From 599002c905040e67d58cabf0ff067f421bda44a5 Mon Sep 17 00:00:00 2001
From: Evan Shrubsole <eshr@webrtc.org>
Date: Tue, 15 Feb 2022 09:33:24 +0100
Subject: [PATCH] Restrict frame id range in frame buffer 3 fuzzer

Bug: chromium:1293129
Change-Id: Icc9152447363e69b2be561bc90a23f411d64b11a
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/251385
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Reviewed-by: Niels Moller <nisse@webrtc.org>
Commit-Queue: Evan Shrubsole <eshr@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#36001}
---
 test/fuzzers/BUILD.gn                | 1 +
 test/fuzzers/frame_buffer3_fuzzer.cc | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index c5c0a70363..69c4d3d29f 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -600,6 +600,7 @@ webrtc_fuzzer_test("frame_buffer3_fuzzer") {
     "../../api:array_view",
     "../../api/video:encoded_frame",
     "../../modules/video_coding:frame_buffer",
+    "../../rtc_base:rtc_numerics",
   ]
 }
 
diff --git a/test/fuzzers/frame_buffer3_fuzzer.cc b/test/fuzzers/frame_buffer3_fuzzer.cc
index 6fe42ca785..75906ac24e 100644
--- a/test/fuzzers/frame_buffer3_fuzzer.cc
+++ b/test/fuzzers/frame_buffer3_fuzzer.cc
@@ -11,6 +11,7 @@
 #include "api/array_view.h"
 #include "api/video/encoded_frame.h"
 #include "modules/video_coding/frame_buffer3.h"
+#include "rtc_base/numerics/sequence_number_util.h"
 #include "test/fuzzers/fuzz_data_helper.h"
 
 namespace webrtc {
@@ -20,6 +21,9 @@ class FuzzyFrameObject : public EncodedFrame {
   int64_t ReceivedTime() const override { return 0; }
   int64_t RenderTime() const override { return 0; }
 };
+
+constexpr int kFrameIdLength = 1 << 15;
+
 }  // namespace
 
 void FuzzOneInput(const uint8_t* data, size_t size) {
@@ -29,6 +33,7 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
 
   FrameBuffer buffer(/*max_frame_slots=*/100, /*max_decode_history=*/1000);
   test::FuzzDataHelper helper(rtc::MakeArrayView(data, size));
+  SeqNumUnwrapper<uint16_t, kFrameIdLength> unwrapper;
 
   while (helper.BytesLeft() > 0) {
     int action = helper.ReadOrDefaultValue<uint8_t>(0) % 7;
@@ -61,7 +66,9 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
       case 6: {
         auto frame = std::make_unique<FuzzyFrameObject>();
         frame->SetTimestamp(helper.ReadOrDefaultValue<uint32_t>(0));
-        frame->SetId(helper.ReadOrDefaultValue<int64_t>(0));
+        int64_t wire_id =
+            helper.ReadOrDefaultValue<uint16_t>(0) & (kFrameIdLength - 1);
+        frame->SetId(unwrapper.Unwrap(wire_id));
         frame->is_last_spatial_layer = helper.ReadOrDefaultValue<bool>(false);
 
         frame->num_references = helper.ReadOrDefaultValue<uint8_t>(0) %