From 262047055dcf8c7b6ec65eefe952138b4e04054b Mon Sep 17 00:00:00 2001 From: Sam Zackrisson Date: Thu, 25 Oct 2018 13:46:26 +0200 Subject: [PATCH] Update fuzzer max input length handling The docs have been updated. max_len is libfuzzer specific, new way is fuzzer agnostic. Docs: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md#improving-your-fuzz-target Bug: chromium:895082 Test: flexfec_sender_fuzzer input size still converges at <=200 after running locally for 5-10 minutes. Change-Id: I7a5ce95cb4d8b8ca461f6e502b81b599daa855f9 Reviewed-on: https://webrtc-review.googlesource.com/c/107883 Commit-Queue: Sam Zackrisson Reviewed-by: Alex Loiko Cr-Commit-Position: refs/heads/master@{#25361} --- test/fuzzers/BUILD.gn | 23 ------------------- test/fuzzers/agc_fuzzer.cc | 3 +++ test/fuzzers/audio_decoder_ilbc_fuzzer.cc | 3 +++ test/fuzzers/audio_decoder_isac_fuzzer.cc | 3 +++ ...dio_decoder_isac_incoming_packet_fuzzer.cc | 3 +++ test/fuzzers/audio_decoder_isacfix_fuzzer.cc | 3 +++ test/fuzzers/comfort_noise_decoder_fuzzer.cc | 3 +++ test/fuzzers/flexfec_receiver_fuzzer.cc | 2 +- test/fuzzers/flexfec_sender_fuzzer.cc | 3 +-- .../forward_error_correction_fuzzer.cc | 3 +++ test/fuzzers/frame_buffer2_fuzzer.cc | 3 +++ test/fuzzers/neteq_rtp_fuzzer.cc | 3 +++ test/fuzzers/neteq_signal_fuzzer.cc | 3 ++- test/fuzzers/packet_buffer_fuzzer.cc | 3 +++ .../rtp_frame_reference_finder_fuzzer.cc | 3 +++ test/fuzzers/sdp_parser_fuzzer.cc | 3 +++ test/fuzzers/ulpfec_receiver_fuzzer.cc | 2 +- 17 files changed, 41 insertions(+), 28 deletions(-) diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index dc1acc7db8..08eb3fa61e 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -125,7 +125,6 @@ webrtc_fuzzer_test("forward_error_correction_fuzzer") { "../../modules/rtp_rtcp:rtp_rtcp_format", "../../rtc_base:rtc_base_approved", ] - libfuzzer_options = [ "max_len=5000" ] } webrtc_fuzzer_test("flexfec_header_reader_fuzzer") { 
@@ -148,7 +147,6 @@ webrtc_fuzzer_test("flexfec_sender_fuzzer") { "../../modules/rtp_rtcp:rtp_rtcp_format", "../../system_wrappers", ] - libfuzzer_options = [ "max_len=200" ] } webrtc_fuzzer_test("ulpfec_header_reader_fuzzer") { @@ -186,7 +184,6 @@ webrtc_fuzzer_test("ulpfec_receiver_fuzzer") { "../../modules/rtp_rtcp:rtp_rtcp_format", "../../rtc_base:rtc_base_approved", ] - libfuzzer_options = [ "max_len=2000" ] } webrtc_fuzzer_test("flexfec_receiver_fuzzer") { @@ -198,7 +195,6 @@ webrtc_fuzzer_test("flexfec_receiver_fuzzer") { "../../modules/rtp_rtcp:rtp_rtcp_format", "../../rtc_base:rtc_base_approved", ] - libfuzzer_options = [ "max_len=2000" ] } webrtc_fuzzer_test("packet_buffer_fuzzer") { @@ -209,7 +205,6 @@ webrtc_fuzzer_test("packet_buffer_fuzzer") { "../../modules/video_coding/", "../../system_wrappers", ] - libfuzzer_options = [ "max_len=200000" ] } webrtc_fuzzer_test("rtcp_receiver_fuzzer") { @@ -283,8 +278,6 @@ webrtc_fuzzer_test("audio_decoder_ilbc_fuzzer") { ":audio_decoder_fuzzer", "../../modules/audio_coding:ilbc", ] - - libfuzzer_options = [ "max_len=10000" ] } webrtc_fuzzer_test("audio_decoder_isac_fuzzer") { @@ -295,8 +288,6 @@ webrtc_fuzzer_test("audio_decoder_isac_fuzzer") { ":audio_decoder_fuzzer", "../../modules/audio_coding:isac", ] - - libfuzzer_options = [ "max_len=20000" ] } webrtc_fuzzer_test("audio_decoder_isac_incoming_packet_fuzzer") { @@ -307,8 +298,6 @@ webrtc_fuzzer_test("audio_decoder_isac_incoming_packet_fuzzer") { ":audio_decoder_fuzzer", "../../modules/audio_coding:isac", ] - - libfuzzer_options = [ "max_len=20000" ] } webrtc_fuzzer_test("audio_decoder_isacfix_fuzzer") { @@ -319,8 +308,6 @@ webrtc_fuzzer_test("audio_decoder_isacfix_fuzzer") { ":audio_decoder_fuzzer", "../../modules/audio_coding:isac_fix", ] - - libfuzzer_options = [ "max_len=20000" ] } webrtc_fuzzer_test("audio_decoder_opus_fuzzer") { 
@@ -379,8 +366,6 @@ webrtc_fuzzer_test("neteq_rtp_fuzzer") { "../../rtc_base:rtc_base_approved", "../../rtc_base:rtc_base_tests_utils", ] - - libfuzzer_options = [ "max_len=100000" ] } webrtc_fuzzer_test("neteq_signal_fuzzer") { @@ -396,8 +381,6 @@ webrtc_fuzzer_test("neteq_signal_fuzzer") { "../../rtc_base:rtc_base_approved", "../../rtc_base:rtc_base_tests_utils", ] - - libfuzzer_options = [ "max_len=90000" ] } webrtc_fuzzer_test("residual_echo_detector_fuzzer") { @@ -420,7 +403,6 @@ webrtc_fuzzer_test("sdp_parser_fuzzer") { "../../pc:libjingle_peerconnection", ] seed_corpus = "corpora/sdp-corpus" - libfuzzer_options = [ "max_len=16384" ] } webrtc_fuzzer_test("stun_parser_fuzzer") { @@ -527,7 +509,6 @@ webrtc_fuzzer_test("agc_fuzzer") { ] seed_corpus = "corpora/agc-corpus" - libfuzzer_options = [ "max_len=200000" ] } webrtc_fuzzer_test("comfort_noise_decoder_fuzzer") { @@ -539,8 +520,6 @@ webrtc_fuzzer_test("comfort_noise_decoder_fuzzer") { "../../modules/audio_coding:cng", "../../rtc_base:rtc_base_approved", ] - - libfuzzer_options = [ "max_len=5000" ] } webrtc_fuzzer_test("rtp_frame_reference_finder_fuzzer") { @@ -553,7 +532,6 @@ webrtc_fuzzer_test("rtp_frame_reference_finder_fuzzer") { "../../system_wrappers", "//third_party/abseil-cpp/absl/memory", ] - libfuzzer_options = [ "max_len=20000" ] } webrtc_fuzzer_test("frame_buffer2_fuzzer") { @@ -564,5 +542,4 @@ webrtc_fuzzer_test("frame_buffer2_fuzzer") { "../../modules/video_coding/", "../../system_wrappers:system_wrappers", ] - libfuzzer_options = [ "max_len=10000" ] } diff --git a/test/fuzzers/agc_fuzzer.cc b/test/fuzzers/agc_fuzzer.cc index 5bd921e74d..f2c90480c8 100644 --- a/test/fuzzers/agc_fuzzer.cc +++ b/test/fuzzers/agc_fuzzer.cc 
@@ -109,6 +109,9 @@ void FuzzGainController(test::FuzzDataHelper* fuzz_data, GainControlImpl* gci) { } // namespace void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 200000) { + return; + } test::FuzzDataHelper fuzz_data(rtc::ArrayView(data, size)); rtc::CriticalSection crit_capture; rtc::CriticalSection crit_render; diff --git a/test/fuzzers/audio_decoder_ilbc_fuzzer.cc b/test/fuzzers/audio_decoder_ilbc_fuzzer.cc index a68725d6aa..8548645c63 100644 --- a/test/fuzzers/audio_decoder_ilbc_fuzzer.cc +++ b/test/fuzzers/audio_decoder_ilbc_fuzzer.cc @@ -13,6 +13,9 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 10000) { + return; + } AudioDecoderIlbcImpl dec; static const int kSampleRateHz = 8000; static const size_t kAllocatedOuputSizeSamples = kSampleRateHz / 10; diff --git a/test/fuzzers/audio_decoder_isac_fuzzer.cc b/test/fuzzers/audio_decoder_isac_fuzzer.cc index e79996e05b..b579083956 100644 --- a/test/fuzzers/audio_decoder_isac_fuzzer.cc +++ b/test/fuzzers/audio_decoder_isac_fuzzer.cc @@ -13,6 +13,9 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 20000) { + return; + } const int sample_rate_hz = size % 2 == 0 ? 16000 : 32000; // 16 or 32 kHz. static const size_t kAllocatedOuputSizeSamples = 32000 / 10; // 100 ms. int16_t output[kAllocatedOuputSizeSamples]; diff --git a/test/fuzzers/audio_decoder_isac_incoming_packet_fuzzer.cc b/test/fuzzers/audio_decoder_isac_incoming_packet_fuzzer.cc index 5645142a03..9bd6234fa1 100644 --- a/test/fuzzers/audio_decoder_isac_incoming_packet_fuzzer.cc +++ b/test/fuzzers/audio_decoder_isac_incoming_packet_fuzzer.cc @@ -13,6 +13,9 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 20000) { + return; + } AudioDecoderIsacFloatImpl dec(16000); FuzzAudioDecoderIncomingPacket(data, size, &dec); } 
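Review bot: The cap in the guard added at the top of `FuzzOneInput` in agc_fuzzer.cc is a bare literal, and nothing in the file says where 200000 comes from; only the `libfuzzer_options = [ "max_len=200000" ]` line removed from BUILD.gn explains it. A named constant with a short comment would keep that provenance next to the check, for example `constexpr size_t kMaxInputLenBytes = 200000;  // was max_len=200000 in BUILD.gn` followed by `if (size > kMaxInputLenBytes) {`. The same applies to the guards added in the other fuzzer sources in this patch (audio_decoder_*, comfort_noise_decoder, flexfec_*, forward_error_correction, frame_buffer2, neteq_*, packet_buffer, rtp_frame_reference_finder, sdp_parser, ulpfec_receiver). The body of `FuzzOneInput` continues past the end of the hunk.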
diff --git a/test/fuzzers/audio_decoder_isacfix_fuzzer.cc b/test/fuzzers/audio_decoder_isacfix_fuzzer.cc index 444395b17d..6477dc361b 100644 --- a/test/fuzzers/audio_decoder_isacfix_fuzzer.cc +++ b/test/fuzzers/audio_decoder_isacfix_fuzzer.cc @@ -13,6 +13,9 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 20000) { + return; + } static const int kSampleRateHz = 16000; static const size_t kAllocatedOuputSizeSamples = 16000 / 10; // 100 ms. int16_t output[kAllocatedOuputSizeSamples]; diff --git a/test/fuzzers/comfort_noise_decoder_fuzzer.cc b/test/fuzzers/comfort_noise_decoder_fuzzer.cc index 50166d7df7..7f44af99fb 100644 --- a/test/fuzzers/comfort_noise_decoder_fuzzer.cc +++ b/test/fuzzers/comfort_noise_decoder_fuzzer.cc @@ -50,6 +50,9 @@ void FuzzOneInputTest(rtc::ArrayView data) { } // namespace test void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 5000) { + return; + } test::FuzzOneInputTest(rtc::ArrayView(data, size)); } diff --git a/test/fuzzers/flexfec_receiver_fuzzer.cc b/test/fuzzers/flexfec_receiver_fuzzer.cc index d96a328fa2..c5034bb933 100644 --- a/test/fuzzers/flexfec_receiver_fuzzer.cc +++ b/test/fuzzers/flexfec_receiver_fuzzer.cc @@ -25,7 +25,7 @@ class DummyCallback : public RecoveredPacketReceiver { void FuzzOneInput(const uint8_t* data, size_t size) { constexpr size_t kMinDataNeeded = 12; - if (size < kMinDataNeeded) { + if (size < kMinDataNeeded || size > 2000) { return; } diff --git a/test/fuzzers/flexfec_sender_fuzzer.cc b/test/fuzzers/flexfec_sender_fuzzer.cc index 8e79f95cf3..4882f7df51 100644 --- a/test/fuzzers/flexfec_sender_fuzzer.cc +++ b/test/fuzzers/flexfec_sender_fuzzer.cc 
@@ -31,10 +31,9 @@ const std::vector kNoRtpHeaderExtensionSizes; void FuzzOneInput(const uint8_t* data, size_t size) { size_t i = 0; - if (size < 5) { + if (size < 5 || size > 200) { return; } - SimulatedClock clock(1 + data[i++]); FlexfecSender sender(kFlexfecPayloadType, kFlexfecSsrc, kMediaSsrc, kNoMid, kNoRtpHeaderExtensions, kNoRtpHeaderExtensionSizes, diff --git a/test/fuzzers/forward_error_correction_fuzzer.cc b/test/fuzzers/forward_error_correction_fuzzer.cc index 9d5b872434..2eb357b74a 100644 --- a/test/fuzzers/forward_error_correction_fuzzer.cc +++ b/test/fuzzers/forward_error_correction_fuzzer.cc @@ -26,6 +26,9 @@ constexpr size_t kMaxPacketsInBuffer = 48; } // namespace void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 5000) { + return; + } // Object under test. std::unique_ptr fec = ForwardErrorCorrection::CreateFlexfec(kFecSsrc, kMediaSsrc); diff --git a/test/fuzzers/frame_buffer2_fuzzer.cc b/test/fuzzers/frame_buffer2_fuzzer.cc index 2d5830979c..a5591041ff 100644 --- a/test/fuzzers/frame_buffer2_fuzzer.cc +++ b/test/fuzzers/frame_buffer2_fuzzer.cc @@ -63,6 +63,9 @@ class FuzzyFrameObject : public video_coding::EncodedFrame { } // namespace void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 10000) { + return; + } DataReader reader(data, size); Clock* clock = Clock::GetRealTimeClock(); VCMJitterEstimator jitter_estimator(clock, 0, 0); diff --git a/test/fuzzers/neteq_rtp_fuzzer.cc b/test/fuzzers/neteq_rtp_fuzzer.cc index 8aa6be59dd..94dbef39eb 100644 --- a/test/fuzzers/neteq_rtp_fuzzer.cc +++ b/test/fuzzers/neteq_rtp_fuzzer.cc @@ -146,6 +146,9 @@ void FuzzOneInputTest(const uint8_t* data, size_t size) { } // namespace test void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 100000) { + return; + } test::FuzzOneInputTest(data, size); } diff --git a/test/fuzzers/neteq_signal_fuzzer.cc b/test/fuzzers/neteq_signal_fuzzer.cc index 16e776072b..25302c31a8 100644 --- a/test/fuzzers/neteq_signal_fuzzer.cc 
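Review bot: In flexfec_sender_fuzzer.cc the lone `-` after the guard's closing brace reads as a deleted blank line between the early return and `SimulatedClock clock(1 + data[i++]);`, which is a whitespace change unrelated to the size cap. The diffstat's two deletions for this file are consistent with that reading. Restoring the blank line would keep this file's diff to the one-line condition change. `FuzzOneInput` continues past the end of the hunk.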
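Review bot: The added `if (size > 100000)` check in neteq_rtp_fuzzer.cc only rejects oversized inputs; unlike the removed `max_len=100000` option, it does not tell the engine how large an input to generate. When `-max_len` is not passed, libFuzzer derives its own maximum from the corpus, so whether inputs near the cap are still explored depends on what the corpus holds. The commit message reports a local run only for flexfec_sender_fuzzer, whose cap is 200, so one of the large-cap targets (agc, packet_buffer, neteq_signal) deserves the same check. A comment above the guard would record the limitation, for example `// Upper bound only: the engine picks generated sizes, so large inputs depend on the corpus.`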
+++ b/test/fuzzers/neteq_signal_fuzzer.cc @@ -140,8 +140,9 @@ class FuzzSignalInput : public NetEqInput { } // namespace void FuzzOneInputTest(const uint8_t* data, size_t size) { - if (size < 1) + if (size < 1 || size > 90000) { return; + } FuzzDataHelper fuzz_data(rtc::ArrayView(data, size)); diff --git a/test/fuzzers/packet_buffer_fuzzer.cc b/test/fuzzers/packet_buffer_fuzzer.cc index d226764cb2..56d1557072 100644 --- a/test/fuzzers/packet_buffer_fuzzer.cc +++ b/test/fuzzers/packet_buffer_fuzzer.cc @@ -21,6 +21,9 @@ class NullCallback : public video_coding::OnReceivedFrameCallback { } // namespace void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 200000) { + return; + } VCMPacket packet; NullCallback callback; SimulatedClock clock(0); diff --git a/test/fuzzers/rtp_frame_reference_finder_fuzzer.cc b/test/fuzzers/rtp_frame_reference_finder_fuzzer.cc index fd98892a04..57d7a9623a 100644 --- a/test/fuzzers/rtp_frame_reference_finder_fuzzer.cc +++ b/test/fuzzers/rtp_frame_reference_finder_fuzzer.cc @@ -101,6 +101,9 @@ class FuzzyPacketBuffer : public video_coding::PacketBuffer { } // namespace void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 20000) { + return; + } DataReader reader(data, size); rtc::scoped_refptr pb(new FuzzyPacketBuffer(&reader)); NullCallback cb; diff --git a/test/fuzzers/sdp_parser_fuzzer.cc b/test/fuzzers/sdp_parser_fuzzer.cc index e47156c571..763dbc594a 100644 --- a/test/fuzzers/sdp_parser_fuzzer.cc +++ b/test/fuzzers/sdp_parser_fuzzer.cc @@ -15,6 +15,9 @@ namespace webrtc { void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 16384) { + return; + } std::string message(reinterpret_cast(data), size); webrtc::SdpParseError error; diff --git a/test/fuzzers/ulpfec_receiver_fuzzer.cc b/test/fuzzers/ulpfec_receiver_fuzzer.cc index 6b74f3ac95..7cb0fc61b5 100644 --- a/test/fuzzers/ulpfec_receiver_fuzzer.cc +++ b/test/fuzzers/ulpfec_receiver_fuzzer.cc 
@@ -25,7 +25,7 @@ class DummyCallback : public RecoveredPacketReceiver { void FuzzOneInput(const uint8_t* data, size_t size) { constexpr size_t kMinDataNeeded = 12; - if (size < kMinDataNeeded) { + if (size < kMinDataNeeded || size > 2000) { return; }