From 242a9e0ffe94c0105515565cabfb3369695b2dbf Mon Sep 17 00:00:00 2001
From: Danil Chapovalov <danilchap@webrtc.org>
Date: Fri, 29 Nov 2019 10:08:33 +0100
Subject: [PATCH] Fuzz RtpPacketizerAv1

Bug: webrtc:11042
Change-Id: Id44699395f6dee9cb3bde84c936573b65ad0d848
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/161009
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30007}
---
 test/fuzzers/BUILD.gn                     | 12 ++++
 test/fuzzers/rtp_packetizer_av1_fuzzer.cc | 70 +++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 test/fuzzers/rtp_packetizer_av1_fuzzer.cc

diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 068254d17d..b95773d533 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -240,6 +240,18 @@ webrtc_fuzzer_test("rtp_packet_fuzzer") {
   seed_corpus = "corpora/rtp-corpus"
 }
 
+webrtc_fuzzer_test("rtp_packetizer_av1_fuzzer") {
+  sources = [
+    "rtp_packetizer_av1_fuzzer.cc",
+  ]
+  deps = [
+    "../../api/video:video_frame_type",
+    "../../modules/rtp_rtcp:rtp_rtcp",
+    "../../modules/rtp_rtcp:rtp_rtcp_format",
+    "../../rtc_base:checks",
+  ]
+}
+
 webrtc_fuzzer_test("rtp_header_fuzzer") {
   sources = [
     "rtp_header_fuzzer.cc",
diff --git a/test/fuzzers/rtp_packetizer_av1_fuzzer.cc b/test/fuzzers/rtp_packetizer_av1_fuzzer.cc
new file mode 100644
index 0000000000..5277c10f4b
--- /dev/null
+++ b/test/fuzzers/rtp_packetizer_av1_fuzzer.cc
@@ -0,0 +1,70 @@
+/*
+ *  Copyright (c) 2019 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include <stddef.h>
+#include <stdint.h>
+
+#include "api/video/video_frame_type.h"
+#include "modules/rtp_rtcp/source/rtp_format.h"
+#include "modules/rtp_rtcp/source/rtp_packet_to_send.h"
+#include "modules/rtp_rtcp/source/rtp_packetizer_av1.h"
+#include "rtc_base/checks.h"
+#include "test/fuzzers/fuzz_data_helper.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  test::FuzzDataHelper fuzz_input(rtc::MakeArrayView(data, size));
+
+  RtpPacketizer::PayloadSizeLimits limits;
+  limits.max_payload_len = 1200;
+  // Read uint8_t to be sure reduction_lens are much smaller than
+  // max_payload_len and thus limits structure is valid.
+  limits.first_packet_reduction_len = fuzz_input.ReadOrDefaultValue<uint8_t>(0);
+  limits.last_packet_reduction_len = fuzz_input.ReadOrDefaultValue<uint8_t>(0);
+  limits.single_packet_reduction_len =
+      fuzz_input.ReadOrDefaultValue<uint8_t>(0);
+  const VideoFrameType kFrameTypes[] = {VideoFrameType::kVideoFrameKey,
+                                        VideoFrameType::kVideoFrameDelta};
+  VideoFrameType frame_type = fuzz_input.SelectOneOf(kFrameTypes);
+
+  // Main function under test: RtpPacketizerAv1's constructor.
+  RtpPacketizerAv1 packetizer(fuzz_input.ReadByteArray(fuzz_input.BytesLeft()),
+                              limits, frame_type);
+
+  size_t num_packets = packetizer.NumPackets();
+  if (num_packets == 0) {
+    return;
+  }
+  // When packetization was successful, validate NextPacket function too.
+  // While at it, check that packets respect the payload size limits.
+  RtpPacketToSend rtp_packet(nullptr);
+  // Single packet.
+  if (num_packets == 1) {
+    RTC_CHECK(packetizer.NextPacket(&rtp_packet));
+    RTC_CHECK_LE(rtp_packet.payload_size(),
+                 limits.max_payload_len - limits.single_packet_reduction_len);
+    return;
+  }
+  // First packet.
+  RTC_CHECK(packetizer.NextPacket(&rtp_packet));
+  RTC_CHECK_LE(rtp_packet.payload_size(),
+               limits.max_payload_len - limits.first_packet_reduction_len);
+  // Middle packets.
+  for (size_t i = 1; i < num_packets - 1; ++i) {
+    RTC_CHECK(packetizer.NextPacket(&rtp_packet))
+        << "Failed to get packet#" << i;
+    RTC_CHECK_LE(rtp_packet.payload_size(), limits.max_payload_len)
+        << "Packet #" << i << " exceeds it's limit";
+  }
+  // Last packet.
+  RTC_CHECK(packetizer.NextPacket(&rtp_packet));
+  RTC_CHECK_LE(rtp_packet.payload_size(),
+               limits.max_payload_len - limits.last_packet_reduction_len);
+}
+}  // namespace webrtc