1 /*
2 * Copyright (c) 2017 The WebRTC project authors. All Rights Reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
11 #include <memory>
12
13 #include "api/scoped_refptr.h"
14 #include "modules/rtp_rtcp/source/byte_io.h"
15 #include "modules/rtp_rtcp/source/forward_error_correction.h"
16 #include "rtc_base/byte_buffer.h"
17
18 namespace webrtc {
19
namespace {

// SSRC stamped on every media packet the harness fabricates, and written into
// the SSRC_i field of the synthesized FlexFEC headers.
constexpr uint32_t kMediaSsrc{100200300};
// SSRC stamped on every packet the harness presents to the decoder as FEC.
constexpr uint32_t kFecSsrc{111222333};

// Number of payload bytes taken from the fuzz input for each received packet;
// also the size of each zero-filled packet pre-seeded into the recovered list.
constexpr size_t kPacketSize{50};
// Modulus applied to the fuzzer-chosen count of pre-seeded recovered packets,
// so FuzzOneInput seeds between 0 and kMaxPacketsInBuffer - 1 of them.
constexpr size_t kMaxPacketsInBuffer{48};

}  // namespace
27
// Fuzz entry point: drives a FlexFEC ForwardErrorCorrection decoder with a
// stream of fabricated media and FEC packets derived from `data`.
//
// Input layout, consumed strictly in this order (changing the order changes
// how an existing corpus maps onto decoder behaviour):
//   2 bytes  initial media sequence number
//   2 bytes  initial FEC sequence number
//   1 byte   count of pre-seeded recovered packets (taken mod
//            kMaxPacketsInBuffer)
//   then repeated 55-byte records until the input runs out:
//     kPacketSize bytes  packet payload
//     1 byte             reordering selector
//     2 bytes            sequence number offset
//     1 byte             packet type selector (even => FEC, odd => media)
//     1 byte             loss selector
//
// The function returns as soon as any read from the input fails, so a
// truncated trailing record is discarded without being decoded.
void FuzzOneInput(const uint8_t* data, size_t size) {
  // Cap the input. Every loop record below needs 55 bytes, so this also bounds
  // one test case to roughly 90 packets handed to the decoder.
  if (size > 5000)
    return;

  // Object under test.
  std::unique_ptr<ForwardErrorCorrection> fec =
      ForwardErrorCorrection::CreateFlexfec(kFecSsrc, kMediaSsrc);

  // Entropy from fuzzer.
  rtc::ByteBufferReader fuzz_buffer(reinterpret_cast<const char*>(data), size);

  // Initial stream state.
  uint16_t next_media_seq;
  if (!fuzz_buffer.ReadUInt16(&next_media_seq))
    return;
  // Remembered before any increment; later written as "SN base_i" in every
  // synthesized FlexFEC header.
  const uint16_t media_seq_base = next_media_seq;
  uint16_t next_fec_seq;
  if (!fuzz_buffer.ReadUInt16(&next_fec_seq))
    return;

  // Existing packets in the packet buffer: zero-filled media packets with
  // consecutive sequence numbers starting at the initial media seqnum.
  ForwardErrorCorrection::RecoveredPacketList recovered_packets;
  uint8_t seed_count_byte;
  if (!fuzz_buffer.ReadUInt8(&seed_count_byte))
    return;
  const size_t seed_count = seed_count_byte % kMaxPacketsInBuffer;
  for (size_t i = 0; i < seed_count; ++i) {
    auto* seeded = new ForwardErrorCorrection::RecoveredPacket();
    seeded->pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
        new ForwardErrorCorrection::Packet());
    seeded->pkt->data.SetSize(kPacketSize);
    memset(seeded->pkt->data.MutableData(), 0, kPacketSize);
    seeded->ssrc = kMediaSsrc;
    seeded->seq_num = next_media_seq++;
    // The list takes the raw pointer from here on.
    recovered_packets.emplace_back(seeded);
  }

  // New packets received from the network. A single ReceivedPacket, and a
  // single underlying Packet, is reused for every loop iteration.
  ForwardErrorCorrection::ReceivedPacket received_packet;
  received_packet.pkt = rtc::scoped_refptr<ForwardErrorCorrection::Packet>(
      new ForwardErrorCorrection::Packet());
  auto& payload = received_packet.pkt->data;
  payload.SetSize(kPacketSize);
  payload.EnsureCapacity(IP_PACKET_SIZE);
  // Pointer is taken after the size/capacity calls; nothing in this function
  // resizes the buffer afterwards.
  // NOTE(review): if DecodeFec keeps a reference to `received_packet.pkt`,
  // later iterations overwrite the bytes it retained through this pointer,
  // which makes crashes harder to attribute to one packet - confirm this
  // sharing is intended.
  uint8_t* const packet_buffer = payload.MutableData();

  for (;;) {
    uint8_t reordering;
    uint16_t seq_num_diff;
    uint8_t packet_type;
    uint8_t packet_loss;

    // One record per packet; && short-circuits, so the reads happen in the
    // documented order and stop at the first failure.
    const bool have_record =
        fuzz_buffer.ReadBytes(reinterpret_cast<char*>(packet_buffer),
                              kPacketSize) &&
        fuzz_buffer.ReadUInt8(&reordering) &&
        fuzz_buffer.ReadUInt16(&seq_num_diff) &&
        fuzz_buffer.ReadUInt8(&packet_type) &&
        fuzz_buffer.ReadUInt8(&packet_loss);
    if (!have_record)
      return;

    // Only one selector value in ten keeps the fuzzer-chosen sequence offset;
    // otherwise the packet arrives in order.
    if (reordering % 10 != 0)
      seq_num_diff = 0;

    const bool is_fec = (packet_type % 2 == 0);
    received_packet.is_fec = is_fec;
    received_packet.ssrc = is_fec ? kFecSsrc : kMediaSsrc;
    if (is_fec) {
      received_packet.seq_num = seq_num_diff + next_fec_seq++;

      // Overwrite parts of the FlexFEC header for fuzzing efficiency
      // (presumably so fewer inputs are rejected before the recovery logic is
      // reached). All offsets written here lie inside the kPacketSize bytes
      // just read.
      packet_buffer[0] = 0;  // R, F bits.
      ByteWriter<uint8_t>::WriteBigEndian(&packet_buffer[8], 1);  // SSRCCount.
      ByteWriter<uint32_t>::WriteBigEndian(&packet_buffer[12],
                                           kMediaSsrc);  // SSRC_i.
      ByteWriter<uint16_t>::WriteBigEndian(&packet_buffer[16],
                                           media_seq_base);  // SN base_i.
    } else {
      received_packet.seq_num = seq_num_diff + next_media_seq++;
    }

    // Simulated loss: one selector value in ten drops the packet. The
    // sequence counter above has already advanced, so the decoder sees a gap.
    if (packet_loss % 10 != 0)
      fec->DecodeFec(received_packet, &recovered_packets);
  }
}
118
119 } // namespace webrtc
120