Reland of https://codereview.webrtc.org/2044523002.
Landing these in WebRTC under a guard so they don't build in
Chromium. The guard can be removed once Chromium has migrated to use the
new GN targets.
BUG=webrtc:6081
NOTRY=true
Review-Url: https://codereview.webrtc.org/2117183005
Cr-Commit-Position: refs/heads/master@{#13397}
diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn
index 9179d05..9839a46 100644
--- a/webrtc/test/fuzzers/BUILD.gn
+++ b/webrtc/test/fuzzers/BUILD.gn
@@ -189,4 +189,36 @@
"../../media:media",
]
}
+
+ webrtc_fuzzer_test("sdp_parser_fuzzer") {
+ sources = [
+ "sdp_parser_fuzzer.cc",
+ ]
+ deps = [
+ "../../api:libjingle_peerconnection",
+ ]
+ seed_corpus = "corpora/sdp-corpus"
+ }
+
+ webrtc_fuzzer_test("stun_parser_fuzzer") {
+ sources = [
+ "stun_parser_fuzzer.cc",
+ ]
+ deps = [
+ "../../p2p:rtc_p2p",
+ ]
+ seed_corpus = "corpora/stun-corpus"
+ dict = "corpora/stun.tokens"
+ }
+
+ webrtc_fuzzer_test("stun_validator_fuzzer") {
+ sources = [
+ "stun_validator_fuzzer.cc",
+ ]
+ deps = [
+ "../../p2p:rtc_p2p",
+ ]
+ seed_corpus = "corpora/stun-corpus"
+ dict = "corpora/stun.tokens"
+ }
}
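Review bot: `sdp_parser_fuzzer` is the only one of the three new targets without a `dict`, although SDP is a line-oriented text format where a token dictionary usually helps the fuzzer get past the first parse checks. Consider adding one next to the seed corpus, e.g. `dict = "corpora/<sdp-token-file>"` (placeholder name; no such file is shown in this change). The block that closes on the last line of the hunk opens outside it, so the Chromium guard mentioned in the description cannot be checked from here.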
diff --git a/webrtc/test/fuzzers/sdp_parser_fuzzer.cc b/webrtc/test/fuzzers/sdp_parser_fuzzer.cc
new file mode 100644
index 0000000..f21c991
--- /dev/null
+++ b/webrtc/test/fuzzers/sdp_parser_fuzzer.cc
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/api/jsepsessiondescription.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ std::string message(reinterpret_cast<const char*>(data), size);
+ webrtc::SdpParseError error;
+
+ std::unique_ptr<webrtc::SessionDescriptionInterface> sdp(
+ CreateSessionDescription("offer", message, &error));
+}
+
+} // namespace webrtc
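Review bot: `FuzzOneInput` uses `std::string` and `std::unique_ptr`, but the file includes only `<stddef.h>`, `<stdint.h>` and the JSEP header, so it compiles only through transitive includes; add `#include <memory>` and `#include <string>`. The same applies to `std::unique_ptr` in stun_parser_fuzzer.cc. Separately, the input length is not bounded before the copy into `message`, so very large inputs may surface as fuzzer timeouts rather than parser defects. An early `if (size > kMaxInputLen) return;` would keep runs focused; the constant name is a suggestion, not an existing identifier, and its value should be chosen for realistic SDP sizes.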
diff --git a/webrtc/test/fuzzers/stun_parser_fuzzer.cc b/webrtc/test/fuzzers/stun_parser_fuzzer.cc
new file mode 100644
index 0000000..02f10b1
--- /dev/null
+++ b/webrtc/test/fuzzers/stun_parser_fuzzer.cc
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/p2p/base/stun.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ const char* message = reinterpret_cast<const char*>(data);
+
+ // Normally we'd check the integrity first, but those checks are
+ // fuzzed separately in stun_validator_fuzzer.cc. We still want to
+ // fuzz this target since the integrity checks could be forged by a
+ // malicious adversary who receives a call.
+ std::unique_ptr<cricket::IceMessage> stun_msg(new cricket::IceMessage());
+ rtc::ByteBufferReader buf(message, size);
+ stun_msg->Read(&buf);
+}
+} // namespace webrtc
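Review bot: The `IceMessage` is heap-allocated with a raw `new` only to be destroyed at the end of the function; a stack object does the same with less noise: `cricket::IceMessage stun_msg;` followed by `stun_msg.Read(&buf);`. Whatever `Read()` returns is discarded and nothing is read back from the message afterwards, so only the parse path itself is covered. A short comment such as `// Result ignored: only crashes and sanitizer reports matter here.` would make that intent explicit for the next reader.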
diff --git a/webrtc/test/fuzzers/stun_validator_fuzzer.cc b/webrtc/test/fuzzers/stun_validator_fuzzer.cc
new file mode 100644
index 0000000..1f919f5
--- /dev/null
+++ b/webrtc/test/fuzzers/stun_validator_fuzzer.cc
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/p2p/base/stun.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ const char* message = reinterpret_cast<const char*>(data);
+
+ cricket::StunMessage::ValidateFingerprint(message, size);
+ cricket::StunMessage::ValidateMessageIntegrity(message, size, "");
+}
+} // namespace webrtc
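Review bot: `ValidateMessageIntegrity` is always called with the empty password `""`, and nothing in the file says why. With a fixed key, the code after a successful MAC comparison is presumably reachable only if entries in `corpora/stun-corpus` were signed with that same empty password, so the harness may cover only the length and attribute checks that precede the comparison. Please document the choice above the call, e.g. `// Fixed empty password: covers the checks before the MAC comparison; a match needs corpus entries signed with "".`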