# Fuzzer for libavc decoder and encoder

This describes the steps to build avc_dec_fuzzer, mvc_dec_fuzzer and avc_enc_fuzzer.

## Linux x86/x64

### Requirements
- cmake (3.9.1 or above)
- make
- clang (6.0 or above)
  needs to support -fsanitize=fuzzer, -fsanitize=fuzzer-no-link

### Steps to build
Clone the libavc repository
```
$ git clone https://android.googlesource.com/platform/external/libavc
```
Create a build directory inside libavc and change into it
```
$ cd libavc
$ mkdir build
$ cd build
```
Build the fuzzers with the required sanitizers (-DSANITIZE=fuzzer-no-link is mandatory
to enable the fuzzers)
```
$ cmake .. -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
  -DCMAKE_BUILD_TYPE=Debug -DSANITIZE=fuzzer-no-link,address,\
  signed-integer-overflow,unsigned-integer-overflow
$ make
```

### Steps to run
Create a directory CORPUS_DIR and copy some elementary h264 files
(for avc_dec_fuzzer) or yuv files (for avc_enc_fuzzer) to that directory.

To run the fuzzers
```
$ ./avc_dec_fuzzer CORPUS_DIR
$ ./mvc_dec_fuzzer CORPUS_DIR
$ ./avc_enc_fuzzer CORPUS_DIR
```

## Android

### Steps to build
Build the fuzzers
```
$ mm -j$(nproc) avc_dec_fuzzer
$ mm -j$(nproc) mvc_dec_fuzzer
$ mm -j$(nproc) avc_enc_fuzzer
```

### Steps to run
Create a directory CORPUS_DIR and copy some elementary h264 files
(for avc_dec_fuzzer) or yuv files (for avc_enc_fuzzer) to that folder.
Push this directory to the device.

To run avc_dec_fuzzer on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/avc_dec_fuzzer/avc_dec_fuzzer CORPUS_DIR
```
To run mvc_dec_fuzzer on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/mvc_dec_fuzzer/mvc_dec_fuzzer CORPUS_DIR
```
To run avc_enc_fuzzer on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/avc_enc_fuzzer/avc_enc_fuzzer CORPUS_DIR
```

To run avc_dec_fuzzer on host
```
$ $ANDROID_HOST_OUT/fuzz/x86_64/avc_dec_fuzzer/avc_dec_fuzzer CORPUS_DIR
```

To run mvc_dec_fuzzer on host
```
$ $ANDROID_HOST_OUT/fuzz/x86_64/mvc_dec_fuzzer/mvc_dec_fuzzer CORPUS_DIR
```

To run avc_enc_fuzzer on host
```
$ $ANDROID_HOST_OUT/fuzz/x86_64/avc_enc_fuzzer/avc_enc_fuzzer CORPUS_DIR
```


# Appendix
## libavc encoder fuzzer

## Plugin Design Considerations
The fuzzer plugin for AVC is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

AVC supports the following parameters:
1. Frame Width (parameter name: `u4_wd`)
2. Frame Height (parameter name: `u4_ht`)
3. Input color format (parameter name: `e_inp_color_fmt`)
4. Architecture type (parameter name: `e_arch`)
5. Rate control mode (parameter name: `e_rc_mode`)
6. Number of cores (parameter name: `u4_num_cores`)
7. Maximum B frames (parameter name: `u4_num_bframes`)
8. Encoder speed preset (parameter name: `u4_enc_speed_preset`)
9. Enable constrained intra prediction (parameter name: `u4_constrained_intra_pred`)
10. Enable intra 4x4 (parameter name: `u4_enable_intra_4x4`)
11. Qp for I frames (parameter name: `u4_i_qp`)
12. Qp for P frames (parameter name: `u4_p_qp`)
13. Qp for B frames (parameter name: `u4_b_qp`)
14. Target Bitrate (parameter name: `u4_target_bitrate`)
15. Intra refresh period in frames (parameter name: `u4_air_refresh_period`)
16. Enable half pel ME (parameter name: `u4_enable_hpel`)
17. Enable quarter pel ME (parameter name: `u4_enable_qpel`)
18. ME speed preset (parameter name: `u4_me_speed_preset`)
19. Adaptive intra refresh mode (parameter name: `e_air_mode`)
20. Disable deblock level (parameter name: `u4_disable_deblock_level`)
21. Max search range in X direction (parameter name: `u4_srch_rng_x`)
22. Max search range in Y direction (parameter name: `u4_srch_rng_y`)
23. I frame interval (parameter name: `u4_i_frm_interval`)
24. IDR frame interval (parameter name: `u4_idr_frm_interval`)
25. Enable mastering display color volume info (parameter name: `u1_sei_mdcv_params_present_flag`)
26. Enable content light level info (parameter name: `u1_sei_cll_params_present_flag`)
27. Enable ambient viewing environment info (parameter name: `u1_sei_ave_params_present_flag`)
28. Enable content color volume info (parameter name: `u1_sei_ccv_params_present_flag`)
29. Profile (parameter name: `e_profile`)
30. Enable aspect_ratio info (parameter name: `u1_aspect_ratio_info_present_flag`)
31. Enable NAL HRD parameters presence (parameter name: `u1_nal_hrd_parameters_present_flag`)
32. Enable VCL HRD parameters presence (parameter name: `u1_vcl_hrd_parameters_present_flag`)
33. Enable force IDR frame (parameter name: `mIsForceIdrEnabled`)
34. Enable dynamic bitrate change (parameter name: `mIsDynamicBitRateChangeEnabled`)
35. Enable dynamic framerate change (parameter name: `mIsDynamicFrameRateChangeEnabled`)
36. Force IDR frame number (parameter name: `mForceIdrInterval`)
37. Frame number for dynamic bitrate (parameter name: `mDynamicBitRateInterval`)
38. Frame number for dynamic framerate (parameter name: `mDynamicFrameRateInterval`)

| Parameter | Valid Values | Configured Value |
|-------------|-------------|-----|
| `u4_wd` | In the range `0 to 10239` | All the bits of 1st and 2nd byte of data |
| `u4_ht` | In the range `0 to 10239` | All the bits of 3rd and 4th byte of data |
| `e_inp_color_fmt` | 0. `IV_YUV_420P` 1. `IV_YUV_420SP_UV` 2. `IV_YUV_422ILE` 3. `IV_YUV_420SP_VU` | All the bits of 5th byte of data |
| `e_arch` | 0. `ARCH_ARM_NONEON` 1. `ARCH_NA` | bit 0 and 1 of 6th byte of data |
| `e_rc_mode` | 0. `IVE_RC_NONE` 1. `IVE_RC_STORAGE` 2. `IVE_RC_CBR_NON_LOW_DELAY` 3. `IVE_RC_CBR_LOW_DELAY` | All the bits of 7th byte of data modulus 4 |
| `u4_num_cores` | 0. `0` 1. `1` 2. `2` 3. `3` | bit 0 and 1 of 8th byte of data |
| `u4_num_bframes` | In the range `0 to 7` | bit 0, 1 and 2 of 9th byte of data |
| `u4_enc_speed_preset` | 0. `IVE_CONFIG` 1. `IVE_SLOWEST` 2. `IVE_NORMAL` 3. `IVE_FAST` 4. `IVE_HIGH_SPEED` 5. `IVE_FASTEST` | All the bits of 10th byte of data modulus 6 |
| `u4_constrained_intra_pred` | 0. `0` 1. `1` | bit 0 of 11th byte of data |
| `u4_enable_intra_4x4` | 0. `0` 1. `1` | bit 0 of 12th byte of data |
| `u4_i_qp` | In the range `4 to 51` | All the bits of 13th byte of data |
| `u4_p_qp` | In the range `4 to 51` | All the bits of 14th byte of data |
| `u4_b_qp` | In the range `4 to 51` | All the bits of 15th byte of data |
| `u4_target_bitrate` | In the range `0 to 500000000` | All the bits of 16th and 17th byte of data |
| `u4_target_bitrate` | In the range `0 to 255` | All the bits of 18th byte of data |
| `u4_air_refresh_period` | In the range `1 to 256` | All the bits of 19th byte of data |
| `u4_enable_hpel` | 0. `0` 1. `1` | bit 0 of 20th byte of data |
| `u4_enable_qpel` | 0. `0` 1. `1` | bit 0 of 21st byte of data |
| `u4_me_speed_preset` | 0. `0` 1. `50` 2. `75` 3. `100` | All the bits of 22nd byte of data modulus 4 |
| `e_air_mode` | 0. `IVE_AIR_MODE_NONE` 1. `IVE_AIR_MODE_CYCLIC` 2. `IVE_AIR_MODE_RANDOM` | All the bits of 23rd byte of data modulus 3 |
| `u4_disable_deblock_level` | 0. `0` 1. `1` 2. `2` 3. `3` | bit 0 and 1 of 24th byte of data |
| `u4_srch_rng_x` | In the range `0 to 255` | All the bits of 25th byte of data |
| `u4_srch_rng_y` | In the range `0 to 255` | All the bits of 26th byte of data |
| `u4_i_frm_interval` | In the range `1 to 256` | All the bits of 27th byte of data |
| `u4_idr_frm_interval` | In the range `1 to 256` | All the bits of 28th byte of data |
| `u1_sei_mdcv_params_present_flag` | 0. `0` 1. `1` | bit 0 of 29th byte of data |
| `u1_sei_cll_params_present_flag` | 0. `0` 1. `1` | bit 0 of 30th byte of data |
| `u1_sei_ave_params_present_flag` | 0. `0` 1. `1` | bit 0 of 31st byte of data |
| `u1_sei_ccv_params_present_flag` | 0. `0` 1. `1` | bit 0 of 32nd byte of data |
| `e_profile` | 0. `IV_PROFILE_BASE` 1. `IV_PROFILE_MAIN` | bit 0 and 1 of 33rd byte of data modulus 2 |
| `u1_aspect_ratio_info_present_flag` | 0. `0` 1. `1` | bit 0 of 34th byte of data |
| `u1_nal_hrd_parameters_present_flag` | 0. `0` 1. `1` | bit 0 of 35th byte of data |
| `u1_vcl_hrd_parameters_present_flag` | 0. `0` 1. `1` | bit 0 of 36th byte of data |
| `mIsForceIdrEnabled` | 0. `0` 1. `1` | bit 0 of 37th byte of data |
| `mIsDynamicBitRateChangeEnabled` | 0. `0` 1. `1` | bit 0 of 38th byte of data |
| `mIsDynamicFrameRateChangeEnabled` | 0. `0` 1. `1` | bit 0 of 39th byte of data |
| `mForceIdrInterval` | In the range `0 to 7` | bit 0, 1 and 2 of 40th byte of data |
| `mDynamicBitRateInterval` | In the range `0 to 7` | bit 0, 1 and 2 of 41st byte of data |
| `mDynamicFrameRateInterval` | In the range `0 to 7` | bit 0, 1 and 2 of 42nd byte of data |

Because every setting is a pure function of the input bytes, the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec using a loop.
If the encode operation was successful, the input is advanced by the frame size.
If the encode operation was unsuccessful, the input is still advanced by the frame size so
that the fuzzer can proceed to feed the next frame.

This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.


## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
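The two design points in the appendix, deriving every encoder setting from fixed bytes of the input (the parameter table) and then feeding the remainder one frame at a time whether or not each encode succeeds, can be shown together in a small C program. This is an added example, not libavc's own fuzzer plugin: it covers a representative subset of the table's parameters, never calls the codec, and the struct and function names, the little-endian combination of the two-byte fields, and the modulo reduction of a raw byte into a stated range are this example's assumptions (the page states which bytes are used, not how they are folded into a range).

```c
/* Added example, not libavc's fuzzer code: maps the first 42 bytes of a fuzz
 * input onto encoder settings as the table above describes, then feeds the
 * rest to a stand-in "encoder" one frame at a time, advancing on success and
 * on failure alike. Names, the little-endian byte combination for u4_wd/u4_ht
 * and the modulo reduction into a stated range are this example's assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_BYTES 42u            /* bytes consumed by the parameter table */

typedef struct {
    uint32_t u4_wd, u4_ht;              /* bytes 1-2 and 3-4, range 0..10239 */
    uint8_t  e_inp_color_fmt;           /* byte 5: 0 420P, 1 420SP_UV, 2 422ILE, 3 420SP_VU */
    uint8_t  e_arch;                    /* byte 6, bits 0-1 */
    uint8_t  e_rc_mode;                 /* byte 7 mod 4 */
    uint8_t  u4_num_cores;              /* byte 8, bits 0-1 */
    uint8_t  u4_num_bframes;            /* byte 9, bits 0-2 */
    uint8_t  u4_enc_speed_preset;       /* byte 10 mod 6 */
    uint8_t  u4_i_qp, u4_p_qp, u4_b_qp; /* bytes 13-15, range 4..51 */
    uint32_t u4_target_bitrate;         /* bytes 16-17, range 0..500000000 */
    uint32_t u4_air_refresh_period;     /* byte 19, range 1..256 */
    uint8_t  e_profile;                 /* byte 33, bits 0-1 mod 2 */
    uint8_t  mForceIdrInterval;         /* byte 40, bits 0-2 */
} enc_cfg;

/* Fold an arbitrary raw value into [lo, hi] (assumption: modulo reduction). */
static uint32_t in_range(uint32_t raw, uint32_t lo, uint32_t hi) {
    return lo + raw % (hi - lo + 1u);
}

/* Returns 1 and fills cfg when at least CFG_BYTES are present, else 0.
 * A pure function of the bytes, so the same input always yields the same config. */
int parse_cfg(const uint8_t *d, size_t size, enc_cfg *cfg) {
    if (size < CFG_BYTES) return 0;
    memset(cfg, 0, sizeof *cfg);
    cfg->u4_wd = in_range((uint32_t)d[0] | ((uint32_t)d[1] << 8), 0, 10239);
    cfg->u4_ht = in_range((uint32_t)d[2] | ((uint32_t)d[3] << 8), 0, 10239);
    cfg->e_inp_color_fmt = d[4] % 4;          /* four listed formats (assumption: mod) */
    cfg->e_arch = d[5] & 0x3;
    cfg->e_rc_mode = d[6] % 4;
    cfg->u4_num_cores = d[7] & 0x3;
    cfg->u4_num_bframes = d[8] & 0x7;
    cfg->u4_enc_speed_preset = d[9] % 6;
    cfg->u4_i_qp = (uint8_t)in_range(d[12], 4, 51);
    cfg->u4_p_qp = (uint8_t)in_range(d[13], 4, 51);
    cfg->u4_b_qp = (uint8_t)in_range(d[14], 4, 51);
    cfg->u4_target_bitrate = in_range((uint32_t)d[15] | ((uint32_t)d[16] << 8), 0, 500000000);
    cfg->u4_air_refresh_period = in_range(d[18], 1, 256);
    cfg->e_profile = (d[32] & 0x3) % 2;
    cfg->mForceIdrInterval = d[39] & 0x7;
    return 1;
}

/* Bytes per raw input frame for the chosen colour format. */
size_t frame_bytes(const enc_cfg *cfg) {
    size_t px = (size_t)cfg->u4_wd * cfg->u4_ht;
    return cfg->e_inp_color_fmt == 2 ? px * 2 : px * 3 / 2;  /* 422ILE vs 4:2:0 */
}

typedef int (*encode_fn)(const uint8_t *frame, size_t len, void *ctx);

/* Feed whole frames in order, advancing one frame whether encode succeeded or
 * not; returns frames fed. A zero-sized frame (e.g. u4_wd == 0) must not spin
 * forever, so it means "nothing to feed". A trailing partial frame is left
 * untouched (assumption). */
size_t feed_frames(const uint8_t *d, size_t size, size_t fb, encode_fn encode, void *ctx) {
    size_t fed = 0;
    if (fb == 0) return 0;
    while (size >= fb) {
        (void)encode(d, fb, ctx);   /* result deliberately ignored */
        d += fb; size -= fb; fed++;
    }
    return fed;
}

/* Stand-in for the codec (constructed): counts calls and "fails" every 3rd frame. */
typedef struct { int calls, failures; } demo_ctx;
static int demo_encode(const uint8_t *f, size_t len, void *p) {
    demo_ctx *c = (demo_ctx *)p; (void)f; (void)len;
    c->calls++;
    if (c->calls % 3 == 0) { c->failures++; return -1; }
    return 0;
}

/* Constructed sample: 16x16 4:2:0 header, 3 full frames (384 bytes each), 100 tail bytes. */
#define SAMPLE_LEN (CFG_BYTES + 3u * 384u + 100u)
size_t build_sample(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0xAB, SAMPLE_LEN);      /* frame payload is arbitrary */
    memset(buf, 0, CFG_BYTES);
    buf[0] = 16; buf[2] = 16;           /* u4_wd = u4_ht = 16 */
    buf[4] = 0;                         /* IV_YUV_420P */
    buf[5] = 0x01; buf[6] = 0x07; buf[7] = 0x06; buf[8] = 0x0B; buf[9] = 0x0D;
    buf[12] = 0x00; buf[13] = 0x2F; buf[14] = 0xFF;   /* qp 4, 51, 19 */
    buf[15] = 0x40; buf[16] = 0x42;     /* bitrate 0x4240 = 16960 */
    buf[18] = 0xFF;                     /* air refresh period 256 */
    buf[32] = 0x03; buf[39] = 0x0F;     /* profile 1, force-IDR interval 7 */
    return SAMPLE_LEN;
}

/* Whole pipeline on the sample; returns frames fed, or -1 if the header is short. */
int run_sample(demo_ctx *stats) {
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf, sizeof buf);
    enc_cfg cfg;
    if (!parse_cfg(buf, n, &cfg)) return -1;
    memset(stats, 0, sizeof *stats);
    return (int)feed_frames(buf + CFG_BYTES, n - CFG_BYTES, frame_bytes(&cfg), demo_encode, stats);
}

int main(void) {
    demo_ctx st;
    int fed = run_sample(&st);
    printf("frames fed: %d, encode failures tolerated: %d\n", fed, st.failures);
    return 0;
}
```

Two details matter for a real harness. `parse_cfg` rejects inputs shorter than the 42-byte header instead of reading past the buffer, which is what lets the plugin accept empty input without crashing itself; and `feed_frames` refuses a zero frame size, since a fuzzer-chosen width or height of 0 would otherwise make a loop that advances by the frame size never terminate.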