From bd1e853c199149bcb2a123d87b8f5340834c4ad7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 13:54:40 +0100
Subject: [PATCH 1/9] Fuzzer codecs

### Details

- Add a fuzzer for the audio and video codecs whose payloads the worker can parse.
---
 doc/Fuzzer.md                                 |   7 ++++
 .../include/RTC/Codecs/FuzzerCodecs.hpp       |  17 +++++++++
 ...k-492806f087e0c9fe99127b57f379ba946befc35c |   1 +
 ...k-d54bc342b7d2ee881a9ba853289e831b93375e2d | Bin 0 -> 4 bytes
 worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp |  15 ++++++++
 worker/fuzzer/src/fuzzer.cpp                  |  34 ++++++++++++------
 worker/meson.build                            |   1 +
 7 files changed, 65 insertions(+), 10 deletions(-)
 create mode 100644 worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp
 create mode 100644 worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
 create mode 100644 worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp

diff --git a/doc/Fuzzer.md b/doc/Fuzzer.md
index 0e94468faa..9514743f42 100644
--- a/doc/Fuzzer.md
+++ b/doc/Fuzzer.md
@@ -43,6 +43,7 @@ The mediasoup-worker fuzzer reads some custom environment variables to decide wh
 - `MS_FUZZ_DTLS=1`: Enable DTLS fuzzer.
 - `MS_FUZZ_RTP=1`: Enable RTP fuzzer.
 - `MS_FUZZ_RTCP=1`: Enable RTCP fuzzer.
+- `MS_FUZZ_CODECS=1`: Enable audio/video codecs fuzzer.
 - `MS_FUZZ_UTILS=1`: Enable C++ utils fuzzer.
 - If none of them is given, then **all** fuzzers are enabled.
 
@@ -74,6 +75,12 @@ MS_FUZZ_RTP=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-wor
 MS_FUZZ_RTCP=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus deps/webrtc-fuzzer-corpora/corpora/rtcp-corpus
 ```
 
+- Detect memory leaks and just fuzz audio/video codecs:
+
+```bash
+MS_FUZZ_CODECS=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus
+```
+
 - Detect memory leaks and just fuzz mediasoup-worker C++ utils:
 
 ```bash
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp
new file mode 100644
index 0000000000..456f5803d7
--- /dev/null
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp
@@ -0,0 +1,17 @@
+#ifndef MS_FUZZER_RTC_CODECS_HPP
+#define MS_FUZZER_RTC_CODECS_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			void Fuzz(const uint8_t* data, size_t len);
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c b/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
new file mode 100644
index 0000000000..a7f01535ab
--- /dev/null
+++ b/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
@@ -0,0 +1 @@
+��
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d b/worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d
new file mode 100644
index 0000000000000000000000000000000000000000..943cf8d7dfd854bb291e0d81dbb826b6fd7c63aa
GIT binary patch
literal 4
LcmZoU$G`vp1bzWi

literal 0
HcmV?d00001

diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp
new file mode 100644
index 0000000000..1d950a4786
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp
@@ -0,0 +1,15 @@
+#include "RTC/Codecs/FuzzerCodecs.hpp"
+#include "RTC/Codecs/Opus.hpp"
+#include "RTC/Codecs/VP8.hpp"
+#include "RTC/Codecs/VP9.hpp"
+#include "RTC/Codecs/H264.hpp"
+#include "RTC/Codecs/H264_SVC.hpp"
+
+void Fuzzer::RTC::Codecs::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::Opus::Parse(data, len);
+	::RTC::Codecs::VP8::Parse(data, len);
+	::RTC::Codecs::VP9::Parse(data, len);
+	::RTC::Codecs::H264::Parse(data, len);
+	::RTC::Codecs::H264_SVC::Parse(data, len);
+}
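Review bot: Every `Parse` call here discards its return value, and `Parse` hands back a heap-allocated `PayloadDescriptor*` that the caller owns (the per-codec harnesses in PATCH 4/9 `delete` it), so each fuzz iteration leaks up to five descriptors and LSan reports a leak on practically any input; this is the likely origin of the leak-* reports committed in PATCH 1/9 to 3/9, not a defect in the parsers. Hold each result in an owner so the harness only surfaces leaks inside the parsers themselves, e.g. `std::unique_ptr<::RTC::Codecs::Opus::PayloadDescriptor> opus{ ::RTC::Codecs::Opus::Parse(data, len) };` for each codec (needs `#include <memory>` unless the codec headers already provide it). PATCH 4/9 later replaces this file with per-codec harnesses that delete the descriptor explicitly.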
diff --git a/worker/fuzzer/src/fuzzer.cpp b/worker/fuzzer/src/fuzzer.cpp
index 403ef2c417..e8e2b24d4d 100644
--- a/worker/fuzzer/src/fuzzer.cpp
+++ b/worker/fuzzer/src/fuzzer.cpp
@@ -9,6 +9,7 @@
 #include "LogLevel.hpp"
 #include "Settings.hpp"
 #include "Utils.hpp"
+#include "RTC/Codecs/FuzzerCodecs.hpp"
 #include "RTC/DtlsTransport.hpp"
 #include "RTC/FuzzerDtlsTransport.hpp"
 #include "RTC/FuzzerRtpPacket.hpp"
@@ -23,11 +24,12 @@
 #include <stddef.h>
 #include <stdint.h>
 
-bool fuzzStun  = false;
-bool fuzzDtls  = false;
-bool fuzzRtp   = false;
-bool fuzzRtcp  = false;
-bool fuzzUtils = false;
+bool fuzzStun   = false;
+bool fuzzDtls   = false;
+bool fuzzRtp    = false;
+bool fuzzRtcp   = false;
+bool fuzzCodecs = false;
+bool fuzzUtils  = false;
 
 int Init();
 
@@ -62,6 +64,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len)
 		Fuzzer::RTC::RTCP::Packet::Fuzz(data, len);
 	}
 
+	if (fuzzCodecs)
+	{
+		Fuzzer::RTC::Codecs::Fuzz(data, len);
+	}
+
 	if (fuzzUtils)
 	{
 		Fuzzer::Utils::Fuzz(data, len);
@@ -118,6 +125,12 @@ int Init()
 
 		fuzzRtcp = true;
 	}
+	if (std::getenv("MS_FUZZ_CODECS") && std::string(std::getenv("MS_FUZZ_CODECS")) == "1")
+	{
+		std::cout << "[fuzzer] codecs fuzzer enabled" << std::endl;
+
+		fuzzCodecs = true;
+	}
 	if (std::getenv("MS_FUZZ_UTILS") && std::string(std::getenv("MS_FUZZ_UTILS")) == "1")
 	{
 		std::cout << "[fuzzer] Utils fuzzer enabled" << std::endl;
@@ -128,11 +141,12 @@ int Init()
 	{
 		std::cout << "[fuzzer] all fuzzers enabled" << std::endl;
 
-		fuzzStun  = true;
-		fuzzDtls  = true;
-		fuzzRtp   = true;
-		fuzzRtcp  = true;
-		fuzzUtils = true;
+		fuzzStun   = true;
+		fuzzDtls   = true;
+		fuzzRtp    = true;
+		fuzzRtcp   = true;
+		fuzzCodecs = true;
+		fuzzUtils  = true;
 	}
 
 	Settings::configuration.logLevel = logLevel;
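Review bot: The `if` that guards this "all fuzzers enabled" block, just above the hunk, is not extended with `!fuzzCodecs` in this patch (PATCH 4/9 still shows it as `if (!fuzzStun && !fuzzDtls && !fuzzRtcp && !fuzzRtp && !fuzzUtils)` before adding the new flag), so at this commit running with only `MS_FUZZ_CODECS=1` re-enables every fuzzer, contradicting the Fuzzer.md line added in the same patch. The condition should read `if (!fuzzStun && !fuzzDtls && !fuzzRtp && !fuzzRtcp && !fuzzCodecs && !fuzzUtils)`. `Init` continues outside the hunk.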
diff --git a/worker/meson.build b/worker/meson.build
index bc4ff9eb00..cb7ccc7e56 100644
--- a/worker/meson.build
+++ b/worker/meson.build
@@ -438,6 +438,7 @@ executable(
     'fuzzer/src/RTC/FuzzerSeqManager.cpp',
     'fuzzer/src/RTC/FuzzerStunPacket.cpp',
     'fuzzer/src/RTC/FuzzerTrendCalculator.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerBye.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPs.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPsAfb.cpp',

From 1395ee311a0abc562ce69d84209f387f0eb4ad17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 13:57:56 +0100
Subject: [PATCH 2/9] add new fuzzer reports

---
 .../fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b | 1 +
 .../fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
 create mode 100644 worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

diff --git a/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b b/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
new file mode 100644
index 0000000000..8c7e5a667f
--- /dev/null
+++ b/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
@@ -0,0 +1 @@
+A
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c b/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
new file mode 100644
index 0000000000..c227083464
--- /dev/null
+++ b/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
@@ -0,0 +1 @@
+0
\ No newline at end of file

From c23c1acb72247e0c579673fbc8cef3a6bd50ed1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 13:59:26 +0100
Subject: [PATCH 3/9] more reports

---
 .../fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0 | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0

diff --git a/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0 b/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0
new file mode 100644
index 0000000000..d8263ee986
--- /dev/null
+++ b/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0
@@ -0,0 +1 @@
+2
\ No newline at end of file

From 960a9d7f770087138723fde0216cdae0a8d7e2bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 15:51:33 +0100
Subject: [PATCH 4/9] a separate fuzzer for each codec

---
 .../fuzzer/include/RTC/Codecs/FuzzerH264.hpp  |  20 ++++++++++++++++++
 .../include/RTC/Codecs/FuzzerH264_SVC.hpp     |  20 ++++++++++++++++++
 .../fuzzer/include/RTC/Codecs/FuzzerOpus.hpp  |  20 ++++++++++++++++++
 .../{FuzzerCodecs.hpp => FuzzerVP8.hpp}       |   9 +++++---
 .../fuzzer/include/RTC/Codecs/FuzzerVP9.hpp   |  20 ++++++++++++++++++
 ...h-7e7caf72377ad55d353719f28febb5238eadfc9e |   1 +
 ...k-492806f087e0c9fe99127b57f379ba946befc35c |   1 -
 ...k-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b |   1 -
 ...k-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |   1 -
 ...k-d54bc342b7d2ee881a9ba853289e831b93375e2d | Bin 4 -> 0 bytes
 ...k-da4b9237bacccdf19c0760cab7aec4a8359010b0 |   1 -
 worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp |  15 -------------
 worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp   |  14 ++++++++++++
 .../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp  |  14 ++++++++++++
 worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp   |  14 ++++++++++++
 worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp    |  14 ++++++++++++
 worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp    |  14 ++++++++++++
 worker/fuzzer/src/fuzzer.cpp                  |  14 +++++++++---
 worker/meson.build                            |   6 +++++-
 19 files changed, 173 insertions(+), 26 deletions(-)
 create mode 100644 worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp
 create mode 100644 worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp
 create mode 100644 worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp
 rename worker/fuzzer/include/RTC/Codecs/{FuzzerCodecs.hpp => FuzzerVP8.hpp} (51%)
 create mode 100644 worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp
 create mode 100644 worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e
 delete mode 100644 worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
 delete mode 100644 worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
 delete mode 100644 worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
 delete mode 100644 worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d
 delete mode 100644 worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0
 delete mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp
 create mode 100644 worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp

diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp
new file mode 100644
index 0000000000..21a2364365
--- /dev/null
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_H264_HPP
+#define MS_FUZZER_RTC_CODECS_H264_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace H264
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp
new file mode 100644
index 0000000000..d72125dc5d
--- /dev/null
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_H264_SVC_HPP
+#define MS_FUZZER_RTC_CODECS_H264_SVC_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace H264_SVC
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp
new file mode 100644
index 0000000000..2e52616600
--- /dev/null
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_OPUS_HPP
+#define MS_FUZZER_RTC_CODECS_OPUS_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace Opus
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerVP8.hpp
similarity index 51%
rename from worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp
rename to worker/fuzzer/include/RTC/Codecs/FuzzerVP8.hpp
index 456f5803d7..dfa87efec8 100644
--- a/worker/fuzzer/include/RTC/Codecs/FuzzerCodecs.hpp
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerVP8.hpp
@@ -1,5 +1,5 @@
-#ifndef MS_FUZZER_RTC_CODECS_HPP
-#define MS_FUZZER_RTC_CODECS_HPP
+#ifndef MS_FUZZER_RTC_CODECS_VP8_HPP
+#define MS_FUZZER_RTC_CODECS_VP8_HPP
 
 #include "common.hpp"
 
@@ -9,7 +9,10 @@ namespace Fuzzer
 	{
 		namespace Codecs
 		{
-			void Fuzz(const uint8_t* data, size_t len);
+			namespace VP8
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
 		} // namespace Codecs
 	}   // namespace RTC
 } // namespace Fuzzer
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp
new file mode 100644
index 0000000000..93743cbeae
--- /dev/null
+++ b/worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_VP9_HPP
+#define MS_FUZZER_RTC_CODECS_VP9_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace VP9
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e b/worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e
new file mode 100644
index 0000000000..e570989278
--- /dev/null
+++ b/worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e
@@ -0,0 +1 @@
+88t
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c b/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
deleted file mode 100644
index a7f01535ab..0000000000
--- a/worker/fuzzer/reports/leak-492806f087e0c9fe99127b57f379ba946befc35c
+++ /dev/null
@@ -1 +0,0 @@
-��
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b b/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
deleted file mode 100644
index 8c7e5a667f..0000000000
--- a/worker/fuzzer/reports/leak-6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
+++ /dev/null
@@ -1 +0,0 @@
-A
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c b/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
deleted file mode 100644
index c227083464..0000000000
--- a/worker/fuzzer/reports/leak-b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
+++ /dev/null
@@ -1 +0,0 @@
-0
\ No newline at end of file
diff --git a/worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d b/worker/fuzzer/reports/leak-d54bc342b7d2ee881a9ba853289e831b93375e2d
deleted file mode 100644
index 943cf8d7dfd854bb291e0d81dbb826b6fd7c63aa..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4
LcmZoU$G`vp1bzWi

diff --git a/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0 b/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0
deleted file mode 100644
index d8263ee986..0000000000
--- a/worker/fuzzer/reports/leak-da4b9237bacccdf19c0760cab7aec4a8359010b0
+++ /dev/null
@@ -1 +0,0 @@
-2
\ No newline at end of file
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp
deleted file mode 100644
index 1d950a4786..0000000000
--- a/worker/fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "RTC/Codecs/FuzzerCodecs.hpp"
-#include "RTC/Codecs/Opus.hpp"
-#include "RTC/Codecs/VP8.hpp"
-#include "RTC/Codecs/VP9.hpp"
-#include "RTC/Codecs/H264.hpp"
-#include "RTC/Codecs/H264_SVC.hpp"
-
-void Fuzzer::RTC::Codecs::Fuzz(const uint8_t* data, size_t len)
-{
-	::RTC::Codecs::Opus::Parse(data, len);
-	::RTC::Codecs::VP8::Parse(data, len);
-	::RTC::Codecs::VP9::Parse(data, len);
-	::RTC::Codecs::H264::Parse(data, len);
-	::RTC::Codecs::H264_SVC::Parse(data, len);
-}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp
new file mode 100644
index 0000000000..48404e41e8
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerH264.hpp"
+#include "RTC/Codecs/H264.hpp"
+
+void Fuzzer::RTC::Codecs::H264::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::H264::PayloadDescriptor* descriptor = ::RTC::Codecs::H264::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
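Review bot: The null check before `delete` is redundant (`delete` on a null pointer is a no-op) and the raw owning pointer is the same pattern that produced the leaks in the earlier FuzzerCodecs.cpp; the whole body can be one owning declaration, `std::unique_ptr<::RTC::Codecs::H264::PayloadDescriptor> descriptor{ ::RTC::Codecs::H264::Parse(data, len) };`, which releases the descriptor on every exit path. This needs `#include <memory>` unless the codec header already brings it in. The same applies to FuzzerH264_SVC.cpp, FuzzerOpus.cpp, FuzzerVP8.cpp and FuzzerVP9.cpp in this patch.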
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp
new file mode 100644
index 0000000000..b0af2e6012
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerH264_SVC.hpp"
+#include "RTC/Codecs/H264_SVC.hpp"
+
+void Fuzzer::RTC::Codecs::H264_SVC::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::H264_SVC::PayloadDescriptor* descriptor = ::RTC::Codecs::H264_SVC::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp
new file mode 100644
index 0000000000..188762c8b8
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerOpus.hpp"
+#include "RTC/Codecs/Opus.hpp"
+
+void Fuzzer::RTC::Codecs::Opus::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::Opus::PayloadDescriptor* descriptor = ::RTC::Codecs::Opus::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp
new file mode 100644
index 0000000000..a628bd5e11
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerVP8.hpp"
+#include "RTC/Codecs/VP8.hpp"
+
+void Fuzzer::RTC::Codecs::VP8::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::VP8::PayloadDescriptor* descriptor = ::RTC::Codecs::VP8::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp
new file mode 100644
index 0000000000..c10a177a79
--- /dev/null
+++ b/worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerVP9.hpp"
+#include "RTC/Codecs/VP9.hpp"
+
+void Fuzzer::RTC::Codecs::VP9::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::VP9::PayloadDescriptor* descriptor = ::RTC::Codecs::VP9::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/fuzzer.cpp b/worker/fuzzer/src/fuzzer.cpp
index e8e2b24d4d..d51422b103 100644
--- a/worker/fuzzer/src/fuzzer.cpp
+++ b/worker/fuzzer/src/fuzzer.cpp
@@ -9,7 +9,11 @@
 #include "LogLevel.hpp"
 #include "Settings.hpp"
 #include "Utils.hpp"
-#include "RTC/Codecs/FuzzerCodecs.hpp"
+#include "RTC/Codecs/FuzzerH264.hpp"
+#include "RTC/Codecs/FuzzerH264_SVC.hpp"
+#include "RTC/Codecs/FuzzerOpus.hpp"
+#include "RTC/Codecs/FuzzerVP8.hpp"
+#include "RTC/Codecs/FuzzerVP9.hpp"
 #include "RTC/DtlsTransport.hpp"
 #include "RTC/FuzzerDtlsTransport.hpp"
 #include "RTC/FuzzerRtpPacket.hpp"
@@ -66,7 +70,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len)
 
 	if (fuzzCodecs)
 	{
-		Fuzzer::RTC::Codecs::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::Opus::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::VP8::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::VP9::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::H264::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::H264_SVC::Fuzz(data, len);
 	}
 
 	if (fuzzUtils)
@@ -137,7 +145,7 @@ int Init()
 
 		fuzzUtils = true;
 	}
-	if (!fuzzStun && !fuzzDtls && !fuzzRtcp && !fuzzRtp && !fuzzUtils)
+	if (!fuzzStun && !fuzzDtls && !fuzzRtp && !fuzzRtcp && !fuzzCodecs && !fuzzUtils)
 	{
 		std::cout << "[fuzzer] all fuzzers enabled" << std::endl;
 
diff --git a/worker/meson.build b/worker/meson.build
index cb7ccc7e56..f4d24f5958 100644
--- a/worker/meson.build
+++ b/worker/meson.build
@@ -438,7 +438,11 @@ executable(
     'fuzzer/src/RTC/FuzzerSeqManager.cpp',
     'fuzzer/src/RTC/FuzzerStunPacket.cpp',
     'fuzzer/src/RTC/FuzzerTrendCalculator.cpp',
-    'fuzzer/src/RTC/Codecs/FuzzerCodecs.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerOpus.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerVP8.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerVP9.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerH264.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerBye.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPs.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPsAfb.cpp',

From d203472da7a256cda49b1423317fdf87689f1221 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 15:58:36 +0100
Subject: [PATCH 5/9] add report crash

---
 .../crash-9cc885b84ba02d766f422c6512ead3808ded0189  | Bin 0 -> 4 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 worker/fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189

diff --git a/worker/fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189 b/worker/fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189
new file mode 100644
index 0000000000000000000000000000000000000000..e450f03ee831d124112a2d8b13460847777e845a
GIT binary patch
literal 4
LcmcCuVK4yz0VDu%

literal 0
HcmV?d00001


From e7757ee47d4a1f2b24f048860eab5855efe3d0eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 16:02:09 +0100
Subject: [PATCH 6/9] cosmetic

---
 worker/src/RTC/Codecs/H264_SVC.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/worker/src/RTC/Codecs/H264_SVC.cpp b/worker/src/RTC/Codecs/H264_SVC.cpp
index f67b1fae86..bb9065b704 100644
--- a/worker/src/RTC/Codecs/H264_SVC.cpp
+++ b/worker/src/RTC/Codecs/H264_SVC.cpp
@@ -166,7 +166,10 @@ namespace RTC
 				// Single NAL unit packet.
 				// IDR (instantaneous decoding picture).
 				case 5:
+				{
 					payloadDescriptor->isKeyFrame = true;
+				}
+
 				case 1:
 				{
 					payloadDescriptor->slIndex = 0;
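Review bot: Wrapping the `case 5:` body in braces and a blank line without a `break` keeps the fall-through into `case 1:` but now makes it read like an independent case; the intent (an IDR NAL is handled as a single NAL unit and additionally marked as a key frame) should be explicit, either with `[[fallthrough]];` after the closing brace if the project builds as C++17, or with a comment `// Fall through to case 1 (IDR is also a single NAL unit).`. Without it, `-Wimplicit-fallthrough` flags this spot and a later maintainer may add a `break` that silently stops the `case 1` handling for key frames. The enclosing switch and function start and end outside the hunk.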
@@ -177,6 +180,7 @@ namespace RTC
 
 					break;
 				}
+
 				case 14:
 				case 20:
 				{
@@ -210,6 +214,7 @@ namespace RTC
 
 					break;
 				}
+
 				case 7:
 				{
 					payloadDescriptor->isKeyFrame = isStartBit ? true : false;

From 532274fc050411eec5a3f8b0ae6625bf1d0c8f02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 16:55:12 +0100
Subject: [PATCH 7/9] cosmetic

---
 worker/include/RTC/Codecs/H264.hpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/worker/include/RTC/Codecs/H264.hpp b/worker/include/RTC/Codecs/H264.hpp
index 788c86aa0e..8fda3227de 100644
--- a/worker/include/RTC/Codecs/H264.hpp
+++ b/worker/include/RTC/Codecs/H264.hpp
@@ -28,6 +28,7 @@ namespace RTC
 				uint8_t tid{ 0 };       // Temporal layer id.
 				uint8_t lid{ 0 };       // Spatial layer id.
 				uint8_t tl0picidx{ 0 }; // TL0PICIDX
+
 				// Parsed values.
 				bool hasLid{ false };
 				bool hasTid{ false };

From dd0136fce3f99806c161dae3783dce174dd876c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 17:12:53 +0100
Subject: [PATCH 8/9] Fix AddressSanitizer: heap-buffer-overflow in H264_SVC

---
 worker/src/RTC/Codecs/H264_SVC.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/worker/src/RTC/Codecs/H264_SVC.cpp b/worker/src/RTC/Codecs/H264_SVC.cpp
index bb9065b704..199efec1ad 100644
--- a/worker/src/RTC/Codecs/H264_SVC.cpp
+++ b/worker/src/RTC/Codecs/H264_SVC.cpp
@@ -184,6 +184,11 @@ namespace RTC
 				case 14:
 				case 20:
 				{
+					if (len <= 1)
+					{
+						return nullptr;
+					}
+
 					size_t offset{ 1 };
 					uint8_t byte = data[offset];
 
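Review bot: Returning `nullptr` from inside the `case 14`/`case 20` branch bypasses the `return payloadDescriptor;` at the end of the function, so if `payloadDescriptor` was allocated with `new` above this hunk (the harness in PATCH 4/9 deletes the pointer `Parse` returns, so it is heap-owned) this early exit leaks it on every short packet, which is exactly the input class the fuzzer will now hit repeatedly. The guard should release the descriptor first, `delete payloadDescriptor; return nullptr;`, or better, the descriptor should be held in a `std::unique_ptr` until the final return. The check also only covers the read at offset 1; whether later reads after `offset` advances inside this case are bounded against `len` is not visible in the hunk. `Parse` starts and ends outside the hunk.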

From fe406b92e51176abe9348cb1c125ddd730c4d20c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?I=C3=B1aki=20Baz=20Castillo?= <ibc@aliax.net>
Date: Thu, 7 Mar 2024 17:25:02 +0100
Subject: [PATCH 9/9] cosmetic

---
 worker/src/RTC/Codecs/H264_SVC.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/worker/src/RTC/Codecs/H264_SVC.cpp b/worker/src/RTC/Codecs/H264_SVC.cpp
index 199efec1ad..05e43ec318 100644
--- a/worker/src/RTC/Codecs/H264_SVC.cpp
+++ b/worker/src/RTC/Codecs/H264_SVC.cpp
@@ -227,6 +227,7 @@ namespace RTC
 					break;
 				}
 			}
+
 			return payloadDescriptor;
 		}