From d41cddf9e9f46a1596c19505967261140a5bd6f8 Mon Sep 17 00:00:00 2001 From: Anuj Joshi Date: Thu, 26 Mar 2020 11:51:15 +0530 Subject: Added aac_dec_fuzzer Test: ./aac_dec_fuzzer Bug: 151595970 Change-Id: Iad37ae766288e9490520d858a6de0dd755e70681 --- fuzzer/Android.bp | 39 ++++++++++++++++++++++ fuzzer/README.md | 59 +++++++++++++++++++++++++++++++++ fuzzer/aac_dec_fuzzer.cpp | 84 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 182 insertions(+) create mode 100644 fuzzer/Android.bp create mode 100644 fuzzer/README.md create mode 100644 fuzzer/aac_dec_fuzzer.cpp (limited to 'fuzzer') diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp new file mode 100644 index 0000000..ae01dad --- /dev/null +++ b/fuzzer/Android.bp @@ -0,0 +1,39 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +cc_fuzz { + name: "aac_dec_fuzzer", + host_supported:true, + + static_libs: [ + "libFraunhoferAAC", + "liblog", + ], + + srcs: [ + "aac_dec_fuzzer.cpp", + ], + + target: { + darwin: { + enabled: false, + }, + }, +} diff --git a/fuzzer/README.md b/fuzzer/README.md new file mode 100644 index 0000000..d99bc75 --- /dev/null +++ b/fuzzer/README.md @@ -0,0 +1,59 @@ +# Fuzzer for libFraunhoferAAC decoder + +## Plugin Design Considerations +The fuzzer plugin for aac decoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +This fuzzer makes use of the following config parameters: +1. Transport type (parameter name: `TRANSPORT_TYPE`) + +| Parameter| Valid Values| Configured Value| +|------------- |-------------| ----- | +| `TRANSPORT_TYPE` | 0.`TT_UNKNOWN ` 1.`TT_MP4_RAW ` 2.`TT_MP4_ADIF ` 3.`TT_MP4_ADTS ` 4.`TT_MP4_LATM_MCP1 ` 5.`TT_MP4_LATM_MCP0 ` 6.`TT_MP4_LOAS ` 7.`TT_DRM ` | `TT_MP4_ADIF ` | + +Note: Value of `TRANSPORT_TYPE` could be set to any of these values. +It is set to `TT_MP4_ADIF` in the fuzzer plugin. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec using a loop. + * If the decode operation was successful, the input is advanced by an + offset calculated using valid bytes. + * If the decode operation was un-successful, the input is advanced by 1 byte + till it reaches a valid frame or end of stream. + +This ensures that the plugin tolerates any kind of input (empty, huge, +malformed, etc) and doesnt `exit()` on any input and thereby increasing the +chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_dec_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_dec_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some aac files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` + +## References: + * http://llvm.org/docs/LibFuzzer.html + * https://github.com/google/oss-fuzz + diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp new file mode 100644 index 0000000..686c42f --- /dev/null +++ b/fuzzer/aac_dec_fuzzer.cpp @@ -0,0 +1,84 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +#include +#include "aacdecoder_lib.h" + +constexpr uint8_t kNumberOfLayers = 1; +constexpr uint8_t kMaxChannelCount = 8; + +class Codec { + public: + Codec() = default; + ~Codec() { deInitDecoder(); } + bool initDecoder(); + void decodeFrames(UCHAR *data, UINT size); + void deInitDecoder(); + + private: + HANDLE_AACDECODER mAacDecoderHandle = nullptr; + AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK; +}; + +bool Codec::initDecoder() { + mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers); + if (!mAacDecoderHandle) { + return false; + } + return true; +} + +void Codec::deInitDecoder() { + aacDecoder_Close(mAacDecoderHandle); + mAacDecoderHandle = nullptr; +} + +void Codec::decodeFrames(UCHAR *data, UINT size) { + while (size > 0) { + UINT inputSize = size; + UINT valid = size; + mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid); + if (mErrorCode != AAC_DEC_OK) { + ++data; + --size; + } else { + INT_PCM outputBuf[2048 * kMaxChannelCount]; + aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, 2048 * kMaxChannelCount, 0); + if (valid >= inputSize) { + return; + } + UINT offset = inputSize - valid; + data += offset; + size = valid; + } + } +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + Codec *codec = new Codec(); + if (!codec) { + return 0; + } + if (codec->initDecoder()) { + codec->decodeFrames((UCHAR *)(data), static_cast(size)); + } + delete codec; + return 0; +} -- cgit v1.2.3 From 64e4f25b299fed46eb4cf3fef21b25b916911515 Mon Sep 17 00:00:00 2001 From: Ayushi Khopkar Date: Mon, 18 May 2020 12:19:41 +0530 Subject: Added fuzz_config field in aac_dec_fuzzer Test: ./aac_dec_fuzzer Bug: 156871294 Change-Id: Idfc93a6f6c71a78c2b7759443161d8e75dfc4670 --- fuzzer/Android.bp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'fuzzer') diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp index ae01dad..28a21b9 100644 --- a/fuzzer/Android.bp +++ b/fuzzer/Android.bp @@ -36,4 +36,11 @@ cc_fuzz { enabled: false, }, }, + + fuzz_config: { + cc: [ + "android-media-fuzzing-reports@google.com", + ], + componentid: 155276, + }, } -- cgit v1.2.3 From c1a75279a113d9cab3b2639ab9bd4070351655c5 Mon Sep 17 00:00:00 2001 From: S Vasudev Prasad Date: Fri, 15 May 2020 23:11:05 +0530 Subject: Improve code coverage for aac_dec_fuzzer Test: ./aac_dec_fuzzer Bug: 158206619 Change-Id: I42d57ec832dbd273f66ce149ce81bfcb1c514add --- fuzzer/aac_dec_fuzzer.cpp | 66 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 61 insertions(+), 5 deletions(-) (limited to 'fuzzer') diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp index 686c42f..b5545fc 100644 --- a/fuzzer/aac_dec_fuzzer.cpp +++ b/fuzzer/aac_dec_fuzzer.cpp @@ -19,10 +19,58 @@ */ #include +#include +#include #include "aacdecoder_lib.h" constexpr uint8_t kNumberOfLayers = 1; constexpr uint8_t kMaxChannelCount = 8; +constexpr uint32_t kMaxConfigurationSize = 1024; +constexpr uint32_t kMaxOutBufferSize = 2048 * kMaxChannelCount; + +// Value indicating the start of AAC Header Segment +constexpr const char *kAacSegStartSeq = "AAC_STRT"; +constexpr uint8_t kAacSegStartSeqLen = sizeof(kAacSegStartSeq); +// Value indicating the end of AAC Header Segment +constexpr const char *kAacSegEndSeq = "AAC_ENDS"; +constexpr uint8_t kAacSegEndSeqLen = sizeof(kAacSegEndSeq); + +// Number of bytes used to signal the length of the header +constexpr uint8_t kHeaderLengthBytes = 2; +// Minimum size of an AAC header is 2 +// Minimum data required is +// strlen(AAC_STRT) + strlen(AAC_ENDS) + kHeaderLengthBytes + 2; +constexpr UINT kMinDataSize = kAacSegStartSeqLen + kAacSegEndSeqLen + kHeaderLengthBytes + 2; + +UINT getHeaderSize(UCHAR *data, UINT size) { + if (size < kMinDataSize) { + return 0; + } + + int32_t result = memcmp(data, kAacSegStartSeq, kAacSegStartSeqLen); + if (result) { + return 0; + } + data += kAacSegStartSeqLen; + size -= kAacSegStartSeqLen; + + uint32_t headerLengthInBytes = (data[0] << 8 | data[1]) & 0xFFFF; + data += kHeaderLengthBytes; + size -= kHeaderLengthBytes; + + if (headerLengthInBytes + kAacSegEndSeqLen > size) { + return 0; + } + + data += headerLengthInBytes; + size -= headerLengthInBytes; + result = memcmp(data, kAacSegEndSeq, kAacSegEndSeqLen); + if (result) { + return 0; + } + + return std::min(headerLengthInBytes, kMaxConfigurationSize); +} class Codec { public: @@ -51,6 +99,14 @@ void Codec::deInitDecoder() { } void Codec::decodeFrames(UCHAR *data, UINT size) { + UINT headerSize = getHeaderSize(data, size); + if (headerSize != 0) { + data += kAacSegStartSeqLen + kHeaderLengthBytes; + size -= kAacSegStartSeqLen + kHeaderLengthBytes; + aacDecoder_ConfigRaw(mAacDecoderHandle, &data, &headerSize); + data += headerSize + kAacSegEndSeqLen; + size -= headerSize + kAacSegEndSeqLen; + } while (size > 0) { UINT inputSize = size; UINT valid = size; @@ -59,11 +115,11 @@ void Codec::decodeFrames(UCHAR *data, UINT size) { ++data; --size; } else { - INT_PCM outputBuf[2048 * kMaxChannelCount]; - aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, 2048 * kMaxChannelCount, 0); - if (valid >= inputSize) { - return; - } + INT_PCM outputBuf[kMaxOutBufferSize]; + do { + mErrorCode = + aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf), 0); + } while (mErrorCode == AAC_DEC_OK); UINT offset = inputSize - valid; data += offset; size = valid; -- cgit v1.2.3 From ec3d6d9f0e738d6e56ec418b89ca6cae79097dda Mon Sep 17 00:00:00 2001 From: Anuj Joshi Date: Thu, 1 Oct 2020 16:03:54 +0530 Subject: Added aac_enc_fuzzer Test: ./aac_enc_fuzzer Bug: 172429950 Change-Id: Ia84f85425f6df10b13a3d045472f7f684f27eb8a --- fuzzer/Android.bp | 39 ++++- fuzzer/README.md | 80 +++++++++- fuzzer/aac_enc_fuzzer.cpp | 374 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 484 insertions(+), 9 deletions(-) create mode 100644 fuzzer/aac_enc_fuzzer.cpp (limited to 'fuzzer') diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp index 28a21b9..470eb9a 100644 --- a/fuzzer/Android.bp +++ b/fuzzer/Android.bp @@ -18,17 +18,12 @@ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore */ -cc_fuzz { - name: "aac_dec_fuzzer", - host_supported:true, +cc_defaults { + name: "aac_fuzz_defaults", + host_supported: true, static_libs: [ "libFraunhoferAAC", - "liblog", - ], - - srcs: [ - "aac_dec_fuzzer.cpp", ], target: { @@ -44,3 +39,31 @@ cc_fuzz { componentid: 155276, }, } + +cc_fuzz { + name: "aac_dec_fuzzer", + + srcs: [ + "aac_dec_fuzzer.cpp", + ], + + static_libs: [ + "liblog", + ], + + defaults: [ + "aac_fuzz_defaults" + ], +} + +cc_fuzz { + name: "aac_enc_fuzzer", + + srcs: [ + "aac_enc_fuzzer.cpp", + ], + + defaults: [ + "aac_fuzz_defaults" + ], +} diff --git a/fuzzer/README.md b/fuzzer/README.md index d99bc75..43a7ff4 100644 --- a/fuzzer/README.md +++ b/fuzzer/README.md @@ -53,7 +53,85 @@ To run on host $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR ``` +# Fuzzer for libFraunhoferAAC encoder + +## Plugin Design Considerations +The fuzzer plugin for aac encoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +The configuration parameters are not hardcoded, but instead selected based on +incoming data. This ensures more code paths are reached by the fuzzer. + +Following arguments are passed to aacEncoder_SetParam to set the respective AACENC_PARAM parameter: + +| Variable name| AACENC_PARAM param| Valid Values| Configured Value| +|------------- |-------------| ----- |----- | +| `sbrMode` |`AACENC_SBR_MODE` | `AAC_SBR_OFF ` `AAC_SBR_SINGLE_RATE ` `AAC_SBR_DUAL_RATE ` `AAC_SBR_AUTO ` | Calculated using first byte of data | +| `aacAOT` | `AACENC_AOT` |`AOT_AAC_LC ` `AOT_ER_AAC_ELD ` `AOT_SBR ` `AOT_PS ` `AOT_ER_AAC_LD ` | Calculated using second byte of data | +| `sampleRate` |`AACENC_SAMPLERATE` | `8000 ` `11025 ` `12000 ` `16000 ` `22050 ` `24000 ` `32000 ` `44100 ` `48000 `| Calculated using third byte of data | +| `bitRate` |`AACENC_BITRATE` | In range `8000 ` to `960000 ` | Calculated using fourth, fifth and sixth byte of data | +| `channelMode` |`AACENC_CHANNELMODE` | `MODE_1 ` `MODE_2 ` `MODE_1_2 ` `MODE_1_2_1 ` `MODE_1_2_2 ` `MODE_1_2_2_1 ` `MODE_1_2_2_2_1 ` `MODE_7_1_BACK ` | Calculated using seventh byte of data | +| `identifier` |`AACENC_TRANSMUX` | `TT_MP4_RAW ` `TT_MP4_ADIF ` `TT_MP4_ADTS ` `TT_MP4_LATM_MCP1 ` `TT_MP4_LATM_MCP0 ` `TT_MP4_LOAS ` `TT_DRM ` | Calculated using eight byte of data | +| `sbrRatio` | `AACENC_SBR_RATIO` |`0 ` `1 ` `2 ` | Calculated using ninth byte of data | + +Following values are configured to set up the meta data represented by the class variable `mMetaData ` : +| Variable name| Possible Values| Configured Value| +|------------- | ----- |----- | +| `drc_profile` | `AACENC_METADATA_DRC_NONE ` `AACENC_METADATA_DRC_FILMSTANDARD ` `AACENC_METADATA_DRC_FILMLIGHT ` `AACENC_METADATA_DRC_MUSICSTANDARD ` `AACENC_METADATA_DRC_MUSICLIGHT ` `AACENC_METADATA_DRC_SPEECH ` `AACENC_METADATA_DRC_NOT_PRESENT ` | Calculated using tenth byte of data | +| `comp_profile` | `AACENC_METADATA_DRC_NONE ` `AACENC_METADATA_DRC_FILMSTANDARD ` `AACENC_METADATA_DRC_FILMLIGHT ` `AACENC_METADATA_DRC_MUSICSTANDARD ` `AACENC_METADATA_DRC_MUSICLIGHT ` `AACENC_METADATA_DRC_SPEECH ` `AACENC_METADATA_DRC_NOT_PRESENT ` | Calculated using eleventh byte of data | +| `drc_TargetRefLevel` | In range `0 ` to `255 ` | Calculated using twelfth byte of data | +| `comp_TargetRefLevel` | In range `0 ` to `255 ` | Calculated using thirteenth byte of data | +| `prog_ref_level_present` | `0 ` `1 ` | Calculated using fourteenth byte of data | +| `prog_ref_level` | In range `0 ` to `255 ` | Calculated using fifteenth byte of data | +| `PCE_mixdown_idx_present` | `0 ` `1 ` | Calculated using sixteenth byte of data | +| `ETSI_DmxLvl_present` | `0 ` `1 ` | Calculated using seventeenth byte of data | +| `centerMixLevel` | In range `0 ` to `7 ` | Calculated using eighteenth byte of data | +| `surroundMixLevel` | In range `0 ` to `7 ` | Calculated using nineteenth byte of data | +| `dolbySurroundMode` | In range `0 ` to `2 ` | Calculated using twentieth byte of data | +| `drcPresentationMode` | In range `0 ` to `2 ` | Calculated using twenty-first byte of data | +| `extAncDataEnable` | `0 ` `1 ` | Calculated using twenty-second byte of data | +| `extDownmixLevelEnable` | `0 ` `1 ` | Calculated using twenty-third byte of data | +| `extDownmixLevel_A` | In range `0 ` to `7 ` | Calculated using twenty-fourth byte of data | +| `extDownmixLevel_B` | In range `0 ` to `7 ` | Calculated using twenty-fifth byte of data | +| `dmxGainEnable` | `0 ` `1 ` | Calculated using twenty-sixth byte of data | +| `dmxGain5` | In range `0 ` to `255 ` | Calculated using twenty-seventh byte of data | +| `dmxGain2` | In range `0 ` to `255 ` | Calculated using twenty-eighth byte of data | +| `lfeDmxEnable` | `0 ` `1 ` | Calculated using twenty-ninth byte of data | +| `lfeDmxLevel` | In range `0 ` to `15 ` | Calculated using thirtieth byte of data | + +Indexes `mInBufferIdx_1`, `mInBufferIdx_2` and `mInBufferIdx_3`(in range `0 ` to `2`) are calculated using the thirty-first, thirty-second and thirty-third byte respectively. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec and continues with the encoding even on a failure. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt `exit()` on any input and thereby increasing the chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_enc_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_enc_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some raw files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR +``` + ## References: * http://llvm.org/docs/LibFuzzer.html * https://github.com/google/oss-fuzz - diff --git a/fuzzer/aac_enc_fuzzer.cpp b/fuzzer/aac_enc_fuzzer.cpp new file mode 100644 index 0000000..4908922 --- /dev/null +++ b/fuzzer/aac_enc_fuzzer.cpp @@ -0,0 +1,374 @@ +/****************************************************************************** + * + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************************** + * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore + */ + +#include +#include "aacenc_lib.h" + +using namespace std; + +// IN_AUDIO_DATA, IN_ANCILLRY_DATA and IN_METADATA_SETUP +constexpr size_t kMaxBuffers = 3; + +constexpr size_t kMaxOutputBufferSize = 8192; + +constexpr uint32_t kMinBitRate = 8000; +constexpr uint32_t kMaxBitRate = 960000; + +constexpr uint32_t kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000}; +constexpr size_t kSampleRatesSize = size(kSampleRates); + +constexpr CHANNEL_MODE kChannelModes[] = {MODE_1, MODE_2, MODE_1_2, MODE_1_2_1, + MODE_1_2_2, MODE_1_2_2_1, MODE_1_2_2_2_1, MODE_7_1_BACK}; +constexpr size_t kChannelModesSize = size(kChannelModes); + +constexpr TRANSPORT_TYPE kIdentifiers[] = { + TT_MP4_RAW, TT_MP4_ADIF, TT_MP4_ADTS, TT_MP4_LATM_MCP1, TT_MP4_LATM_MCP0, TT_MP4_LOAS, TT_DRM}; +constexpr size_t kIdentifiersSize = size(kIdentifiers); + +constexpr AUDIO_OBJECT_TYPE kAudioObjectTypes[] = {AOT_AAC_LC, AOT_ER_AAC_ELD, AOT_SBR, AOT_PS, + AOT_ER_AAC_LD}; +constexpr size_t kAudioObjectTypesSize = size(kAudioObjectTypes); + +constexpr int32_t kSbrRatios[] = {0, 1, 2}; +constexpr size_t kSbrRatiosSize = size(kSbrRatios); + +constexpr AACENC_METADATA_DRC_PROFILE kMetaDataDrcProfiles[] = { + AACENC_METADATA_DRC_NONE, AACENC_METADATA_DRC_FILMSTANDARD, + AACENC_METADATA_DRC_FILMLIGHT, AACENC_METADATA_DRC_MUSICSTANDARD, + AACENC_METADATA_DRC_MUSICLIGHT, AACENC_METADATA_DRC_SPEECH, + AACENC_METADATA_DRC_NOT_PRESENT}; +constexpr size_t kMetaDataDrcProfilesSize = size(kMetaDataDrcProfiles); + +enum { + IDX_SBR_MODE = 0, + IDX_AAC_AOT, + IDX_SAMPLE_RATE, + IDX_BIT_RATE_1, + IDX_BIT_RATE_2, + IDX_BIT_RATE_3, + IDX_CHANNEL, + IDX_IDENTIFIER, + IDX_SBR_RATIO, + + IDX_METADATA_DRC_PROFILE, + IDX_METADATA_COMP_PROFILE, + IDX_METADATA_DRC_TARGET_REF_LEVEL, + IDX_METADATA_COMP_TARGET_REF_LEVEL, + IDX_METADATA_PROG_LEVEL_PRESENT, + IDX_METADATA_PROG_LEVEL, + IDX_METADATA_PCE_MIXDOWN_IDX_PRESENT, + IDX_METADATA_ETSI_DMXLVL_PRESENT, + IDX_METADATA_CENTER_MIX_LEVEL, + IDX_METADATA_SURROUND_MIX_LEVEL, + IDX_METADATA_DOLBY_SURROUND_MODE, + IDX_METADATA_DRC_PRESENTATION_MODE, + IDX_METADATA_EXT_ANC_DATA_ENABLE, + IDX_METADATA_EXT_DOWNMIX_LEVEL_ENABLE, + IDX_METADATA_EXT_DOWNMIX_LEVEL_A, + IDX_METADATA_EXT_DOWNMIX_LEVEL_B, + IDX_METADATA_DMX_GAIN_ENABLE, + IDX_METADATA_DMX_GAIN_5, + IDX_METADATA_DMX_GAIN_2, + IDX_METADATA_LFE_DMX_ENABLE, + IDX_METADATA_LFE_DMX_LEVEL, + + IDX_IN_BUFFER_INDEX_1, + IDX_IN_BUFFER_INDEX_2, + IDX_IN_BUFFER_INDEX_3, + + IDX_LAST +}; + +enum aac_sbr_mode_t : uint32_t { + AAC_SBR_OFF, + AAC_SBR_SINGLE_RATE, + AAC_SBR_DUAL_RATE, + AAC_SBR_AUTO +}; + +template +auto generateNumberInRangeFromData(type1 data, type2 min, type3 max) -> decltype(max) { + return (data % (1 + max - min)) + min; +} + +class Codec { + public: + ~Codec() { deInitEncoder(); } + bool initEncoder(uint8_t **dataPtr, size_t *sizePtr); + void encodeFrames(const uint8_t *data, size_t size); + void deInitEncoder(); + + private: + void setupMetaData(uint8_t *data); + + HANDLE_AACENCODER mEncoder = nullptr; + AACENC_MetaData mMetaData = {}; + uint32_t mInBufferIdx_1 = 0; + uint32_t mInBufferIdx_2 = 0; + uint32_t mInBufferIdx_3 = 0; +}; + +void Codec::setupMetaData(uint8_t *data) { + uint32_t drcProfileIndex = generateNumberInRangeFromData(data[IDX_METADATA_DRC_PROFILE], 0, + kMetaDataDrcProfilesSize - 1); + AACENC_METADATA_DRC_PROFILE drcProfile = kMetaDataDrcProfiles[drcProfileIndex]; + mMetaData.drc_profile = drcProfile; + + uint32_t compProfileIndex = generateNumberInRangeFromData(data[IDX_METADATA_COMP_PROFILE], 0, + kMetaDataDrcProfilesSize - 1); + AACENC_METADATA_DRC_PROFILE compProfile = kMetaDataDrcProfiles[compProfileIndex]; + mMetaData.comp_profile = compProfile; + + INT drcTargetRefLevel = + generateNumberInRangeFromData(data[IDX_METADATA_DRC_TARGET_REF_LEVEL], 0, UINT8_MAX); + mMetaData.drc_TargetRefLevel = drcTargetRefLevel; + + INT compTargetRefLevel = + generateNumberInRangeFromData(data[IDX_METADATA_COMP_TARGET_REF_LEVEL], 0, UINT8_MAX); + mMetaData.comp_TargetRefLevel = compTargetRefLevel; + + INT isProgRefLevelPresent = + generateNumberInRangeFromData(data[IDX_METADATA_PROG_LEVEL_PRESENT], 0, 1); + mMetaData.prog_ref_level_present = isProgRefLevelPresent; + + INT progRefLevel = generateNumberInRangeFromData(data[IDX_METADATA_PROG_LEVEL], 0, UINT8_MAX); + mMetaData.prog_ref_level = progRefLevel; + + UCHAR isPCEMixdownIdxPresent = + generateNumberInRangeFromData(data[IDX_METADATA_PCE_MIXDOWN_IDX_PRESENT], 0, 1); + mMetaData.PCE_mixdown_idx_present = isPCEMixdownIdxPresent; + + UCHAR isETSIDmxLvlPresent = + generateNumberInRangeFromData(data[IDX_METADATA_ETSI_DMXLVL_PRESENT], 0, 1); + mMetaData.ETSI_DmxLvl_present = isETSIDmxLvlPresent; + + SCHAR centerMixLevel = generateNumberInRangeFromData(data[IDX_METADATA_CENTER_MIX_LEVEL], 0, 7); + mMetaData.centerMixLevel = centerMixLevel; + + SCHAR surroundMixLevel = + generateNumberInRangeFromData(data[IDX_METADATA_SURROUND_MIX_LEVEL], 0, 7); + mMetaData.surroundMixLevel = surroundMixLevel; + + UCHAR dolbySurroundMode = + generateNumberInRangeFromData(data[IDX_METADATA_DOLBY_SURROUND_MODE], 0, 2); + mMetaData.dolbySurroundMode = dolbySurroundMode; + + UCHAR drcPresentationMode = + generateNumberInRangeFromData(data[IDX_METADATA_DRC_PRESENTATION_MODE], 0, 2); + mMetaData.drcPresentationMode = drcPresentationMode; + + UCHAR extAncDataEnable = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_ANC_DATA_ENABLE], 0, 1); + mMetaData.ExtMetaData.extAncDataEnable = extAncDataEnable; + + UCHAR extDownmixLevelEnable = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_ENABLE], 0, 1); + mMetaData.ExtMetaData.extDownmixLevelEnable = extDownmixLevelEnable; + + UCHAR extDownmixLevel_A = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_A], 0, 7); + mMetaData.ExtMetaData.extDownmixLevel_A = extDownmixLevel_A; + + UCHAR extDownmixLevel_B = + generateNumberInRangeFromData(data[IDX_METADATA_EXT_DOWNMIX_LEVEL_B], 0, 7); + mMetaData.ExtMetaData.extDownmixLevel_B = extDownmixLevel_B; + + UCHAR dmxGainEnable = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_ENABLE], 0, 1); + mMetaData.ExtMetaData.dmxGainEnable = dmxGainEnable; + + INT dmxGain5 = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_5], 0, UINT8_MAX); + mMetaData.ExtMetaData.dmxGain5 = dmxGain5; + + INT dmxGain2 = generateNumberInRangeFromData(data[IDX_METADATA_DMX_GAIN_2], 0, UINT8_MAX); + mMetaData.ExtMetaData.dmxGain2 = dmxGain2; + + UCHAR lfeDmxEnable = generateNumberInRangeFromData(data[IDX_METADATA_LFE_DMX_ENABLE], 0, 1); + mMetaData.ExtMetaData.lfeDmxEnable = lfeDmxEnable; + + UCHAR lfeDmxLevel = generateNumberInRangeFromData(data[IDX_METADATA_LFE_DMX_LEVEL], 0, 15); + mMetaData.ExtMetaData.lfeDmxLevel = lfeDmxLevel; +} + +bool Codec::initEncoder(uint8_t **dataPtr, size_t *sizePtr) { + uint8_t *data = *dataPtr; + + if (AACENC_OK != aacEncOpen(&mEncoder, 0, 0)) { + return false; + } + + uint32_t sbrMode = generateNumberInRangeFromData(data[IDX_SBR_MODE], (uint32_t)AAC_SBR_OFF, + (uint32_t)AAC_SBR_AUTO); + aacEncoder_SetParam(mEncoder, AACENC_SBR_MODE, sbrMode); + + uint32_t sbrRatioIndex = + generateNumberInRangeFromData(data[IDX_SBR_RATIO], 0, kSbrRatiosSize - 1); + int32_t sbrRatio = kSbrRatios[sbrRatioIndex]; + aacEncoder_SetParam(mEncoder, AACENC_SBR_RATIO, sbrRatio); + + uint32_t aacAOTIndex = + generateNumberInRangeFromData(data[IDX_AAC_AOT], 0, kAudioObjectTypesSize - 1); + uint32_t aacAOT = kAudioObjectTypes[aacAOTIndex]; + aacEncoder_SetParam(mEncoder, AACENC_AOT, aacAOT); + + uint32_t sampleRateIndex = + generateNumberInRangeFromData(data[IDX_SAMPLE_RATE], 0, kSampleRatesSize - 1); + uint32_t sampleRate = kSampleRates[sampleRateIndex]; + aacEncoder_SetParam(mEncoder, AACENC_SAMPLERATE, sampleRate); + + uint32_t tempValue = + (data[IDX_BIT_RATE_1] << 16) | (data[IDX_BIT_RATE_2] << 8) | data[IDX_BIT_RATE_3]; + uint32_t bitRate = generateNumberInRangeFromData(tempValue, kMinBitRate, kMaxBitRate); + aacEncoder_SetParam(mEncoder, AACENC_BITRATE, bitRate); + + uint32_t channelModeIndex = + generateNumberInRangeFromData(data[IDX_CHANNEL], 0, kChannelModesSize - 1); + CHANNEL_MODE channelMode = kChannelModes[channelModeIndex]; + aacEncoder_SetParam(mEncoder, AACENC_CHANNELMODE, channelMode); + + uint32_t identifierIndex = + generateNumberInRangeFromData(data[IDX_IDENTIFIER], 0, kIdentifiersSize - 1); + uint32_t identifier = kIdentifiers[identifierIndex]; + aacEncoder_SetParam(mEncoder, AACENC_TRANSMUX, identifier); + + mInBufferIdx_1 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_1], 0, kMaxBuffers - 1); + mInBufferIdx_2 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_2], 0, kMaxBuffers - 1); + mInBufferIdx_3 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_3], 0, kMaxBuffers - 1); + + setupMetaData(data); + + // Not re-using the data which was used for configuration for encoding + *dataPtr += IDX_LAST; + *sizePtr -= IDX_LAST; + + return true; +} + +static void deleteBuffers(uint8_t **buffers, size_t size) { + for (size_t n = 0; n < size; ++n) { + delete[] buffers[n]; + } + delete[] buffers; +} + +void Codec::encodeFrames(const uint8_t *data, size_t size) { + uint8_t *audioData = (uint8_t *)data; + uint8_t *ancData = (uint8_t *)data; + size_t audioSize = size; + size_t ancSize = size; + + while ((audioSize > 0) && (ancSize > 0)) { + AACENC_InArgs inargs; + memset(&inargs, 0, sizeof(inargs)); + inargs.numInSamples = audioSize / sizeof(int16_t); + inargs.numAncBytes = ancSize; + + void *buffers[] = {(void *)audioData, (void *)ancData, &mMetaData}; + INT bufferIds[] = {IN_AUDIO_DATA, IN_ANCILLRY_DATA, IN_METADATA_SETUP}; + INT bufferSizes[] = {static_cast(audioSize), static_cast(ancSize), + static_cast(sizeof(mMetaData))}; + INT bufferElSizes[] = {sizeof(int16_t), sizeof(UCHAR), sizeof(AACENC_MetaData)}; + + void *inBuffer[kMaxBuffers] = {}; + INT inBufferIds[kMaxBuffers] = {}; + INT inBufferSize[kMaxBuffers] = {}; + INT inBufferElSize[kMaxBuffers] = {}; + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + uint32_t Idxs[] = {mInBufferIdx_1, mInBufferIdx_2, mInBufferIdx_3}; + inBuffer[buffer] = buffers[Idxs[buffer]]; + inBufferIds[buffer] = bufferIds[Idxs[buffer]]; + inBufferSize[buffer] = bufferSizes[Idxs[buffer]]; + inBufferElSize[buffer] = bufferElSizes[Idxs[buffer]]; + } + + AACENC_BufDesc inBufDesc; + inBufDesc.numBufs = kMaxBuffers; + inBufDesc.bufs = (void **)&inBuffer; + inBufDesc.bufferIdentifiers = inBufferIds; + inBufDesc.bufSizes = inBufferSize; + inBufDesc.bufElSizes = inBufferElSize; + + uint8_t **outPtrRef = new uint8_t *[kMaxBuffers]; + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + outPtrRef[buffer] = new uint8_t[kMaxOutputBufferSize]; + } + + void *outBuffer[kMaxBuffers]; + INT outBufferIds[kMaxBuffers]; + INT outBufferSize[kMaxBuffers]; + INT outBufferElSize[kMaxBuffers]; + + for (int32_t buffer = 0; buffer < kMaxBuffers; ++buffer) { + outBuffer[buffer] = outPtrRef[buffer]; + outBufferIds[buffer] = OUT_BITSTREAM_DATA; + outBufferSize[buffer] = (INT)kMaxOutputBufferSize; + outBufferElSize[buffer] = sizeof(UCHAR); + } + + AACENC_BufDesc outBufDesc; + outBufDesc.numBufs = kMaxBuffers; + outBufDesc.bufs = (void **)&outBuffer; + outBufDesc.bufferIdentifiers = outBufferIds; + outBufDesc.bufSizes = outBufferSize; + outBufDesc.bufElSizes = outBufferElSize; + + AACENC_OutArgs outargs = {}; + aacEncEncode(mEncoder, &inBufDesc, &outBufDesc, &inargs, &outargs); + + if (outargs.numOutBytes == 0) { + if (audioSize > 0) { + ++audioData; + --audioSize; + } + if (ancSize > 0) { + ++ancData; + --ancSize; + } + } else { + size_t audioConsumed = outargs.numInSamples * sizeof(int16_t); + audioData += audioConsumed; + audioSize -= audioConsumed; + + size_t ancConsumed = outargs.numAncBytes; + ancData += ancConsumed; + ancSize -= ancConsumed; + } + deleteBuffers(outPtrRef, kMaxBuffers); + + // break out of loop if only metadata was sent in all the input buffers + // as sending it multiple times in a loop is redundant. + if ((mInBufferIdx_1 == kMaxBuffers - 1) && (mInBufferIdx_2 == kMaxBuffers - 1) && + (mInBufferIdx_3 == kMaxBuffers - 1)) { + break; + } + } +} + +void Codec::deInitEncoder() { aacEncClose(&mEncoder); } + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + if (size < IDX_LAST) { + return 0; + } + Codec encoder; + if (encoder.initEncoder(const_cast(&data), &size)) { + encoder.encodeFrames(data, size); + } + return 0; +} -- cgit v1.2.3 From d3c11e097be26afe76006034b0e8d5de08699729 Mon Sep 17 00:00:00 2001 From: Anuj Joshi Date: Thu, 21 Jan 2021 10:20:45 +0530 Subject: aac_enc_fuzzer: Improve code coverage Test: ./aac_enc_fuzzer Bug: 172429950 Change-Id: Id8c5c6351627ba09d6b0f8eeb81ad81003eba0c5 --- fuzzer/Android.bp | 4 + fuzzer/README.md | 31 +++++--- fuzzer/aac_enc_fuzzer.cpp | 191 +++++++++++++++++++++++++++++++++++----------- 3 files changed, 174 insertions(+), 52 deletions(-) (limited to 'fuzzer') diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp index 470eb9a..0aff547 100644 --- a/fuzzer/Android.bp +++ b/fuzzer/Android.bp @@ -66,4 +66,8 @@ cc_fuzz { defaults: [ "aac_fuzz_defaults" ], + + include_dirs: [ + "external/aac/libAACenc/" + ], } diff --git a/fuzzer/README.md b/fuzzer/README.md index 43a7ff4..b8cc260 100644 --- a/fuzzer/README.md +++ b/fuzzer/README.md @@ -66,17 +66,30 @@ incoming data. This ensures more code paths are reached by the fuzzer. Following arguments are passed to aacEncoder_SetParam to set the respective AACENC_PARAM parameter: -| Variable name| AACENC_PARAM param| Valid Values| Configured Value| -|------------- |-------------| ----- |----- | -| `sbrMode` |`AACENC_SBR_MODE` | `AAC_SBR_OFF ` `AAC_SBR_SINGLE_RATE ` `AAC_SBR_DUAL_RATE ` `AAC_SBR_AUTO ` | Calculated using first byte of data | -| `aacAOT` | `AACENC_AOT` |`AOT_AAC_LC ` `AOT_ER_AAC_ELD ` `AOT_SBR ` `AOT_PS ` `AOT_ER_AAC_LD ` | Calculated using second byte of data | -| `sampleRate` |`AACENC_SAMPLERATE` | `8000 ` `11025 ` `12000 ` `16000 ` `22050 ` `24000 ` `32000 ` `44100 ` `48000 `| Calculated using third byte of data | -| `bitRate` |`AACENC_BITRATE` | In range `8000 ` to `960000 ` | Calculated using fourth, fifth and sixth byte of data | -| `channelMode` |`AACENC_CHANNELMODE` | `MODE_1 ` `MODE_2 ` `MODE_1_2 ` `MODE_1_2_1 ` `MODE_1_2_2 ` `MODE_1_2_2_1 ` `MODE_1_2_2_2_1 ` `MODE_7_1_BACK ` | Calculated using seventh byte of data | -| `identifier` |`AACENC_TRANSMUX` | `TT_MP4_RAW ` `TT_MP4_ADIF ` `TT_MP4_ADTS ` `TT_MP4_LATM_MCP1 ` `TT_MP4_LATM_MCP0 ` `TT_MP4_LOAS ` `TT_DRM ` | Calculated using eight byte of data | -| `sbrRatio` | `AACENC_SBR_RATIO` |`0 ` `1 ` `2 ` | Calculated using ninth byte of data | +| AACENC_PARAM param| Valid Values| Configured Value| +|-------------| ----- |----- | +|`AACENC_SBR_MODE` | `-1 ` `0 ` `1 ` `2 ` | Calculated using first byte of data | +|`AACENC_AOT` |`AOT_NONE ` `AOT_NULL_OBJECT ` `AOT_AAC_MAIN ` `AOT_AAC_LC ` `AOT_AAC_SSR ` `AOT_AAC_LTP ` `AOT_SBR ` `AOT_AAC_SCAL ` `AOT_TWIN_VQ ` `AOT_CELP ` `AOT_HVXC ` `AOT_RSVD_10 ` `AOT_RSVD_11 ` `AOT_TTSI ` `AOT_MAIN_SYNTH ` `AOT_WAV_TAB_SYNTH ` `AOT_GEN_MIDI ` `AOT_ALG_SYNTH_AUD_FX ` `AOT_ER_AAC_LC ` `AOT_RSVD_18 ` `AOT_ER_AAC_LTP ` `AOT_ER_AAC_SCAL ` `AOT_ER_TWIN_VQ ` `AOT_ER_BSAC ` `AOT_ER_AAC_LD ` `AOT_ER_CELP ` `AOT_ER_HVXC ` `AOT_ER_HILN ` `AOT_ER_PARA ` `AOT_RSVD_28 ` `AOT_PS ` `AOT_MPEGS ` `AOT_ESCAPE ` `AOT_MP3ONMP4_L1 ` `AOT_MP3ONMP4_L2 ` `AOT_MP3ONMP4_L3 ` `AOT_RSVD_35 ` `AOT_RSVD_36 ` `AOT_AAC_SLS ` `AOT_SLS ` `AOT_ER_AAC_ELD ` `AOT_USAC ` `AOT_SAOC ` `AOT_LD_MPEGS ` `AOT_MP2_AAC_LC ` `AOT_MP2_SBR ` `AOT_DRM_AAC ` `AOT_DRM_SBR ` `AOT_DRM_MPEG_PS ` `AOT_DRM_SURROUND ` `AOT_DRM_USAC ` | Calculated using second byte of data | +|`AACENC_SAMPLERATE` | `8000 ` `11025 ` `12000 ` `16000 ` `22050 ` `24000 ` `32000 ` `44100 ` `48000 ` `64000 ` `88200 ` `96000 `| Calculated using third byte of data | +|`AACENC_BITRATE` | In range `8000 ` to `960000 ` | Calculated using fourth, fifth and sixth byte of data | +|`AACENC_CHANNELMODE` | `MODE_1 ` `MODE_2 ` `MODE_1_2 ` `MODE_1_2_1 ` `MODE_1_2_2 ` `MODE_1_2_2_1 ` `MODE_1_2_2_2_1 ` `MODE_6_1 ` `MODE_7_1_BACK ` `MODE_7_1_TOP_FRONT ` `MODE_7_1_REAR_SURROUND ` `MODE_7_1_FRONT_CENTER ` `MODE_212 ` | Calculated using seventh byte of data | +|`AACENC_TRANSMUX` | `TT_MP4_RAW ` `TT_MP4_ADIF ` `TT_MP4_ADTS ` `TT_MP4_LATM_MCP1 ` `TT_MP4_LATM_MCP0 ` `TT_MP4_LOAS ` `TT_DRM ` | Calculated using eight byte of data |`AACENC_SBR_RATIO` |`-1 ` `0 ` `1 ` `2 ` | Calculated using ninth byte of data | +|`AACENC_BITRATEMODE` |`AACENC_BR_MODE_INVALID ` `AACENC_BR_MODE_CBR ` `AACENC_BR_MODE_VBR_1 ` `AACENC_BR_MODE_VBR_2 ` `AACENC_BR_MODE_VBR_3 ` `AACENC_BR_MODE_VBR_4 ` `AACENC_BR_MODE_VBR_5 ` `AACENC_BR_MODE_FF ` `AACENC_BR_MODE_SFR ` | Calculated using thirty-fourth byte of data | +|`AACENC_GRANULE_LENGTH` |`120 ` `128 ` `240 ` `256 ` `480 ` `512 ` `1024 ` | Calculated using thirty-fifth byte of data | +|`AACENC_CHANNELORDER` |`CH_ORDER_MPEG ` `CH_ORDER_WAV ` | Calculated using thirty-sixth byte of data | +|`AACENC_AFTERBURNER` |`0 ` `1 ` | Calculated using thirty-seventh byte of data | +|`AACENC_BANDWIDTH` |`0 ` `1` | Calculated using thirty-eigth byte of data | +|` AACENC_IDX_PEAK_BITRATE` | In range `8000 ` to `960000 ` | Calculated using thirty-ninth byte of data | +|` AACENC_HEADER_PERIOD` |In range `0 ` to `255 ` | Calculated using fortieth byte of data | +|` AACENC_SIGNALING_MODE` |`-1 ` `0 ` `1 ` `2 ` `3 ` | Calculated using forty-first byte of data | +|` AACENC_TPSUBFRAMES` |In range `0 ` to `255 ` | Calculated using forty-second byte of data | +|` AACENC_AUDIOMUXVER` |`-1 ` `0 ` `1 ` `2 ` | Calculated using forty-third byte of data | +|` AACENC_PROTECTION` |`0 ` `1 ` | Calculated using forty-fourth of data | +|`AACENC_ANCILLARY_BITRATE` |In range `0 ` to `960000 `| Calculated using forty-fifth byte of data | +|`AACENC_METADATA_MODE ` |`0 ` `1 ` `2 ` `3 ` | Calculated using forty-sixth byte of data | Following values are configured to set up the meta data represented by the class variable `mMetaData ` : + | Variable name| Possible Values| Configured Value| |------------- | ----- |----- | | `drc_profile` | `AACENC_METADATA_DRC_NONE ` `AACENC_METADATA_DRC_FILMSTANDARD ` `AACENC_METADATA_DRC_FILMLIGHT ` `AACENC_METADATA_DRC_MUSICSTANDARD ` `AACENC_METADATA_DRC_MUSICLIGHT ` `AACENC_METADATA_DRC_SPEECH ` `AACENC_METADATA_DRC_NOT_PRESENT ` | Calculated using tenth byte of data | diff --git a/fuzzer/aac_enc_fuzzer.cpp b/fuzzer/aac_enc_fuzzer.cpp index 4908922..4cce6fa 100644 --- a/fuzzer/aac_enc_fuzzer.cpp +++ b/fuzzer/aac_enc_fuzzer.cpp @@ -20,6 +20,7 @@ #include #include "aacenc_lib.h" +#include "src/aacenc.h" using namespace std; @@ -31,24 +32,82 @@ constexpr size_t kMaxOutputBufferSize = 8192; constexpr uint32_t kMinBitRate = 8000; constexpr uint32_t kMaxBitRate = 960000; -constexpr uint32_t kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000}; +constexpr int32_t kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000, + 32000, 44100, 48000, 64000, 88200, 96000}; constexpr size_t kSampleRatesSize = size(kSampleRates); -constexpr CHANNEL_MODE kChannelModes[] = {MODE_1, MODE_2, MODE_1_2, MODE_1_2_1, - MODE_1_2_2, MODE_1_2_2_1, MODE_1_2_2_2_1, MODE_7_1_BACK}; +constexpr CHANNEL_MODE kChannelModes[] = {MODE_1, + MODE_2, + MODE_1_2, + MODE_1_2_1, + MODE_1_2_2, + MODE_1_2_2_1, + MODE_1_2_2_2_1, + MODE_6_1, + MODE_7_1_BACK, + MODE_7_1_TOP_FRONT, + MODE_7_1_REAR_SURROUND, + MODE_7_1_FRONT_CENTER, + MODE_212}; constexpr size_t kChannelModesSize = size(kChannelModes); constexpr TRANSPORT_TYPE kIdentifiers[] = { TT_MP4_RAW, TT_MP4_ADIF, TT_MP4_ADTS, TT_MP4_LATM_MCP1, TT_MP4_LATM_MCP0, TT_MP4_LOAS, TT_DRM}; constexpr size_t kIdentifiersSize = size(kIdentifiers); -constexpr AUDIO_OBJECT_TYPE kAudioObjectTypes[] = {AOT_AAC_LC, AOT_ER_AAC_ELD, AOT_SBR, AOT_PS, - AOT_ER_AAC_LD}; +constexpr AUDIO_OBJECT_TYPE kAudioObjectTypes[] = {AOT_NONE, AOT_NULL_OBJECT, + AOT_AAC_MAIN, AOT_AAC_LC, + AOT_AAC_SSR, AOT_AAC_LTP, + AOT_SBR, AOT_AAC_SCAL, + AOT_TWIN_VQ, AOT_CELP, + AOT_HVXC, AOT_RSVD_10, + AOT_RSVD_11, AOT_TTSI, + AOT_MAIN_SYNTH, AOT_WAV_TAB_SYNTH, + AOT_GEN_MIDI, AOT_ALG_SYNTH_AUD_FX, + AOT_ER_AAC_LC, AOT_RSVD_18, + AOT_ER_AAC_LTP, AOT_ER_AAC_SCAL, + AOT_ER_TWIN_VQ, AOT_ER_BSAC, + AOT_ER_AAC_LD, AOT_ER_CELP, + AOT_ER_HVXC, AOT_ER_HILN, + AOT_ER_PARA, AOT_RSVD_28, + AOT_PS, AOT_MPEGS, + AOT_ESCAPE, AOT_MP3ONMP4_L1, + AOT_MP3ONMP4_L2, AOT_MP3ONMP4_L3, + AOT_RSVD_35, AOT_RSVD_36, + AOT_AAC_SLS, AOT_SLS, + AOT_ER_AAC_ELD, AOT_USAC, + AOT_SAOC, AOT_LD_MPEGS, + AOT_MP2_AAC_LC, AOT_MP2_SBR, + AOT_DRM_AAC, AOT_DRM_SBR, + AOT_DRM_MPEG_PS, AOT_DRM_SURROUND, + AOT_DRM_USAC}; + constexpr size_t kAudioObjectTypesSize = size(kAudioObjectTypes); -constexpr int32_t kSbrRatios[] = {0, 1, 2}; +constexpr int32_t kSbrRatios[] = {-1, 0, 1, 2}; constexpr size_t kSbrRatiosSize = size(kSbrRatios); +constexpr int32_t kBitRateModes[] = { + AACENC_BR_MODE_INVALID, AACENC_BR_MODE_CBR, AACENC_BR_MODE_VBR_1, + AACENC_BR_MODE_VBR_2, AACENC_BR_MODE_VBR_3, AACENC_BR_MODE_VBR_4, + AACENC_BR_MODE_VBR_5, AACENC_BR_MODE_FF, AACENC_BR_MODE_SFR}; +constexpr size_t kBitRateModesSize = size(kBitRateModes); + +constexpr int32_t kGranuleLengths[] = {120, 128, 240, 256, 480, 512, 1024}; +constexpr size_t kGranuleLengthsSize = size(kGranuleLengths); + +constexpr int32_t kChannelOrder[] = {CH_ORDER_MPEG, CH_ORDER_WAV}; +constexpr size_t kChannelOrderSize = size(kChannelOrder); + +constexpr int32_t kSignalingModes[] = {-1, 0, 1, 2, 3}; +constexpr size_t kSignalingModesSize = size(kGranuleLengths); + +constexpr int32_t kAudioMuxVer[] = {-1, 0, 1, 2}; +constexpr size_t kAudioMuxVerSize = size(kAudioMuxVer); + +constexpr int32_t kSbrModes[] = {-1, 0, 1, 2}; +constexpr size_t kSbrModesSize = size(kSbrModes); + constexpr AACENC_METADATA_DRC_PROFILE kMetaDataDrcProfiles[] = { AACENC_METADATA_DRC_NONE, AACENC_METADATA_DRC_FILMSTANDARD, AACENC_METADATA_DRC_FILMLIGHT, AACENC_METADATA_DRC_MUSICSTANDARD, @@ -66,7 +125,6 @@ enum { IDX_CHANNEL, IDX_IDENTIFIER, IDX_SBR_RATIO, - IDX_METADATA_DRC_PROFILE, IDX_METADATA_COMP_PROFILE, IDX_METADATA_DRC_TARGET_REF_LEVEL, @@ -88,21 +146,25 @@ enum { IDX_METADATA_DMX_GAIN_2, IDX_METADATA_LFE_DMX_ENABLE, IDX_METADATA_LFE_DMX_LEVEL, - IDX_IN_BUFFER_INDEX_1, IDX_IN_BUFFER_INDEX_2, IDX_IN_BUFFER_INDEX_3, - + IDX_BIT_RATE_MODE, + IDX_GRANULE_LENGTH, + IDX_CHANNELORDER, + IDX_AFTERBURNER, + IDX_BANDWIDTH, + IDX_PEAK_BITRATE, + IDX_HEADER_PERIOD, + IDX_SIGNALING_MODE, + IDX_TPSUBFRAMES, + IDX_AUDIOMUXVER, + IDX_PROTECTION, + IDX_ANCILLARY_BITRATE, + IDX_METADATA_MODE, IDX_LAST }; -enum aac_sbr_mode_t : uint32_t { - AAC_SBR_OFF, - AAC_SBR_SINGLE_RATE, - AAC_SBR_DUAL_RATE, - AAC_SBR_AUTO -}; - template auto generateNumberInRangeFromData(type1 data, type2 min, type3 max) -> decltype(max) { return (data % (1 + max - min)) + min; @@ -116,6 +178,9 @@ class Codec { void deInitEncoder(); private: + template + void setAACParam(type1 data, const AACENC_PARAM aacParam, type2 min, type2 max, + const type3 *array = nullptr); void setupMetaData(uint8_t *data); HANDLE_AACENCODER mEncoder = nullptr; @@ -206,6 +271,20 @@ void Codec::setupMetaData(uint8_t *data) { mMetaData.ExtMetaData.lfeDmxLevel = lfeDmxLevel; } +template +void Codec::setAACParam(type1 data, const AACENC_PARAM aacParam, type2 min, type2 max, + const type3 *array) { + auto value = 0; + if (array) { + uint32_t index = generateNumberInRangeFromData(data, min, max); + value = array[index]; + } else { + value = generateNumberInRangeFromData(data, min, max); + } + aacEncoder_SetParam(mEncoder, aacParam, value); + (void)aacEncoder_GetParam(mEncoder, aacParam); +} + bool Codec::initEncoder(uint8_t **dataPtr, size_t *sizePtr) { uint8_t *data = *dataPtr; @@ -213,39 +292,65 @@ bool Codec::initEncoder(uint8_t **dataPtr, size_t *sizePtr) { return false; } - uint32_t sbrMode = generateNumberInRangeFromData(data[IDX_SBR_MODE], (uint32_t)AAC_SBR_OFF, - (uint32_t)AAC_SBR_AUTO); - aacEncoder_SetParam(mEncoder, AACENC_SBR_MODE, sbrMode); + setAACParam(data[IDX_SBR_MODE], AACENC_SBR_MODE, 0, kSbrModesSize - 1, + kSbrModes); - uint32_t sbrRatioIndex = - generateNumberInRangeFromData(data[IDX_SBR_RATIO], 0, kSbrRatiosSize - 1); - int32_t sbrRatio = kSbrRatios[sbrRatioIndex]; - aacEncoder_SetParam(mEncoder, AACENC_SBR_RATIO, sbrRatio); + setAACParam(data[IDX_SBR_RATIO], AACENC_SBR_RATIO, 0, + kSbrRatiosSize - 1, kSbrRatios); - uint32_t aacAOTIndex = - generateNumberInRangeFromData(data[IDX_AAC_AOT], 0, kAudioObjectTypesSize - 1); - uint32_t aacAOT = kAudioObjectTypes[aacAOTIndex]; - aacEncoder_SetParam(mEncoder, AACENC_AOT, aacAOT); + setAACParam(data[IDX_AAC_AOT], AACENC_AOT, 0, + kAudioObjectTypesSize - 1, kAudioObjectTypes); - uint32_t sampleRateIndex = - generateNumberInRangeFromData(data[IDX_SAMPLE_RATE], 0, kSampleRatesSize - 1); - uint32_t sampleRate = kSampleRates[sampleRateIndex]; - aacEncoder_SetParam(mEncoder, AACENC_SAMPLERATE, sampleRate); + setAACParam(data[IDX_SAMPLE_RATE], AACENC_SAMPLERATE, 0, + kSampleRatesSize - 1, kSampleRates); uint32_t tempValue = (data[IDX_BIT_RATE_1] << 16) | (data[IDX_BIT_RATE_2] << 8) | data[IDX_BIT_RATE_3]; - uint32_t bitRate = generateNumberInRangeFromData(tempValue, kMinBitRate, kMaxBitRate); - aacEncoder_SetParam(mEncoder, AACENC_BITRATE, bitRate); - - uint32_t channelModeIndex = - generateNumberInRangeFromData(data[IDX_CHANNEL], 0, kChannelModesSize - 1); - CHANNEL_MODE channelMode = kChannelModes[channelModeIndex]; - aacEncoder_SetParam(mEncoder, AACENC_CHANNELMODE, channelMode); - - uint32_t identifierIndex = - generateNumberInRangeFromData(data[IDX_IDENTIFIER], 0, kIdentifiersSize - 1); - uint32_t identifier = kIdentifiers[identifierIndex]; - aacEncoder_SetParam(mEncoder, AACENC_TRANSMUX, identifier); + setAACParam(tempValue, AACENC_BITRATE, kMinBitRate, kMaxBitRate); + + setAACParam(data[IDX_CHANNEL], AACENC_CHANNELMODE, 0, + kChannelModesSize - 1, kChannelModes); + + setAACParam(data[IDX_IDENTIFIER], AACENC_TRANSMUX, 0, + kIdentifiersSize - 1, kIdentifiers); + + setAACParam(data[IDX_BIT_RATE_MODE], AACENC_BITRATEMODE, 0, + kBitRateModesSize - 1, kBitRateModes); + + setAACParam(data[IDX_GRANULE_LENGTH], AACENC_GRANULE_LENGTH, 0, + kGranuleLengthsSize - 1, kGranuleLengths); + + setAACParam(data[IDX_CHANNELORDER], AACENC_CHANNELORDER, 0, + kChannelOrderSize - 1, kChannelOrder); + + setAACParam(data[IDX_AFTERBURNER], AACENC_AFTERBURNER, 0, 1); + + setAACParam(data[IDX_BANDWIDTH], AACENC_BANDWIDTH, 0, 1); + + setAACParam(data[IDX_PEAK_BITRATE], AACENC_PEAK_BITRATE, + kMinBitRate, kMinBitRate); + + setAACParam(data[IDX_HEADER_PERIOD], AACENC_HEADER_PERIOD, 0, + UINT8_MAX); + + setAACParam(data[IDX_SIGNALING_MODE], AACENC_SIGNALING_MODE, 0, + kSignalingModesSize - 1, kSignalingModes); + + setAACParam(data[IDX_TPSUBFRAMES], AACENC_TPSUBFRAMES, 0, + UINT8_MAX); + + setAACParam(data[IDX_AUDIOMUXVER], AACENC_AUDIOMUXVER, 0, + kAudioMuxVerSize - 1, kAudioMuxVer); + + setAACParam(data[IDX_PROTECTION], AACENC_PROTECTION, 0, 1); + + setAACParam(data[IDX_ANCILLARY_BITRATE], AACENC_ANCILLARY_BITRATE, + 0, kMaxBitRate); + + setAACParam(data[IDX_METADATA_MODE], AACENC_METADATA_MODE, 0, 3); + + AACENC_InfoStruct encInfo; + aacEncInfo(mEncoder, &encInfo); mInBufferIdx_1 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_1], 0, kMaxBuffers - 1); mInBufferIdx_2 = generateNumberInRangeFromData(data[IDX_IN_BUFFER_INDEX_2], 0, kMaxBuffers - 1); -- cgit v1.2.3 From 176eed73f14eab86ff20a5b4a0d00c688b51fcd0 Mon Sep 17 00:00:00 2001 From: Bob Badour Date: Fri, 12 Feb 2021 15:27:18 -0800 Subject: [LSC] Add LOCAL_LICENSE_KINDS to external/aac Added SPDX-license-identifier-Apache-2.0 to: fuzzer/Android.bp Added SPDX-license-identifier-Apache-2.0 legacy_by_exception_only to: Android.bp Bug: 68860345 Bug: 151177513 Bug: 151953481 Test: m all Exempt-From-Owner-Approval: janitorial work Change-Id: I518bcad1cb91b80b2bcce1726f53aadf9afc749e --- Android.bp | 33 +++++++++++++++++++++++++++++++++ fuzzer/Android.bp | 9 +++++++++ 2 files changed, 42 insertions(+) (limited to 'fuzzer') diff --git a/Android.bp b/Android.bp index c1e8734..0c67186 100644 --- a/Android.bp +++ b/Android.bp @@ -1,3 +1,36 @@ +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + default_applicable_licenses: ["external_aac_license"], +} + +// Added automatically by a large-scale-change that took the approach of +// 'apply every license found to every target'. While this makes sure we respect +// every license restriction, it may not be entirely correct. +// +// e.g. GPL in an MIT project might only apply to the contrib/ directory. +// +// Please consider splitting the single license below into multiple licenses, +// taking care not to lose any license_kind information, and overriding the +// default license using the 'licenses: [...]' property on targets as needed. +// +// For unused files, consider creating a 'fileGroup' with "//visibility:private" +// to attach the license to, and including a comment whether the files may be +// used in the current project. +// See: http://go/android-license-faq +license { + name: "external_aac_license", + visibility: [":__subpackages__"], + license_kinds: [ + "SPDX-license-identifier-Apache-2.0", + "legacy_by_exception_only", // by exception only + ], + license_text: [ + "NOTICE", + ], +} + cc_library_static { name: "libFraunhoferAAC", vendor_available: true, diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp index 0aff547..6739798 100644 --- a/fuzzer/Android.bp +++ b/fuzzer/Android.bp @@ -18,6 +18,15 @@ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore */ +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "external_aac_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["external_aac_license"], +} + cc_defaults { name: "aac_fuzz_defaults", host_supported: true, -- cgit v1.2.3 From b50bd1751d5368aae6beab3e166f598bc1a497c1 Mon Sep 17 00:00:00 2001 From: Anuj Joshi Date: Tue, 16 Feb 2021 09:48:17 +0530 Subject: Fix improper assignment in aac_enc_fuzzer This commit updates the fuzzer to use correct value of kSignalingModesSize and prevent OOB access on kSignalingModes Test: ./aac_enc_fuzzer Bug: 180220144 Change-Id: Ic9d01c5c166f2291d8d8ffacaa7813fb1560322b --- fuzzer/aac_enc_fuzzer.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'fuzzer') diff --git a/fuzzer/aac_enc_fuzzer.cpp b/fuzzer/aac_enc_fuzzer.cpp index 4cce6fa..5a35d70 100644 --- a/fuzzer/aac_enc_fuzzer.cpp +++ b/fuzzer/aac_enc_fuzzer.cpp @@ -100,7 +100,7 @@ constexpr int32_t kChannelOrder[] = {CH_ORDER_MPEG, CH_ORDER_WAV}; constexpr size_t kChannelOrderSize = size(kChannelOrder); constexpr int32_t kSignalingModes[] = {-1, 0, 1, 2, 3}; -constexpr size_t kSignalingModesSize = size(kGranuleLengths); +constexpr size_t kSignalingModesSize = size(kSignalingModes); constexpr int32_t kAudioMuxVer[] = {-1, 0, 1, 2}; constexpr size_t kAudioMuxVerSize = size(kAudioMuxVer); -- cgit v1.2.3