diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc')
-rw-r--r-- | third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc b/third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc new file mode 100644 index 0000000000..04a459bc71 --- /dev/null +++ b/third_party/libwebrtc/test/fuzzers/forward_error_correction_fuzzer.cc @@ -0,0 +1,119 @@ +/* + * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#include <memory> + +#include "api/scoped_refptr.h" +#include "modules/rtp_rtcp/source/byte_io.h" +#include "modules/rtp_rtcp/source/forward_error_correction.h" +#include "rtc_base/byte_buffer.h" + +namespace webrtc { + +namespace { +constexpr uint32_t kMediaSsrc = 100200300; +constexpr uint32_t kFecSsrc = 111222333; + +constexpr size_t kPacketSize = 50; +constexpr size_t kMaxPacketsInBuffer = 48; +} // namespace + +void FuzzOneInput(const uint8_t* data, size_t size) { + if (size > 5000) { + return; + } + // Object under test. + std::unique_ptr<ForwardErrorCorrection> fec = + ForwardErrorCorrection::CreateFlexfec(kFecSsrc, kMediaSsrc); + + // Entropy from fuzzer. + rtc::ByteBufferReader fuzz_buffer(reinterpret_cast<const char*>(data), size); + + // Initial stream state. + uint16_t media_seqnum; + if (!fuzz_buffer.ReadUInt16(&media_seqnum)) + return; + const uint16_t original_media_seqnum = media_seqnum; + uint16_t fec_seqnum; + if (!fuzz_buffer.ReadUInt16(&fec_seqnum)) + return; + + // Existing packets in the packet buffer. + ForwardErrorCorrection::RecoveredPacketList recovered_packets; + uint8_t num_existing_recovered_packets; + if (!fuzz_buffer.ReadUInt8(&num_existing_recovered_packets)) + return; + for (size_t i = 0; i < num_existing_recovered_packets % kMaxPacketsInBuffer; + ++i) { + ForwardErrorCorrection::RecoveredPacket* recovered_packet = + new ForwardErrorCorrection::RecoveredPacket(); + recovered_packet->pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>( + new ForwardErrorCorrection::Packet()); + recovered_packet->pkt->data.SetSize(kPacketSize); + memset(recovered_packet->pkt->data.MutableData(), 0, kPacketSize); + recovered_packet->ssrc = kMediaSsrc; + recovered_packet->seq_num = media_seqnum++; + recovered_packets.emplace_back(recovered_packet); + } + + // New packets received from the network. + ForwardErrorCorrection::ReceivedPacket received_packet; + received_packet.pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>( + new ForwardErrorCorrection::Packet()); + received_packet.pkt->data.SetSize(kPacketSize); + received_packet.pkt->data.EnsureCapacity(IP_PACKET_SIZE); + uint8_t* packet_buffer = received_packet.pkt->data.MutableData(); + uint8_t reordering; + uint16_t seq_num_diff; + uint8_t packet_type; + uint8_t packet_loss; + while (true) { + if (!fuzz_buffer.ReadBytes(reinterpret_cast<char*>(packet_buffer), + kPacketSize)) { + return; + } + if (!fuzz_buffer.ReadUInt8(&reordering)) + return; + if (!fuzz_buffer.ReadUInt16(&seq_num_diff)) + return; + if (!fuzz_buffer.ReadUInt8(&packet_type)) + return; + if (!fuzz_buffer.ReadUInt8(&packet_loss)) + return; + + if (reordering % 10 != 0) + seq_num_diff = 0; + + if (packet_type % 2 == 0) { + received_packet.is_fec = true; + received_packet.ssrc = kFecSsrc; + received_packet.seq_num = seq_num_diff + fec_seqnum++; + + // Overwrite parts of the FlexFEC header for fuzzing efficiency. + packet_buffer[0] = 0; // R, F bits. + ByteWriter<uint8_t>::WriteBigEndian(&packet_buffer[8], 1); // SSRCCount. + ByteWriter<uint32_t>::WriteBigEndian(&packet_buffer[12], + kMediaSsrc); // SSRC_i. + ByteWriter<uint16_t>::WriteBigEndian( + &packet_buffer[16], original_media_seqnum); // SN base_i. + } else { + received_packet.is_fec = false; + received_packet.ssrc = kMediaSsrc; + received_packet.seq_num = seq_num_diff + media_seqnum++; + } + + if (packet_loss % 10 == 0) + continue; + + fec->DecodeFec(received_packet, &recovered_packets); + } +} + +} // namespace webrtc |