Chromium Code Reviews Chromium Code Reviews
Issue 1607173003:
Fuzzer tests for AudioDecoder's DecodeRedundant and IncomingPacket (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master| Index: webrtc/test/fuzzers/audio_decoder_fuzzer.cc |
| diff --git a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc |
| index fb5adb6cd8e55ca236138a00e762d75b5151cde5..e58c3ffa4becdee5d383a9c01df8d3d7f204075e 100644 |
| --- a/webrtc/test/fuzzers/audio_decoder_fuzzer.cc |
| +++ b/webrtc/test/fuzzers/audio_decoder_fuzzer.cc |
| @@ -10,15 +10,43 @@ |
| #include "webrtc/test/fuzzers/audio_decoder_fuzzer.h" |
| +#include <limits> |
| + |
| #include "webrtc/base/checks.h" |
| +#include "webrtc/base/optional.h" |
| #include "webrtc/modules/audio_coding/codecs/audio_decoder.h" |
| namespace webrtc { |
| namespace { |
| +rtc::Optional<uint64_t> ParseInt(const uint8_t* data, size_t size, size_t N) { |
| + RTC_CHECK_LE(N, sizeof(uint64_t)); |
| + RTC_CHECK_GT(N, static_cast<size_t>(0)); |
| + if (size < N) |
| + return rtc::Optional<uint64_t>(); |
| + uint64_t val = 0; |
|
pbos-webrtc
2016/01/21 15:31:24
Actually can you use webrtc::ByteReader instead? J
hlundin-webrtc
2016/01/22 13:58:56
That works. Except there is a bug in ByteReader. F
|
| + for (size_t i = 0; i < N; ++i) { |
| + val = (val << 8) + data[i]; |
| + } |
| + return rtc::Optional<uint64_t>(val); |
| +} |
| + |
| size_t PacketSizeFromTwoBytes(const uint8_t* data, size_t size) { |
| - if (size < 2) |
| - return 0; |
| - return static_cast<size_t>((data[0] << 8) + data[1]); |
| + rtc::Optional<uint64_t> val = ParseInt(data, size, 2); |
| + return val ? static_cast<size_t>(*val) : 0; |
| +} |
| + |
| +template <typename T> |
| +T ReadIntCheckedAndIncrement(const uint8_t** data, size_t* size) { |
| + static_assert(std::numeric_limits<T>::is_integer, "Type must be an integer."); |
| + static_assert(sizeof(T) <= sizeof(uint64_t), |
| + "Cannot read wider than uint64_t."); |
| + const size_t N = sizeof(T); |
| + rtc::Optional<uint64_t> val = ParseInt(*data, *size, N); |
| + RTC_CHECK(val); |
| + *data += N; |
| + RTC_DCHECK_GE(*size, N); // Make extra sure we don't wrap *size. |
| + *size -= N; |
| + return static_cast<T>(*val); |
| } |
| } // namespace |
| @@ -35,7 +63,7 @@ void FuzzAudioDecoder(const uint8_t* data, |
| const uint8_t* data_ptr = data; |
| size_t remaining_size = size; |
| size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| - while (packet_len != 0 && packet_len <= remaining_size - 2) { |
| + while (packet_len != 0 && packet_len + 2 <= remaining_size) { |
| data_ptr += 2; |
| remaining_size -= 2; |
| AudioDecoder::SpeechType speech_type; |
| @@ -46,4 +74,55 @@ void FuzzAudioDecoder(const uint8_t* data, |
| packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| } |
| } |
| + |
| +// This function is identical to FuzzAudioDecoder above, with the distinction |
| +// that it call DecodeRedundant instead of Decode. |
| +void FuzzAudioDecoderRedundant(const uint8_t* data, |
| + size_t size, |
| + AudioDecoder* decoder, |
| + int sample_rate_hz, |
| + size_t max_decoded_bytes, |
| + int16_t* decoded) { |
| + const uint8_t* data_ptr = data; |
| + size_t remaining_size = size; |
| + size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| + while (packet_len != 0 && packet_len + 2 <= remaining_size) { |
| + data_ptr += 2; |
| + remaining_size -= 2; |
| + AudioDecoder::SpeechType speech_type; |
| + decoder->DecodeRedundant(data_ptr, packet_len, sample_rate_hz, |
| + max_decoded_bytes, decoded, &speech_type); |
| + data_ptr += packet_len; |
| + remaining_size -= packet_len; |
| + packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| + } |
| +} |
| + |
| +// This function is similar to FuzzAudioDecoder, but also reads fuzzed data into |
| +// RTP header values. The fuzzed data and values are sent to the decoder's |
| +// IncomingPacket method. |
| +void FuzzAudioDecoderIncomingPacket(const uint8_t* data, |
| + size_t size, |
| + AudioDecoder* decoder) { |
| + const uint8_t* data_ptr = data; |
| + size_t remaining_size = size; |
| + size_t packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| + // Sum length of rtp_sequence_number, rtp_timestamp, and arrival_timestamp. |
| + const size_t header_len = sizeof(uint16_t) + 2 * sizeof(uint32_t); |
| + while (packet_len != 0 && packet_len + 2 + header_len <= remaining_size) { |
| + data_ptr += 2; |
| + remaining_size -= 2; |
| + const uint16_t rtp_sequence_number = |
| + ReadIntCheckedAndIncrement<uint16_t>(&data_ptr, &remaining_size); |
| + const uint32_t rtp_timestamp = |
| + ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size); |
| + const uint32_t arrival_timestamp = |
| + ReadIntCheckedAndIncrement<uint32_t>(&data_ptr, &remaining_size); |
| + decoder->IncomingPacket(data_ptr, packet_len, rtp_sequence_number, |
| + rtp_timestamp, arrival_timestamp); |
| + data_ptr += packet_len; |
| + remaining_size -= packet_len; |
| + packet_len = PacketSizeFromTwoBytes(data_ptr, remaining_size); |
| + } |
| +} |
| } // namespace webrtc |
