Fixing fuzzer by backing up and restoring `packet_info`.
This change fixes `packet_buffer_fuzzer` so that it doesn't attempt to fuzz `std::vector`.
Bug: chromium:977309 chromium:977411 chromium:977421 chromium:977422 chromium:977454 chromium:977455 chromium:977477 chromium:977457
Change-Id: I0845d7f53008606c2a8b5943ef58fd35a9eb1085
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/143171
Reviewed-by: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Commit-Queue: Benjamin Wright <benwright@webrtc.org>
Commit-Queue: Chen Xing <chxg@google.com>
Cr-Commit-Position: refs/heads/master@{#28344}
diff --git a/test/fuzzers/packet_buffer_fuzzer.cc b/test/fuzzers/packet_buffer_fuzzer.cc
index 709c14c..f8067b7 100644
--- a/test/fuzzers/packet_buffer_fuzzer.cc
+++ b/test/fuzzers/packet_buffer_fuzzer.cc
@@ -32,23 +32,27 @@
test::FuzzDataHelper helper(rtc::ArrayView<const uint8_t>(data, size));
while (helper.BytesLeft()) {
- // The RTPVideoHeader is a complex type, so overwriting it with random data
- // will put it in an invalid state. Therefore we save/restore it.
+ // Complex types (e.g. non-POD-like types) can't be bit-wise fuzzed with
+ // random data or it will put them in an invalid state. We therefore backup
+ // their byte-patterns before the fuzzing and restore them after.
uint8_t video_header_backup[sizeof(packet.video_header)];
memcpy(&video_header_backup, &packet.video_header,
sizeof(packet.video_header));
-
uint8_t generic_descriptor_backup[sizeof(packet.generic_descriptor)];
memcpy(&generic_descriptor_backup, &packet.generic_descriptor,
sizeof(packet.generic_descriptor));
+ uint8_t packet_info_backup[sizeof(packet.packet_info)];
+ memcpy(&packet_info_backup, &packet.packet_info,
+ sizeof(packet.packet_info));
helper.CopyTo(&packet);
memcpy(&packet.video_header, &video_header_backup,
sizeof(packet.video_header));
-
memcpy(&packet.generic_descriptor, &generic_descriptor_backup,
sizeof(packet.generic_descriptor));
+ memcpy(&packet.packet_info, &packet_info_backup,
+ sizeof(packet.packet_info));
// The packet buffer owns the payload of the packet.
uint8_t payload_size;
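Review bot: The backup/restore list around `helper.CopyTo(&packet)` is maintained by hand, so the next non-trivially-copyable member added to the packet type will again be overwritten with fuzz bytes. That would produce harness-only crashes rather than findings in the packet buffer, which, judging by the description's mention of `std::vector`, is what the reports on the Bug: line were. Copying such members byte-wise with `memcpy` is also formally undefined behaviour, even though restoring the identical bytes works in practice. Consider fuzzing only the trivially copyable fields one at a time, or at least extend the new comment with something like `// Every member that is not trivially copyable must be backed up here; update this list when the packet type changes.` The enclosing function and the `while` loop start and end outside this hunk, so the declaration of `packet` is not visible here.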