Add fuzzer for ForwardErrorCorrection::DecodeFec.
Bug: webrtc:8481
Change-Id: I23aa59ffee542c1c0b31c82186876ccc21e28592
Reviewed-on: https://webrtc-review.googlesource.com/32305
Commit-Queue: Rasmus Brandt <brandtr@webrtc.org>
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21248}
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 3f37767..475aeaa 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -96,6 +96,18 @@
]
}
+webrtc_fuzzer_test("forward_error_correction_fuzzer") {
+ sources = [
+ "forward_error_correction_fuzzer.cc",
+ ]
+ deps = [
+ "../../modules/rtp_rtcp",
+ "../../modules/rtp_rtcp:rtp_rtcp_format",
+ "../../rtc_base:rtc_base_approved",
+ ]
+ libfuzzer_options = [ "max_len=5000" ]
+}
+
webrtc_fuzzer_test("flexfec_header_reader_fuzzer") {
sources = [
"flexfec_header_reader_fuzzer.cc",
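Review bot: `max_len=5000` is given without its derivation, and this value bounds how much decoder state a single input can build up. From the harness added in this same commit, an input spends 5 bytes on initial stream state and 55 bytes per loop iteration (50 payload bytes plus 5 control bytes), so 5000 bytes allows about 90 packets per run, some of which are skipped by the `packet_loss` branch. A comment above the option, e.g. `# 5 bytes of stream state + 55 bytes per packet => ~90 packets per input.`, would let a later change to `kPacketSize` or the per-packet fields be matched by a change here.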
diff --git a/test/fuzzers/forward_error_correction_fuzzer.cc b/test/fuzzers/forward_error_correction_fuzzer.cc
new file mode 100644
index 0000000..9d5b872
--- /dev/null
+++ b/test/fuzzers/forward_error_correction_fuzzer.cc
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <memory>
+
+#include "modules/rtp_rtcp/source/byte_io.h"
+#include "modules/rtp_rtcp/source/forward_error_correction.h"
+#include "rtc_base/bytebuffer.h"
+#include "rtc_base/scoped_ref_ptr.h"
+
+namespace webrtc {
+
+namespace {
+constexpr uint32_t kMediaSsrc = 100200300;
+constexpr uint32_t kFecSsrc = 111222333;
+
+constexpr size_t kPacketSize = 50;
+constexpr size_t kMaxPacketsInBuffer = 48;
+} // namespace
+
+void FuzzOneInput(const uint8_t* data, size_t size) {
+ // Object under test.
+ std::unique_ptr<ForwardErrorCorrection> fec =
+ ForwardErrorCorrection::CreateFlexfec(kFecSsrc, kMediaSsrc);
+
+ // Entropy from fuzzer.
+ rtc::ByteBufferReader fuzz_buffer(reinterpret_cast<const char*>(data), size);
+
+ // Initial stream state.
+ uint16_t media_seqnum;
+ if (!fuzz_buffer.ReadUInt16(&media_seqnum))
+ return;
+ const uint16_t original_media_seqnum = media_seqnum;
+ uint16_t fec_seqnum;
+ if (!fuzz_buffer.ReadUInt16(&fec_seqnum))
+ return;
+
+ // Existing packets in the packet buffer.
+ ForwardErrorCorrection::RecoveredPacketList recovered_packets;
+ uint8_t num_existing_recovered_packets;
+ if (!fuzz_buffer.ReadUInt8(&num_existing_recovered_packets))
+ return;
+ for (size_t i = 0; i < num_existing_recovered_packets % kMaxPacketsInBuffer;
+ ++i) {
+ ForwardErrorCorrection::RecoveredPacket* recovered_packet =
+ new ForwardErrorCorrection::RecoveredPacket();
+ recovered_packet->pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
+ new ForwardErrorCorrection::Packet());
+ recovered_packet->pkt->length = kPacketSize;
+ recovered_packet->ssrc = kMediaSsrc;
+ recovered_packet->seq_num = media_seqnum++;
+ recovered_packets.emplace_back(recovered_packet);
+ }
+
+ // New packets received from the network.
+ ForwardErrorCorrection::ReceivedPacket received_packet;
+ received_packet.pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
+ new ForwardErrorCorrection::Packet());
+ received_packet.pkt->length = kPacketSize;
+ uint8_t* packet_buffer = received_packet.pkt->data;
+ uint8_t reordering;
+ uint16_t seq_num_diff;
+ uint8_t packet_type;
+ uint8_t packet_loss;
+ while (true) {
+ if (!fuzz_buffer.ReadBytes(reinterpret_cast<char*>(packet_buffer),
+ kPacketSize)) {
+ return;
+ }
+ if (!fuzz_buffer.ReadUInt8(&reordering))
+ return;
+ if (!fuzz_buffer.ReadUInt16(&seq_num_diff))
+ return;
+ if (!fuzz_buffer.ReadUInt8(&packet_type))
+ return;
+ if (!fuzz_buffer.ReadUInt8(&packet_loss))
+ return;
+
+ if (reordering % 10 != 0)
+ seq_num_diff = 0;
+
+ if (packet_type % 2 == 0) {
+ received_packet.is_fec = true;
+ received_packet.ssrc = kFecSsrc;
+ received_packet.seq_num = seq_num_diff + fec_seqnum++;
+
+ // Overwrite parts of the FlexFEC header for fuzzing efficiency.
+ packet_buffer[0] = 0; // R, F bits.
+ ByteWriter<uint8_t>::WriteBigEndian(&packet_buffer[8], 1); // SSRCCount.
+ ByteWriter<uint32_t>::WriteBigEndian(&packet_buffer[12],
+ kMediaSsrc); // SSRC_i.
+ ByteWriter<uint16_t>::WriteBigEndian(
+ &packet_buffer[16], original_media_seqnum); // SN base_i.
+ } else {
+ received_packet.is_fec = false;
+ received_packet.ssrc = kMediaSsrc;
+ received_packet.seq_num = seq_num_diff + media_seqnum++;
+ }
+
+ if (packet_loss % 10 == 0)
+ continue;
+
+ fec->DecodeFec(received_packet, &recovered_packets);
+ }
+}
+
+} // namespace webrtc
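Review bot: `received_packet.pkt` is allocated once before the `while (true)` loop, so every `DecodeFec` call receives the same `Packet` object and the next `ReadBytes` (and the FlexFEC header overwrite) modifies it in place. If `DecodeFec` stores the `scoped_refptr` rather than copying the payload (the decoder source is not part of this diff, so this should be confirmed), packets already held in the decoder's state are rewritten behind its back, which can both report crashes a real receiver cannot reach and mask ones it can. Allocating per iteration avoids the aliasing: move `received_packet.pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(new ForwardErrorCorrection::Packet());`, the `received_packet.pkt->length = kPacketSize;` assignment and `packet_buffer = received_packet.pkt->data;` to the top of the loop body. Separately, the decoder is only ever built with `CreateFlexfec`, so a one-line comment on `FuzzOneInput` stating that this target covers the FlexFEC path only would set expectations for anyone reading coverage reports.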