aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Android.bp8
-rw-r--r--fuzzer/Android.bp39
-rw-r--r--fuzzer/README.md59
-rw-r--r--fuzzer/aac_dec_fuzzer.cpp84
-rw-r--r--libAACdec/src/aacdecoder_lib.cpp2
-rw-r--r--libAACenc/src/aacenc_lib.cpp2
-rw-r--r--libDRCdec/src/FDK_drcDecLib.cpp2
-rw-r--r--libFDK/src/FDK_core.cpp2
-rw-r--r--libMpegTPDec/src/tpdec_lib.cpp2
-rw-r--r--libMpegTPEnc/src/tpenc_lib.cpp2
-rw-r--r--libPCMutils/src/version.h2
-rw-r--r--libSACdec/src/sac_dec_lib.cpp2
-rw-r--r--libSACenc/src/sacenc_lib.cpp2
-rw-r--r--libSBRdec/src/sbrdecoder.cpp2
-rw-r--r--libSBRenc/src/sbr_encoder.cpp2
15 files changed, 201 insertions, 11 deletions
diff --git a/Android.bp b/Android.bp
index 80a0347..c0937dd 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1,6 +1,7 @@
cc_library_static {
name: "libFraunhoferAAC",
vendor_available: true,
+ host_supported:true,
srcs: [
"libAACdec/src/*.cpp",
"libAACenc/src/*.cpp",
@@ -23,6 +24,7 @@ cc_library_static {
"-Wuninitialized",
"-Wno-self-assign",
"-Wno-implicit-fallthrough",
+ "-DSUPPRESS_BUILD_DATE_INFO",
],
sanitize: {
misc_undefined:[
@@ -51,4 +53,10 @@ cc_library_static {
"libSACdec/include",
"libSACenc/include",
],
+
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
}
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..ae01dad
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,39 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
+ */
+
+cc_fuzz {
+ name: "aac_dec_fuzzer",
+ host_supported:true,
+
+ static_libs: [
+ "libFraunhoferAAC",
+ "liblog",
+ ],
+
+ srcs: [
+ "aac_dec_fuzzer.cpp",
+ ],
+
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..d99bc75
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,59 @@
+# Fuzzer for libFraunhoferAAC decoder
+
+## Plugin Design Considerations
+The fuzzer plugin for aac decoder is designed based on the understanding of the
+codec and tries to achieve the following:
+
+##### Maximize code coverage
+
+This fuzzer makes use of the following config parameters:
+1. Transport type (parameter name: `TRANSPORT_TYPE`)
+
+| Parameter| Valid Values| Configured Value|
+|------------- |-------------| ----- |
+| `TRANSPORT_TYPE` | 0.`TT_UNKNOWN ` 1.`TT_MP4_RAW ` 2.`TT_MP4_ADIF ` 3.`TT_MP4_ADTS ` 4.`TT_MP4_LATM_MCP1 ` 5.`TT_MP4_LATM_MCP0 ` 6.`TT_MP4_LOAS ` 7.`TT_DRM ` | `TT_MP4_ADIF ` |
+
+Note: Value of `TRANSPORT_TYPE` could be set to any of these values.
+It is set to `TT_MP4_ADIF` in the fuzzer plugin.
+
+##### Maximize utilization of input data
+The plugin feeds the entire input data to the codec using a loop.
+ * If the decode operation was successful, the input is advanced by an
+ offset calculated using valid bytes.
+ * If the decode operation was un-successful, the input is advanced by 1 byte
+ till it reaches a valid frame or end of stream.
+
+This ensures that the plugin tolerates any kind of input (empty, huge,
+malformed, etc) and doesnt `exit()` on any input and thereby increasing the
+chance of identifying vulnerabilities.
+
+## Build
+
+This describes steps to build aac_dec_fuzzer binary.
+
+## Android
+
+### Steps to build
+Build the fuzzer
+```
+ $ mm -j$(nproc) aac_dec_fuzzer
+```
+
+### Steps to run
+Create a directory CORPUS_DIR and copy some aac files to that folder.
+Push this directory to device.
+
+To run on device
+```
+ $ adb sync data
+ $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
+```
+To run on host
+```
+ $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
+```
+
+## References:
+ * http://llvm.org/docs/LibFuzzer.html
+ * https://github.com/google/oss-fuzz
+
diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp
new file mode 100644
index 0000000..686c42f
--- /dev/null
+++ b/fuzzer/aac_dec_fuzzer.cpp
@@ -0,0 +1,84 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
+ */
+
+#include <stdint.h>
+#include "aacdecoder_lib.h"
+
+constexpr uint8_t kNumberOfLayers = 1;
+constexpr uint8_t kMaxChannelCount = 8;
+
+class Codec {
+ public:
+ Codec() = default;
+ ~Codec() { deInitDecoder(); }
+ bool initDecoder();
+ void decodeFrames(UCHAR *data, UINT size);
+ void deInitDecoder();
+
+ private:
+ HANDLE_AACDECODER mAacDecoderHandle = nullptr;
+ AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK;
+};
+
+bool Codec::initDecoder() {
+ mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers);
+ if (!mAacDecoderHandle) {
+ return false;
+ }
+ return true;
+}
+
+void Codec::deInitDecoder() {
+ aacDecoder_Close(mAacDecoderHandle);
+ mAacDecoderHandle = nullptr;
+}
+
+void Codec::decodeFrames(UCHAR *data, UINT size) {
+ while (size > 0) {
+ UINT inputSize = size;
+ UINT valid = size;
+ mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid);
+ if (mErrorCode != AAC_DEC_OK) {
+ ++data;
+ --size;
+ } else {
+ INT_PCM outputBuf[2048 * kMaxChannelCount];
+ aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, 2048 * kMaxChannelCount, 0);
+ if (valid >= inputSize) {
+ return;
+ }
+ UINT offset = inputSize - valid;
+ data += offset;
+ size = valid;
+ }
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ Codec *codec = new Codec();
+ if (!codec) {
+ return 0;
+ }
+ if (codec->initDecoder()) {
+ codec->decodeFrames((UCHAR *)(data), static_cast<UINT>(size));
+ }
+ delete codec;
+ return 0;
+}
diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp
index f5ce7e0..0f281eb 100644
--- a/libAACdec/src/aacdecoder_lib.cpp
+++ b/libAACdec/src/aacdecoder_lib.cpp
@@ -122,7 +122,7 @@ amm-info@iis.fraunhofer.de
#define AACDECODER_LIB_VL1 2
#define AACDECODER_LIB_VL2 0
#define AACDECODER_LIB_TITLE "AAC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define AACDECODER_LIB_BUILD_DATE ""
#define AACDECODER_LIB_BUILD_TIME ""
#else
diff --git a/libAACenc/src/aacenc_lib.cpp b/libAACenc/src/aacenc_lib.cpp
index 2c2010f..c3977f3 100644
--- a/libAACenc/src/aacenc_lib.cpp
+++ b/libAACenc/src/aacenc_lib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
#define AACENCODER_LIB_VL1 0
#define AACENCODER_LIB_VL2 1
#define AACENCODER_LIB_TITLE "AAC Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define AACENCODER_LIB_BUILD_DATE ""
#define AACENCODER_LIB_BUILD_TIME ""
#else
diff --git a/libDRCdec/src/FDK_drcDecLib.cpp b/libDRCdec/src/FDK_drcDecLib.cpp
index 83b5773..26e5b78 100644
--- a/libDRCdec/src/FDK_drcDecLib.cpp
+++ b/libDRCdec/src/FDK_drcDecLib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
#define DRCDEC_LIB_VL1 1
#define DRCDEC_LIB_VL2 0
#define DRCDEC_LIB_TITLE "MPEG-D DRC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define DRCDEC_LIB_BUILD_DATE ""
#define DRCDEC_LIB_BUILD_TIME ""
#else
diff --git a/libFDK/src/FDK_core.cpp b/libFDK/src/FDK_core.cpp
index 2f77179..48db17e 100644
--- a/libFDK/src/FDK_core.cpp
+++ b/libFDK/src/FDK_core.cpp
@@ -107,7 +107,7 @@ amm-info@iis.fraunhofer.de
#define FDK_TOOLS_LIB_VL1 1
#define FDK_TOOLS_LIB_VL2 0
#define FDK_TOOLS_LIB_TITLE "FDK Tools"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define FDK_TOOLS_LIB_BUILD_DATE ""
#define FDK_TOOLS_LIB_BUILD_TIME ""
#else
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index ca35184..091d011 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -1769,7 +1769,7 @@ TRANSPORTDEC_ERROR transportDec_GetLibInfo(LIB_INFO *info) {
info += i;
info->module_id = FDK_TPDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
info->build_date = "";
info->build_time = "";
#else
diff --git a/libMpegTPEnc/src/tpenc_lib.cpp b/libMpegTPEnc/src/tpenc_lib.cpp
index 14ea5fe..77c19b5 100644
--- a/libMpegTPEnc/src/tpenc_lib.cpp
+++ b/libMpegTPEnc/src/tpenc_lib.cpp
@@ -647,7 +647,7 @@ TRANSPORTENC_ERROR transportEnc_GetLibInfo(LIB_INFO *info) {
info->module_id = FDK_TPENC;
info->version = LIB_VERSION(TP_LIB_VL0, TP_LIB_VL1, TP_LIB_VL2);
LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
info->build_date = "";
info->build_time = "";
#else
diff --git a/libPCMutils/src/version.h b/libPCMutils/src/version.h
index 05371f8..871aa90 100644
--- a/libPCMutils/src/version.h
+++ b/libPCMutils/src/version.h
@@ -108,7 +108,7 @@ amm-info@iis.fraunhofer.de
#define PCMUTIL_LIB_VL1 1
#define PCMUTIL_LIB_VL2 0
#define PCMUTIL_LIB_TITLE "PCM Utility Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define PCMUTIL_LIB_BUILD_DATE ""
#define PCMUTIL_LIB_BUILD_TIME ""
#else
diff --git a/libSACdec/src/sac_dec_lib.cpp b/libSACdec/src/sac_dec_lib.cpp
index 856a923..57446f8 100644
--- a/libSACdec/src/sac_dec_lib.cpp
+++ b/libSACdec/src/sac_dec_lib.cpp
@@ -1804,7 +1804,7 @@ int mpegSurroundDecoder_GetLibInfo(LIB_INFO *info) {
info += i;
info->module_id = FDK_MPSDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
info->build_date = "";
info->build_time = "";
#else
diff --git a/libSACenc/src/sacenc_lib.cpp b/libSACenc/src/sacenc_lib.cpp
index d6a1658..fcfe39b 100644
--- a/libSACenc/src/sacenc_lib.cpp
+++ b/libSACenc/src/sacenc_lib.cpp
@@ -130,7 +130,7 @@ Description of file contents
#define SACENC_LIB_VL1 0
#define SACENC_LIB_VL2 0
#define SACENC_LIB_TITLE "MPEG Surround Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define SACENC_LIB_BUILD_DATE ""
#define SACENC_LIB_BUILD_TIME ""
#else
diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index 6e4aad4..b51461d 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -158,7 +158,7 @@ amm-info@iis.fraunhofer.de
#define SBRDECODER_LIB_VL1 1
#define SBRDECODER_LIB_VL2 0
#define SBRDECODER_LIB_TITLE "SBR Decoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
#define SBRDECODER_LIB_BUILD_DATE ""
#define SBRDECODER_LIB_BUILD_TIME ""
#else
diff --git a/libSBRenc/src/sbr_encoder.cpp b/libSBRenc/src/sbr_encoder.cpp
index df9e996..c1e083f 100644
--- a/libSBRenc/src/sbr_encoder.cpp
+++ b/libSBRenc/src/sbr_encoder.cpp
@@ -2560,7 +2560,7 @@ INT sbrEncoder_GetLibInfo(LIB_INFO *info) {
info->version =
LIB_VERSION(SBRENCODER_LIB_VL0, SBRENCODER_LIB_VL1, SBRENCODER_LIB_VL2);
LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
info->build_date = "";
info->build_time = "";
#else