From ba2677061aa0872f742a8f4b7327e2878f461df6 Mon Sep 17 00:00:00 2001
From: Henrik Lundin <henrik.lundin@webrtc.org>
Date: Wed, 16 Feb 2022 15:15:12 +0000
Subject: [PATCH] Add fuzzer test for G722 and fix a fuzzer problem

The problem was fixed by implementing the methid PacketDuration() in
AudioDecoderG722StereoImpl, which catches the issue in
AudioDecoder::Decode().


Bug: chromium:1280851
Change-Id: I31f974b9999f3c1c62b0e5dc39bb3e56a9a9388d
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/251842
Reviewed-by: Minyue Li <minyue@webrtc.org>
Commit-Queue: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#36034}
---
 .../codecs/g722/audio_decoder_g722.cc         |  6 +++
 .../codecs/g722/audio_decoder_g722.h          |  1 +
 test/fuzzers/BUILD.gn                         |  8 ++++
 test/fuzzers/audio_decoder_g722_fuzzer.cc     | 39 +++++++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 test/fuzzers/audio_decoder_g722_fuzzer.cc

diff --git a/modules/audio_coding/codecs/g722/audio_decoder_g722.cc b/modules/audio_coding/codecs/g722/audio_decoder_g722.cc
index f02ca7f896..c21ab9341f 100644
--- a/modules/audio_coding/codecs/g722/audio_decoder_g722.cc
+++ b/modules/audio_coding/codecs/g722/audio_decoder_g722.cc
@@ -114,6 +114,12 @@ int AudioDecoderG722StereoImpl::DecodeInternal(const uint8_t* encoded,
   return static_cast<int>(ret);
 }
 
+int AudioDecoderG722StereoImpl::PacketDuration(const uint8_t* encoded,
+                                               size_t encoded_len) const {
+  // 1/2 encoded byte per sample per channel.
+  return static_cast<int>(2 * encoded_len / Channels());
+}
+
 int AudioDecoderG722StereoImpl::SampleRateHz() const {
   return 16000;
 }
diff --git a/modules/audio_coding/codecs/g722/audio_decoder_g722.h b/modules/audio_coding/codecs/g722/audio_decoder_g722.h
index 39e9e630be..5872fad5de 100644
--- a/modules/audio_coding/codecs/g722/audio_decoder_g722.h
+++ b/modules/audio_coding/codecs/g722/audio_decoder_g722.h
@@ -57,6 +57,7 @@ class AudioDecoderG722StereoImpl final : public AudioDecoder {
   std::vector<ParseResult> ParsePayload(rtc::Buffer&& payload,
                                         uint32_t timestamp) override;
   int SampleRateHz() const override;
+  int PacketDuration(const uint8_t* encoded, size_t encoded_len) const override;
   size_t Channels() const override;
 
  protected:
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index a5e2e44ff1..cc8b312ab3 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -259,6 +259,14 @@ rtc_library("audio_decoder_fuzzer") {
   absl_deps = [ "//third_party/abseil-cpp/absl/types:optional" ]
 }
 
+webrtc_fuzzer_test("audio_decoder_g722_fuzzer") {
+  sources = [ "audio_decoder_g722_fuzzer.cc" ]
+  deps = [
+    ":audio_decoder_fuzzer",
+    "../../modules/audio_coding:g722",
+  ]
+}
+
 webrtc_fuzzer_test("audio_decoder_ilbc_fuzzer") {
   sources = [ "audio_decoder_ilbc_fuzzer.cc" ]
   deps = [
diff --git a/test/fuzzers/audio_decoder_g722_fuzzer.cc b/test/fuzzers/audio_decoder_g722_fuzzer.cc
new file mode 100644
index 0000000000..08599aa333
--- /dev/null
+++ b/test/fuzzers/audio_decoder_g722_fuzzer.cc
@@ -0,0 +1,39 @@
+/*
+ *  Copyright (c) 2022 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "modules/audio_coding/codecs/g722/audio_decoder_g722.h"
+#include "test/fuzzers/audio_decoder_fuzzer.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  if (size > 10000 || size < 1) {
+    return;
+  }
+
+  std::unique_ptr<AudioDecoder> dec;
+  size_t num_channels;
+  if (data[0] % 2) {
+    dec = std::make_unique<AudioDecoderG722Impl>();
+    num_channels = 1;
+  } else {
+    dec = std::make_unique<AudioDecoderG722StereoImpl>();
+    num_channels = 2;
+  }
+  // Allocate a maximum output size of 100 ms.
+  const int sample_rate_hz = dec->SampleRateHz();
+  const size_t allocated_ouput_size_samples =
+      sample_rate_hz / 10 * num_channels;
+  std::unique_ptr<int16_t[]> output =
+      std::make_unique<int16_t[]>(allocated_ouput_size_samples);
+  FuzzAudioDecoder(
+      DecoderFunctionType::kNormalDecode, data, size, dec.get(), sample_rate_hz,
+      allocated_ouput_size_samples * sizeof(int16_t), output.get());
+}
+}  // namespace webrtc