projects: Add GStreamer (#905)

* projects: Add GStreamer

This is an initial fuzzer which goes over ogg/theora/vorbis files
using the discoverer process

* gstreamer/build.sh: Cleanup file

* gstreamer/Dockerfile: Update copyright date

* gstreamer: Update project.yaml

Use the security mailing list as the primary contact
Remove explicit sanitizer listing

* gstreamer: Simplify base fuzzer

Removed almost all outputting

I am the original author of the code this is taken for, relicensing
an ultra-simplified version of my original code to Apache.

* gstreamer: Cleanup of build file and dockerfile

* gstreamer: Code minimization and avoid leaks

Data provided by the fuzzer shouldn't be freed (but the wrapping
GstBuffer should).

Avoid logging by default

* gstreamer: Download corpus in Dockerfile

And extract in build.sh

* gstreamer: Move code to repository and more cleanups

Remove custom LDFLAGS (not needed)
Use fuzzing target code from upstream repository

3 files changed, 143 insertions, 0 deletions

diff --git a/projects/gstreamer/Dockerfile b/projects/gstreamer/Dockerfile
new file mode 100644
index 000000000..da67b6f8a
--- /dev/null
+++ b/projects/gstreamer/Dockerfile
@@ -0,0 +1,40 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+MAINTAINER bilboed@bilboed.com
+# Install the build dependencies
+
+# install the minimum
+
+RUN sed -i '/^#\sdeb-src /s/^#//' "/etc/apt/sources.list" && \
+   apt-get update && \
+   apt-get install -y make autoconf automake libtool build-essential \
+    autopoint pkg-config bison flex gettext libglib2.0-dev libffi-dev liblzma-dev \
+    libvorbis-dev libtheora-dev libogg-dev git-annex
+
+# Checkout all development repositories
+#RUN for i in orc  gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav; do git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/$i $i; done  
+RUN \
+  git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/orc orc && \
+  git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gstreamer gstreamer && \
+  git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gst-plugins-base gst-plugins-base && \
+  git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gst-ci gst-ci
+
+ADD https://people.freedesktop.org/~bilboed/gst-discoverer_seed_corpus.zip $SRC
+
+WORKDIR gstreamer
+COPY build.sh $SRC/
diff --git a/projects/gstreamer/build.sh b/projects/gstreamer/build.sh
new file mode 100755
index 000000000..dc1a5c4f9
--- /dev/null
+++ b/projects/gstreamer/build.sh
@@ -0,0 +1,97 @@
+#!/bin/bash -eu
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "CFLAGS" $CFLAGS
+echo "CXXFLAGS" $CXXFLAGS
+PREFIX=$WORK/prefix
+PLUGIN_DIR=$PREFIX/lib/gstreamer-1.0
+export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig
+mkdir -p $PREFIX
+cd $WORK
+
+# Minimize gst-debug level/code
+export CFLAGS="$CFLAGS -DGST_LEVEL_MAX=2"
+
+for i in orc gstreamer gst-plugins-base;
+do
+    mkdir -p $i
+    cd $i
+    $SRC/$i/autogen.sh --prefix=$PREFIX --disable-shared --enable-static --disable-examples \
+		       --disable-gtk-doc --disable-introspection --enable-static-plugins \
+		       --disable-gst-tracer-hooks --disable-registry
+    make -j$(nproc)
+    make install
+    cd ..
+done
+
+#finally build the binary \o/
+BUILD_CFLAGS="$CFLAGS `pkg-config --static --cflags glib-2.0 gstreamer-1.0 gstreamer-pbutils-1.0 gstreamer-video-1.0 gstreamer-audio-1.0 gstreamer-app-1.0 orc-0.4`"
+
+# List of dependencies libraries we grab from pkg-config
+# Should also include dependencies of dependencies (ex: libvorbis depends on libogg)
+
+PKG_DEPS="glib-2.0 gstreamer-1.0 gstreamer-pbutils-1.0 gstreamer-video-1.0 gstreamer-audio-1.0 orc-0.4 \
+  gstreamer-riff-1.0 gstreamer-tag-1.0 gstreamer-app-1.0 zlib \
+  ogg vorbis vorbisenc theoraenc theoradec theora"
+
+# List of all plugins to include
+PLUGINS="$PLUGIN_DIR/libgstcoreelements.a \
+       $PLUGIN_DIR/libgsttypefindfunctions.a \
+       $PLUGIN_DIR/libgstplayback.a \
+       $PLUGIN_DIR/libgstapp.a \
+       $PLUGIN_DIR/libgstvorbis.a \
+       $PLUGIN_DIR/libgsttheora.a \
+       $PLUGIN_DIR/libgstogg.a"
+
+# We want to statically link everything, except for shared libraries that are present on
+# the base image. Those need to be specified beforehad and explicitely linked dynamically
+# If any of the static dependencies require a pre-installed shared library, you need
+# to add that library to the following list
+PREDEPS_LDFLAGS="-Wl,-Bdynamic -ldl -lm -pthread -lrt -lpthread"
+
+# The libraries we want to statically link to
+# This includes dependencies of the gst plugins
+BUILD_LDFLAGS="-Wl,-static `pkg-config --static --libs $PKG_DEPS`"
+
+echo
+echo "PREDEPS_LDFLAGS" $PREDEPS_LDFLAGS
+echo
+echo "BUILD_LDFLAGS" $BUILD_LDFLAGS
+echo
+echo ">>>> BUILDING gst-discoverer.o"
+echo
+
+$CC $CFLAGS $BUILD_CFLAGS -c $SRC/gst-ci/fuzzing/gst-discoverer.c -o $SRC/gst-ci/fuzzing/gst-discoverer.o
+
+echo
+echo ">>>> LINKING"
+echo
+
+$CXX $CXXFLAGS \
+      -o $OUT/gst-discoverer \
+      $PREDEPS_LDFLAGS \
+      $SRC/gst-ci/fuzzing/gst-discoverer.o \
+      $PLUGINS \
+      $BUILD_LDFLAGS \
+      $LIB_FUZZING_ENGINE \
+      -Wl,-Bdynamic
+
+echo
+echo ">>>> Installing OGG corpus"
+echo
+
+cp $SRC/*_seed_corpus.zip $OUT
diff --git a/projects/gstreamer/project.yaml b/projects/gstreamer/project.yaml
new file mode 100644
index 000000000..6280d00b8
--- /dev/null
+++ b/projects/gstreamer/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://gstreamer.freedesktop.org/"
+primary_contact: "gstreamer-security@lists.freedesktop.org"
+auto_ccs:
+ - "bilboed@bilboed.com"
+
+