diff options
author | Treehugger Robot <treehugger-gerrit@google.com> | 2020-12-12 03:34:53 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-12-12 03:34:53 +0000 |
commit | a57ebb8300fd4b30755d53c3aa2647147ab6dd40 (patch) | |
tree | 0e8e353ca70311624a91d9e0ade503e057372dff | |
parent | 3209055706f7233a6aa25a51de635d5dbfedf853 (diff) | |
parent | 8fb71d456f1c28c9e730da1de355338608f4f6d4 (diff) | |
download | libwebm-a57ebb8300fd4b30755d53c3aa2647147ab6dd40.tar.gz |
Merge "ANDROID: Add simple fuzzing targets for video and video+audio encoding." am: 5fdfb920c6 am: 47d91ab99b am: 8fb71d456f
Original change: https://android-review.googlesource.com/c/platform/external/libwebm/+/1506861
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ib47a0cda6aca7c485571d3ae3a24e0a8a3ec5ec5
-rw-r--r-- | fuzzing/Android.bp | 43 | ||||
-rw-r--r-- | fuzzing/common.cpp | 58 | ||||
-rw-r--r-- | fuzzing/common.h | 39 | ||||
-rw-r--r-- | fuzzing/mkvmuxer_one_video_audio_track.cpp | 71 | ||||
-rw-r--r-- | fuzzing/mkvmuxer_one_video_track.cpp | 54 |
5 files changed, 265 insertions, 0 deletions
diff --git a/fuzzing/Android.bp b/fuzzing/Android.bp new file mode 100644 index 0000000..50da3e3 --- /dev/null +++ b/fuzzing/Android.bp @@ -0,0 +1,43 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +cc_library { + name: "libwebm_mkvmuxer_fuzzer_common", + srcs: ["common.cpp"], + shared_libs: ["libwebm_mkvmuxer"], + host_supported: true, +} + +cc_defaults { + name: "libwebm_mkvmuxer_fuzzer_defaults", + shared_libs: [ + "libwebm_mkvmuxer_fuzzer_common", + "libwebm_mkvmuxer", + ], + host_supported: true, + fuzz_config: { componentid: 46263 }, +} + +cc_fuzz { + name: "libwebm_mkvmuxer_fuzzer_one_video_track", + srcs: ["mkvmuxer_one_video_track.cpp"], + defaults: ["libwebm_mkvmuxer_fuzzer_defaults"], +} + +cc_fuzz { + name: "libwebm_mkvmuxer_fuzzer_one_video_audio_track", + srcs: ["mkvmuxer_one_video_audio_track.cpp"], + defaults: ["libwebm_mkvmuxer_fuzzer_defaults"], +} diff --git a/fuzzing/common.cpp b/fuzzing/common.cpp new file mode 100644 index 0000000..5709673 --- /dev/null +++ b/fuzzing/common.cpp @@ -0,0 +1,58 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include "fuzzing/common.h" + +using mkvmuxer::int32; +using mkvmuxer::int64; +using mkvmuxer::uint32; +using mkvmuxer::uint64; + +DiscardingMkvWriter::DiscardingMkvWriter() : position_(0), checksum_(0) {} + +int32 DiscardingMkvWriter::Write(const void* buf, uint32 len) { + auto data = static_cast<const uint8_t*>(buf); + for (uint32 i = 0; i < len; i++) { + // Force reads on all data in buf so ASAN can validate it + checksum_ += data[i]; + } + position_ += len; + return 0; +} + +int64 DiscardingMkvWriter::Position() const { + return position_; +} + +int32 DiscardingMkvWriter::Position(int64 position) { + position_ = position; + return 0; +} + +bool DiscardingMkvWriter::Seekable() const { + return true; +} + +void DiscardingMkvWriter::ElementStartNotify(uint64, int64) { +} + +std::vector<uint8_t> FuzzerRandomLengthBytes(FuzzedDataProvider& fdp) { + // https://github.com/google/fuzzing/blob/master/docs/split-inputs.md#main-concepts + // ConsumeRandomLengthString is a good source of data, but we have to remove + // the null terminator to not hide off-by-one access errors. + std::string str = fdp.ConsumeRandomLengthString(); + std::vector<uint8_t> data(str.begin(), str.end()); + return data; +} diff --git a/fuzzing/common.h b/fuzzing/common.h new file mode 100644 index 0000000..b0f498e --- /dev/null +++ b/fuzzing/common.h @@ -0,0 +1,39 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#pragma once + +#include <stdint.h> +#include <vector> + +#include "mkvmuxer/mkvmuxer.h" +#include "fuzzer/FuzzedDataProvider.h" + +class DiscardingMkvWriter : public mkvmuxer::IMkvWriter { +public: + DiscardingMkvWriter(); + + mkvmuxer::int32 Write(const void* buf, mkvmuxer::uint32 len) override; + mkvmuxer::int64 Position() const override; + mkvmuxer::int32 Position(mkvmuxer::int64 position) override; + bool Seekable() const override; + void ElementStartNotify(mkvmuxer::uint64, mkvmuxer::int64) override; + +private: + mkvmuxer::int64 position_; + mkvmuxer::int64 checksum_; +}; + +std::vector<uint8_t> FuzzerRandomLengthBytes(FuzzedDataProvider&); diff --git a/fuzzing/mkvmuxer_one_video_audio_track.cpp b/fuzzing/mkvmuxer_one_video_audio_track.cpp new file mode 100644 index 0000000..b51788a --- /dev/null +++ b/fuzzing/mkvmuxer_one_video_audio_track.cpp @@ -0,0 +1,71 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include <stddef.h> +#include <stdint.h> + +#include <sstream> + +#include "fuzzer/FuzzedDataProvider.h" +#include "mkvmuxer/mkvmuxer.h" +#include "fuzzing/common.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fdp(data, size); + + mkvmuxer::Segment segment; + DiscardingMkvWriter writer; + segment.Init(&writer); + + auto width = fdp.ConsumeIntegral<int32_t>(); + auto height = fdp.ConsumeIntegral<int32_t>(); + + uint64_t video_track_number = segment.AddVideoTrack(width, height, 0); + + if (video_track_number == 0) { + return 0; + } + + auto sample_rate = fdp.ConsumeIntegral<int32_t>(); + auto channels = fdp.ConsumeIntegral<int32_t>(); + + uint64_t audio_track_number = segment.AddAudioTrack(sample_rate, channels, 0); + + if (audio_track_number == 0) { + return 0; + } + + while (fdp.remaining_bytes() > 0) { + auto video_frame = FuzzerRandomLengthBytes(fdp); + segment.AddFrame( + video_frame.data(), + video_frame.size(), + video_track_number, + fdp.ConsumeIntegral<uint64_t>(), + fdp.ConsumeBool()); + + auto audio_frame = FuzzerRandomLengthBytes(fdp); + segment.AddFrame( + audio_frame.data(), + audio_frame.size(), + audio_track_number, + fdp.ConsumeIntegral<uint64_t>(), + fdp.ConsumeBool()); + } + + segment.Finalize(); + + return 0; +} diff --git a/fuzzing/mkvmuxer_one_video_track.cpp b/fuzzing/mkvmuxer_one_video_track.cpp new file mode 100644 index 0000000..b4f1bdc --- /dev/null +++ b/fuzzing/mkvmuxer_one_video_track.cpp @@ -0,0 +1,54 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include <stddef.h> +#include <stdint.h> + +#include <sstream> + +#include "fuzzer/FuzzedDataProvider.h" +#include "mkvmuxer/mkvmuxer.h" +#include "fuzzing/common.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fdp(data, size); + + mkvmuxer::Segment segment; + DiscardingMkvWriter writer; + segment.Init(&writer); + + int width = fdp.ConsumeIntegral<int>(); + int height = fdp.ConsumeIntegral<int>(); + + uint64_t video_track_number = segment.AddVideoTrack(width, height, 0); + + if (video_track_number == 0) { + return 0; + } + + while (fdp.remaining_bytes() > 0) { + auto frame = FuzzerRandomLengthBytes(fdp); + segment.AddFrame( + frame.data(), + frame.size(), + video_track_number, + fdp.ConsumeIntegral<uint64_t>(), + fdp.ConsumeBool()); + } + + segment.Finalize(); + + return 0; +} |