diff options
-rw-r--r-- | Android.bp | 51 | ||||
-rw-r--r-- | METADATA | 3 | ||||
-rw-r--r-- | fuzzer/Android.bp | 82 | ||||
-rw-r--r-- | fuzzer/README.md | 150 | ||||
-rw-r--r-- | fuzzer/aac_dec_fuzzer.cpp | 141 | ||||
-rw-r--r-- | fuzzer/aac_enc_fuzzer.cpp | 479 |
6 files changed, 900 insertions, 6 deletions
@@ -1,6 +1,40 @@ +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + default_applicable_licenses: ["external_aac_license"], +} + +// Added automatically by a large-scale-change that took the approach of +// 'apply every license found to every target'. While this makes sure we respect +// every license restriction, it may not be entirely correct. +// +// e.g. GPL in an MIT project might only apply to the contrib/ directory. +// +// Please consider splitting the single license below into multiple licenses, +// taking care not to lose any license_kind information, and overriding the +// default license using the 'licenses: [...]' property on targets as needed. +// +// For unused files, consider creating a 'fileGroup' with "//visibility:private" +// to attach the license to, and including a comment whether the files may be +// used in the current project. +// See: http://go/android-license-faq +license { + name: "external_aac_license", + visibility: [":__subpackages__"], + license_kinds: [ + "SPDX-license-identifier-Apache-2.0", + "legacy_by_exception_only", // by exception only + ], + license_text: [ + "NOTICE", + ], +} + cc_library_static { name: "libFraunhoferAAC", vendor_available: true, + host_supported: true, srcs: [ "libAACdec/src/*.cpp", "libAACenc/src/*.cpp", @@ -26,13 +60,12 @@ cc_library_static { "-DSUPPRESS_BUILD_DATE_INFO", ], sanitize: { - misc_undefined:[ - "unsigned-integer-overflow", - "signed-integer-overflow", - "bounds", + misc_undefined: [ + "unsigned-integer-overflow", + "signed-integer-overflow", + "bounds", ], - // Enable CFI if this becomes a shared library. - // cfi: true, + cfi: true, }, shared_libs: [ "liblog", @@ -53,6 +86,12 @@ cc_library_static { "libSACenc/include", ], + target: { + darwin: { + enabled: false, + }, + }, + apex_available: [ "//apex_available:platform", "com.android.bluetooth.updatable", diff --git a/METADATA b/METADATA new file mode 100644 index 0000000..5c12860 --- /dev/null +++ b/METADATA @@ -0,0 +1,3 @@ +third_party { + license_type: BY_EXCEPTION_ONLY +} diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp new file mode 100644 index 0000000..6739798 --- /dev/null +++ b/fuzzer/Android.bp @@ -0,0 +1,82 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "external_aac_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["external_aac_license"], +} + +cc_defaults { + name: "aac_fuzz_defaults", + host_supported: true, + + static_libs: [ + "libFraunhoferAAC", + ], + + target: { + darwin: { + enabled: false, + }, + }, + + fuzz_config: { + cc: [ + "android-media-fuzzing-reports@google.com", + ], + componentid: 155276, + }, +} + +cc_fuzz { + name: "aac_dec_fuzzer", + + srcs: [ + "aac_dec_fuzzer.cpp", + ], + + static_libs: [ + "liblog", + ], + + defaults: [ + "aac_fuzz_defaults" + ], +} + +cc_fuzz { + name: "aac_enc_fuzzer", + + srcs: [ + "aac_enc_fuzzer.cpp", + ], + + defaults: [ + "aac_fuzz_defaults" + ], + + include_dirs: [ + "external/aac/libAACenc/" + ], +} diff --git a/fuzzer/README.md b/fuzzer/README.md new file mode 100644 index 0000000..b8cc260 --- /dev/null +++ b/fuzzer/README.md @@ -0,0 +1,150 @@ +# Fuzzer for libFraunhoferAAC decoder + +## Plugin Design Considerations +The fuzzer plugin for aac decoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +This fuzzer makes use of the following config parameters: +1. Transport type (parameter name: `TRANSPORT_TYPE`) + +| Parameter| Valid Values| Configured Value| +|------------- |-------------| ----- | +| `TRANSPORT_TYPE` | 0.`TT_UNKNOWN ` 1.`TT_MP4_RAW ` 2.`TT_MP4_ADIF ` 3.`TT_MP4_ADTS ` 4.`TT_MP4_LATM_MCP1 ` 5.`TT_MP4_LATM_MCP0 ` 6.`TT_MP4_LOAS ` 7.`TT_DRM ` | `TT_MP4_ADIF ` | + +Note: Value of `TRANSPORT_TYPE` could be set to any of these values. +It is set to `TT_MP4_ADIF` in the fuzzer plugin. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec using a loop. + * If the decode operation was successful, the input is advanced by an + offset calculated using valid bytes. + * If the decode operation was un-successful, the input is advanced by 1 byte + till it reaches a valid frame or end of stream. + +This ensures that the plugin tolerates any kind of input (empty, huge, +malformed, etc) and doesnt `exit()` on any input and thereby increasing the +chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_dec_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_dec_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some aac files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` + +# Fuzzer for libFraunhoferAAC encoder + +## Plugin Design Considerations +The fuzzer plugin for aac encoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +The configuration parameters are not hardcoded, but instead selected based on +incoming data. This ensures more code paths are reached by the fuzzer. + +Following arguments are passed to aacEncoder_SetParam to set the respective AACENC_PARAM parameter: + +| AACENC_PARAM param| Valid Values| Configured Value| +|-------------| ----- |----- | +|`AACENC_SBR_MODE` | `-1 ` `0 ` `1 ` `2 ` | Calculated using first byte of data | +|`AACENC_AOT` |`AOT_NONE ` `AOT_NULL_OBJECT ` `AOT_AAC_MAIN ` `AOT_AAC_LC ` `AOT_AAC_SSR ` `AOT_AAC_LTP ` `AOT_SBR ` `AOT_AAC_SCAL ` `AOT_TWIN_VQ ` `AOT_CELP ` `AOT_HVXC ` `AOT_RSVD_10 ` `AOT_RSVD_11 ` `AOT_TTSI ` `AOT_MAIN_SYNTH ` `AOT_WAV_TAB_SYNTH ` `AOT_GEN_MIDI ` `AOT_ALG_SYNTH_AUD_FX ` `AOT_ER_AAC_LC ` `AOT_RSVD_18 ` `AOT_ER_AAC_LTP ` `AOT_ER_AAC_SCAL ` `AOT_ER_TWIN_VQ ` `AOT_ER_BSAC ` `AOT_ER_AAC_LD ` `AOT_ER_CELP ` `AOT_ER_HVXC ` `AOT_ER_HILN ` `AOT_ER_PARA ` `AOT_RSVD_28 ` `AOT_PS ` `AOT_MPEGS ` `AOT_ESCAPE ` `AOT_MP3ONMP4_L1 ` `AOT_MP3ONMP4_L2 ` `AOT_MP3ONMP4_L3 ` `AOT_RSVD_35 ` `AOT_RSVD_36 ` `AOT_AAC_SLS ` `AOT_SLS ` `AOT_ER_AAC_ELD ` `AOT_USAC ` `AOT_SAOC ` `AOT_LD_MPEGS ` `AOT_MP2_AAC_LC ` `AOT_MP2_SBR ` `AOT_DRM_AAC ` `AOT_DRM_SBR ` `AOT_DRM_MPEG_PS ` `AOT_DRM_SURROUND ` `AOT_DRM_USAC ` | Calculated using second byte of data | +|`AACENC_SAMPLERATE` | `8000 ` `11025 ` `12000 ` `16000 ` `22050 ` `24000 ` `32000 ` `44100 ` `48000 ` `64000 ` `88200 ` `96000 `| Calculated using third byte of data | +|`AACENC_BITRATE` | In range `8000 ` to `960000 ` | Calculated using fourth, fifth and sixth byte of data | +|`AACENC_CHANNELMODE` | `MODE_1 ` `MODE_2 ` `MODE_1_2 ` `MODE_1_2_1 ` `MODE_1_2_2 ` `MODE_1_2_2_1 ` `MODE_1_2_2_2_1 ` `MODE_6_1 ` `MODE_7_1_BACK ` `MODE_7_1_TOP_FRONT ` `MODE_7_1_REAR_SURROUND ` `MODE_7_1_FRONT_CENTER ` `MODE_212 ` | Calculated using seventh byte of data | +|`AACENC_TRANSMUX` | `TT_MP4_RAW ` `TT_MP4_ADIF ` `TT_MP4_ADTS ` `TT_MP4_LATM_MCP1 ` `TT_MP4_LATM_MCP0 ` `TT_MP4_LOAS ` `TT_DRM ` | Calculated using eight byte of data |`AACENC_SBR_RATIO` |`-1 ` `0 ` `1 ` `2 ` | Calculated using ninth byte of data | +|`AACENC_BITRATEMODE` |`AACENC_BR_MODE_INVALID ` `AACENC_BR_MODE_CBR ` `AACENC_BR_MODE_VBR_1 ` `AACENC_BR_MODE_VBR_2 ` `AACENC_BR_MODE_VBR_3 ` `AACENC_BR_MODE_VBR_4 ` `AACENC_BR_MODE_VBR_5 ` `AACENC_BR_MODE_FF ` `AACENC_BR_MODE_SFR ` | Calculated using thirty-fourth byte of data | +|`AACENC_GRANULE_LENGTH` |`120 ` `128 ` `240 ` `256 ` `480 ` `512 ` `1024 ` | Calculated using thirty-fifth byte of data | +|`AACENC_CHANNELORDER` |`CH_ORDER_MPEG ` `CH_ORDER_WAV ` | Calculated using thirty-sixth byte of data | +|`AACENC_AFTERBURNER` |`0 ` `1 ` | Calculated using thirty-seventh byte of data | +|`AACENC_BANDWIDTH` |`0 ` `1` | Calculated using thirty-eigth byte of data | +|` AACENC_IDX_PEAK_BITRATE` | In range `8000 ` to `960000 ` | Calculated using thirty-ninth byte of data | +|` AACENC_HEADER_PERIOD` |In range `0 ` to `255 ` | Calculated using fortieth byte of data | +|` AACENC_SIGNALING_MODE` |`-1 ` `0 ` `1 ` `2 ` `3 ` | Calculated using forty-first byte of data | +|` AACENC_TPSUBFRAMES` |In range `0 ` to `255 ` | Calculated using forty-second byte of data | +|` AACENC_AUDIOMUXVER` |`-1 ` `0 ` `1 ` `2 ` | Calculated using forty-third byte of data | +|` AACENC_PROTECTION` |`0 ` `1 ` | Calculated using forty-fourth of data | +|`AACENC_ANCILLARY_BITRATE` |In range `0 ` to `960000 `| Calculated using forty-fifth byte of data | +|`AACENC_METADATA_MODE ` |`0 ` `1 ` `2 ` `3 ` | Calculated using forty-sixth byte of data | + +Following values are configured to set up the meta data represented by the class variable `mMetaData ` : + +| Variable name| Possible Values| Configured Value| +|------------- | ----- |----- | +| `drc_profile` | `AACENC_METADATA_DRC_NONE ` `AACENC_METADATA_DRC_FILMSTANDARD ` `AACENC_METADATA_DRC_FILMLIGHT ` `AACENC_METADATA_DRC_MUSICSTANDARD ` `AACENC_METADATA_DRC_MUSICLIGHT ` `AACENC_METADATA_DRC_SPEECH ` `AACENC_METADATA_DRC_NOT_PRESENT ` | Calculated using tenth byte of data | +| `comp_profile` | `AACENC_METADATA_DRC_NONE ` `AACENC_METADATA_DRC_FILMSTANDARD ` `AACENC_METADATA_DRC_FILMLIGHT ` `AACENC_METADATA_DRC_MUSICSTANDARD ` `AACENC_METADATA_DRC_MUSICLIGHT ` `AACENC_METADATA_DRC_SPEECH ` `AACENC_METADATA_DRC_NOT_PRESENT ` | Calculated using eleventh byte of data | +| `drc_TargetRefLevel` | In range `0 ` to `255 ` | Calculated using twelfth byte of data | +| `comp_TargetRefLevel` | In range `0 ` to `255 ` | Calculated using thirteenth byte of data | +| `prog_ref_level_present` | `0 ` `1 ` | Calculated using fourteenth byte of data | +| `prog_ref_level` | In range `0 ` to `255 ` | Calculated using fifteenth byte of data | +| `PCE_mixdown_idx_present` | `0 ` `1 ` | Calculated using sixteenth byte of data | +| `ETSI_DmxLvl_present` | `0 ` `1 ` | Calculated using seventeenth byte of data | +| `centerMixLevel` | In range `0 ` to `7 ` | Calculated using eighteenth byte of data | +| `surroundMixLevel` | In range `0 ` to `7 ` | Calculated using nineteenth byte of data | +| `dolbySurroundMode` | In range `0 ` to `2 ` | Calculated using twentieth byte of data | +| `drcPresentationMode` | In range `0 ` to `2 ` | Calculated using twenty-first byte of data | +| `extAncDataEnable` | `0 ` `1 ` | Calculated using twenty-second byte of data | +| `extDownmixLevelEnable` | `0 ` `1 ` | Calculated using twenty-third byte of data | +| `extDownmixLevel_A` | In range `0 ` to `7 ` | Calculated using twenty-fourth byte of data | +| `extDownmixLevel_B` | In range `0 ` to `7 ` | Calculated using twenty-fifth byte of data | +| `dmxGainEnable` | `0 ` `1 ` | Calculated using twenty-sixth byte of data | +| `dmxGain5` | In range `0 ` to `255 ` | Calculated using twenty-seventh byte of data | +| `dmxGain2` | In range `0 ` to `255 ` | Calculated using twenty-eighth byte of data | +| `lfeDmxEnable` | `0 ` `1 ` | Calculated using twenty-ninth byte of data | +| `lfeDmxLevel` | In range `0 ` to `15 ` | Calculated using thirtieth byte of data | + +Indexes `mInBufferIdx_1`, `mInBufferIdx_2` and `mInBufferIdx_3`(in range `0 ` to `2`) are calculated using the thirty-first, thirty-second and thirty-third byte respectively. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec and continues with the encoding even on a failure. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt `exit()` on any input and thereby increasing the chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_enc_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_enc_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some raw files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR +``` + +## References: + * http://llvm.org/docs/LibFuzzer.html + * https://github.com/google/oss-fuzz diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp new file mode 100644 index 0000000..c970197 --- /dev/null +++ b/fuzzer/aac_dec_fuzzer.cpp @@ -0,0 +1,141 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +#include <stdint.h> +#include <string.h> +#include <algorithm> +#include "aacdecoder_lib.h" + +constexpr uint8_t kNumberOfLayers = 1; +constexpr uint8_t kMaxChannelCount = 8; +constexpr uint32_t kMaxConfigurationSize = 1024; +constexpr uint32_t kMaxOutBufferSize = 2048 * kMaxChannelCount; + +// Value indicating the start of AAC Header Segment +constexpr const char *kAacSegStartSeq = "AAC_STRT"; +constexpr uint8_t kAacSegStartSeqLen = sizeof(kAacSegStartSeq); +// Value indicating the end of AAC Header Segment +constexpr const char *kAacSegEndSeq = "AAC_ENDS"; +constexpr uint8_t kAacSegEndSeqLen = sizeof(kAacSegEndSeq); + +// Number of bytes used to signal the length of the header +constexpr uint8_t kHeaderLengthBytes = 2; +// Minimum size of an AAC header is 2 +// Minimum data required is +// strlen(AAC_STRT) + strlen(AAC_ENDS) + kHeaderLengthBytes + 2; +constexpr UINT kMinDataSize = kAacSegStartSeqLen + kAacSegEndSeqLen + kHeaderLengthBytes + 2; + +UINT getHeaderSize(UCHAR *data, UINT size) { + if (size < kMinDataSize) { + return 0; + } + + int32_t result = memcmp(data, kAacSegStartSeq, kAacSegStartSeqLen); + if (result) { + return 0; + } + data += kAacSegStartSeqLen; + size -= kAacSegStartSeqLen; + + uint32_t headerLengthInBytes = (data[0] << 8 | data[1]) & 0xFFFF; + data += kHeaderLengthBytes; + size -= kHeaderLengthBytes; + + if (headerLengthInBytes + kAacSegEndSeqLen > size) { + return 0; + } + + data += headerLengthInBytes; + size -= headerLengthInBytes; + result = memcmp(data, kAacSegEndSeq, kAacSegEndSeqLen); + if (result) { + return 0; + } + + return std::min(headerLengthInBytes, kMaxConfigurationSize); +} + +class Codec { + public: + Codec() = default; + ~Codec() { deInitDecoder(); } + bool initDecoder(); + void decodeFrames(UCHAR *data, UINT size); + void deInitDecoder(); + + private: + HANDLE_AACDECODER mAacDecoderHandle = nullptr; + AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK; +}; + +bool Codec::initDecoder() { + mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers); + if (!mAacDecoderHandle) { + return false; + } + return true; +} + +void Codec::deInitDecoder() { + aacDecoder_Close(mAacDecoderHandle); + mAacDecoderHandle = nullptr; +} + +void Codec::decodeFrames(UCHAR *data, UINT size) { + UINT headerSize = getHeaderSize(data, size); + if (headerSize != 0) { + data += kAacSegStartSeqLen + kHeaderLengthBytes; + size -= kAacSegStartSeqLen + kHeaderLengthBytes; + aacDecoder_ConfigRaw(mAacDecoderHandle, &data, &headerSize); + data += headerSize + kAacSegEndSeqLen; + size -= headerSize + kAacSegEndSeqLen; + } + while (size > 0) { + UINT inputSize = size; + UINT valid = size; + mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid); + if (mErrorCode != AAC_DEC_OK) { + ++data; + --size; + } else { + INT_PCM outputBuf[kMaxOutBufferSize]; + do { + mErrorCode = + aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, + kMaxOutBufferSize /*size in number of INT_PCM, not bytes*/, 0); + } while (mErrorCode == AAC_DEC_OK); + UINT offset = inputSize - valid; + data += offset; + size = valid; + } + } +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + Codec *codec = new Codec(); + if (!codec) { + return 0; + } + if (codec->initDecoder()) { + codec->decodeFrames((UCHAR *)(data), static_cast<UINT>(size)); + } + delete codec; + return 0; +} diff --git a/fuzzer/aac_enc_fuzzer.cpp b/fuzzer/aac_enc_fuzzer.cpp new file mode 100644 index 0000000..5a35d70 --- /dev/null +++ b/fuzzer/aac_enc_fuzzer.cpp @@ -0,0 +1,479 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +#include <string> +#include "aacenc_lib.h" +#include "src/aacenc.h" + +using namespace std; + +// IN_AUDIO_DATA, IN_ANCILLRY_DATA and IN_METADATA_SETUP +constexpr size_t kMaxBuffers = 3; + +constexpr size_t kMaxOutputBufferSize = 8192; + +constexpr uint32_t kMinBitRate = 8000; +constexpr uint32_t kMaxBitRate = 960000; + +constexpr int32_t kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000, + 32000, 44100, 48000, 64000, 88200, 96000}; +constexpr size_t kSampleRatesSize = size(kSampleRates); + +constexpr CHANNEL_MODE kChannelModes[] = {MODE_1, + MODE_2, + MODE_1_2, + MODE_1_2_1, + MODE_1_2_2, + MODE_1_2_2_1, + MODE_1_2_2_2_1, + MODE_6_1, + MODE_7_1_BACK, + MODE_7_1_TOP_FRONT, + MODE_7_1_REAR_SURROUND, + MODE_7_1_FRONT_CENTER, + MODE_212}; +constexpr size_t kChannelModesSize = size(kChannelModes); + +constexpr TRANSPORT_TYPE kIdentifiers[] = { + TT_MP4_RAW, TT_MP4_ADIF, TT_MP4_ADTS, TT_MP4_LATM_MCP1, TT_MP4_LATM_MCP0, TT_MP4_LOAS, TT_DRM}; +constexpr size_t kIdentifiersSize = size(kIdentifiers); + +constexpr AUDIO_OBJECT_TYPE kAudioObjectTypes[] = {AOT_NONE, AOT_NULL_OBJECT, + AOT_AAC_MAIN, AOT_AAC_LC, + AOT_AAC_SSR, AOT_AAC_LTP, + AOT_SBR, AOT_AAC_SCAL, + AOT_TWIN_VQ, AOT_CELP, + AOT_HVXC, AOT_RSVD_10, + AOT_RSVD_11, AOT_TTSI, + AOT_MAIN_SYNTH, AOT_WAV_TAB_SYNTH, + AOT_GEN_MIDI, AOT_ALG_SYNTH_AUD_FX, + AOT_ER_AAC_LC, AOT_RSVD_18, + AOT_ER_AAC_LTP, AOT_ER_AAC_SCAL, + AOT_ER_TWIN_VQ, AOT_ER_BSAC, + AOT_ER_AAC_LD, AOT_ER_CELP, + AOT_ER_HVXC, AOT_ER_HILN, + AOT_ER_PARA, AOT_RSVD_28, + AOT_PS, AOT_MPEGS, + AOT_ESCAPE, AOT_MP3ONMP4_L1, + AOT_MP3ONMP4_L2, AOT_MP3ONMP4_L3, + AOT_RSVD_35, AOT_RSVD_36, + AOT_AAC_SLS, AOT_SLS, + AOT_ER_AAC_ELD, AOT_USAC, + AOT_SAOC, AOT_LD_MPEGS, + AOT_MP2_AAC_LC, AOT_MP2_SBR, + AOT_DRM_AAC, AOT_DRM_SBR, + AOT_DRM_MPEG_PS, AOT_DRM_SURROUND, + AOT_DRM_USAC}; + +constexpr size_t kAudioObjectTypesSize = size(kAudioObjectTypes); + +constexpr int32_t kSbrRatios[] = {-1, 0, 1, 2}; +constexpr size_t kSbrRatiosSize = size(kSbrRatios); + +constexpr int32_t kBitRateModes[] = { + AACENC_BR_MODE_INVALID, AACENC_BR_MODE_CBR, AACENC_BR_MODE_VBR_1, + AACENC_BR_MODE_VBR_2, AACENC_BR_MODE_VBR_3, AACENC_BR_MODE_VBR_4, + AACENC_BR_MODE_VBR_5, AACENC_BR_MODE_FF, AACENC_BR_MODE_SFR}; +constexpr size_t kBitRateModesSize = size(kBitRateModes); + +constexpr int32_t kGranuleLengths[] = {120, 128, 240, 256, 480, 512, 1024}; +constexpr size_t kGranuleLengthsSize = size(kGranuleLengths); + +constexpr int32_t kChannelOrder[] = {CH_ORDER_MPEG, CH_ORDER_WAV}; +constexpr size_t kChannelOrderSize = size(kChannelOrder); + +constexpr int32_t kSignalingModes[] = {-1, 0, 1, 2, 3}; +constexpr size_t kSignalingModesSize = size(kSignalingModes); + +constexpr int32_t kAudioMuxVer[] = {-1, 0, 1, 2}; +constexpr size_t kAudioMuxVerSize = size(kAudioMuxVer); + +constexpr int32_t kSbrModes[] = {-1, 0, 1, 2}; +constexpr size_t kSbrModesSize = size(kSbrModes); + +constexpr AACENC_METADATA_DRC_PROFILE kMetaDataDrcProfiles[] = { + AACENC_METADATA_DRC_NONE, AACENC_METADATA_DRC_FILMSTANDARD, + AACENC_METADATA_DRC_FILMLIGHT, AACENC_METADATA_DRC_MUSICSTANDARD, + AACENC_METADATA_DRC_MUSICLIGHT, AACENC_METADATA_DRC_SPEECH, + AACENC_METADATA_DRC_NOT_PRESENT}; +constexpr size_t kMetaDataDrcProfilesSize = size(kMetaDataDrcProfiles); + +enum { + IDX_SBR_MODE = 0, + IDX_AAC_AOT, + IDX_SAMPLE_RATE, + IDX_BIT_RATE_1, + IDX_BIT_RATE_2, + IDX_BIT_RATE_3, + IDX_CHANNEL, + IDX_IDENTIFIER, + IDX_SBR_RATIO, + IDX_METADATA_DRC_PROFILE, + IDX_METADATA_COMP_PROFILE, + IDX_METADATA_DRC_TARGET_REF_LEVEL, + IDX_METADATA_COMP_TARGET_REF_LEVEL, + IDX_METADATA_PROG_LEVEL_PRESENT, + IDX_METADATA_PROG_LEVEL, + IDX_METADATA_PCE_MIXDOWN_IDX_PRESENT, + IDX_METADATA_ETSI_DMXLVL_PRESENT, + IDX_METADATA_CENTER_MIX_LEVEL, + IDX_METADATA_SURROUND_MIX_LEVEL, + IDX_METADATA_DOLBY_SURROUND_MODE, + IDX_METADATA_DRC_PRESENTATION_MODE, + IDX_METADATA_EXT_ANC_DATA_ENABLE, + IDX_METADATA_EXT_DOWNMIX_LEVEL_ENABLE, + IDX_METADATA_EXT_DOWNMIX_LEVEL_A, + IDX_METADATA_EXT_DOWNMIX_LEVEL_B, + IDX_METADATA_DMX_GAIN_ENABLE, + IDX_METADATA_DMX_GAIN_5, + IDX_METADATA_DMX_GAIN_2, + IDX_METADATA_LFE_DMX_ENABLE, + IDX_METADATA_LFE_DMX_LEVEL, + IDX_IN_BUFFER_INDEX_1, + IDX_IN_BUFFER_INDEX_2, + IDX_IN_BUFFER_INDEX_3, + IDX_BIT_RATE_MODE, + IDX_GRANULE_LENGTH, + IDX_CHANNELORDER, + IDX_AFTERBURNER, + IDX_BANDWIDTH, + IDX_PEAK_BITRATE, + IDX_HEADER_PERIOD, + IDX_SIGNALING_MODE, + IDX_TPSUBFRAMES, + IDX_AUDIOMUXVER, + IDX_PROTECTION, + IDX_ANCILLARY_BITRATE, + IDX_METADATA_MODE, + IDX_LAST +}; + +template <typename type1, typename type2, typename type3> +auto generateNumberInRangeFromData(type1 data, type2 min, type3 max) -> decltype(max) { + return (data % (1 + max - min)) + min; +} + +class Codec { + public: + ~Codec() { deInitEncoder(); } + bool initEncoder(uint8_t **dataPtr, size_t *sizePtr); + void encodeFrames(const uint8_t *data, size_t size); + void deInitEncoder(); + + private: + template <typename type1, typename type2, typename type3> + void setAACParam(type1 data, const AACENC_PARAM aacParam, type2 min, type2 max, + const type3 *array = nullptr); + void setupMetaData(uint8_t *data); + + HANDLE_AACENCODER mEncoder = nullptr; + AACENC_MetaData mMetaData = {}; + uint32_t mInBufferIdx_1 = 0; + uint32_t mInBufferIdx_2 = 0; + uint32_t mInBufferIdx_3 = 0; +}; + +void Codec::setupMetaData(uint8_t *data) { + uint32_t drcProfileIndex = generateNumberInRangeFromData(data[IDX_METADATA_DRC_PROFILE], 0, + kMetaDataDrcProfilesSize - 1); + AACENC_METADATA_DRC_PROFILE drcProfile = kMetaDataDrcProfiles[drcProfileIndex]; + mMetaData.drc_profile = drcProfile; + + uint32_t compProfileIndex = generateNumberInRangeFromData(data[IDX_METADATA_COMP_PROFILE], 0, + kMetaDataDrcProfilesSize - 1); + AACENC_METADATA_DRC_PROFILE compProfile = kMetaDataDrcProfiles[compProfileIndex]; + mMetaData.comp_profile = compProfile; + + INT drcTargetRefLevel = + generateNumberInRangeFromData(data[IDX_METADATA_DRC_TARGET_REF_LEVEL], 0, UINT8_MAX); + mMetaData.drc_TargetRefLevel = drcTargetRefLevel; + + INT compTargetRefLevel = + generateNumberInRangeFromData(data[IDX_METADATA_COMP_TARGET_REF_LEVEL], 0, UINT8_MAX); + mMetaData.comp_TargetRefLevel = compTargetRefLevel; + + INT isProgRefLevelPresent = + generateNumberInRangeFromData(data[IDX_METADATA_PROG_LEVEL_PRESENT], 0, 1); + mMetaData.prog_ref_level_present = isProgRefLevelPresent; + + INT progRefLevel = generateNumberInRangeFromData(data[IDX_METADATA_PROG_LEVEL], 0, UINT8_MAX); + mMetaData.prog_ref_level = progRefLevel; + + UCHAR isPCEMixdownIdxPresent = + generateNumberInRangeFromData(data[IDX_METADATA_PCE_MIXDOWN_IDX_PRESENT], 0, 1); + mMetaData.PCE_mixdown_idx_present = isPCEMixdownIdxPresent; + + UCHAR isETSIDmxLvlPresent = + generateNumberInRangeFromData(data[IDX_METADATA_ETSI_DMXLVL_PRESENT], 0, 1); + mMetaData.ETSI_DmxLvl_present = isETSIDmxLvlPresent; + + SCHAR centerMixLevel = generateNumberInRangeFromData(data[IDX_METADATA_CENTER_MIX_LEVEL], 0, 7); + mMetaData.centerMixLevel = centerMixLevel; + + SCHAR surroundMixLevel = + generateNumberInRangeFromData(data[IDX_METADATA_SURROUND_MIX_LEVEL], 0, 7); + mMetaData.surroundMixLevel = surroundMixLevel; + + UCHAR dolbySurroundMode = + generateNumberInRangeFromData(data[IDX_METADATA_DOLBY_SURROUND_MODE], 0, 2); + mMetaData.dolbySurroundMode = dolbySurroundMode; + + UCHAR drcPresentationMode = + generateNumberInRangeFromData(data[IDX_METADATA_DRC_PRESENTATION_MODE], 0, 2); + mMetaData.drcPresentationMode = drcPresentationMode; + + UCHAR extAncDataEnable = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_ANC_DATA_ENABLE], 0, 1); + mMetaData.ExtMetaData.extAncDataEnable = extAncDataEnable; + + UCHAR extDownmixLevelEnable = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_ENABLE], 0, 1); + mMetaData.ExtMetaData.extDownmixLevelEnable = extDownmixLevelEnable; + + UCHAR extDownmixLevel_A = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_A], 0, 7); + mMetaData.ExtMetaData.extDownmixLevel_A = extDownmixLevel_A; + + UCHAR extDownmixLevel_B = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_B], 0, 7); + mMetaData.ExtMetaData.extDownmixLevel_B = extDownmixLevel_B; + + UCHAR dmxGainEnable = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_ENABLE], 0, 1); + mMetaData.ExtMetaData.dmxGainEnable = dmxGainEnable; + + INT dmxGain5 = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_5], 0, UINT8_MAX); + mMetaData.ExtMetaData.dmxGain5 = dmxGain5; + + INT dmxGain2 = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_2], 0, UINT8_MAX); + mMetaData.ExtMetaData.dmxGain2 = dmxGain2; + + UCHAR lfeDmxEnable = generateNumberInRangeFromData(data[IDX_METADATA_LFE_DMX_ENABLE], 0, 1); + mMetaData.ExtMetaData.lfeDmxEnable = lfeDmxEnable; + + UCHAR lfeDmxLevel = generateNumberInRangeFromData(data[IDX_METADATA_LFE_DMX_LEVEL], 0, 15); + mMetaData.ExtMetaData.lfeDmxLevel = lfeDmxLevel; +} + +template <typename type1, typename type2, typename type3> +void Codec::setAACParam(type1 data, const AACENC_PARAM aacParam, type2 min, type2 max, + const type3 *array) { + auto value = 0; + if (array) { + uint32_t index = generateNumberInRangeFromData(data, min, max); + value = array[index]; + } else { + value = generateNumberInRangeFromData(data, min, max); + } + aacEncoder_SetParam(mEncoder, aacParam, value); + (void)aacEncoder_GetParam(mEncoder, aacParam); +} + +bool Codec::initEncoder(uint8_t **dataPtr, size_t *sizePtr) { + uint8_t *data = *dataPtr; + + if (AACENC_OK != aacEncOpen(&mEncoder, 0, 0)) { + return false; + } + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_SBR_MODE], AACENC_SBR_MODE, 0, kSbrModesSize - 1, + kSbrModes); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_SBR_RATIO], AACENC_SBR_RATIO, 0, + kSbrRatiosSize - 1, kSbrRatios); + + setAACParam<uint8_t, size_t, AUDIO_OBJECT_TYPE>(data[IDX_AAC_AOT], AACENC_AOT, 0, + kAudioObjectTypesSize - 1, kAudioObjectTypes); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_SAMPLE_RATE], AACENC_SAMPLERATE, 0, + kSampleRatesSize - 1, kSampleRates); + + uint32_t tempValue = + (data[IDX_BIT_RATE_1] << 16) | (data[IDX_BIT_RATE_2] << 8) | data[IDX_BIT_RATE_3]; + setAACParam<uint8_t, uint32_t, uint32_t>(tempValue, AACENC_BITRATE, kMinBitRate, kMaxBitRate); + + setAACParam<uint8_t, size_t, CHANNEL_MODE>(data[IDX_CHANNEL], AACENC_CHANNELMODE, 0, + kChannelModesSize - 1, kChannelModes); + + setAACParam<uint8_t, size_t, TRANSPORT_TYPE>(data[IDX_IDENTIFIER], AACENC_TRANSMUX, 0, + kIdentifiersSize - 1, kIdentifiers); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_BIT_RATE_MODE], AACENC_BITRATEMODE, 0, + kBitRateModesSize - 1, kBitRateModes); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_GRANULE_LENGTH], AACENC_GRANULE_LENGTH, 0, + kGranuleLengthsSize - 1, kGranuleLengths); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_CHANNELORDER], AACENC_CHANNELORDER, 0, + kChannelOrderSize - 1, kChannelOrder); + + setAACParam<uint8_t, int32_t, int32_t>(data[IDX_AFTERBURNER], AACENC_AFTERBURNER, 0, 1); + + setAACParam<uint8_t, int32_t, int32_t>(data[IDX_BANDWIDTH], AACENC_BANDWIDTH, 0, 1); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_PEAK_BITRATE], AACENC_PEAK_BITRATE, + kMinBitRate, kMinBitRate); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_HEADER_PERIOD], AACENC_HEADER_PERIOD, 0, + UINT8_MAX); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_SIGNALING_MODE], AACENC_SIGNALING_MODE, 0, + kSignalingModesSize - 1, kSignalingModes); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_TPSUBFRAMES], AACENC_TPSUBFRAMES, 0, + UINT8_MAX); + + setAACParam<uint8_t, size_t, int32_t>(data[IDX_AUDIOMUXVER], AACENC_AUDIOMUXVER, 0, + kAudioMuxVerSize - 1, kAudioMuxVer); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_PROTECTION], AACENC_PROTECTION, 0, 1); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_ANCILLARY_BITRATE], AACENC_ANCILLARY_BITRATE, + 0, kMaxBitRate); + + setAACParam<uint8_t, uint32_t, uint32_t>(data[IDX_METADATA_MODE], AACENC_METADATA_MODE, 0, 3); + + AACENC_InfoStruct encInfo; + aacEncInfo(mEncoder, &encInfo); + + mInBufferIdx_1 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_1], 0, kMaxBuffers - 1); + mInBufferIdx_2 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_2], 0, kMaxBuffers - 1); + mInBufferIdx_3 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_3], 0, kMaxBuffers - 1); + + setupMetaData(data); + + // Not re-using the data which was used for configuration for encoding + *dataPtr += IDX_LAST; + *sizePtr -= IDX_LAST; + + return true; +} + +static void deleteBuffers(uint8_t **buffers, size_t size) { + for (size_t n = 0; n < size; ++n) { + delete[] buffers[n]; + } + delete[] buffers; +} + +void Codec::encodeFrames(const uint8_t *data, size_t size) { + uint8_t *audioData = (uint8_t *)data; + uint8_t *ancData = (uint8_t *)data; + size_t audioSize = size; + size_t ancSize = size; + + while ((audioSize > 0) && (ancSize > 0)) { + AACENC_InArgs inargs; + memset(&inargs, 0, sizeof(inargs)); + inargs.numInSamples = audioSize / sizeof(int16_t); + inargs.numAncBytes = ancSize; + + void *buffers[] = {(void *)audioData, (void *)ancData, &mMetaData}; + INT bufferIds[] = {IN_AUDIO_DATA, IN_ANCILLRY_DATA, IN_METADATA_SETUP}; + INT bufferSizes[] = {static_cast<INT>(audioSize), static_cast<INT>(ancSize), + static_cast<INT>(sizeof(mMetaData))}; + INT bufferElSizes[] = {sizeof(int16_t), sizeof(UCHAR), sizeof(AACENC_MetaData)}; + + void *inBuffer[kMaxBuffers] = {}; + INT inBufferIds[kMaxBuffers] = {}; + INT inBufferSize[kMaxBuffers] = {}; + INT inBufferElSize[kMaxBuffers] = {}; + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + uint32_t Idxs[] = {mInBufferIdx_1, mInBufferIdx_2, mInBufferIdx_3}; + inBuffer[buffer] = buffers[Idxs[buffer]]; + inBufferIds[buffer] = bufferIds[Idxs[buffer]]; + inBufferSize[buffer] = bufferSizes[Idxs[buffer]]; + inBufferElSize[buffer] = bufferElSizes[Idxs[buffer]]; + } + + AACENC_BufDesc inBufDesc; + inBufDesc.numBufs = kMaxBuffers; + inBufDesc.bufs = (void **)&inBuffer; + inBufDesc.bufferIdentifiers = inBufferIds; + inBufDesc.bufSizes = inBufferSize; + inBufDesc.bufElSizes = inBufferElSize; + + uint8_t **outPtrRef = new uint8_t *[kMaxBuffers]; + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + outPtrRef[buffer] = new uint8_t[kMaxOutputBufferSize]; + } + + void *outBuffer[kMaxBuffers]; + INT outBufferIds[kMaxBuffers]; + INT outBufferSize[kMaxBuffers]; + INT outBufferElSize[kMaxBuffers]; + + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + outBuffer[buffer] = outPtrRef[buffer]; + outBufferIds[buffer] = OUT_BITSTREAM_DATA; + outBufferSize[buffer] = (INT)kMaxOutputBufferSize; + outBufferElSize[buffer] = sizeof(UCHAR); + } + + AACENC_BufDesc outBufDesc; + outBufDesc.numBufs = kMaxBuffers; + outBufDesc.bufs = (void **)&outBuffer; + outBufDesc.bufferIdentifiers = outBufferIds; + outBufDesc.bufSizes = outBufferSize; + outBufDesc.bufElSizes = outBufferElSize; + + AACENC_OutArgs outargs = {}; + aacEncEncode(mEncoder, &inBufDesc, &outBufDesc, &inargs, &outargs); + + if (outargs.numOutBytes == 0) { + if (audioSize > 0) { + ++audioData; + --audioSize; + } + if (ancSize > 0) { + ++ancData; + --ancSize; + } + } else { + size_t audioConsumed = outargs.numInSamples * sizeof(int16_t); + audioData += audioConsumed; + audioSize -= audioConsumed; + + size_t ancConsumed = outargs.numAncBytes; + ancData += ancConsumed; + ancSize -= ancConsumed; + } + deleteBuffers(outPtrRef, kMaxBuffers); + + // break out of loop if only metadata was sent in all the input buffers + // as sending it multiple times in a loop is redundant. + if ((mInBufferIdx_1 == kMaxBuffers - 1) && (mInBufferIdx_2 == kMaxBuffers - 1) && + (mInBufferIdx_3 == kMaxBuffers - 1)) { + break; + } + } +} + +void Codec::deInitEncoder() { aacEncClose(&mEncoder); } + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + if (size < IDX_LAST) { + return 0; + } + Codec encoder; + if (encoder.initEncoder(const_cast<uint8_t **>(&data), &size)) { + encoder.encodeFrames(data, size); + } + return 0; +} |