From 632cd9bb03093333b885a1204adf7a84b442eded Mon Sep 17 00:00:00 2001 From: Danil Chapovalov Date: Thu, 5 Jan 2023 13:12:32 +0100 Subject: [PATCH] Replace packet buffer fuzzer with rtp video frame assembler fuzzer PacketBuffer takes RtpVideoHeader struct as an input that is complicated and hard to fuzz. Current PacketBuffer doesn't fuzz it and thus has very low coverage. RtpVideoFrameAssembler uses PacketBuffer underneath and takes as input almost raw rtp packet and thus easier to fuzz and better match production input Bug: webrtc:7408 Change-Id: I00394c35e002a667760eed477f11ac7898f7eacc Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/290574 Commit-Queue: Danil Chapovalov Reviewed-by: Philip Eliasson Cr-Commit-Position: refs/heads/main@{#39013} --- test/fuzzers/BUILD.gn | 9 ++-- test/fuzzers/packet_buffer_fuzzer.cc | 46 ------------------- .../rtp_video_frame_assembler_fuzzer.cc | 44 ++++++++++++++++++ 3 files changed, 48 insertions(+), 51 deletions(-) delete mode 100644 test/fuzzers/packet_buffer_fuzzer.cc create mode 100644 test/fuzzers/rtp_video_frame_assembler_fuzzer.cc diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index d7dc9ea1fa..4679c6980b 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -191,12 +191,11 @@ webrtc_fuzzer_test("flexfec_receiver_fuzzer") { ] } -webrtc_fuzzer_test("packet_buffer_fuzzer") { - sources = [ "packet_buffer_fuzzer.cc" ] +webrtc_fuzzer_test("rtp_video_frame_assembler_fuzzer") { + sources = [ "rtp_video_frame_assembler_fuzzer.cc" ] deps = [ - "../../modules/video_coding:packet_buffer", - "../../modules/video_coding/", - "../../system_wrappers", + "../../api/video:rtp_video_frame_assembler", + "../../modules/rtp_rtcp:rtp_rtcp_format", ] } diff --git a/test/fuzzers/packet_buffer_fuzzer.cc b/test/fuzzers/packet_buffer_fuzzer.cc deleted file mode 100644 index 3c4e9688ab..0000000000 --- a/test/fuzzers/packet_buffer_fuzzer.cc +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved. - * - * Use of this source code is governed by a BSD-style license - * that can be found in the LICENSE file in the root of the source - * tree. An additional intellectual property rights grant can be found - * in the file PATENTS. All contributing project authors may - * be found in the AUTHORS file in the root of the source tree. - */ - -#include -#include - -#include "modules/video_coding/frame_object.h" -#include "modules/video_coding/packet_buffer.h" -#include "test/fuzzers/fuzz_data_helper.h" - -namespace webrtc { - -void IgnoreResult(video_coding::PacketBuffer::InsertResult result) {} - -void FuzzOneInput(const uint8_t* data, size_t size) { - if (size > 200000) { - return; - } - video_coding::PacketBuffer packet_buffer(8, 1024); - test::FuzzDataHelper helper(rtc::ArrayView(data, size)); - - while (helper.BytesLeft()) { - auto packet = std::make_unique(); - // Fuzz POD members of the packet. - helper.CopyTo(&packet->marker_bit); - helper.CopyTo(&packet->payload_type); - helper.CopyTo(&packet->seq_num); - helper.CopyTo(&packet->timestamp); - helper.CopyTo(&packet->times_nacked); - - // Fuzz non-POD member of the packet. - packet->video_payload.SetSize(helper.ReadOrDefaultValue(0)); - // TODO(danilchap): Fuzz other non-POD members of the `packet`. - - IgnoreResult(packet_buffer.InsertPacket(std::move(packet))); - } -} - -} // namespace webrtc diff --git a/test/fuzzers/rtp_video_frame_assembler_fuzzer.cc b/test/fuzzers/rtp_video_frame_assembler_fuzzer.cc new file mode 100644 index 0000000000..6ab6b9a905 --- /dev/null +++ b/test/fuzzers/rtp_video_frame_assembler_fuzzer.cc @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2023 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include +#include +#include + +#include "api/video/rtp_video_frame_assembler.h" +#include "modules/rtp_rtcp/include/rtp_header_extension_map.h" +#include "modules/rtp_rtcp/source/rtp_dependency_descriptor_extension.h" +#include "modules/rtp_rtcp/source/rtp_generic_frame_descriptor_extension.h" +#include "modules/rtp_rtcp/source/rtp_packet_received.h" + +namespace webrtc { + +void FuzzOneInput(const uint8_t* data, size_t size) { + if (size == 0) { + return; + } + RtpHeaderExtensionMap extensions; + extensions.Register(1); + extensions.Register(2); + RtpPacketReceived rtp_packet(&extensions); + + RtpVideoFrameAssembler assembler( + static_cast(data[0] % 6)); + + for (size_t i = 1; i < size;) { + size_t packet_size = std::min(size - i, 300); + if (rtp_packet.Parse(data + i, packet_size)) { + assembler.InsertPacket(rtp_packet); + } + i += packet_size; + } +} + +} // namespace webrtc