Fuzzer tests for AudioDecoder's DecodeRedundant and IncomingPacket

webrtc/test/fuzzers/audio_decoder_fuzzer.cc

 /*
  *  Copyright (c) 2015 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
 #include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
 
+#include <limits>
+
 #include "webrtc/base/checks.h"
+#include "webrtc/base/optional.h"
 #include "webrtc/modules/audio_coding/codecs/audio_decoder.h"
 
 namespace webrtc {
 namespace {
+rtc::Optional<uint64_t> ParseInt(const uint8_t* data, size_t size, size_t N) {
+  RTC_CHECK_LE(N, sizeof(uint64_t));
+  RTC_CHECK_GT(N, static_cast<size_t>(0));
+  if (size < N)
+    return rtc::Optional<uint64_t>();
+  uint64_t val = 0;

[pbos-webrtc, 2016/01/21 15:31:24]

Actually can you use webrtc::ByteReader instead? Just check that sizeof() is
fine to read first.

[hlundin-webrtc, 2016/01/22 13:58:56]

That works. Except there is a bug in ByteReader. Fixed in
https://codereview.webrtc.org/1615653011/, which obviously must land before this
CL.

+  for (size_t i = 0; i < N; ++i) {
+    val = (val << 8) + data[i];
+  }
+  return rtc::Optional<uint64_t>(val);
+}
+
 size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) {
-  if (size < 2)
-    return 0;
-  return static_cast<size_t>((data[0] << 8) + data[1]);
+  rtc::Optional<uint64_t> val = ParseInt(data, size, 2);
+  return val ? static_cast<size_t>(*val) : 0;
+}
+
+template <typename T>
+T ReadIntCheckedAndIncrement(const uint8_t** data, size_t* size) {
+  static_assert(std::numeric_limits<T>::is_integer, "Type must be an integer.");
+  static_assert(sizeof(T) <= sizeof(uint64_t),
+                "Cannot read wider than uint64_t.");
+  const size_t N = sizeof(T);
+  rtc::Optional<uint64_t> val = ParseInt(*data, *size, N);
+  RTC_CHECK(val);
+  *data += N;
+  RTC_DCHECK_GE(*size, N);  // Make extra sure we don't wrap *size.
+  *size -= N;
+  return static_cast<T>(*val);
 }
 }  // namespace
 
 // This function reads two bytes from the beginning of |data|, interprets them
 // as the first packet length, and reads this many bytes if available. The
 // payload is inserted into the decoder, and the process continues until no more
 // data is available.
 void FuzzAudioDecoder(const uint8_t* data,
                       size_t size,
                       AudioDecoder* decoder,
                       int sample_rate_hz,
                       size_t max_decoded_bytes,
                       int16_t* decoded) {
   const uint8_t* data_ptr = data;
   size_t remaining_size = size;
   size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
-  while (packet_len != 0 && packet_len <= remaining_size - 2) {
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {
     data_ptr += 2;
     remaining_size -= 2;
     AudioDecoder::SpeechType speech_type;
     decoder->Decode(data_ptr, packet_len, sample_rate_hz, max_decoded_bytes,
                     decoded, &speech_type);
     data_ptr += packet_len;
     remaining_size -= packet_len;
     packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
   }
 }
+
+// This function is identical to FuzzAudioDecoder above, with the distinction
+// that it call DecodeRedundant instead of Decode.
+void FuzzAudioDecoderRedundant(const uint8_t* data,
+                               size_t size,
+                               AudioDecoder* decoder,
+                               int sample_rate_hz,
+                               size_t max_decoded_bytes,
+                               int16_t* decoded) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    AudioDecoder::SpeechType speech_type;
+    decoder->DecodeRedundant(data_ptr, packet_len, sample_rate_hz,
+                             max_decoded_bytes, decoded, &speech_type);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
+
+// This function is similar to FuzzAudioDecoder, but also reads fuzzed data into
+// RTP header values. The fuzzed data and values are sent to the decoder's
+// IncomingPacket method.
+void FuzzAudioDecoderIncomingPacket(const uint8_t* data,
+                                    size_t size,
+                                    AudioDecoder* decoder) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  // Sum length of rtp_sequence_number, rtp_timestamp, and arrival_timestamp.
+  const size_t header_len = sizeof(uint16_t) + 2 * sizeof(uint32_t);
+  while (packet_len != 0 && packet_len + 2 + header_len <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    const uint16_t rtp_sequence_number =
+        ReadIntCheckedAndIncrement<uint16_t>(&data_ptr, &remaining_size);
+    const uint32_t rtp_timestamp =
+        ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    const uint32_t arrival_timestamp =
+        ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    decoder->IncomingPacket(data_ptr, packet_len, rtp_sequence_number,
+                            rtp_timestamp, arrival_timestamp);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
 }  // namespace webrtc