Fuzzer tests for AudioDecoder's DecodeRedundant and IncomingPacket

webrtc/test/fuzzers/audio_decoder_fuzzer.cc

Index: webrtc/test/fuzzers/audio_decoder_fuzzer.cc
diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
index fb5adb6cd8e55ca236138a00e762d75b5151cde5..88362c145c3651d42d8e27eba744b333aae802e7 100644
--- a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
+++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc
@@ -11,14 +11,39 @@
 #include "webrtc/test/fuzzers/audio_decoder_fuzzer.h"
 
 #include "webrtc/base/checks.h"
+#include "webrtc/base/optional.h"
 #include "webrtc/modules/audio_coding/codecs/audio_decoder.h"
 
 namespace webrtc {
 namespace {
+rtc::Optional<uint64_t> ReadNBytes(const uint8_t* data, size_t size, size_t N) {

[pbos-webrtc, 2016/01/20 13:16:36]

This sounds like memcpy, can you rename this to "ParseInt" or smth?

[hlundin-webrtc, 2016/01/21 15:18:51]

Sure can do. But it is not really memcpy, depending on platform endianness,
right?

+  RTC_CHECK_LE(N, sizeof(uint64_t));
+  RTC_CHECK_GT(N, static_cast<size_t>(0));
+  if (size < N)
+    return rtc::Optional<uint64_t>();
+  uint64_t val = 0;
+  for (size_t i = 0; i < N; ++i) {
+    val = (val << 8) + data[i];
+  }
+  return rtc::Optional<uint64_t>(val);
+}
+
 size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) {
-  if (size < 2)
-    return 0;
-  return static_cast<size_t>((data[0] << 8) + data[1]);
+  rtc::Optional<uint64_t> val = ReadNBytes(data, size, 2);
+  return val ? static_cast<size_t>(*val) : 0;
+}
+
+template <typename T>
+T ReadTCheckedAndIncrement(const uint8_t** data, size_t* size) {

[pbos-webrtc, 2016/01/20 13:16:36]

Can we do something like ReadUint? this sounds like it'd read something more
generally, like a struct.

terelius@: Can we enforce that T is an integer type somehow:?

[terelius, 2016/01/20 13:47:27]

You could do a static_assert on std::numeric_limits<T>::is_integer which is true
for the built-in integer types including bool, but false for floating point
numbers and types which do not explicitly specialize numeric_limits.

Depending on what you want to allow and whether the C++11 type_traits library is
ok to use, I think std::is_fundamental might be better. As far as I can tell,
the existing code would work fine with floating point types too.

[terelius, 2016/01/20 13:50:06]

Hm, actually it won't. std::numeric_limits<T>::is_integer is probably the best
option then.

[hlundin-webrtc, 2016/01/21 15:18:51]

Done.

+  static_assert(sizeof(T) <= sizeof(uint64_t),
+                "Cannot read wider than uint64_t.");
+  const size_t N = sizeof(T);
+  rtc::Optional<uint64_t> val = ReadNBytes(*data, *size, N);
+  RTC_CHECK(val);
+  *data += N;
+  RTC_DCHECK_GE(*size, N);  // Make extra sure we don't wrap *size.
+  *size -= N;
+  return static_cast<T>(*val);
 }
 }  // namespace
 
@@ -35,7 +60,7 @@ void FuzzAudioDecoder(const uint8_t* data,
   const uint8_t* data_ptr = data;
   size_t remaining_size = size;
   size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
-  while (packet_len != 0 && packet_len <= remaining_size - 2) {
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {

[hlundin-webrtc, 2016/01/20 12:24:59]

(Turned out to be a bad idea to subtract from a size_t before knowing the value
of it...)

[pbos-webrtc, 2016/01/20 13:16:36]

:D

     data_ptr += 2;
     remaining_size -= 2;
     AudioDecoder::SpeechType speech_type;
@@ -46,4 +71,55 @@ void FuzzAudioDecoder(const uint8_t* data,
     packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
   }
 }
+
+// This function is identical to FuzzAudioDecoder above, with the distinction
+// that it call DecodeRedundant instead of Decode.
+void FuzzAudioDecoderRedundant(const uint8_t* data,
+                               size_t size,
+                               AudioDecoder* decoder,
+                               int sample_rate_hz,
+                               size_t max_decoded_bytes,
+                               int16_t* decoded) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  while (packet_len != 0 && packet_len + 2 <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    AudioDecoder::SpeechType speech_type;
+    decoder->DecodeRedundant(data_ptr, packet_len, sample_rate_hz,
+                             max_decoded_bytes, decoded, &speech_type);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
+
+// This function is similar to FuzzAudioDecoder, but also reads fuzzed data into
+// RTP header values. The fuzzed data and values are sent to the decoder's
+// IncomingPacket method.
+void FuzzAudioDecoderIncomingPacket(const uint8_t* data,
+                                    size_t size,
+                                    AudioDecoder* decoder) {
+  const uint8_t* data_ptr = data;
+  size_t remaining_size = size;
+  size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  // Sum length of rtp_sequence_number, rtp_timestamp, and arrival_timestamp.
+  const size_t header_len = sizeof(uint16_t) + 2 * sizeof(uint32_t);
+  while (packet_len != 0 && packet_len + 2 + header_len <= remaining_size) {
+    data_ptr += 2;
+    remaining_size -= 2;
+    const uint16_t rtp_sequence_number =
+        ReadTCheckedAndIncrement<uint16_t>(&data_ptr, &remaining_size);
+    const uint32_t rtp_timestamp =
+        ReadTCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    const uint32_t arrival_timestamp =
+        ReadTCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size);
+    decoder->IncomingPacket(data_ptr, packet_len, rtp_sequence_number,
+                            rtp_timestamp, arrival_timestamp);
+    data_ptr += packet_len;
+    remaining_size -= packet_len;
+    packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size);
+  }
+}
 }  // namespace webrtc