Allows to specify custom fontconfig sysroot. Useful for fuzzing
environments where we might use specific config, font or the system wide
config is not available.
We wait for timeout and stop fuzzing, but if there are events spammed
this timeout never fire, so instead limit the number of events after
playback reset.
While testing larger inputs can be useful for uncovering bugs related to
processing large data or inefficiencies in memory allocation, it also
makes the fuzzing process slower and more fragile.
Beyond the obvious slowdown, there are OOM issues and even in libFuzzer.
Specifically, in fuzzer::InputCorpus::AddToCorpus, after a few hours of
fuzzing, we accumulate so many inputs that memory usage exceeds our
quota. This could be mitigated in other ways, such as dumping data early
or shortening the fuzzing run duration. However, in practice, these huge
inputs are often not very useful.
This change will also encourage the fuzzer to mutate existing data
rather than continually adding more bytes to input, because it give
higher coverage. Which in turn will produce higher quality corpus.
The 100 KiB limit could be reduced further. It's still quite large, let's
see how it performs. I believe even 10 KiB might be sufficient or less.
This issue is especially noticeable in the Matroska fuzzer, because we
add input data there, which is bigger and sets max_len high in fuzzer
itself.
In a perfect world, we wouldn't need to impose such limits, but in
reality, we face constraints in both memory and compute resources.
I'll monitor coverage and fuzzing results after this change and adjust
as needed. Unfortunately, this will discard all existing corpus entries
larger than the limit, but that's expected.
This ensures a clear separation between public and private headers. It
also makes it clear in Meson and prevents the accidental use of private
headers.
This ensures that we don't open some other fd, for example when loading
playlist. Also filters out loading any local files.
This also allows to remove custom filtering from fuzzer itself.
Timeouts can happen with various conditions, big, slow to decode files
is one of them. Most of the time those timeouts are not really important
to "fix". While they may show some issues like we currently have with
audio EOF #14427 for ao-null-untimed. Most of the reports are completely
not important and we should focus on other topics.
Ignore the timeouts during file playback, note that this will still
report any timeouts that happen in other conditions.
5 seconds of playback should cover most of interesting mpv code, even
for strange samples.
This will likely be reverted at some point in the future, but let first
stabilize the OSS-Fuzz, without dozens of bogus timeouts.
`:` were not escaped correctly. Also while at it clear other external
file lists, as we don't want to load any. Subtitle fuzzer will be added
in the future.
It is surprisingly hard to clear the list with C API. That needs whole
mpv_node_list with 0 elements, to make it clear it.
They were previously left over, and now that it looks like runners are
stuck, the big question is: is /tmp persistent?
This commit will be reverted after the next rebuild.
Loading external files makes little sense. Might disable this completely
later, but let see how it works, The idea is the same as for direct
load. Exclude paths starting with `file://.` and `file:///`. But still
fuzz any processing that other input might have. It shouldn't be a huge
problem if we do `file://mpv` for example. Not great, but also not
terrible.
fuzzer_set_property.c:
fuzz mpv_set_property in both initialized and non-initialized state.
Useful for user provided values sanitization test. I've already seen
some memory leaks in parsing code, good to drill it.
fuzzer_loadfile.c:
mpv_command "loadfile" test. Good for testing demuxers, decoding and
playback loop. Sadly in headless mode we can't really test AO and VO,
but at least all the code around can be fuzzed. Especially our custom
demuxers like demux_mkv.
fuzzer_loadfile_direct.c:
Similar to loadfile above, but instead of saving the data to file, it
passes the fuzz input in the command. Generated protocol specific
versions (mf:// and memory:// for now) and generic one.
Nothing really complex, but good start and even those few targets should
give good coverage of the most common code paths in libmpv.
