diff options
author | Kris Alder <kalder@google.com> | 2020-04-09 16:19:32 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2020-04-09 16:19:32 +0000 |
commit | 662d97440093d0c89b3b94694892d779c3d92691 (patch) | |
tree | 497e65e6021153d8e4011e8ce45c2de95526e0c7 /fuzzer/README.md | |
parent | 13d520b193266a610f5ca6b07b0c0f039ddb21b5 (diff) | |
parent | d41cddf9e9f46a1596c19505967261140a5bd6f8 (diff) | |
download | fdk-aac-662d97440093d0c89b3b94694892d779c3d92691.tar.gz fdk-aac-662d97440093d0c89b3b94694892d779c3d92691.tar.bz2 fdk-aac-662d97440093d0c89b3b94694892d779c3d92691.zip |
Merge changes Iad37ae76,I4870251b,Icd937cad
* changes:
Added aac_dec_fuzzer
aacdec: Add host support
Stop using __DATE__/__TIME__ on all builds
Diffstat (limited to 'fuzzer/README.md')
-rw-r--r-- | fuzzer/README.md | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/fuzzer/README.md b/fuzzer/README.md new file mode 100644 index 0000000..d99bc75 --- /dev/null +++ b/fuzzer/README.md @@ -0,0 +1,59 @@ +# Fuzzer for libFraunhoferAAC decoder + +## Plugin Design Considerations +The fuzzer plugin for aac decoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +This fuzzer makes use of the following config parameters: +1. Transport type (parameter name: `TRANSPORT_TYPE`) + +| Parameter| Valid Values| Configured Value| +|------------- |-------------| ----- | +| `TRANSPORT_TYPE` | 0.`TT_UNKNOWN ` 1.`TT_MP4_RAW ` 2.`TT_MP4_ADIF ` 3.`TT_MP4_ADTS ` 4.`TT_MP4_LATM_MCP1 ` 5.`TT_MP4_LATM_MCP0 ` 6.`TT_MP4_LOAS ` 7.`TT_DRM ` | `TT_MP4_ADIF ` | + +Note: Value of `TRANSPORT_TYPE` could be set to any of these values. +It is set to `TT_MP4_ADIF` in the fuzzer plugin. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec using a loop. + * If the decode operation was successful, the input is advanced by an + offset calculated using valid bytes. + * If the decode operation was un-successful, the input is advanced by 1 byte + till it reaches a valid frame or end of stream. + +This ensures that the plugin tolerates any kind of input (empty, huge, +malformed, etc) and doesnt `exit()` on any input and thereby increasing the +chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_dec_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_dec_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some aac files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` + +## References: + * http://llvm.org/docs/LibFuzzer.html + * https://github.com/google/oss-fuzz + |