Create a fuzzer for ComfortNoiseDecoder
The fuzzer will hammer on the UpdateSid and Generate methods of
ComfortNoiseDecoder.
The change also includes a fix to an issue in WebRtcSpl_FilterAR, which
was immediately found by running the fuzzer locally.
Bug: none
Change-Id: I5283427cb27844fb953e2caa35423ea873aca2ff
Reviewed-on: https://webrtc-review.googlesource.com/28100
Commit-Queue: Henrik Lundin <henrik.lundin@webrtc.org>
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21134}
diff --git a/common_audio/signal_processing/filter_ar.c b/common_audio/signal_processing/filter_ar.c
index 621fef5..49d5d61 100644
--- a/common_audio/signal_processing/filter_ar.c
+++ b/common_audio/signal_processing/filter_ar.c
@@ -29,7 +29,7 @@
int16_t* filtered_low,
size_t filtered_low_length)
{
- int32_t o;
+ int64_t o;
int32_t oLOW;
size_t i, j, stop;
const int16_t* x_ptr = &x[0];
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index f88b47d..0aee276 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -328,12 +328,12 @@
"neteq_signal_fuzzer.cc",
]
deps = [
+ ":fuzz_data_helper",
"../../api:array_view",
"../../modules/audio_coding:neteq",
"../../modules/audio_coding:neteq_test_tools",
"../../modules/audio_coding:neteq_tools_minimal",
"../../modules/audio_coding:pcm16b",
- "../../modules/rtp_rtcp:rtp_rtcp_format",
"../../rtc_base:rtc_base_approved",
"../../rtc_base:rtc_base_tests_utils",
]
@@ -416,3 +416,27 @@
"../../rtc_base:rtc_base_approved",
]
}
+
+webrtc_fuzzer_test("comfort_noise_decoder_fuzzer") {
+ sources = [
+ "comfort_noise_decoder_fuzzer.cc",
+ ]
+ deps = [
+ ":fuzz_data_helper",
+ "../../api:array_view",
+ "../../modules/audio_coding:cng",
+ "../../rtc_base:rtc_base_approved",
+ ]
+}
+
+rtc_static_library("fuzz_data_helper") {
+ sources = [
+ "fuzz_data_helper.cc",
+ "fuzz_data_helper.h",
+ ]
+ deps = [
+ "../../api:array_view",
+ "../../modules/rtp_rtcp:rtp_rtcp_format",
+ ]
+ visibility = [ ":*" ] # Only targets in this file can depend on this.
+}
diff --git a/test/fuzzers/comfort_noise_decoder_fuzzer.cc b/test/fuzzers/comfort_noise_decoder_fuzzer.cc
new file mode 100644
index 0000000..3033f20
--- /dev/null
+++ b/test/fuzzers/comfort_noise_decoder_fuzzer.cc
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "api/array_view.h"
+#include "modules/audio_coding/codecs/cng/webrtc_cng.h"
+#include "rtc_base/buffer.h"
+#include "test/fuzzers/fuzz_data_helper.h"
+
+namespace webrtc {
+namespace test {
+namespace {
+
+void FuzzOneInputTest(rtc::ArrayView<const uint8_t> data) {
+ FuzzDataHelper fuzz_data(data);
+ ComfortNoiseDecoder cng_decoder;
+
+ while (1) {
+ if (!fuzz_data.CanReadBytes(1))
+ break;
+ const uint8_t sid_frame_len = fuzz_data.Read<uint8_t>();
+ auto sid_frame = fuzz_data.ReadByteArray(sid_frame_len);
+ if (sid_frame.empty())
+ break;
+ cng_decoder.UpdateSid(sid_frame);
+ if (!fuzz_data.CanReadBytes(3))
+ break;
+ constexpr bool kTrueOrFalse[] = {true, false};
+ const bool new_period = fuzz_data.SelectOneOf(kTrueOrFalse);
+ constexpr size_t kOutputSizes[] = {80, 160, 320, 480};
+ const size_t output_size = fuzz_data.SelectOneOf(kOutputSizes);
+ const size_t num_generate_calls = fuzz_data.Read<uint8_t>();
+ rtc::BufferT<int16_t> output(output_size);
+ for (size_t i = 0; i < num_generate_calls; ++i) {
+ cng_decoder.Generate(output, new_period);
+ }
+ }
+}
+
+} // namespace
+} // namespace test
+
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ test::FuzzOneInputTest(rtc::ArrayView<const uint8_t>(data, size));
+}
+
+} // namespace webrtc
diff --git a/test/fuzzers/fuzz_data_helper.cc b/test/fuzzers/fuzz_data_helper.cc
new file mode 100644
index 0000000..866f7bc
--- /dev/null
+++ b/test/fuzzers/fuzz_data_helper.cc
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "test/fuzzers/fuzz_data_helper.h"
+
+namespace webrtc {
+namespace test {
+
+FuzzDataHelper::FuzzDataHelper(rtc::ArrayView<const uint8_t> data)
+ : data_(data) {}
+
+} // namespace test
+} // namespace webrtc
diff --git a/test/fuzzers/fuzz_data_helper.h b/test/fuzzers/fuzz_data_helper.h
new file mode 100644
index 0000000..fb64bfe
--- /dev/null
+++ b/test/fuzzers/fuzz_data_helper.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef TEST_FUZZERS_FUZZ_DATA_HELPER_H_
+#define TEST_FUZZERS_FUZZ_DATA_HELPER_H_
+
+#include <limits>
+
+#include "api/array_view.h"
+#include "modules/rtp_rtcp/source/byte_io.h"
+
+namespace webrtc {
+namespace test {
+
+// Helper class to take care of the fuzzer input, read from it, and keep track
+// of when the end of the data has been reached.
+class FuzzDataHelper {
+ public:
+ explicit FuzzDataHelper(rtc::ArrayView<const uint8_t> data);
+
+ // Returns true if n bytes can be read.
+ bool CanReadBytes(size_t n) const { return data_ix_ + n <= data_.size(); }
+
+ // Reads and returns data of type T.
+ template <typename T>
+ T Read() {
+ RTC_CHECK(CanReadBytes(sizeof(T)));
+ T x = ByteReader<T>::ReadLittleEndian(&data_[data_ix_]);
+ data_ix_ += sizeof(T);
+ return x;
+ }
+
+ // Reads and returns data of type T. Returns default_value if not enough
+ // fuzzer input remains to read a T.
+ template <typename T>
+ T ReadOrDefaultValue(T default_value) {
+ if (!CanReadBytes(sizeof(T))) {
+ return default_value;
+ }
+ return Read<T>();
+ }
+
+ // Like ReadOrDefaultValue, but replaces the value 0 with default_value.
+ template <typename T>
+ T ReadOrDefaultValueNotZero(T default_value) {
+ static_assert(std::is_integral<T>::value, "");
+ T x = ReadOrDefaultValue(default_value);
+ return x == 0 ? default_value : x;
+ }
+
+ // Returns one of the elements from the provided input array. The selection
+ // is based on the fuzzer input data. If not enough fuzzer data is available,
+ // the method will return the first element in the input array. The reason for
+ // not flagging this as an error is to allow the method to be called from
+ // class constructors, and in constructors we typically do not handle
+ // errors. The code will work anyway, and the fuzzer will likely see that
+ // providing more data will actually make this method return something else.
+ template <typename T, size_t N>
+ T SelectOneOf(const T (&select_from)[N]) {
+ static_assert(N <= std::numeric_limits<uint8_t>::max(), "");
+ // Read an index between 0 and select_from.size() - 1 from the fuzzer data.
+ uint8_t index = ReadOrDefaultValue<uint8_t>(0) % N;
+ return select_from[index];
+ }
+
+ rtc::ArrayView<const uint8_t> ReadByteArray(size_t bytes) {
+ if (!CanReadBytes(bytes)) {
+ return rtc::ArrayView<const uint8_t>(nullptr, 0);
+ }
+ const size_t index_to_return = data_ix_;
+ data_ix_ += bytes;
+ return data_.subview(index_to_return, bytes);
+ }
+
+ private:
+ rtc::ArrayView<const uint8_t> data_;
+ size_t data_ix_ = 0;
+};
+
+} // namespace test
+} // namespace webrtc
+
+#endif // TEST_FUZZERS_FUZZ_DATA_HELPER_H_
diff --git a/test/fuzzers/neteq_signal_fuzzer.cc b/test/fuzzers/neteq_signal_fuzzer.cc
index f0b7911..28f2a1b 100644
--- a/test/fuzzers/neteq_signal_fuzzer.cc
+++ b/test/fuzzers/neteq_signal_fuzzer.cc
@@ -18,75 +18,19 @@
#include "modules/audio_coding/neteq/tools/audio_checksum.h"
#include "modules/audio_coding/neteq/tools/encode_neteq_input.h"
#include "modules/audio_coding/neteq/tools/neteq_test.h"
-#include "modules/rtp_rtcp/source/byte_io.h"
#include "rtc_base/numerics/safe_conversions.h"
#include "rtc_base/random.h"
+#include "test/fuzzers/fuzz_data_helper.h"
namespace webrtc {
namespace test {
namespace {
-// Helper class to take care of the fuzzer input, read from it, and keep track
-// of when the end of the data has been reached.
-class FuzzData {
- public:
- explicit FuzzData(rtc::ArrayView<const uint8_t> data) : data_(data) {}
-
- // Returns true if n bytes can be read.
- bool CanReadBytes(size_t n) const { return data_ix_ + n <= data_.size(); }
-
- // Reads and returns data of type T.
- template <typename T>
- T Read() {
- RTC_CHECK(CanReadBytes(sizeof(T)));
- T x = ByteReader<T>::ReadLittleEndian(&data_[data_ix_]);
- data_ix_ += sizeof(T);
- return x;
- }
-
- // Reads and returns data of type T. Returns default_value if not enough
- // fuzzer input remains to read a T.
- template <typename T>
- T ReadOrDefaultValue(T default_value) {
- if (!CanReadBytes(sizeof(T))) {
- return default_value;
- }
- return Read<T>();
- }
-
- // Like ReadOrDefaultValue, but replaces the value 0 with default_value.
- template <typename T>
- T ReadOrDefaultValueNotZero(T default_value) {
- static_assert(std::is_integral<T>::value, "");
- T x = ReadOrDefaultValue(default_value);
- return x == 0 ? default_value : x;
- }
-
- // Returns one of the elements from the provided input array. The selection
- // is based on the fuzzer input data. If not enough fuzzer data is available,
- // the method will return the first element in the input array. The reason for
- // not flaggin this as an error is that the method is called from the
- // FuzzSignalInput constructor, and in constructors we typically do not handle
- // errors. The code will work anyway, and the fuzzer will likely see that
- // providing more data will actually make this method return something else.
- template <typename T>
- T SelectOneOf(rtc::ArrayView<const T> select_from) {
- RTC_CHECK_LE(select_from.size(), std::numeric_limits<uint8_t>::max());
- // Read an index between 0 and select_from.size() - 1 from the fuzzer data.
- uint8_t index = ReadOrDefaultValue<uint8_t>(0) % select_from.size();
- return select_from[index];
- }
-
- private:
- rtc::ArrayView<const uint8_t> data_;
- size_t data_ix_ = 0;
-};
-
// Generate a mixture of sine wave and gaussian noise.
class SineAndNoiseGenerator : public EncodeNetEqInput::Generator {
public:
// The noise generator is seeded with a value from the fuzzer data, but 0 is
// avoided (since it is not allowed by the Random class).
- SineAndNoiseGenerator(int sample_rate_hz, FuzzData* fuzz_data)
+ SineAndNoiseGenerator(int sample_rate_hz, FuzzDataHelper* fuzz_data)
: sample_rate_hz_(sample_rate_hz),
fuzz_data_(*fuzz_data),
noise_generator_(fuzz_data_.ReadOrDefaultValueNotZero<uint64_t>(1)) {}
@@ -117,13 +61,13 @@
const double kPi = std::acos(-1);
std::vector<int16_t> samples_;
double phase_ = 0.0;
- FuzzData& fuzz_data_;
+ FuzzDataHelper& fuzz_data_;
Random noise_generator_;
};
class FuzzSignalInput : public NetEqInput {
public:
- explicit FuzzSignalInput(FuzzData* fuzz_data,
+ explicit FuzzSignalInput(FuzzDataHelper* fuzz_data,
int sample_rate,
uint8_t payload_type)
: fuzz_data_(*fuzz_data) {
@@ -141,8 +85,7 @@
// call to NetEq::GetAudio. 10 ms is nominal, 9 and 11 ms will both lead to
// clock drift (in different directions).
constexpr int output_event_periods[] = {9, 10, 11};
- output_event_period_ms_ =
- fuzz_data_.SelectOneOf(rtc::ArrayView<const int>(output_event_periods));
+ output_event_period_ms_ = fuzz_data_.SelectOneOf(output_event_periods);
}
rtc::Optional<int64_t> NextPacketTime() const override {
@@ -188,7 +131,7 @@
private:
bool ended_ = false;
- FuzzData& fuzz_data_;
+ FuzzDataHelper& fuzz_data_;
std::unique_ptr<EncodeNetEqInput> input_;
std::unique_ptr<PacketData> packet_;
int64_t next_output_event_ms_ = 0;
@@ -199,13 +142,12 @@
void FuzzOneInputTest(const uint8_t* data, size_t size) {
if (size < 1)
return;
- FuzzData fuzz_data(rtc::ArrayView<const uint8_t>(data, size));
+ FuzzDataHelper fuzz_data(rtc::ArrayView<const uint8_t>(data, size));
// Allowed sample rates and payload types used in the test.
std::pair<int, uint8_t> rate_types[] = {
{8000, 93}, {16000, 94}, {32000, 95}, {48000, 96}};
- const auto rate_type = fuzz_data.SelectOneOf(
- rtc::ArrayView<const std::pair<int, uint8_t>>(rate_types));
+ const auto rate_type = fuzz_data.SelectOneOf(rate_types);
const int sample_rate = rate_type.first;
const uint8_t payload_type = rate_type.second;