From 9aa870a2d107560864f8e78a438789534f777734 Mon Sep 17 00:00:00 2001
From: Chen Xing
Date: Fri, 21 Jun 2019 10:48:59 +0200
Subject: [PATCH] Fixing fuzzer by backing up and restoring `packet_info`.

This change fixes `packet_buffer_fuzzer` so that it doesn't attempt to fuzz `std::vector`.

Bug: chromium:977309 chromium:977411 chromium:977421 chromium:977422 chromium:977454 chromium:977455 chromium:977477 chromium:977457
Change-Id: I0845d7f53008606c2a8b5943ef58fd35a9eb1085
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/143171
Reviewed-by: Sam Zackrisson
Reviewed-by: Benjamin Wright
Commit-Queue: Benjamin Wright
Commit-Queue: Chen Xing
Cr-Commit-Position: refs/heads/master@{#28344}
---
 test/fuzzers/packet_buffer_fuzzer.cc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/test/fuzzers/packet_buffer_fuzzer.cc b/test/fuzzers/packet_buffer_fuzzer.cc
index 709c14c704..f8067b78ea 100644
--- a/test/fuzzers/packet_buffer_fuzzer.cc
+++ b/test/fuzzers/packet_buffer_fuzzer.cc
@@ -32,23 +32,27 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
   test::FuzzDataHelper helper(rtc::ArrayView(data, size));
   while (helper.BytesLeft()) {
-    // The RTPVideoHeader is a complex type, so overwriting it with random data
-    // will put it in an invalid state. Therefore we save/restore it.
+    // Complex types (e.g. non-POD-like types) can't be bit-wise fuzzed with
+    // random data or it will put them in an invalid state. We therefore backup
+    // their byte-patterns before the fuzzing and restore them after.
     uint8_t video_header_backup[sizeof(packet.video_header)];
     memcpy(&video_header_backup, &packet.video_header,
            sizeof(packet.video_header));
-
     uint8_t generic_descriptor_backup[sizeof(packet.generic_descriptor)];
     memcpy(&generic_descriptor_backup, &packet.generic_descriptor,
            sizeof(packet.generic_descriptor));
+    uint8_t packet_info_backup[sizeof(packet.packet_info)];
+    memcpy(&packet_info_backup, &packet.packet_info,
+           sizeof(packet.packet_info));
     helper.CopyTo(&packet);
     memcpy(&packet.video_header, &video_header_backup,
            sizeof(packet.video_header));
-
     memcpy(&packet.generic_descriptor, &generic_descriptor_backup,
            sizeof(packet.generic_descriptor));
+    memcpy(&packet.packet_info, &packet_info_backup,
+           sizeof(packet.packet_info));
     // The packet buffer owns the payload of the packet.
     uint8_t payload_size;