av1_dec_fuzzer: vary thread count in range [2, 64] (#1840)

* av1_dec_fuzzer: vary thread count in range [2, 64] use at most the first 100 bytes after skipping the file header to calculate a hash used to create the thread count. + add missing includes, delete unused string.h * av1_dec_fuzzer: use the first 32 bytes as a hash This is the minimum required by this function as it's read and interpreted as the IVF file header * av1_dec_fuzzer: use 1 header byte for thread count this is less complex than using a hash and produces the same coverage, similar to: https://github.com/ImageMagick/ImageMagick/blob/master/Magick++/fuzz/rotate_fuzzer.cc#L9-L16 https://cs.chromium.org/chromium/src/base/json/json_reader_fuzzer.cc?type=cs&q=json_reader_fuzzer&sq=package:chromium&g=0&l=20
2018-10-04 08:36:32 -07:00 · 2018-10-04 08:36:32 -07:00 · 72adedc68e
parent 91f0474ec3
commit 72adedc68e
1 changed files with 8 additions and 3 deletions
--- a/projects/libaom/av1_dec_fuzzer.cc
+++ b/projects/libaom/av1_dec_fuzzer.cc
@ -1,8 +1,12 @@
 // Fuzzing of AV1 decoder.

+#include <stddef.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
+#if defined(DECODE_MODE_threaded)
+#include <algorithm>
+#endif
 #include <memory>

 #include "config/aom_config.h"
@ -33,9 +37,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

  aom_codec_ctx_t codec;
 #if defined(DECODE_MODE)
-  const int threads = 1;
+  const unsigned int threads = 1;
 #elif defined(DECODE_MODE_threaded)
-  const int threads = 16;
+  // Set thread count in the range [2, 64].
+  const unsigned int threads = std::max((header[0] & 0x3f) + 1, 2);
 #else
 #error define one of DECODE_MODE or DECODE_MODE_threaded
 #endif