From d4bcdad26349ab9e03c065442ab7d5d13e166800 Mon Sep 17 00:00:00 2001 From: katrielc Date: Thu, 23 Jun 2016 03:50:39 -0700 Subject: [PATCH] Add a libfuzzer for RtpHeaderParser. NOTRY=true Review-Url: https://codereview.webrtc.org/2062103002 Cr-Commit-Position: refs/heads/master@{#13271} --- .../rtp_rtcp/include/rtp_rtcp_defines.h | 1 + webrtc/modules/rtp_rtcp/source/rtp_sender.cc | 1 + webrtc/test/fuzzers/BUILD.gn | 9 ++++ webrtc/test/fuzzers/rtp_header_fuzzer.cc | 43 +++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 webrtc/test/fuzzers/rtp_header_fuzzer.cc diff --git a/webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h b/webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h index 05320f72e1..90f7784bfb 100644 --- a/webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h +++ b/webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h @@ -68,6 +68,7 @@ enum RTPExtensionType { kRtpExtensionVideoRotation, kRtpExtensionTransportSequenceNumber, kRtpExtensionPlayoutDelay, + kRtpExtensionNumberOfExtensions, }; enum RTCPAppSubTypes { kAppSubtypeBwe = 0x00 }; diff --git a/webrtc/modules/rtp_rtcp/source/rtp_sender.cc b/webrtc/modules/rtp_rtcp/source/rtp_sender.cc index 9b6b72ae1f..4ee2524abc 100644 --- a/webrtc/modules/rtp_rtcp/source/rtp_sender.cc +++ b/webrtc/modules/rtp_rtcp/source/rtp_sender.cc @@ -286,6 +286,7 @@ int32_t RTPSender::RegisterRtpHeaderExtension(RTPExtensionType type, case kRtpExtensionTransportSequenceNumber: return rtp_header_extension_map_.Register(type, id); case kRtpExtensionNone: + case kRtpExtensionNumberOfExtensions: LOG(LS_ERROR) << "Invalid RTP extension type for registration"; return -1; } diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn index 7d318f1796..c1b9ed9985 100644 --- a/webrtc/test/fuzzers/BUILD.gn +++ b/webrtc/test/fuzzers/BUILD.gn 
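Review bot: In the RTPExtensionType hunk of rtp_rtcp_defines.h, nothing marks `kRtpExtensionNumberOfExtensions` as a count sentinel that has to stay last, yet the new fuzzer in this commit uses it as a loop bound over the enum. A trailing comment such as `// Count sentinel, not a real extension; must remain the last enumerator.` would keep a later extension from being appended after it. Because it is an ordinary enumerator, every switch over RTPExtensionType also has to handle it, as the rtp_sender.cc hunk does; any other switches lie outside this diff and would need the same check. The enum's opening lines are outside the hunk.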
@@ -99,6 +99,15 @@ webrtc_fuzzer_test("rtp_packet_fuzzer") { seed_corpus = "corpora/rtp-corpus" } +webrtc_fuzzer_test("rtp_header_fuzzer") { + sources = [ + "rtp_header_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp/", + ] +} + source_set("audio_decoder_fuzzer") { public_configs = [ "../..:common_inherited_config" ] sources = [ diff --git a/webrtc/test/fuzzers/rtp_header_fuzzer.cc b/webrtc/test/fuzzers/rtp_header_fuzzer.cc new file mode 100644 index 0000000000..fcc737728c --- /dev/null +++ b/webrtc/test/fuzzers/rtp_header_fuzzer.cc 
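Review bot: The new `rtp_header_fuzzer` target in BUILD.gn has no `seed_corpus`, unlike the `rtp_packet_fuzzer` target visible in the context lines, so the fuzzer starts from empty inputs. The existing corpus probably cannot be reused as-is, because rtp_header_fuzzer.cc consumes the first input byte as an extension mask before parsing. If the omission is deliberate, a comment inside the target would record why, for example `# No seed_corpus: inputs start with an extension-mask byte, so corpora/rtp-corpus does not line up.`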
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include
+
+#include "webrtc/modules/rtp_rtcp/source/rtp_packet_received.h"
+#include "webrtc/modules/rtp_rtcp/include/rtp_rtcp_defines.h"
+#include "webrtc/modules/rtp_rtcp/source/rtp_utility.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ if (size <= 1)
+ return;
+
+ // We decide which header extensions to register by reading one byte
+ // from the beginning of |data| and interpreting it as a bitmask
+ // over the RTPExtensionType enum. That byte shouldn't also be part
+ // of the packet, so we adjust |data| and |size| to remove it.
+ std::bitset<8> extensionMask(data[0]);
+ data++;
+ size--;
+
+ RtpPacketReceived::ExtensionManager extensions;
+ for (int i = 1; i <= kRtpExtensionNumberOfExtensions; i++) {
+ // Skip i=0 which is kRtpExtensionNone i.e. not an actual extension.
+ if (extensionMask[i]) {
+ // We use i as the ID; it's used in negotiation so not relevant.
+ extensions.Register(static_cast(i), i);
+ }
+ }
+
+ RTPHeader rtp_header;
+ RtpUtility::RtpHeaderParser rtp_parser(data, size);
+ rtp_parser.Parse(&rtp_header, &extensions);
+}
+} // namespace webrtc
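Review bot: The registration loop in FuzzOneInput uses `i <= kRtpExtensionNumberOfExtensions`, so whenever the matching mask bit is set the count sentinel itself is cast to RTPExtensionType and handed to `extensions.Register`, a value the rtp_sender.cc hunk of this same commit rejects as invalid. The bound should be `i < kRtpExtensionNumberOfExtensions`. Separately, `std::bitset<8>` is fixed at eight bits while the loop bound follows the enum, and `extensionMask[i]` is unchecked, so an enum that grows past eight entries would index out of range. A `static_assert(kRtpExtensionNumberOfExtensions <= 8, "extension mask is one byte");` next to the bitset would catch that at compile time. What Register does with the sentinel is not visible in this diff, so the runtime effect is unconfirmed.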