versatica · ibc · Mar 8, 2024 · Mar 7, 2024 · Mar 7, 2024 · Mar 7, 2024
diff --git a/doc/Fuzzer.md b/doc/Fuzzer.md
@@ -43,6 +43,7 @@ The mediasoup-worker fuzzer reads some custom environment variables to decide wh
 - `MS_FUZZ_DTLS=1`: Enable DTLS fuzzer.
 - `MS_FUZZ_RTP=1`: Enable RTP fuzzer.
 - `MS_FUZZ_RTCP=1`: Enable RTCP fuzzer.
+- `MS_FUZZ_CODECS=1`: Enable audio/video codecs fuzzer.
 - `MS_FUZZ_UTILS=1`: Enable C++ utils fuzzer.
 - If none of them is given, then **all** fuzzers are enabled.
 
@@ -74,6 +75,12 @@ MS_FUZZ_RTP=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-wor
 MS_FUZZ_RTCP=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus deps/webrtc-fuzzer-corpora/corpora/rtcp-corpus
 ```
 
+- Detect memory leaks and just fuzz audio/video codecs:
+
+```bash
+MS_FUZZ_CODECS=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus
+```
+
 - Detect memory leaks and just fuzz mediasoup-worker C++ utils:
 
 ```bash

diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerH264.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_H264_HPP
+#define MS_FUZZER_RTC_CODECS_H264_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace H264
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerH264_SVC.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_H264_SVC_HPP
+#define MS_FUZZER_RTC_CODECS_H264_SVC_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace H264_SVC
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerOpus.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_OPUS_HPP
+#define MS_FUZZER_RTC_CODECS_OPUS_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace Opus
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerVP8.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerVP8.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_VP8_HPP
+#define MS_FUZZER_RTC_CODECS_VP8_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace VP8
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp b/worker/fuzzer/include/RTC/Codecs/FuzzerVP9.hpp
@@ -0,0 +1,20 @@
+#ifndef MS_FUZZER_RTC_CODECS_VP9_HPP
+#define MS_FUZZER_RTC_CODECS_VP9_HPP
+
+#include "common.hpp"
+
+namespace Fuzzer
+{
+	namespace RTC
+	{
+		namespace Codecs
+		{
+			namespace VP9
+			{
+				void Fuzz(const uint8_t* data, size_t len);
+			}
+		} // namespace Codecs
+	}   // namespace RTC
+} // namespace Fuzzer
+
+#endif
diff --git a/worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e b/worker/fuzzer/reports/crash-7e7caf72377ad55d353719f28febb5238eadfc9e
@@ -0,0 +1 @@
+88t
diff --git a/worker/fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189 b/worker/fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerH264.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerH264.hpp"
+#include "RTC/Codecs/H264.hpp"
+
+void Fuzzer::RTC::Codecs::H264::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::H264::PayloadDescriptor* descriptor = ::RTC::Codecs::H264::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerH264_SVC.hpp"
+#include "RTC/Codecs/H264_SVC.hpp"
+
+void Fuzzer::RTC::Codecs::H264_SVC::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::H264_SVC::PayloadDescriptor* descriptor = ::RTC::Codecs::H264_SVC::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerOpus.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerOpus.hpp"
+#include "RTC/Codecs/Opus.hpp"
+
+void Fuzzer::RTC::Codecs::Opus::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::Opus::PayloadDescriptor* descriptor = ::RTC::Codecs::Opus::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerVP8.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerVP8.hpp"
+#include "RTC/Codecs/VP8.hpp"
+
+void Fuzzer::RTC::Codecs::VP8::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::VP8::PayloadDescriptor* descriptor = ::RTC::Codecs::VP8::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp b/worker/fuzzer/src/RTC/Codecs/FuzzerVP9.cpp
@@ -0,0 +1,14 @@
+#include "RTC/Codecs/FuzzerVP9.hpp"
+#include "RTC/Codecs/VP9.hpp"
+
+void Fuzzer::RTC::Codecs::VP9::Fuzz(const uint8_t* data, size_t len)
+{
+	::RTC::Codecs::VP9::PayloadDescriptor* descriptor = ::RTC::Codecs::VP9::Parse(data, len);
+
+	if (!descriptor)
+	{
+		return;
+	}
+
+	delete descriptor;
+}
diff --git a/worker/fuzzer/src/fuzzer.cpp b/worker/fuzzer/src/fuzzer.cpp
@@ -9,6 +9,11 @@
 #include "LogLevel.hpp"
 #include "Settings.hpp"
 #include "Utils.hpp"
+#include "RTC/Codecs/FuzzerH264.hpp"
+#include "RTC/Codecs/FuzzerH264_SVC.hpp"
+#include "RTC/Codecs/FuzzerOpus.hpp"
+#include "RTC/Codecs/FuzzerVP8.hpp"
+#include "RTC/Codecs/FuzzerVP9.hpp"
 #include "RTC/DtlsTransport.hpp"
 #include "RTC/FuzzerDtlsTransport.hpp"
 #include "RTC/FuzzerRtpPacket.hpp"
@@ -23,11 +28,12 @@
 #include <stddef.h>
 #include <stdint.h>
 
-bool fuzzStun  = false;
-bool fuzzDtls  = false;
-bool fuzzRtp   = false;
-bool fuzzRtcp  = false;
-bool fuzzUtils = false;
+bool fuzzStun   = false;
+bool fuzzDtls   = false;
+bool fuzzRtp    = false;
+bool fuzzRtcp   = false;
+bool fuzzCodecs = false;
+bool fuzzUtils  = false;
 
 int Init();
 
@@ -62,6 +68,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len)
 		Fuzzer::RTC::RTCP::Packet::Fuzz(data, len);
 	}
 
+	if (fuzzCodecs)
+	{
+		Fuzzer::RTC::Codecs::Opus::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::VP8::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::VP9::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::H264::Fuzz(data, len);
+		Fuzzer::RTC::Codecs::H264_SVC::Fuzz(data, len);
+	}
+
 	if (fuzzUtils)
 	{
 		Fuzzer::Utils::Fuzz(data, len);
@@ -118,21 +133,28 @@ int Init()
 
 		fuzzRtcp = true;
 	}
+	if (std::getenv("MS_FUZZ_CODECS") && std::string(std::getenv("MS_FUZZ_CODECS")) == "1")
+	{
+		std::cout << "[fuzzer] codecs fuzzer enabled" << std::endl;
+
+		fuzzCodecs = true;
+	}
 	if (std::getenv("MS_FUZZ_UTILS") && std::string(std::getenv("MS_FUZZ_UTILS")) == "1")
 	{
 		std::cout << "[fuzzer] Utils fuzzer enabled" << std::endl;
 
 		fuzzUtils = true;
 	}
-	if (!fuzzStun && !fuzzDtls && !fuzzRtcp && !fuzzRtp && !fuzzUtils)
+	if (!fuzzStun && !fuzzDtls && !fuzzRtp && !fuzzRtcp && !fuzzCodecs && !fuzzUtils)
 	{
 		std::cout << "[fuzzer] all fuzzers enabled" << std::endl;
 
-		fuzzStun  = true;
-		fuzzDtls  = true;
-		fuzzRtp   = true;
-		fuzzRtcp  = true;
-		fuzzUtils = true;
+		fuzzStun   = true;
+		fuzzDtls   = true;
+		fuzzRtp    = true;
+		fuzzRtcp   = true;
+		fuzzCodecs = true;
+		fuzzUtils  = true;
 	}
 
 	Settings::configuration.logLevel = logLevel;

diff --git a/worker/include/RTC/Codecs/H264.hpp b/worker/include/RTC/Codecs/H264.hpp
@@ -28,6 +28,7 @@ namespace RTC
 				uint8_t tid{ 0 };       // Temporal layer id.
 				uint8_t lid{ 0 };       // Spatial layer id.
 				uint8_t tl0picidx{ 0 }; // TL0PICIDX
+
 				// Parsed values.
 				bool hasLid{ false };
 				bool hasTid{ false };

diff --git a/worker/meson.build b/worker/meson.build
@@ -438,6 +438,11 @@ executable(
     'fuzzer/src/RTC/FuzzerSeqManager.cpp',
     'fuzzer/src/RTC/FuzzerStunPacket.cpp',
     'fuzzer/src/RTC/FuzzerTrendCalculator.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerOpus.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerVP8.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerVP9.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerH264.cpp',
+    'fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerBye.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPs.cpp',
     'fuzzer/src/RTC/RTCP/FuzzerFeedbackPsAfb.cpp',

diff --git a/worker/src/RTC/Codecs/H264_SVC.cpp b/worker/src/RTC/Codecs/H264_SVC.cpp
@@ -166,7 +166,10 @@ namespace RTC
 				// Single NAL unit packet.
 				// IDR (instantaneous decoding picture).
 				case 5:
+				{
 					payloadDescriptor->isKeyFrame = true;
+				}
+
 				case 1:
 				{
 					payloadDescriptor->slIndex = 0;
@@ -177,9 +180,15 @@ namespace RTC
 
 					break;
 				}
+
 				case 14:
 				case 20:
 				{
+					if (len <= 1)
+					{
+						return nullptr;
+					}
+
 					size_t offset{ 1 };
 					uint8_t byte = data[offset];
 
@@ -210,13 +219,15 @@ namespace RTC
 
 					break;
 				}
+
 				case 7:
 				{
 					payloadDescriptor->isKeyFrame = isStartBit ? true : false;
 
 					break;
 				}
 			}
+
 			return payloadDescriptor;
 		}