# Fuzzer for libFraunhoferAAC decoder

## Plugin Design Considerations
The fuzzer plugin for aac decoder is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage

This fuzzer makes use of the following config parameters:
1. Transport type (parameter name: `TRANSPORT_TYPE`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `TRANSPORT_TYPE` | 0. `TT_UNKNOWN` 1. `TT_MP4_RAW` 2. `TT_MP4_ADIF` 3. `TT_MP4_ADTS` 4. `TT_MP4_LATM_MCP1` 5. `TT_MP4_LATM_MCP0` 6. `TT_MP4_LOAS` 7. `TT_DRM` | `TT_MP4_ADIF` |

Note: Value of `TRANSPORT_TYPE` could be set to any of these values.
It is set to `TT_MP4_ADIF` in the fuzzer plugin.

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec using a loop.
 * If the decode operation was successful, the input is advanced by an
   offset calculated using valid bytes.
 * If the decode operation was unsuccessful, the input is advanced by 1 byte
   until it reaches a valid frame or end of stream.

This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and does not `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This section describes the steps to build the `aac_dec_fuzzer` binary.

## Android

### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) aac_dec_fuzzer
```

### Steps to run
Create a directory CORPUS_DIR and copy some aac files to that folder.
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
```
To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
```

# Fuzzer for libFraunhoferAAC encoder

## Plugin Design Considerations
The fuzzer plugin for aac encoder is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.
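
The following added example, not taken from the fuzzer source, shows one way to derive always-valid settings from the input bytes for four of the parameters in the table that follows. The modulo mapping and the names `EncConfig`, `pick`, `byteAt` and `configFromInput` are assumptions; the README states only which byte drives each parameter and which values are valid.

```cpp
// Added example: turn leading fuzz bytes into always-valid encoder settings.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical holder for the derived settings, not an FDK type.
struct EncConfig { int sbrMode, sampleRate, granuleLength; uint32_t bitrate; };

// Valid values copied from the README tables.
static const int kSbrModes[] = {-1, 0, 1, 2};
static const int kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000,
                                   32000, 44100, 48000, 64000, 88200, 96000};
static const int kGranuleLengths[] = {120, 128, 240, 256, 480, 512, 1024};
static const uint32_t kMinBitrate = 8000, kMaxBitrate = 960000;

// Assumed mapping: index the table modulo its size, so any byte is valid.
template <typename T, size_t N>
static T pick(const T (&table)[N], uint8_t b) { return table[b % N]; }

// README positions are 1-based ("first byte"); short inputs read as 0
// instead of reading past the end of the buffer.
static uint8_t byteAt(const uint8_t* d, size_t size, size_t pos) {
    return (pos >= 1 && pos <= size) ? d[pos - 1] : 0;
}

EncConfig configFromInput(const uint8_t* d, size_t size) {
    EncConfig c;
    c.sbrMode = pick(kSbrModes, byteAt(d, size, 1));
    c.sampleRate = pick(kSampleRates, byteAt(d, size, 3));
    // Bytes four to six form a 24-bit value folded into [8000, 960000].
    uint32_t raw = (uint32_t(byteAt(d, size, 4)) << 16) |
                   (uint32_t(byteAt(d, size, 5)) << 8) | byteAt(d, size, 6);
    c.bitrate = kMinBitrate + raw % (kMaxBitrate - kMinBitrate + 1);
    c.granuleLength = pick(kGranuleLengths, byteAt(d, size, 35));
    return c;
}

int main() {
    const uint8_t in[] = {0x03, 0x00, 0x07, 0x00, 0x00, 0x01};  // constructed
    EncConfig c = configFromInput(in, sizeof in);
    std::printf("sbr=%d rate=%d bitrate=%u granule=%d\n", c.sbrMode,
                c.sampleRate, (unsigned)c.bitrate, c.granuleLength);
    return 0;
}
```

Because every byte value maps to some valid setting and missing bytes read as zero, no input is rejected before it reaches the encoder.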

The following arguments are passed to `aacEncoder_SetParam` to set the respective `AACENC_PARAM` parameter:

| AACENC_PARAM param | Valid Values | Configured Value |
|--------------------|--------------|------------------|
| `AACENC_SBR_MODE` | `-1` `0` `1` `2` | Calculated using first byte of data |
| `AACENC_AOT` | `AOT_NONE` `AOT_NULL_OBJECT` `AOT_AAC_MAIN` `AOT_AAC_LC` `AOT_AAC_SSR` `AOT_AAC_LTP` `AOT_SBR` `AOT_AAC_SCAL` `AOT_TWIN_VQ` `AOT_CELP` `AOT_HVXC` `AOT_RSVD_10` `AOT_RSVD_11` `AOT_TTSI` `AOT_MAIN_SYNTH` `AOT_WAV_TAB_SYNTH` `AOT_GEN_MIDI` `AOT_ALG_SYNTH_AUD_FX` `AOT_ER_AAC_LC` `AOT_RSVD_18` `AOT_ER_AAC_LTP` `AOT_ER_AAC_SCAL` `AOT_ER_TWIN_VQ` `AOT_ER_BSAC` `AOT_ER_AAC_LD` `AOT_ER_CELP` `AOT_ER_HVXC` `AOT_ER_HILN` `AOT_ER_PARA` `AOT_RSVD_28` `AOT_PS` `AOT_MPEGS` `AOT_ESCAPE` `AOT_MP3ONMP4_L1` `AOT_MP3ONMP4_L2` `AOT_MP3ONMP4_L3` `AOT_RSVD_35` `AOT_RSVD_36` `AOT_AAC_SLS` `AOT_SLS` `AOT_ER_AAC_ELD` `AOT_USAC` `AOT_SAOC` `AOT_LD_MPEGS` `AOT_MP2_AAC_LC` `AOT_MP2_SBR` `AOT_DRM_AAC` `AOT_DRM_SBR` `AOT_DRM_MPEG_PS` `AOT_DRM_SURROUND` `AOT_DRM_USAC` | Calculated using second byte of data |
| `AACENC_SAMPLERATE` | `8000` `11025` `12000` `16000` `22050` `24000` `32000` `44100` `48000` `64000` `88200` `96000` | Calculated using third byte of data |
| `AACENC_BITRATE` | In range `8000` to `960000` | Calculated using fourth, fifth and sixth byte of data |
| `AACENC_CHANNELMODE` | `MODE_1` `MODE_2` `MODE_1_2` `MODE_1_2_1` `MODE_1_2_2` `MODE_1_2_2_1` `MODE_1_2_2_2_1` `MODE_6_1` `MODE_7_1_BACK` `MODE_7_1_TOP_FRONT` `MODE_7_1_REAR_SURROUND` `MODE_7_1_FRONT_CENTER` `MODE_212` | Calculated using seventh byte of data |
| `AACENC_TRANSMUX` | `TT_MP4_RAW` `TT_MP4_ADIF` `TT_MP4_ADTS` `TT_MP4_LATM_MCP1` `TT_MP4_LATM_MCP0` `TT_MP4_LOAS` `TT_DRM` | Calculated using eighth byte of data |
| `AACENC_SBR_RATIO` | `-1` `0` `1` `2` | Calculated using ninth byte of data |
| `AACENC_BITRATEMODE` | `AACENC_BR_MODE_INVALID` `AACENC_BR_MODE_CBR` `AACENC_BR_MODE_VBR_1` `AACENC_BR_MODE_VBR_2` `AACENC_BR_MODE_VBR_3` `AACENC_BR_MODE_VBR_4` `AACENC_BR_MODE_VBR_5` `AACENC_BR_MODE_FF` `AACENC_BR_MODE_SFR` | Calculated using thirty-fourth byte of data |
| `AACENC_GRANULE_LENGTH` | `120` `128` `240` `256` `480` `512` `1024` | Calculated using thirty-fifth byte of data |
| `AACENC_CHANNELORDER` | `CH_ORDER_MPEG` `CH_ORDER_WAV` | Calculated using thirty-sixth byte of data |
| `AACENC_AFTERBURNER` | `0` `1` | Calculated using thirty-seventh byte of data |
| `AACENC_BANDWIDTH` | `0` `1` | Calculated using thirty-eighth byte of data |
| `AACENC_IDX_PEAK_BITRATE` | In range `8000` to `960000` | Calculated using thirty-ninth byte of data |
| `AACENC_HEADER_PERIOD` | In range `0` to `255` | Calculated using fortieth byte of data |
| `AACENC_SIGNALING_MODE` | `-1` `0` `1` `2` `3` | Calculated using forty-first byte of data |
| `AACENC_TPSUBFRAMES` | In range `0` to `255` | Calculated using forty-second byte of data |
| `AACENC_AUDIOMUXVER` | `-1` `0` `1` `2` | Calculated using forty-third byte of data |
| `AACENC_PROTECTION` | `0` `1` | Calculated using forty-fourth byte of data |
| `AACENC_ANCILLARY_BITRATE` | In range `0` to `960000` | Calculated using forty-fifth byte of data |
| `AACENC_METADATA_MODE` | `0` `1` `2` `3` | Calculated using forty-sixth byte of data |

The following values are configured to set up the metadata represented by the class variable `mMetaData`:

| Variable name | Possible Values | Configured Value |
|---------------|-----------------|------------------|
| `drc_profile` | `AACENC_METADATA_DRC_NONE` `AACENC_METADATA_DRC_FILMSTANDARD` `AACENC_METADATA_DRC_FILMLIGHT` `AACENC_METADATA_DRC_MUSICSTANDARD` `AACENC_METADATA_DRC_MUSICLIGHT` `AACENC_METADATA_DRC_SPEECH` `AACENC_METADATA_DRC_NOT_PRESENT` | Calculated using tenth byte of data |
| `comp_profile` | `AACENC_METADATA_DRC_NONE` `AACENC_METADATA_DRC_FILMSTANDARD` `AACENC_METADATA_DRC_FILMLIGHT` `AACENC_METADATA_DRC_MUSICSTANDARD` `AACENC_METADATA_DRC_MUSICLIGHT` `AACENC_METADATA_DRC_SPEECH` `AACENC_METADATA_DRC_NOT_PRESENT` | Calculated using eleventh byte of data |
| `drc_TargetRefLevel` | In range `0` to `255` | Calculated using twelfth byte of data |
| `comp_TargetRefLevel` | In range `0` to `255` | Calculated using thirteenth byte of data |
| `prog_ref_level_present` | `0` `1` | Calculated using fourteenth byte of data |
| `prog_ref_level` | In range `0` to `255` | Calculated using fifteenth byte of data |
| `PCE_mixdown_idx_present` | `0` `1` | Calculated using sixteenth byte of data |
| `ETSI_DmxLvl_present` | `0` `1` | Calculated using seventeenth byte of data |
| `centerMixLevel` | In range `0` to `7` | Calculated using eighteenth byte of data |
| `surroundMixLevel` | In range `0` to `7` | Calculated using nineteenth byte of data |
| `dolbySurroundMode` | In range `0` to `2` | Calculated using twentieth byte of data |
| `drcPresentationMode` | In range `0` to `2` | Calculated using twenty-first byte of data |
| `extAncDataEnable` | `0` `1` | Calculated using twenty-second byte of data |
| `extDownmixLevelEnable` | `0` `1` | Calculated using twenty-third byte of data |
| `extDownmixLevel_A` | In range `0` to `7` | Calculated using twenty-fourth byte of data |
| `extDownmixLevel_B` | In range `0` to `7` | Calculated using twenty-fifth byte of data |
| `dmxGainEnable` | `0` `1` | Calculated using twenty-sixth byte of data |
| `dmxGain5` | In range `0` to `255` | Calculated using twenty-seventh byte of data |
| `dmxGain2` | In range `0` to `255` | Calculated using twenty-eighth byte of data |
| `lfeDmxEnable` | `0` `1` | Calculated using twenty-ninth byte of data |
| `lfeDmxLevel` | In range `0` to `15` | Calculated using thirtieth byte of data |

Indexes `mInBufferIdx_1`, `mInBufferIdx_2` and `mInBufferIdx_3` (in range `0` to `2`) are calculated using the thirty-first, thirty-second and thirty-third byte respectively.

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec and continues with the encoding even on a failure. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc.) and does not `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.

## Build

This section describes the steps to build the `aac_enc_fuzzer` binary.

## Android

### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) aac_enc_fuzzer
```

### Steps to run
Create a directory CORPUS_DIR and copy some raw files to that folder.
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR
```
To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
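
The decoder plugin's input loop, described under its "Maximize utilization of input data" heading, is modelled below as an added example that is not part of the original README or the fuzzer source. The toy frame format and the names `toyDecode`, `feedAll` and `FeedStats` are constructed stand-ins for the real codec calls, and the zero-progress guard is an addition of this example.

```cpp
// Added example: models the decoder plugin's feed loop with a toy codec.
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct FeedStats { size_t frames, skipped, iterations; };

// Constructed stand-in for the AAC decoder (not FDK code). A toy frame is
// 0xA5, a length byte n, then n payload bytes. On success *bytesValid is the
// number of input bytes left unconsumed, mirroring a "valid bytes" counter.
static bool toyDecode(const uint8_t* p, size_t len, size_t* bytesValid) {
    if (len < 2 || p[0] != 0xA5) return false;
    size_t frame = 2 + static_cast<size_t>(p[1]);
    if (frame > len) return false;  // truncated frame: never read past len
    *bytesValid = len - frame;
    return true;
}

// Feeds the whole input. Every iteration moves forward by at least one byte,
// so the loop ends after at most `size` iterations on any input.
FeedStats feedAll(const uint8_t* data, size_t size) {
    FeedStats s = {0, 0, 0};
    size_t off = 0;
    while (off < size) {
        size_t remaining = size - off, bytesValid = remaining;
        ++s.iterations;
        bool ok = toyDecode(data + off, remaining, &bytesValid);
        size_t consumed = remaining - bytesValid;
        if (ok && consumed > 0) {
            off += consumed;  // success: skip the bytes the codec used
            ++s.frames;
        } else {
            off += 1;         // failure or no progress: resync at next byte
            ++s.skipped;
        }
    }
    return s;
}

int main() {
    // Constructed input: good frame, 2 junk bytes, empty frame, truncated frame.
    const uint8_t in[] = {0xA5, 0x02, 0x11, 0x22, 0xFF, 0xFF,
                          0xA5, 0x00, 0xA5, 0x09, 0x01};
    FeedStats s = feedAll(in, sizeof in);
    std::printf("frames=%zu skipped=%zu iterations=%zu\n",
                s.frames, s.skipped, s.iterations);
    return 0;
}
```

The truncated final frame is rejected by the length check and then skipped byte by byte, so malformed tails are still walked without reading past the end of the buffer.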