Add fuzzer for ForwardErrorCorrection::DecodeFec.

Bug: webrtc:8481 Change-Id: I23aa59ffee542c1c0b31c82186876ccc21e28592 Reviewed-on: https://webrtc-review.googlesource.com/32305 Commit-Queue: Rasmus Brandt <brandtr@webrtc.org> Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org> Cr-Commit-Position: refs/heads/master@{#21248}
2017-12-13 14:04:24 +01:00 · 2017-12-13 14:04:24 +01:00 · 49ccbdb9d6
commit 49ccbdb9d6
parent 081c651148
2 changed files with 126 additions and 0 deletions
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@ -96,6 +96,18 @@ webrtc_fuzzer_test("h264_bitstream_parser_fuzzer") {
  ]
 }

+webrtc_fuzzer_test("forward_error_correction_fuzzer") {
+  sources = [
+    "forward_error_correction_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp",
+    "../../modules/rtp_rtcp:rtp_rtcp_format",
+    "../../rtc_base:rtc_base_approved",
+  ]
+  libfuzzer_options = [ "max_len=5000" ]
+}
+
 webrtc_fuzzer_test("flexfec_header_reader_fuzzer") {
  sources = [
    "flexfec_header_reader_fuzzer.cc",
--- a/test/fuzzers/forward_error_correction_fuzzer.cc
+++ b/test/fuzzers/forward_error_correction_fuzzer.cc
@ -0,0 +1,114 @@
+/*
+ *  Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <memory>
+
+#include "modules/rtp_rtcp/source/byte_io.h"
+#include "modules/rtp_rtcp/source/forward_error_correction.h"
+#include "rtc_base/bytebuffer.h"
+#include "rtc_base/scoped_ref_ptr.h"
+
+namespace webrtc {
+
+namespace {
+constexpr uint32_t kMediaSsrc = 100200300;
+constexpr uint32_t kFecSsrc = 111222333;
+
+constexpr size_t kPacketSize = 50;
+constexpr size_t kMaxPacketsInBuffer = 48;
+}  // namespace
+
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  // Object under test.
+  std::unique_ptr<ForwardErrorCorrection> fec =
+      ForwardErrorCorrection::CreateFlexfec(kFecSsrc, kMediaSsrc);
+
+  // Entropy from fuzzer.
+  rtc::ByteBufferReader fuzz_buffer(reinterpret_cast<const char*>(data), size);
+
+  // Initial stream state.
+  uint16_t media_seqnum;
+  if (!fuzz_buffer.ReadUInt16(&media_seqnum))
+    return;
+  const uint16_t original_media_seqnum = media_seqnum;
+  uint16_t fec_seqnum;
+  if (!fuzz_buffer.ReadUInt16(&fec_seqnum))
+    return;
+
+  // Existing packets in the packet buffer.
+  ForwardErrorCorrection::RecoveredPacketList recovered_packets;
+  uint8_t num_existing_recovered_packets;
+  if (!fuzz_buffer.ReadUInt8(&num_existing_recovered_packets))
+    return;
+  for (size_t i = 0; i < num_existing_recovered_packets % kMaxPacketsInBuffer;
+       ++i) {
+    ForwardErrorCorrection::RecoveredPacket* recovered_packet =
+        new ForwardErrorCorrection::RecoveredPacket();
+    recovered_packet->pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
+        new ForwardErrorCorrection::Packet());
+    recovered_packet->pkt->length = kPacketSize;
+    recovered_packet->ssrc = kMediaSsrc;
+    recovered_packet->seq_num = media_seqnum++;
+    recovered_packets.emplace_back(recovered_packet);
+  }
+
+  // New packets received from the network.
+  ForwardErrorCorrection::ReceivedPacket received_packet;
+  received_packet.pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
+      new ForwardErrorCorrection::Packet());
+  received_packet.pkt->length = kPacketSize;
+  uint8_t* packet_buffer = received_packet.pkt->data;
+  uint8_t reordering;
+  uint16_t seq_num_diff;
+  uint8_t packet_type;
+  uint8_t packet_loss;
+  while (true) {
+    if (!fuzz_buffer.ReadBytes(reinterpret_cast<char*>(packet_buffer),
+                               kPacketSize)) {
+      return;
+    }
+    if (!fuzz_buffer.ReadUInt8(&reordering))
+      return;
+    if (!fuzz_buffer.ReadUInt16(&seq_num_diff))
+      return;
+    if (!fuzz_buffer.ReadUInt8(&packet_type))
+      return;
+    if (!fuzz_buffer.ReadUInt8(&packet_loss))
+      return;
+
+    if (reordering % 10 != 0)
+      seq_num_diff = 0;
+
+    if (packet_type % 2 == 0) {
+      received_packet.is_fec = true;
+      received_packet.ssrc = kFecSsrc;
+      received_packet.seq_num = seq_num_diff + fec_seqnum++;
+
+      // Overwrite parts of the FlexFEC header for fuzzing efficiency.
+      packet_buffer[0] = 0;                                       // R, F bits.
+      ByteWriter<uint8_t>::WriteBigEndian(&packet_buffer[8], 1);  // SSRCCount.
+      ByteWriter<uint32_t>::WriteBigEndian(&packet_buffer[12],
+                                           kMediaSsrc);  // SSRC_i.
+      ByteWriter<uint16_t>::WriteBigEndian(
+          &packet_buffer[16], original_media_seqnum);  // SN base_i.
+    } else {
+      received_packet.is_fec = false;
+      received_packet.ssrc = kMediaSsrc;
+      received_packet.seq_num = seq_num_diff + media_seqnum++;
+    }
+
+    if (packet_loss % 10 == 0)
+      continue;
+
+    fec->DecodeFec(received_packet, &recovered_packets);
+  }
+}
+
+}  // namespace webrtc