From 1295b0def0060458c312c95b6d6182067cc49e23 Mon Sep 17 00:00:00 2001
From: Benjamin Wright <benwright@webrtc.org>
Date: Wed, 13 Mar 2019 15:01:22 -0700
Subject: [PATCH] Add basic fuzzing for rtp_header_parser.h/cc.

rtp_header_parser currently has 0% fuzzing coverage. To improve this I have
added a basic fuzzer which fuzzes all of the available paths.

Bug: webrtc:10395
Change-Id: I30324b2bfa7629b0110527258b33b7e048e89fcf
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/127040
Reviewed-by: Qingsi Wang <qingsi@webrtc.org>
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#27115}
---
 test/fuzzers/BUILD.gn                    |  8 +++++
 test/fuzzers/rtp_header_parser_fuzzer.cc | 46 ++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 test/fuzzers/rtp_header_parser_fuzzer.cc

diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 13a7a2017c..7418822030 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -611,3 +611,11 @@ webrtc_fuzzer_test("sctp_utils_fuzzer") {
   ]
 }
 
+webrtc_fuzzer_test("rtp_header_parser_fuzzer") {
+  sources = [
+    "rtp_header_parser_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp",
+  ]
+}
diff --git a/test/fuzzers/rtp_header_parser_fuzzer.cc b/test/fuzzers/rtp_header_parser_fuzzer.cc
new file mode 100644
index 0000000000..c28dcffcb5
--- /dev/null
+++ b/test/fuzzers/rtp_header_parser_fuzzer.cc
@@ -0,0 +1,46 @@
+/*
+ *  Copyright (c) 2019 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <algorithm>
+#include <memory>
+#include <string>
+
+#include "modules/rtp_rtcp/include/rtp_header_parser.h"
+
+namespace webrtc {
+
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  RtpHeaderParser::IsRtcp(data, size);
+  RtpHeaderParser::GetSsrc(data, size);
+  RTPHeader rtp_header;
+
+  std::unique_ptr<RtpHeaderParser> rtp_header_parser(RtpHeaderParser::Create());
+
+  rtp_header_parser->Parse(data, size, &rtp_header);
+  for (int i = 1; i < kRtpExtensionNumberOfExtensions; ++i) {
+    if (size > 0 && i >= data[size - 1]) {
+      RTPExtensionType add_extension = static_cast<RTPExtensionType>(i);
+      rtp_header_parser->RegisterRtpHeaderExtension(add_extension, i);
+    }
+  }
+  rtp_header_parser->Parse(data, size, &rtp_header);
+
+  for (int i = 1; i < kRtpExtensionNumberOfExtensions; ++i) {
+    if (size > 1 && i >= data[size - 2]) {
+      RTPExtensionType remove_extension = static_cast<RTPExtensionType>(i);
+      rtp_header_parser->DeregisterRtpHeaderExtension(remove_extension);
+    }
+  }
+  rtp_header_parser->Parse(data, size, &rtp_header);
+}
+
+}  // namespace webrtc