author | Google AutoFuzz Team <security-tps@google.com> | 2021-11-08 21:55:07 +0100 |
committer | GitHub <noreply@github.com> | 2021-11-08 15:55:07 -0500 |
commit | d0f46b554b06eea9c723e9af8272e1408d192d71 (patch) | |
tree | d7a6a684b939eff7f302045c0fc3bb5ad68ceff4 /projects/opus/opus_repacketizer_fuzzer.cc | |
parent | 7d4affc04b17bffc6fb603855e3834472172270f (diff) |
Add Google-written opus fuzzers (#6798)
Those fuzzers have been written and used internally with great results,
finding a couple of bugs, both in code and in design,
and have a code coverage of ~80% for the src/ folder,
and ~90% for both silk/ and celt/.
The fuzzers are put here and not upstream in libopus' repository,
because they are written in C++, and I'm not sure it's worth
the complexity of re-implementing FuzzedDataProvider
in C just for the sake of moving those files.
Co-authored-by: Julien Voisin <jvoisin@google.com>
Diffstat (limited to 'projects/opus/opus_repacketizer_fuzzer.cc')
-rw-r--r-- | projects/opus/opus_repacketizer_fuzzer.cc | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/projects/opus/opus_repacketizer_fuzzer.cc b/projects/opus/opus_repacketizer_fuzzer.cc
new file mode 100644
index 00000000..724a5487
--- /dev/null
+++ b/projects/opus/opus_repacketizer_fuzzer.cc
@@ -0,0 +1,60 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <fuzzer/FuzzedDataProvider.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "opus.h"
+#include "opus_types.h"
+
+#define MAX_PACKETOUT 32000
+
+static opus_uint32 char_to_int(const unsigned char ch[4]) {
+ return ((opus_uint32)ch[0] << 24) | ((opus_uint32)ch[1] << 16) |
+ ((opus_uint32)ch[2] << 8) | (opus_uint32)ch[3];
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ unsigned char output_packet[MAX_PACKETOUT];
+ OpusRepacketizer *rp = opus_repacketizer_create();
+ opus_repacketizer_init(rp);
+ const size_t nb_packets_to_add = fdp.ConsumeIntegralInRange(1, 48);
+ const auto packets = fdp.ConsumeRemainingBytes<unsigned char>();
+
+ size_t start = 0;
+ for (size_t i = 0; i < nb_packets_to_add; i++) {
+ if (packets.size() - start < 4) {
+ break;
+ }
+ const size_t packet_length = char_to_int(packets.data() + start);
+ start += 4;
+
+ if (packets.size() - start < packet_length || packet_length > 1500) {
+ break;
+ }
+
+ opus_repacketizer_cat(rp, packets.data() + start, packet_length);
+ start += packet_length;
+ }
+ int foo = opus_repacketizer_out(rp, output_packet, MAX_PACKETOUT);
+ (void)foo;
+
+ opus_repacketizer_destroy(rp);
+
+ return 0;
+} |
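Review bot: The result of `opus_repacketizer_create()` near the top of LLVMFuzzerTestOneInput is not checked before `opus_repacketizer_init(rp)` dereferences it; the library is documented to return NULL when allocation fails, so a run under a malloc limit or allocation-failure injection would report a null dereference in the harness itself rather than a finding in libopus. A one-line guard after the create call, `if (rp == nullptr) return 0;`, keeps the harness from producing that noise. The explicit `opus_repacketizer_init(rp)` call also looks redundant, since as far as I recall `opus_repacketizer_create` already initializes the state it returns; if that holds, dropping it removes a second dereference of the same pointer. Lastly, `int foo = opus_repacketizer_out(...); (void)foo;` reads as a placeholder — either cast the call to void directly or name the variable `out_len` so the intent is clear.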