t xmin = state->xmin;
uint32_t rsi = strm->rsi * strm->block_size - 1;
uint32_t m = UINT64_C(1) << (strm->bits_per_sample - 1);
uint32_t m = UINT32_C(1) << (strm->bits_per_sample - 1);
state->ref = 1;
state->ref_sample = x[0];
d[0] = 0;
/* Sign extension */
x[0] = (x[0] ^ m) - m;
for (size_t i = 0; i < rsi; i++) {
x[i + 1] = (x[i + 1] ^ m) - m;
if (x[i + 1] < x[i]) {
D = (uint32_t)(x[i] - x[i + 1]);
if (D <= (uint32_t)(xmax - x[i]))
if ((int32_t)x[i + 1] < (int32_t)x[i]) {
D = x[i] - x[i + 1];
if (D <= xmax - x[i])
d[i + 1] = 2 * D - 1;
else
d[i + 1] = xmax - x[i + 1];
} else {
D = (uint32_t)(x[i + 1] - x[i]);
if (D <= (uint32_t)(x[i] - xmin))
D = x[i + 1] - x[i];
if (D <= x[i] - xmin)
d[i + 1] = 2 * D;
else
d[i + 1] = x[i + 1] - xmin;
......
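Review bot: `uint32_t m = UINT32_C(1) << (strm->bits_per_sample - 1);` is only defined when bits_per_sample is between 1 and 32. The constant is now 32 bits wide, so a shift count of 32 or more is undefined behaviour, as is the count that results from bits_per_sample being 0. The range check presumably happens where the stream is initialised, which is outside this hunk. A short comment here, such as `/* bits_per_sample was range-checked to 1..32 at init, so the shift count is 0..31 */`, would make that dependency visible. The body of preprocess_signed continues past the visible lines.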