From 02c99982c8e5a88ca14cc217254f3d9b3c792646 Mon Sep 17 00:00:00 2001 From: Danil Chapovalov Date: Fri, 26 Aug 2022 10:19:38 +0200 Subject: [PATCH] Limit input size for the rtp video layers allocation fuzzer Bug: chromium:1355892 Change-Id: Ib0c48d27fb1e79212d2354e0249511aeeb53f650 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/272961 Commit-Queue: Danil Chapovalov Reviewed-by: Per Kjellander Cr-Commit-Position: refs/heads/main@{#37913} --- test/fuzzers/BUILD.gn | 4 ++++ .../fuzzers/rtp_video_layers_allocation_fuzzer.cc | 15 +++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index 42a46acc38..9896e07563 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -605,6 +605,10 @@ webrtc_fuzzer_test("rtp_video_layers_allocation_fuzzer") { "../../modules/rtp_rtcp:rtp_rtcp_format", "../../rtc_base:checks", ] + + # video_layers_allocation is an rtp header extension and thus can't be longer + # than 255 bytes on the wire. + libfuzzer_options = [ "max_len=255" ] } webrtc_fuzzer_test("rtp_frame_reference_finder_fuzzer") { diff --git a/test/fuzzers/rtp_video_layers_allocation_fuzzer.cc b/test/fuzzers/rtp_video_layers_allocation_fuzzer.cc index 8e203bc1c4..ae8b8728fb 100644 --- a/test/fuzzers/rtp_video_layers_allocation_fuzzer.cc +++ b/test/fuzzers/rtp_video_layers_allocation_fuzzer.cc @@ -10,6 +10,7 @@ #include #include +#include #include "api/array_view.h" #include "api/video/video_layers_allocation.h" 
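Review bot: The `max_len=255` option restates the limit that the fuzzer source enforces as `kMaxSize`, and nothing ties the two declarations together, so a later change to one can silently diverge from the other; add `# Keep in sync with kMaxSize in rtp_video_layers_allocation_fuzzer.cc.` next to the option. If `libfuzzer_options` is only consumed by the libFuzzer engine, as the name suggests, the in-source size check is what keeps the harness bounded under other engines and when replaying an existing corpus, which is worth stating in the same comment.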
@@ -19,6 +20,14 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + // Video layers allocation is an rtp header extension. + // Per https://datatracker.ietf.org/doc/html/rfc8285#section-4.3 + // rtp header extension uses up to one byte to store the size, i.e. + // maximum size of any rtp header extension is 255 bytes. + constexpr int kMaxSize = std::numeric_limits::max(); + if (size > kMaxSize) { + return; + } auto raw = rtc::MakeArrayView(data, size); VideoLayersAllocation allocation1; @@ -32,10 +41,8 @@ void FuzzOneInput(const uint8_t* data, size_t size) { // Check `writer` use minimal number of bytes to pack the extension by // checking it doesn't use more than reader consumed. RTC_CHECK_LE(value_size, raw.size()); - uint8_t some_memory[256]; - // An extension may not be larger than 255 bytes since the extension lenght - // field is only one byte. - RTC_CHECK_LT(value_size, 256); + uint8_t some_memory[kMaxSize]; + RTC_CHECK_LE(value_size, kMaxSize); rtc::ArrayView write_buffer(some_memory, value_size); RTC_CHECK( RtpVideoLayersAllocationExtension::Write(write_buffer, allocation1));
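Review bot: `kMaxSize` is declared `int` but is compared against `size_t size` here and, in the later hunk, against `value_size` and used as an array bound; declaring it `constexpr size_t kMaxSize = std::numeric_limits<uint8_t>::max();` avoids the signed/unsigned comparison and matches every use. The early `return` means inputs longer than 255 bytes never reach the parser, so the comment block should say that this is deliberate and that it duplicates the `max_len=255` cap in BUILD.gn, presumably so the bound also holds under engines that ignore libFuzzer options, e.g. `// Also enforced via max_len in BUILD.gn; kept here so the bound does not depend on engine options.` FuzzOneInput continues past this hunk.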
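Review bot: `RTC_CHECK_LE(value_size, kMaxSize)` is already implied by the preceding `RTC_CHECK_LE(value_size, raw.size())` together with the `size > kMaxSize` early return added earlier in FuzzOneInput, so a reader may wonder whether it guards a reachable case; keep it, since it is what bounds the write into the fixed-size `some_memory` independently of that guard, and say so: `// Implied by the size guard above; kept so the bound on some_memory stands on its own.` Shrinking `some_memory` from 256 to `kMaxSize` is consistent with that check, since `write_buffer` spans exactly `value_size <= kMaxSize` bytes. FuzzOneInput's body starts before this hunk.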