diff options
Diffstat (limited to 'webrtc/test/fuzzers')
-rw-r--r-- | webrtc/test/fuzzers/BUILD.gn | 115 | ||||
-rw-r--r-- | webrtc/test/fuzzers/OWNERS | 1 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_fuzzer.cc | 49 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_fuzzer.h | 31 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc | 22 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc | 22 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc | 22 | ||||
-rw-r--r-- | webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc | 23 | ||||
-rw-r--r-- | webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc | 18 | ||||
-rw-r--r-- | webrtc/test/fuzzers/producer_fec_fuzzer.cc | 60 | ||||
-rw-r--r-- | webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc | 18 | ||||
-rw-r--r-- | webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc | 17 | ||||
-rw-r--r-- | webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc | 18 | ||||
-rw-r--r-- | webrtc/test/fuzzers/webrtc_fuzzer.gni | 28 | ||||
-rw-r--r-- | webrtc/test/fuzzers/webrtc_fuzzer_main.cc | 41 |
15 files changed, 485 insertions, 0 deletions
diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn new file mode 100644 index 0000000000..6a43548ec9 --- /dev/null +++ b/webrtc/test/fuzzers/BUILD.gn @@ -0,0 +1,115 @@ +# Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. +# +# Use of this source code is governed by a BSD-style license +# that can be found in the LICENSE file in the root of the source +# tree. An additional intellectual property rights grant can be found +# in the file PATENTS. All contributing project authors may +# be found in the AUTHORS file in the root of the source tree. + +import("//build/config/features.gni") +import("webrtc_fuzzer.gni") + +static_library("webrtc_fuzzer_main") { + public_configs = [ "../..:common_inherited_config" ] + sources = [ + "webrtc_fuzzer_main.cc", + ] + deps = [ + "../../system_wrappers:field_trial_default", + "../../system_wrappers:metrics_default", + "//testing/libfuzzer:libfuzzer_main", + ] +} + +webrtc_fuzzer_test("h264_depacketizer_fuzzer") { + sources = [ + "h264_depacketizer_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp", + ] +} + +webrtc_fuzzer_test("vp8_depacketizer_fuzzer") { + sources = [ + "vp8_depacketizer_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp", + ] +} + +webrtc_fuzzer_test("vp9_depacketizer_fuzzer") { + sources = [ + "vp9_depacketizer_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp", + ] +} + +webrtc_fuzzer_test("vp8_qp_parser_fuzzer") { + sources = [ + "vp8_qp_parser_fuzzer.cc", + ] + deps = [ + "../../modules/video_coding/", + ] +} + +webrtc_fuzzer_test("producer_fec_fuzzer") { + sources = [ + "producer_fec_fuzzer.cc", + ] + deps = [ + "../../modules/rtp_rtcp/", + ] +} + +source_set("audio_decoder_fuzzer") { + public_configs = [ "../..:common_inherited_config" ] + sources = [ + "audio_decoder_fuzzer.cc", + "audio_decoder_fuzzer.h", + ] +} + +webrtc_fuzzer_test("audio_decoder_ilbc_fuzzer") { + sources = [ + "audio_decoder_ilbc_fuzzer.cc", + ] + deps = [ + ":audio_decoder_fuzzer", + "../../modules/audio_coding:ilbc", + ] +} + +webrtc_fuzzer_test("audio_decoder_isac_fuzzer") { + sources = [ + "audio_decoder_isac_fuzzer.cc", + ] + deps = [ + ":audio_decoder_fuzzer", + "../../modules/audio_coding:isac", + ] +} + +webrtc_fuzzer_test("audio_decoder_isacfix_fuzzer") { + sources = [ + "audio_decoder_isacfix_fuzzer.cc", + ] + deps = [ + ":audio_decoder_fuzzer", + "../../modules/audio_coding:isac_fix", + ] +} + +webrtc_fuzzer_test("audio_decoder_opus_fuzzer") { + sources = [ + "audio_decoder_opus_fuzzer.cc", + ] + deps = [ + ":audio_decoder_fuzzer", + "../../modules/audio_coding:webrtc_opus", + ] +} diff --git a/webrtc/test/fuzzers/OWNERS b/webrtc/test/fuzzers/OWNERS new file mode 100644 index 0000000000..6782b61fca --- /dev/null +++ b/webrtc/test/fuzzers/OWNERS @@ -0,0 +1 @@ +pbos@webrtc.org diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc new file mode 100644 index 0000000000..fb5adb6cd8 --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" + +#include "webrtc/base/checks.h" +#include "webrtc/modules/audio_coding/codecs/audio_decoder.h" + +namespace webrtc { +namespace { +size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) { + if (size < 2) + return 0; + return static_cast<size_t>((data[0] << 8) + data[1]); +} +} // namespace + +// This function reads two bytes from the beginning of |data|, interprets them +// as the first packet length, and reads this many bytes if available. The +// payload is inserted into the decoder, and the process continues until no more +// data is available. +void FuzzAudioDecoder(const uint8_t* data, + size_t size, + AudioDecoder* decoder, + int sample_rate_hz, + size_t max_decoded_bytes, + int16_t* decoded) { + const uint8_t* data_ptr = data; + size_t remaining_size = size; + size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); + while (packet_len != 0 && packet_len <= remaining_size - 2) { + data_ptr += 2; + remaining_size -= 2; + AudioDecoder::SpeechType speech_type; + decoder->Decode(data_ptr, packet_len, sample_rate_hz, max_decoded_bytes, + decoded, &speech_type); + data_ptr += packet_len; + remaining_size -= packet_len; + packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); + } +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.h b/webrtc/test/fuzzers/audio_decoder_fuzzer.h new file mode 100644 index 0000000000..cdd8574300 --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.h @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#ifndef WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_ +#define WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_ + +#include <stddef.h> + +#include "webrtc/typedefs.h" + +namespace webrtc { + +class AudioDecoder; + +void FuzzAudioDecoder(const uint8_t* data, + size_t size, + AudioDecoder* decoder, + int sample_rate_hz, + size_t max_decoded_bytes, + int16_t* decoded); + +} // namespace webrtc + +#endif // WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_ diff --git a/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc new file mode 100644 index 0000000000..d2a87f0cb6 --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "webrtc/modules/audio_coding/codecs/ilbc/audio_decoder_ilbc.h" +#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + AudioDecoderIlbc dec; + static const int kSampleRateHz = 8000; + static const size_t kAllocatedOuputSizeSamples = kSampleRateHz / 10; + int16_t output[kAllocatedOuputSizeSamples]; + FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc new file mode 100644 index 0000000000..984cfda398 --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "webrtc/modules/audio_coding/codecs/isac/main/include/audio_decoder_isac.h" +#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + AudioDecoderIsac dec(nullptr); + const int sample_rate_hz = size % 2 == 0 ? 16000 : 32000; // 16 or 32 kHz. + static const size_t kAllocatedOuputSizeSamples = 32000 / 10; // 100 ms. + int16_t output[kAllocatedOuputSizeSamples]; + FuzzAudioDecoder(data, size, &dec, sample_rate_hz, sizeof(output), output); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc new file mode 100644 index 0000000000..83fb8c2d62 --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "webrtc/modules/audio_coding/codecs/isac/fix/include/audio_decoder_isacfix.h" +#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + AudioDecoderIsacFix dec(nullptr); + static const int kSampleRateHz = 16000; + static const size_t kAllocatedOuputSizeSamples = 16000 / 10; // 100 ms. + int16_t output[kAllocatedOuputSizeSamples]; + FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc new file mode 100644 index 0000000000..3d70ec507d --- /dev/null +++ b/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc @@ -0,0 +1,23 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include "webrtc/modules/audio_coding/codecs/opus/audio_decoder_opus.h" +#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + const size_t channels = (size % 2) + 1; // 1 or 2 channels. + AudioDecoderOpus dec(channels); + const int kSampleRateHz = 48000; + const size_t kAllocatedOuputSizeSamples = kSampleRateHz / 10; // 100 ms. + int16_t output[kAllocatedOuputSizeSamples]; + FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc new file mode 100644 index 0000000000..ca73d9495f --- /dev/null +++ b/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc @@ -0,0 +1,18 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include "webrtc/modules/rtp_rtcp/source/rtp_format_h264.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + RtpDepacketizerH264 depacketizer; + RtpDepacketizer::ParsedPayload parsed_payload; + depacketizer.Parse(&parsed_payload, data, size); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/producer_fec_fuzzer.cc b/webrtc/test/fuzzers/producer_fec_fuzzer.cc new file mode 100644 index 0000000000..7322fed4bf --- /dev/null +++ b/webrtc/test/fuzzers/producer_fec_fuzzer.cc @@ -0,0 +1,60 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include "webrtc/base/checks.h" +#include "webrtc/base/scoped_ptr.h" +#include "webrtc/modules/rtp_rtcp/source/byte_io.h" +#include "webrtc/modules/rtp_rtcp/source/producer_fec.h" + +namespace webrtc { + +void FuzzOneInput(const uint8_t* data, size_t size) { + ForwardErrorCorrection fec; + ProducerFec producer(&fec); + size_t i = 0; + if (size < 4) + return; + FecProtectionParams params = {data[i++] % 128, data[i++] % 1, + static_cast<int>(data[i++] % 10), + kFecMaskBursty}; + producer.SetFecParameters(¶ms, 0); + uint16_t seq_num = data[i++]; + + while (i + 3 < size) { + size_t rtp_header_length = data[i++] % 10 + 12; + size_t payload_size = data[i++] % 10; + if (i + payload_size + rtp_header_length + 2 > size) + break; + rtc::scoped_ptr<uint8_t[]> packet( + new uint8_t[payload_size + rtp_header_length]); + memcpy(packet.get(), &data[i], payload_size + rtp_header_length); + ByteWriter<uint16_t>::WriteBigEndian(&packet[2], seq_num++); + i += payload_size + rtp_header_length; + // Make sure sequence numbers are increasing. + const int kRedPayloadType = 98; + rtc::scoped_ptr<RedPacket> red_packet(producer.BuildRedPacket( + packet.get(), payload_size, rtp_header_length, kRedPayloadType)); + bool protect = static_cast<bool>(data[i++] % 2); + if (protect) { + producer.AddRtpPacketAndGenerateFec(packet.get(), payload_size, + rtp_header_length); + } + uint16_t num_fec_packets = producer.NumAvailableFecPackets(); + std::vector<RedPacket*> fec_packets; + if (num_fec_packets > 0) { + fec_packets = + producer.GetFecPackets(kRedPayloadType, 99, 100, rtp_header_length); + RTC_CHECK_EQ(num_fec_packets, fec_packets.size()); + } + for (RedPacket* fec_packet : fec_packets) { + delete fec_packet; + } + } +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc new file mode 100644 index 0000000000..d048372456 --- /dev/null +++ b/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc @@ -0,0 +1,18 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include "webrtc/modules/rtp_rtcp/source/rtp_format_vp8.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + RtpDepacketizerVp8 depacketizer; + RtpDepacketizer::ParsedPayload parsed_payload; + depacketizer.Parse(&parsed_payload, data, size); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc b/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc new file mode 100644 index 0000000000..5135f1a471 --- /dev/null +++ b/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include "webrtc/modules/video_coding/utility/vp8_header_parser.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + int qp; + vp8::GetQp(data, size, &qp); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc new file mode 100644 index 0000000000..02a7cc0f81 --- /dev/null +++ b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc @@ -0,0 +1,18 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ +#include "webrtc/modules/rtp_rtcp/source/rtp_format_vp9.h" + +namespace webrtc { +void FuzzOneInput(const uint8_t* data, size_t size) { + RtpDepacketizerVp9 depacketizer; + RtpDepacketizer::ParsedPayload parsed_payload; + depacketizer.Parse(&parsed_payload, data, size); +} +} // namespace webrtc diff --git a/webrtc/test/fuzzers/webrtc_fuzzer.gni b/webrtc/test/fuzzers/webrtc_fuzzer.gni new file mode 100644 index 0000000000..d264392c07 --- /dev/null +++ b/webrtc/test/fuzzers/webrtc_fuzzer.gni @@ -0,0 +1,28 @@ +# Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. +# +# Use of this source code is governed by a BSD-style license +# that can be found in the LICENSE file in the root of the source +# tree. An additional intellectual property rights grant can be found +# in the file PATENTS. All contributing project authors may +# be found in the AUTHORS file in the root of the source tree. + +import("//testing/test.gni") + +template("webrtc_fuzzer_test") { + assert(defined(invoker.sources), "Need sources in $target_name.") + + test(target_name) { + forward_variables_from(invoker, [ "sources" ]) + deps = [ + ":webrtc_fuzzer_main", + ] + if (defined(invoker.deps)) { + deps += invoker.deps + } + if (is_clang) { + # Suppress warnings from Chrome's Clang plugins. + # See http://code.google.com/p/webrtc/issues/detail?id=163 for details. + configs -= [ "//build/config/clang:find_bad_constructs" ] + } + } +} diff --git a/webrtc/test/fuzzers/webrtc_fuzzer_main.cc b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc new file mode 100644 index 0000000000..50a513c094 --- /dev/null +++ b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2015 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +// This file is intended to provide a common interface for fuzzing functions. +// It's intended to set sane defaults, such as removing logging for further +// fuzzing efficiency. + +#include "webrtc/base/logging.h" + +namespace { +bool g_initialized = false; +void InitializeWebRtcFuzzDefaults() { + if (g_initialized) + return; + + // Remove default logging to prevent huge slowdowns. + // TODO(pbos): Disable in Chromium: http://crbug.com/561667 +#if !defined(WEBRTC_CHROMIUM_BUILD) + rtc::LogMessage::LogToDebug(rtc::LS_NONE); +#endif // !defined(WEBRTC_CHROMIUM_BUILD) + + g_initialized = true; +} +} + +namespace webrtc { +extern void FuzzOneInput(const uint8_t* data, size_t size); +} // namespace webrtc + +extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { + InitializeWebRtcFuzzDefaults(); + webrtc::FuzzOneInput(data, size); + return 0; +} |