15 files changed, 485 insertions, 0 deletions
diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn
new file mode 100644
index 0000000000..6a43548ec9
--- /dev/null
+++ b/webrtc/test/fuzzers/BUILD.gn
@@ -0,0 +1,115 @@
+# Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+#
+# Use of this source code is governed by a BSD-style license
+# that can be found in the LICENSE file in the root of the source
+# tree. An additional intellectual property rights grant can be found
+# in the file PATENTS.  All contributing project authors may
+# be found in the AUTHORS file in the root of the source tree.
+
+import("//build/config/features.gni")
+import("webrtc_fuzzer.gni")
+
+static_library("webrtc_fuzzer_main") {
+  public_configs = [ "../..:common_inherited_config" ]
+  sources = [
+    "webrtc_fuzzer_main.cc",
+  ]
+  deps = [
+    "../../system_wrappers:field_trial_default",
+    "../../system_wrappers:metrics_default",
+    "//testing/libfuzzer:libfuzzer_main",
+  ]
+}
+
+webrtc_fuzzer_test("h264_depacketizer_fuzzer") {
+  sources = [
+    "h264_depacketizer_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp",
+  ]
+}
+
+webrtc_fuzzer_test("vp8_depacketizer_fuzzer") {
+  sources = [
+    "vp8_depacketizer_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp",
+  ]
+}
+
+webrtc_fuzzer_test("vp9_depacketizer_fuzzer") {
+  sources = [
+    "vp9_depacketizer_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp",
+  ]
+}
+
+webrtc_fuzzer_test("vp8_qp_parser_fuzzer") {
+  sources = [
+    "vp8_qp_parser_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/video_coding/",
+  ]
+}
+
+webrtc_fuzzer_test("producer_fec_fuzzer") {
+  sources = [
+    "producer_fec_fuzzer.cc",
+  ]
+  deps = [
+    "../../modules/rtp_rtcp/",
+  ]
+}
+
+source_set("audio_decoder_fuzzer") {
+  public_configs = [ "../..:common_inherited_config" ]
+  sources = [
+    "audio_decoder_fuzzer.cc",
+    "audio_decoder_fuzzer.h",
+  ]
+}
+
+webrtc_fuzzer_test("audio_decoder_ilbc_fuzzer") {
+  sources = [
+    "audio_decoder_ilbc_fuzzer.cc",
+  ]
+  deps = [
+    ":audio_decoder_fuzzer",
+    "../../modules/audio_coding:ilbc",
+  ]
+}
+
+webrtc_fuzzer_test("audio_decoder_isac_fuzzer") {
+  sources = [
+    "audio_decoder_isac_fuzzer.cc",
+  ]
+  deps = [
+    ":audio_decoder_fuzzer",
+    "../../modules/audio_coding:isac",
+  ]
+}
+
+webrtc_fuzzer_test("audio_decoder_isacfix_fuzzer") {
+  sources = [
+    "audio_decoder_isacfix_fuzzer.cc",
+  ]
+  deps = [
+    ":audio_decoder_fuzzer",
+    "../../modules/audio_coding:isac_fix",
+  ]
+}
+
+webrtc_fuzzer_test("audio_decoder_opus_fuzzer") {
+  sources = [
+    "audio_decoder_opus_fuzzer.cc",
+  ]
+  deps = [
+    ":audio_decoder_fuzzer",
+    "../../modules/audio_coding:webrtc_opus",
+  ]
+}
diff --git a/webrtc/test/fuzzers/OWNERS b/webrtc/test/fuzzers/OWNERS
new file mode 100644
index 0000000000..6782b61fca
--- /dev/null
+++ b/webrtc/test/fuzzers/OWNERS
@@ -0,0 +1 @@
+pbos@webrtc.org
diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
new file mode 100644
index 0000000000..fb5adb6cd8
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
@@ -0,0 +1,49 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
+
+#include "webrtc/base/checks.h"
+#include "webrtc/modules/audio_coding/codecs/audio_decoder.h"
+
+namespace webrtc {
+namespace {
+size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) {
+  if (size < 2)
+    return 0;
+  return static_cast<size_t>((data[0] << 8) + data[1]);
+}
+}  // namespace
+
+// This function reads two bytes from the beginning of |data|, interprets them
+// as the first packet length, and reads this many bytes if available. The
+// payload is inserted into the decoder, and the process continues until no more
+// data is available.
+void FuzzAudioDecoder(const uint8_t* data,
+                      size_t size,
+                      AudioDecoder* decoder,
+                      int sample_rate_hz,
+                      size_t max_decoded_bytes,
+                      int16_t* decoded) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  while (packet_len != 0 && packet_len <= remaining_size - 2) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    AudioDecoder::SpeechType speech_type;
+    decoder->Decode(data_ptr, packet_len, sample_rate_hz, max_decoded_bytes,
+                    decoded, &speech_type);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.h b/webrtc/test/fuzzers/audio_decoder_fuzzer.h
new file mode 100644
index 0000000000..cdd8574300
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.h
@@ -0,0 +1,31 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#ifndef WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_
+#define WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_
+
+#include <stddef.h>
+
+#include "webrtc/typedefs.h"
+
+namespace webrtc {
+
+class AudioDecoder;
+
+void FuzzAudioDecoder(const uint8_t* data,
+                      size_t size,
+                      AudioDecoder* decoder,
+                      int sample_rate_hz,
+                      size_t max_decoded_bytes,
+                      int16_t* decoded);
+
+}  // namespace webrtc
+
+#endif  // WEBRTC_TEST_FUZZERS_AUDIO_DECODER_FUZZER_H_
diff --git a/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc
new file mode 100644
index 0000000000..d2a87f0cb6
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_ilbc_fuzzer.cc
@@ -0,0 +1,22 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "webrtc/modules/audio_coding/codecs/ilbc/audio_decoder_ilbc.h"
+#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  AudioDecoderIlbc dec;
+  static const int kSampleRateHz = 8000;
+  static const size_t kAllocatedOuputSizeSamples = kSampleRateHz / 10;
+  int16_t output[kAllocatedOuputSizeSamples];
+  FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc
new file mode 100644
index 0000000000..984cfda398
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_isac_fuzzer.cc
@@ -0,0 +1,22 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "webrtc/modules/audio_coding/codecs/isac/main/include/audio_decoder_isac.h"
+#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  AudioDecoderIsac dec(nullptr);
+  const int sample_rate_hz = size % 2 == 0 ? 16000 : 32000;     // 16 or 32 kHz.
+  static const size_t kAllocatedOuputSizeSamples = 32000 / 10;  // 100 ms.
+  int16_t output[kAllocatedOuputSizeSamples];
+  FuzzAudioDecoder(data, size, &dec, sample_rate_hz, sizeof(output), output);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc
new file mode 100644
index 0000000000..83fb8c2d62
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_isacfix_fuzzer.cc
@@ -0,0 +1,22 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "webrtc/modules/audio_coding/codecs/isac/fix/include/audio_decoder_isacfix.h"
+#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  AudioDecoderIsacFix dec(nullptr);
+  static const int kSampleRateHz = 16000;
+  static const size_t kAllocatedOuputSizeSamples = 16000 / 10;  // 100 ms.
+  int16_t output[kAllocatedOuputSizeSamples];
+  FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc
new file mode 100644
index 0000000000..3d70ec507d
--- /dev/null
+++ b/webrtc/test/fuzzers/audio_decoder_opus_fuzzer.cc
@@ -0,0 +1,23 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "webrtc/modules/audio_coding/codecs/opus/audio_decoder_opus.h"
+#include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  const size_t channels = (size % 2) + 1;  // 1 or 2 channels.
+  AudioDecoderOpus dec(channels);
+  const int kSampleRateHz = 48000;
+  const size_t kAllocatedOuputSizeSamples = kSampleRateHz / 10;  // 100 ms.
+  int16_t output[kAllocatedOuputSizeSamples];
+  FuzzAudioDecoder(data, size, &dec, kSampleRateHz, sizeof(output), output);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc
new file mode 100644
index 0000000000..ca73d9495f
--- /dev/null
+++ b/webrtc/test/fuzzers/h264_depacketizer_fuzzer.cc
@@ -0,0 +1,18 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/modules/rtp_rtcp/source/rtp_format_h264.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  RtpDepacketizerH264 depacketizer;
+  RtpDepacketizer::ParsedPayload parsed_payload;
+  depacketizer.Parse(&parsed_payload, data, size);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/producer_fec_fuzzer.cc b/webrtc/test/fuzzers/producer_fec_fuzzer.cc
new file mode 100644
index 0000000000..7322fed4bf
--- /dev/null
+++ b/webrtc/test/fuzzers/producer_fec_fuzzer.cc
@@ -0,0 +1,60 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/base/checks.h"
+#include "webrtc/base/scoped_ptr.h"
+#include "webrtc/modules/rtp_rtcp/source/byte_io.h"
+#include "webrtc/modules/rtp_rtcp/source/producer_fec.h"
+
+namespace webrtc {
+
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  ForwardErrorCorrection fec;
+  ProducerFec producer(&fec);
+  size_t i = 0;
+  if (size < 4)
+    return;
+  FecProtectionParams params = {data[i++] % 128, data[i++] % 1,
+                                static_cast<int>(data[i++] % 10),
+                                kFecMaskBursty};
+  producer.SetFecParameters(&params, 0);
+  uint16_t seq_num = data[i++];
+
+  while (i + 3 < size) {
+    size_t rtp_header_length = data[i++] % 10 + 12;
+    size_t payload_size = data[i++] % 10;
+    if (i + payload_size + rtp_header_length + 2 > size)
+      break;
+    rtc::scoped_ptr<uint8_t[]> packet(
+        new uint8_t[payload_size + rtp_header_length]);
+    memcpy(packet.get(), &data[i], payload_size + rtp_header_length);
+    ByteWriter<uint16_t>::WriteBigEndian(&packet[2], seq_num++);
+    i += payload_size + rtp_header_length;
+    // Make sure sequence numbers are increasing.
+    const int kRedPayloadType = 98;
+    rtc::scoped_ptr<RedPacket> red_packet(producer.BuildRedPacket(
+        packet.get(), payload_size, rtp_header_length, kRedPayloadType));
+    bool protect = static_cast<bool>(data[i++] % 2);
+    if (protect) {
+      producer.AddRtpPacketAndGenerateFec(packet.get(), payload_size,
+                                          rtp_header_length);
+    }
+    uint16_t num_fec_packets = producer.NumAvailableFecPackets();
+    std::vector<RedPacket*> fec_packets;
+    if (num_fec_packets > 0) {
+      fec_packets =
+          producer.GetFecPackets(kRedPayloadType, 99, 100, rtp_header_length);
+      RTC_CHECK_EQ(num_fec_packets, fec_packets.size());
+    }
+    for (RedPacket* fec_packet : fec_packets) {
+      delete fec_packet;
+    }
+  }
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc
new file mode 100644
index 0000000000..d048372456
--- /dev/null
+++ b/webrtc/test/fuzzers/vp8_depacketizer_fuzzer.cc
@@ -0,0 +1,18 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/modules/rtp_rtcp/source/rtp_format_vp8.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  RtpDepacketizerVp8 depacketizer;
+  RtpDepacketizer::ParsedPayload parsed_payload;
+  depacketizer.Parse(&parsed_payload, data, size);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc b/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc
new file mode 100644
index 0000000000..5135f1a471
--- /dev/null
+++ b/webrtc/test/fuzzers/vp8_qp_parser_fuzzer.cc
@@ -0,0 +1,17 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/modules/video_coding/utility/vp8_header_parser.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  int qp;
+  vp8::GetQp(data, size, &qp);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc
new file mode 100644
index 0000000000..02a7cc0f81
--- /dev/null
+++ b/webrtc/test/fuzzers/vp9_depacketizer_fuzzer.cc
@@ -0,0 +1,18 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+#include "webrtc/modules/rtp_rtcp/source/rtp_format_vp9.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  RtpDepacketizerVp9 depacketizer;
+  RtpDepacketizer::ParsedPayload parsed_payload;
+  depacketizer.Parse(&parsed_payload, data, size);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/webrtc_fuzzer.gni b/webrtc/test/fuzzers/webrtc_fuzzer.gni
new file mode 100644
index 0000000000..d264392c07
--- /dev/null
+++ b/webrtc/test/fuzzers/webrtc_fuzzer.gni
@@ -0,0 +1,28 @@
+# Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+#
+# Use of this source code is governed by a BSD-style license
+# that can be found in the LICENSE file in the root of the source
+# tree. An additional intellectual property rights grant can be found
+# in the file PATENTS.  All contributing project authors may
+# be found in the AUTHORS file in the root of the source tree.
+
+import("//testing/test.gni")
+
+template("webrtc_fuzzer_test") {
+  assert(defined(invoker.sources), "Need sources in $target_name.")
+
+  test(target_name) {
+    forward_variables_from(invoker, [ "sources" ])
+    deps = [
+      ":webrtc_fuzzer_main",
+    ]
+    if (defined(invoker.deps)) {
+      deps += invoker.deps
+    }
+    if (is_clang) {
+      # Suppress warnings from Chrome's Clang plugins.
+      # See http://code.google.com/p/webrtc/issues/detail?id=163 for details.
+      configs -= [ "//build/config/clang:find_bad_constructs" ]
+    }
+  }
+}
diff --git a/webrtc/test/fuzzers/webrtc_fuzzer_main.cc b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc
new file mode 100644
index 0000000000..50a513c094
--- /dev/null
+++ b/webrtc/test/fuzzers/webrtc_fuzzer_main.cc
@@ -0,0 +1,41 @@
+/*
+ *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+// This file is intended to provide a common interface for fuzzing functions.
+// It's intended to set sane defaults, such as removing logging for further
+// fuzzing efficiency.
+
+#include "webrtc/base/logging.h"
+
+namespace {
+bool g_initialized = false;
+void InitializeWebRtcFuzzDefaults() {
+  if (g_initialized)
+    return;
+
+  // Remove default logging to prevent huge slowdowns.
+  // TODO(pbos): Disable in Chromium: http://crbug.com/561667
+#if !defined(WEBRTC_CHROMIUM_BUILD)
+  rtc::LogMessage::LogToDebug(rtc::LS_NONE);
+#endif  // !defined(WEBRTC_CHROMIUM_BUILD)
+
+  g_initialized = true;
+}
+}
+
+namespace webrtc {
+extern void FuzzOneInput(const uint8_t* data, size_t size);
+}  // namespace webrtc
+
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+  InitializeWebRtcFuzzDefaults();
+  webrtc::FuzzOneInput(data, size);
+  return 0;
+}