Audio/Video · C
How to fuzz libav
Media codec library — long-standing FFmpeg fork, still in many distros
libav inherits FFmpeg's vast container and codec surface and is still bundled in legacy Debian/Ubuntu releases and embedded distros. Container demuxers and codec decoders are a top-yield fuzz target.
Common bug classes
- Heap overflows in container demuxers (MOV, MKV, MPEGTS)
- Out-of-bounds reads in codec-specific bitstream parsers
- Integer overflow in width * height * bpp arithmetic
- Double-free in error-path cleanup
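The width * height * bpp class above, as an added illustration (not libav's own code): the wrapping 32-bit computation that under-allocates a frame buffer, next to a checked form that detects overflow before any allocation. The 16384 dimension cap is an assumption chosen for this example.

```cpp
#include <cstdint>
#include <cstddef>
#include <climits>

// Bug pattern: frame size computed in 32-bit arithmetic from header-controlled
// dimensions. The product wraps modulo 2^32, a tiny buffer gets allocated, and
// the decoder later writes a full frame into it (heap overflow).
// Illustrative reconstruction, not code from libav.
static uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;  // wraps: 65536 * 65536 * 4 == 0
}

// Hardened form: reject implausible dimensions, multiply in size_t with
// overflow detection, and keep the result within the int range libav APIs take.
// Returns true and stores the byte count in *out only when every step is sound.
static bool frame_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    const uint32_t kMaxDim = 16384;  // assumed plausibility cap for this example
    if (width == 0 || height == 0 || bpp == 0) return false;
    if (width > kMaxDim || height > kMaxDim) return false;
    size_t pixels = 0, bytes = 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels)) return false;
    if (__builtin_mul_overflow(pixels, (size_t)bpp, &bytes)) return false;
    if (bytes > (size_t)INT_MAX) return false;  // av_malloc() and friends take int sizes
    *out = bytes;
    return true;
}
```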
Recommended setup
Fuzzers
- AFL++
- libFuzzer
- Honggfuzz
Sanitizers
- ASan
- UBSan
- MSan
Harness scaffold
    #include <libavformat/avformat.h>
    #include <libavformat/avio.h>
    #include <libavutil/mem.h>
    #include <stddef.h>
    #include <stdint.h>
    #include <string.h>
    // Cursor over the fuzzer input; avio pulls bytes through the callbacks below.
    // A buffer handed to avio_alloc_context() without a read callback is treated as
    // empty on the read side, so the demuxer would see EOF and parse nothing.
    struct Input { const uint8_t *data; size_t size; size_t pos; };

    static int read_cb(void *opaque, uint8_t *buf, int buf_size) {
        Input *in = (Input *)opaque;
        size_t n = in->size - in->pos;
        if (n == 0) return AVERROR_EOF;
        if (n > (size_t)buf_size) n = (size_t)buf_size;
        memcpy(buf, in->data + in->pos, n);
        in->pos += n;
        return (int)n;
    }

    // Seek support lets demuxers that need it (e.g. MOV with a trailing moov) open.
    static int64_t seek_cb(void *opaque, int64_t offset, int whence) {
        Input *in = (Input *)opaque;
        if (whence == AVSEEK_SIZE) return (int64_t)in->size;
        if (whence == SEEK_CUR) offset += (int64_t)in->pos;
        else if (whence == SEEK_END) offset += (int64_t)in->size;
        if (offset < 0 || (size_t)offset > in->size) return AVERROR(EINVAL);
        in->pos = (size_t)offset;
        return offset;
    }

    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        // libav never dropped av_register_all(); without it no demuxer is registered.
        static int once = (av_register_all(), 0); (void)once;
        uint8_t *iobuf = (uint8_t *)av_malloc(4096);  // avio's working buffer
        if (!iobuf) return 0;
        Input in = { data, size, 0 };
        AVIOContext *avio = avio_alloc_context(iobuf, 4096, 0, &in, read_cb, nullptr, seek_cb);
        if (!avio) { av_free(iobuf); return 0; }
        AVFormatContext *fmt = avformat_alloc_context();
        if (!fmt) { av_freep(&avio->buffer); avio_context_free(&avio); return 0; }
        fmt->pb = avio;  // custom I/O: close_input leaves pb alone, we free it below
        if (avformat_open_input(&fmt, nullptr, nullptr, nullptr) == 0) {
            avformat_find_stream_info(fmt, nullptr);
            avformat_close_input(&fmt);
        }  // on failure avformat_open_input() has already freed fmt and set it to NULL
        av_freep(&avio->buffer);  // avio may have reallocated its buffer internally
        avio_context_free(&avio);  // releases without avio_context_free(): av_free(avio)
        return 0;
    }

Save this as fuzz_target.cc, compile it with the same sanitizer flags used for your libav build, and you have a working starting point.