From bb0044eb9038e0212203ebc92b3899aff36d3f83 Mon Sep 17 00:00:00 2001 From: Philipp Hancke Date: Wed, 10 Jan 2024 12:51:18 +0200 Subject: [PATCH] add VP8/VP9 packetization fuzzers and ensure consistent behavior on empty input. BUG=webrtc:15755 Change-Id: Id70ab5d55251b4dd10eed8ab67ea8e75545a7a8d Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/332740 Reviewed-by: Danil Chapovalov Reviewed-by: Harald Alvestrand Commit-Queue: Philipp Hancke Cr-Commit-Position: refs/heads/main@{#41502} --- modules/rtp_rtcp/source/rtp_format_vp8.cc | 4 +- .../source/rtp_format_vp8_unittest.cc | 12 +++ modules/rtp_rtcp/source/rtp_format_vp9.cc | 5 +- .../source/rtp_format_vp9_unittest.cc | 5 ++ .../source/rtp_packetizer_av1_unittest.cc | 6 ++ test/fuzzers/BUILD.gn | 20 +++++ test/fuzzers/rtp_format_vp8_fuzzer.cc | 73 +++++++++++++++++++ test/fuzzers/rtp_format_vp9_fuzzer.cc | 73 +++++++++++++++++++ 8 files changed, 195 insertions(+), 3 deletions(-) create mode 100644 test/fuzzers/rtp_format_vp8_fuzzer.cc create mode 100644 test/fuzzers/rtp_format_vp9_fuzzer.cc diff --git a/modules/rtp_rtcp/source/rtp_format_vp8.cc b/modules/rtp_rtcp/source/rtp_format_vp8.cc index ae5f4e50a4..34b3fd9d2f 100644 --- a/modules/rtp_rtcp/source/rtp_format_vp8.cc +++ b/modules/rtp_rtcp/source/rtp_format_vp8.cc @@ -63,7 +63,9 @@ RtpPacketizerVp8::RtpPacketizerVp8(rtc::ArrayView payload, const RTPVideoHeaderVP8& hdr_info) : hdr_(BuildHeader(hdr_info)), remaining_payload_(payload) { limits.max_payload_len -= hdr_.size(); - payload_sizes_ = SplitAboutEqually(payload.size(), limits); + if (!payload.empty()) { + payload_sizes_ = SplitAboutEqually(payload.size(), limits); + } current_packet_ = payload_sizes_.begin(); } diff --git a/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc b/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc index 7934ff8ea9..cab7fc4422 100644 --- a/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc +++ b/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc @@ -21,6 +21,18 @@ namespace { constexpr RtpPacketizer::PayloadSizeLimits kNoSizeLimits; +TEST(RtpPacketizerVp8Test, EmptyPayload) { + RTPVideoHeaderVP8 hdr_info; + hdr_info.InitRTPVideoHeaderVP8(); + hdr_info.pictureId = 200; + RtpFormatVp8TestHelper helper(&hdr_info, /*payload_len=*/30); + + RtpPacketizer::PayloadSizeLimits limits; + limits.max_payload_len = 12; // Small enough to produce 4 packets. + RtpPacketizerVp8 packetizer({}, limits, hdr_info); + EXPECT_EQ(packetizer.NumPackets(), 0u); +} + TEST(RtpPacketizerVp8Test, ResultPacketsAreAlmostEqualSize) { RTPVideoHeaderVP8 hdr_info; hdr_info.InitRTPVideoHeaderVP8(); diff --git a/modules/rtp_rtcp/source/rtp_format_vp9.cc b/modules/rtp_rtcp/source/rtp_format_vp9.cc index 15e059e85c..66b784705b 100644 --- a/modules/rtp_rtcp/source/rtp_format_vp9.cc +++ b/modules/rtp_rtcp/source/rtp_format_vp9.cc @@ -319,8 +319,9 @@ RtpPacketizerVp9::RtpPacketizerVp9(rtc::ArrayView payload, limits.max_payload_len -= header_size_; limits.first_packet_reduction_len += first_packet_extra_header_size_; limits.single_packet_reduction_len += first_packet_extra_header_size_; - - payload_sizes_ = SplitAboutEqually(payload.size(), limits); + if (!payload.empty()) { + payload_sizes_ = SplitAboutEqually(payload.size(), limits); + } current_packet_ = payload_sizes_.begin(); } diff --git a/modules/rtp_rtcp/source/rtp_format_vp9_unittest.cc b/modules/rtp_rtcp/source/rtp_format_vp9_unittest.cc index e18b8a803f..948bcf3bdb 100644 --- a/modules/rtp_rtcp/source/rtp_format_vp9_unittest.cc +++ b/modules/rtp_rtcp/source/rtp_format_vp9_unittest.cc @@ -186,6 +186,11 @@ class RtpPacketizerVp9Test : public ::testing::Test { } }; +TEST_F(RtpPacketizerVp9Test, EmptyPayload) { + RTPVideoHeader video_header; + VideoRtpDepacketizerVp9::ParseRtpPayload({}, &video_header); +} + TEST_F(RtpPacketizerVp9Test, TestEqualSizedMode_OnePacket) { const size_t kFrameSize = 25; const size_t kPacketSize = 26; diff --git a/modules/rtp_rtcp/source/rtp_packetizer_av1_unittest.cc b/modules/rtp_rtcp/source/rtp_packetizer_av1_unittest.cc index 2151a59295..83a2be24ea 100644 --- a/modules/rtp_rtcp/source/rtp_packetizer_av1_unittest.cc +++ b/modules/rtp_rtcp/source/rtp_packetizer_av1_unittest.cc @@ -99,6 +99,12 @@ Av1Frame ReassembleFrame(rtc::ArrayView rtp_payloads) { return Av1Frame(VideoRtpDepacketizerAv1().AssembleFrame(payloads)); } +TEST(RtpPacketizerAv1Test, EmptyPayload) { + RtpPacketizer::PayloadSizeLimits limits; + RtpPacketizerAv1 packetizer({}, limits, VideoFrameType::kVideoFrameKey, true); + EXPECT_EQ(packetizer.NumPackets(), 0u); +} + TEST(RtpPacketizerAv1Test, PacketizeOneObuWithoutSizeAndExtension) { auto kFrame = BuildAv1Frame({Av1Obu(kAv1ObuTypeFrame) .WithoutSize() diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index 85156add49..083c20c6f4 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -248,6 +248,26 @@ webrtc_fuzzer_test("rtp_format_h264_fuzzer") { ] } +webrtc_fuzzer_test("rtp_format_vp8_fuzzer") { + sources = [ "rtp_format_vp8_fuzzer.cc" ] + deps = [ + "../../api/video:video_frame_type", + "../../modules/rtp_rtcp:rtp_rtcp", + "../../modules/rtp_rtcp:rtp_rtcp_format", + "../../rtc_base:checks", + ] +} + +webrtc_fuzzer_test("rtp_format_vp9_fuzzer") { + sources = [ "rtp_format_vp9_fuzzer.cc" ] + deps = [ + "../../api/video:video_frame_type", + "../../modules/rtp_rtcp:rtp_rtcp", + "../../modules/rtp_rtcp:rtp_rtcp_format", + "../../rtc_base:checks", + ] +} + webrtc_fuzzer_test("receive_side_congestion_controller_fuzzer") { sources = [ "receive_side_congestion_controller_fuzzer.cc" ] deps = [ diff --git a/test/fuzzers/rtp_format_vp8_fuzzer.cc b/test/fuzzers/rtp_format_vp8_fuzzer.cc new file mode 100644 index 0000000000..c3c055de0f --- /dev/null +++ b/test/fuzzers/rtp_format_vp8_fuzzer.cc @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2024 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include +#include + +#include "api/video/video_frame_type.h" +#include "modules/rtp_rtcp/source/rtp_format.h" +#include "modules/rtp_rtcp/source/rtp_format_vp8.h" +#include "modules/rtp_rtcp/source/rtp_packet_to_send.h" +#include "rtc_base/checks.h" +#include "test/fuzzers/fuzz_data_helper.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + test::FuzzDataHelper fuzz_input(rtc::MakeArrayView(data, size)); + + RtpPacketizer::PayloadSizeLimits limits; + limits.max_payload_len = 1200; + // Read uint8_t to be sure reduction_lens are much smaller than + // max_payload_len and thus limits structure is valid. + limits.first_packet_reduction_len = fuzz_input.ReadOrDefaultValue(0); + limits.last_packet_reduction_len = fuzz_input.ReadOrDefaultValue(0); + limits.single_packet_reduction_len = + fuzz_input.ReadOrDefaultValue(0); + + RTPVideoHeaderVP8 hdr_info; + hdr_info.InitRTPVideoHeaderVP8(); + uint16_t picture_id = fuzz_input.ReadOrDefaultValue(0); + hdr_info.pictureId = + picture_id >= 0x8000 ? kNoPictureId : picture_id & 0x7fff; + + // Main function under test: RtpPacketizerVp8's constructor. + RtpPacketizerVp8 packetizer(fuzz_input.ReadByteArray(fuzz_input.BytesLeft()), + limits, hdr_info); + + size_t num_packets = packetizer.NumPackets(); + if (num_packets == 0) { + return; + } + // When packetization was successful, validate NextPacket function too. + // While at it, check that packets respect the payload size limits. + RtpPacketToSend rtp_packet(nullptr); + // Single packet. + if (num_packets == 1) { + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.single_packet_reduction_len); + return; + } + // First packet. + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.first_packet_reduction_len); + // Middle packets. + for (size_t i = 1; i < num_packets - 1; ++i) { + RTC_CHECK(packetizer.NextPacket(&rtp_packet)) + << "Failed to get packet#" << i; + RTC_CHECK_LE(rtp_packet.payload_size(), limits.max_payload_len) + << "Packet #" << i << " exceeds it's limit"; + } + // Last packet. + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.last_packet_reduction_len); +} +} // namespace webrtc diff --git a/test/fuzzers/rtp_format_vp9_fuzzer.cc b/test/fuzzers/rtp_format_vp9_fuzzer.cc new file mode 100644 index 0000000000..3b5e67f697 --- /dev/null +++ b/test/fuzzers/rtp_format_vp9_fuzzer.cc @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2024 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include +#include + +#include "api/video/video_frame_type.h" +#include "modules/rtp_rtcp/source/rtp_format.h" +#include "modules/rtp_rtcp/source/rtp_format_vp9.h" +#include "modules/rtp_rtcp/source/rtp_packet_to_send.h" +#include "rtc_base/checks.h" +#include "test/fuzzers/fuzz_data_helper.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + test::FuzzDataHelper fuzz_input(rtc::MakeArrayView(data, size)); + + RtpPacketizer::PayloadSizeLimits limits; + limits.max_payload_len = 1200; + // Read uint8_t to be sure reduction_lens are much smaller than + // max_payload_len and thus limits structure is valid. + limits.first_packet_reduction_len = fuzz_input.ReadOrDefaultValue(0); + limits.last_packet_reduction_len = fuzz_input.ReadOrDefaultValue(0); + limits.single_packet_reduction_len = + fuzz_input.ReadOrDefaultValue(0); + + RTPVideoHeaderVP9 hdr_info; + hdr_info.InitRTPVideoHeaderVP9(); + uint16_t picture_id = fuzz_input.ReadOrDefaultValue(0); + hdr_info.picture_id = + picture_id >= 0x8000 ? kNoPictureId : picture_id & 0x7fff; + + // Main function under test: RtpPacketizerVp9's constructor. + RtpPacketizerVp9 packetizer(fuzz_input.ReadByteArray(fuzz_input.BytesLeft()), + limits, hdr_info); + + size_t num_packets = packetizer.NumPackets(); + if (num_packets == 0) { + return; + } + // When packetization was successful, validate NextPacket function too. + // While at it, check that packets respect the payload size limits. + RtpPacketToSend rtp_packet(nullptr); + // Single packet. + if (num_packets == 1) { + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.single_packet_reduction_len); + return; + } + // First packet. + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.first_packet_reduction_len); + // Middle packets. + for (size_t i = 1; i < num_packets - 1; ++i) { + RTC_CHECK(packetizer.NextPacket(&rtp_packet)) + << "Failed to get packet#" << i; + RTC_CHECK_LE(rtp_packet.payload_size(), limits.max_payload_len) + << "Packet #" << i << " exceeds it's limit"; + } + // Last packet. + RTC_CHECK(packetizer.NextPacket(&rtp_packet)); + RTC_CHECK_LE(rtp_packet.payload_size(), + limits.max_payload_len - limits.last_packet_reduction_len); +} +} // namespace webrtc