From 62e9bda7bf0fb52f7c672e8a589007091755cbbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20Bostr=C3=B6m?= Date: Mon, 23 Nov 2015 15:12:06 +0100 Subject: [PATCH] Implement fuzzing of VP9 depacketization. Provides an example for how to use fuzzing within the webrtc tree. BUG=webrtc:4771 R=aizatsky@chromium.org, asapersson@webrtc.org, kjellander@webrtc.org Review URL: https://codereview.webrtc.org/1463523002 . Cr-Commit-Position: refs/heads/master@{#10752} --- webrtc/BUILD.gn | 14 ++++++-- webrtc/test/BUILD.gn | 4 +-- webrtc/test/fuzzers/BUILD.gn | 35 +++++++++++++++++++ webrtc/test/fuzzers/OWNERS | 1 + .../test/fuzzers/vp9_depacketizer_fuzzer.cc | 18 ++++++++++ webrtc/test/fuzzers/webrtc_fuzzer_main.cc | 29 +++++++++++++++ 6 files changed, 97 insertions(+), 4 deletions(-) create mode 100644 webrtc/test/fuzzers/BUILD.gn create mode 100644 webrtc/test/fuzzers/OWNERS create mode 100644 webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc create mode 100644 webrtc/test/fuzzers/webrtc_fuzzer_main.cc diff --git a/webrtc/BUILD.gn b/webrtc/BUILD.gn index 45e7c144fd..f2767e0197 100644 --- a/webrtc/BUILD.gn +++ b/webrtc/BUILD.gn @@ -9,6 +9,7 @@ # TODO(kjellander): Rebase this to webrtc/build/common.gypi changes after r6330. import("//build/config/linux/pkg_config.gni") +import("//build/config/sanitizers/sanitizers.gni") import("build/webrtc.gni") import("//third_party/protobuf/proto_library.gni") @@ -177,8 +178,8 @@ source_set("webrtc") { public_configs = [ ":common_inherited_config" ] deps = [ - "audio", ":webrtc_common", + "audio", "base:rtc_base", "call", "common_audio", @@ -218,8 +219,8 @@ if (!build_with_chromium) { testonly = true deps = [ ":webrtc", - "modules/video_render:video_render_internal_impl", "modules/video_capture:video_capture_internal_impl", + "modules/video_render:video_render_internal_impl", "test", ] } 
@@ -278,3 +279,12 @@ source_set("rtc_event_log") { configs -= [ "//build/config/clang:find_bad_constructs" ] } } + +if (use_libfuzzer) { + group("webrtc_fuzzers") { + testonly = true + deps = [ + "test/fuzzers:vp9_depacketizer_fuzzer", + ] + } +} diff --git a/webrtc/test/BUILD.gn b/webrtc/test/BUILD.gn index ed1dc75078..2fbd6df58a 100644 --- a/webrtc/test/BUILD.gn +++ b/webrtc/test/BUILD.gn @@ -70,10 +70,10 @@ source_set("test_support") { ] deps = [ - "//testing/gmock", - "//testing/gtest", "..:gtest_prod", "../system_wrappers", + "//testing/gmock", + "//testing/gtest", ] if (is_android) { diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn new file mode 100644 index 0000000000..279c80be93 --- /dev/null +++ b/webrtc/test/fuzzers/BUILD.gn @@ -0,0 +1,35 @@ +# Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. +# +# Use of this source code is governed by a BSD-style license +# that can be found in the LICENSE file in the root of the source +# tree. An additional intellectual property rights grant can be found +# in the file PATENTS. All contributing project authors may +# be found in the AUTHORS file in the root of the source tree. + +import("//build/config/features.gni") +import("//testing/test.gni") + +static_library("webrtc_fuzzer_main") { + sources = [ + "webrtc_fuzzer_main.cc", + ] + deps = [ + "..:field_trial", + "//testing/libfuzzer:libfuzzer_main", + ] +} + +test("vp9_depacketizer_fuzzer") { + sources = [ + "vp9_depacketizer_fuzzer.cc", + ] + deps = [ + ":webrtc_fuzzer_main", + "../../modules/rtp_rtcp", + ] + if (is_clang) { + # Suppress warnings from Chrome's Clang plugins. + # See http://code.google.com/p/webrtc/issues/detail?id=163 for details. + configs -= [ "//build/config/clang:find_bad_constructs" ] + } +} diff --git a/webrtc/test/fuzzers/OWNERS b/webrtc/test/fuzzers/OWNERS new file mode 100644 index 0000000000..6782b61fca --- /dev/null +++ b/webrtc/test/fuzzers/OWNERS @@ -0,0 +1 @@ +pbos@webrtc.org 
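Review bot: `static_library("webrtc_fuzzer_main")` in test/fuzzers/BUILD.gn is fuzzing-only scaffolding but is not marked `testonly = true`, so nothing stops a production target from taking a dependency on it (and through it on `//testing/libfuzzer:libfuzzer_main`); if libfuzzer_main is itself testonly, GN will reject the dependency outright. Add `testonly = true` next to `sources` in that target, matching the `testonly = true` already set on the `webrtc_fuzzers` group and on `test("vp9_depacketizer_fuzzer")` via the test template. The `import("//build/config/features.gni")` at the top of the file also appears unused, since nothing in the file reads a features.gni variable; drop it unless it is there for a reason not visible in this diff.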
diff --git a/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc
new file mode 100644
index 0000000000..02a7cc0f81
--- /dev/null
+++ b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/modules/rtp_rtcp/source/rtp_format_vp9.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  RtpDepacketizerVp9 depacketizer;
+  RtpDepacketizer::ParsedPayload parsed_payload;
+  depacketizer.Parse(&parsed_payload, data, size);
+}
+} // namespace webrtc
diff --git a/webrtc/test/fuzzers/webrtc_fuzzer_main.cc b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc
new file mode 100644
index 0000000000..9c29a5dc57
--- /dev/null
+++ b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc
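Review bot: The harness discards the return value of `depacketizer.Parse(&parsed_payload, data, size)`, so it can only surface crashes inside Parse itself; the more important bug class for a depacketizer — a successful parse that reports a payload extending past the input buffer, which turns into an out-of-bounds read in the consumer rather than here — goes undetected. When Parse returns true, verify that the reported payload lies within `[data, data + size)` and fail hard so libFuzzer records it as a crash, e.g. `if (depacketizer.Parse(&parsed_payload, data, size)) RTC_CHECK(parsed_payload.payload >= data && parsed_payload.payload + parsed_payload.payload_length <= data + size);` (field names per ParsedPayload in rtp_format.h, which is not visible in this diff — confirm them). A one-line comment above the call, `// Post-condition: a successful parse must never point outside the input.`, documents why the harness checks more than "does not crash".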
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/base/logging.h"
+
+// This file is intended to provide a common interface for fuzzing functions, so
+// whether we're running fuzzing under libFuzzer or DrFuzz the webrtc functions
+// can remain the same.
+// TODO(pbos): Implement FuzzOneInput() for more than one platform (currently
+// libFuzzer).
+
+namespace webrtc {
+extern void FuzzOneInput(const uint8_t* data, size_t size);
+} // namespace webrtc
+
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+  // TODO(pbos): Figure out whether this can be moved to common startup code and
+  // not be done per-input.
+  // Remove default logging to prevent huge slowdowns.
+  rtc::LogMessage::LogToDebug(rtc::LS_NONE);
+  webrtc::FuzzOneInput(data, size);
+  return 0;
+}
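Review bot: webrtc_fuzzer_main.cc uses `uint8_t` and `size_t` in both the `FuzzOneInput` declaration and the `LLVMFuzzerTestOneInput` definition but includes only webrtc/base/logging.h, relying on that header to pull in the C types transitively; add `#include <stddef.h>` and `#include <stdint.h>` above it so the fuzzer entry point does not break when logging.h's includes change. The `extern void FuzzOneInput(...)` line is also the only place the harness contract is written down, and each *_fuzzer.cc restates it implicitly by defining the function; moving the declaration into a small header included by both this file and every fuzzer would turn a signature mismatch into a compile error at the definition site instead of a link error later. Calling `rtc::LogMessage::LogToDebug(rtc::LS_NONE)` per input is cheap, but as the TODO already notes it belongs in one-time startup; if the libFuzzer revision in the tree provides an initialization hook, that is where it should go.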