From 0c720505af2f645007b6d9646ddfa56efa64f403 Mon Sep 17 00:00:00 2001 From: Mark Brand Date: Fri, 20 Oct 2017 16:23:23 +0200 Subject: [PATCH] Adding libFuzzer target for UlpFEC receiver. Bug: none Change-Id: I20e622455aee2f5aebad835e915d65f3475fbd17 Reviewed-on: https://webrtc-review.googlesource.com/14300 Commit-Queue: Mark Brand Reviewed-by: Henrik Lundin Cr-Commit-Position: refs/heads/master@{#20384} --- test/fuzzers/BUILD.gn | 11 ++++ test/fuzzers/ulpfec_receiver_fuzzer.cc | 79 ++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 test/fuzzers/ulpfec_receiver_fuzzer.cc diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index 78c7169300..8a1cb97df2 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -139,6 +139,17 @@ webrtc_fuzzer_test("ulpfec_generator_fuzzer") { ] } +webrtc_fuzzer_test("ulpfec_receiver_fuzzer") { + sources = [ + "ulpfec_receiver_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp", + "../../rtc_base:rtc_base_approved", + ] + libfuzzer_options = [ "max_len=2000" ] +} + webrtc_fuzzer_test("flexfec_receiver_fuzzer") { sources = [ "flexfec_receiver_fuzzer.cc", diff --git a/test/fuzzers/ulpfec_receiver_fuzzer.cc b/test/fuzzers/ulpfec_receiver_fuzzer.cc new file mode 100644 index 0000000000..c850fec996 --- /dev/null +++ b/test/fuzzers/ulpfec_receiver_fuzzer.cc @@ -0,0 +1,79 @@ +/* + * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include + +#include "modules/rtp_rtcp/include/ulpfec_receiver.h" +#include "modules/rtp_rtcp/include/rtp_rtcp_defines.h" +#include "modules/rtp_rtcp/source/byte_io.h" +#include "modules/rtp_rtcp/source/rtp_packet_received.h" +#include "rtc_base/basictypes.h" + +namespace webrtc { + +namespace { +class DummyCallback : public RecoveredPacketReceiver { + void OnRecoveredPacket(const uint8_t* packet, size_t length) override {} +}; +} // namespace + +void FuzzOneInput(const uint8_t* data, size_t size) { + constexpr size_t kMinDataNeeded = 12; + if (size < kMinDataNeeded) { + return; + } + + uint32_t ulpfec_ssrc = ByteReader::ReadLittleEndian(data + 0); + uint16_t ulpfec_seq_num = ByteReader::ReadLittleEndian(data + 4); + uint32_t media_ssrc = ByteReader::ReadLittleEndian(data + 6); + uint16_t media_seq_num = ByteReader::ReadLittleEndian(data + 10); + + DummyCallback callback; + std::unique_ptr receiver( + UlpfecReceiver::Create(ulpfec_ssrc, &callback)); + + std::unique_ptr packet; + size_t packet_length; + size_t i = kMinDataNeeded; + while (i < size) { + packet_length = kRtpHeaderSize + data[i++]; + packet = std::unique_ptr(new uint8_t[packet_length]); + if (i + packet_length >= size) { + break; + } + memcpy(packet.get(), data + i, packet_length); + i += packet_length; + // Overwrite the RTPHeader fields for the sequence number and SSRC with + // consistent values for either a received UlpFEC packet or received media + // packet. (We're still relying on libfuzzer to manage to generate packet + // headers that interact together; this just ensures that we have two + // consistent streams). + if (i < size && data[i++] % 2 == 0) { + // Simulate UlpFEC packet. + ByteWriter::WriteBigEndian(packet.get() + 2, ulpfec_seq_num++); + ByteWriter::WriteBigEndian(packet.get() + 8, ulpfec_ssrc); + } else { + // Simulate media packet. + ByteWriter::WriteBigEndian(packet.get() + 2, media_seq_num++); + ByteWriter::WriteBigEndian(packet.get() + 8, media_ssrc); + } + RtpPacketReceived parsed_packet; + RTPHeader parsed_header; + if (parsed_packet.Parse(packet.get(), packet_length)) { + parsed_packet.GetHeader(&parsed_header); + receiver->AddReceivedRedPacket(parsed_header, packet.get(), + packet_length, 0); + } + } + + receiver->ProcessReceivedFec(); +} + +} // namespace webrtc