From 35c773dad6f602e38e87aba0b693292fa868629b Mon Sep 17 00:00:00 2001
From: Sam Zackrisson
Date: Fri, 13 Jul 2018 16:00:31 +0200
Subject: [PATCH] Cap the number of fuzzed decoder packets to 200

The fuzzer figured out that 3 bytes is enough to fuzz a package. 2 bytes for packet length, and 1 byte of actual packet. A 20K test case can generate > 6000 packets. It does not seem like efficient fuzzing. This CL simply stops execution when 200 packets have been generated. That corresponds to 4 seconds of 20 ms packets.

Bug: chromium:840115
Change-Id: Id2742a6f8021134bacd8a6e8c71b32f20c7f1086
Reviewed-on: https://webrtc-review.googlesource.com/88566
Reviewed-by: Alex Loiko
Commit-Queue: Sam Zackrisson
Cr-Commit-Position: refs/heads/master@{#24000}
---
 test/fuzzers/audio_decoder_fuzzer.cc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/test/fuzzers/audio_decoder_fuzzer.cc b/test/fuzzers/audio_decoder_fuzzer.cc
index 40a7315ef6..2b4003b5e1 100644
--- a/test/fuzzers/audio_decoder_fuzzer.cc
+++ b/test/fuzzers/audio_decoder_fuzzer.cc
@@ -51,8 +51,13 @@ void FuzzAudioDecoder(DecoderFunctionType decode_type,
   const uint8_t* data_ptr = data;
   size_t remaining_size = size;
   size_t packet_len;
-  while (ParseInt(&data_ptr, &remaining_size, &packet_len) &&
-         packet_len <= remaining_size) {
+  constexpr size_t kMaxNumFuzzedPackets = 200;
+  for (size_t num_packets = 0; num_packets < kMaxNumFuzzedPackets;
+       ++num_packets) {
+    if (!(ParseInt(&data_ptr, &remaining_size, &packet_len) &&
+          packet_len <= remaining_size)) {
+      break;
+    }
   AudioDecoder::SpeechType speech_type;
   switch (decode_type) {
     case DecoderFunctionType::kNormalDecode:
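Review bot: The new constant `kMaxNumFuzzedPackets` on the added `constexpr` line carries no comment, so the rationale for 200 that only the commit message gives (4 seconds of 20 ms packets, chromium:840115) is lost to readers of the file; add `// Bound the decoding work per fuzz input: 200 packets of 20 ms audio is 4 s (chromium:840115).` above it. As a point of style, the `if (!(ParseInt(...) && packet_len <= remaining_size)) { break; }` guard could be folded into the loop condition, e.g. `for (size_t num_packets = 0; num_packets < kMaxNumFuzzedPackets && ParseInt(&data_ptr, &remaining_size, &packet_len) && packet_len <= remaining_size; ++num_packets) {`, which keeps all exit conditions in one place as the replaced `while` did and, because the cap is tested first, calls ParseInt exactly as often as the committed form. FuzzAudioDecoder's signature and the remainder of the loop body lie outside the hunk.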