author | Felicia Lim <flim@google.com> | 2020-06-17 22:19:25 +0300 |
---|---|---|
committer | Felicia Lim <flim@google.com> | 2020-06-18 23:01:12 +0300 |
commit | f8ed894b1fb681109abc73ba75b3d6237a751d72 (patch) | |
tree | cac89a65d1de062c2b1223891ede95a887183d8d /tests | |
parent | d05a07eab92fbb07a8189f2eaef7d4611d50d9ba (diff) |
Fix and clean up opus_decode_fuzzer
Use the fuzzed sub-length of the input data instead of the whole input.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/opus_decode_fuzzer.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/tests/opus_decode_fuzzer.c b/tests/opus_decode_fuzzer.c
index 90026221..20fa1e5a 100644
--- a/tests/opus_decode_fuzzer.c
+++ b/tests/opus_decode_fuzzer.c
@@ -62,9 +62,10 @@ static void ParseToc(const uint8_t *toc, TocInfo *const info) {
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 OpusDecoder *dec;
 opus_int16 *pcm;
- uint8_t *packet;
+ uint8_t *temp_data;
 TocInfo toc;
- int i, err;
+ int i = 0;
+ int err = OPUS_OK;
 /* Not enough data to setup the decoder (+1 for the ToC) */
 if (size < SETUP_BYTE_COUNT + 1) {
@@ -75,26 +76,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ParseToc(&data[SETUP_BYTE_COUNT], &toc);
 dec = opus_decoder_create(toc.fs, toc.channels, &err);
- if (err != OPUS_OK | dec == NULL) {
+ if (err != OPUS_OK || dec == NULL) {
 return 0;
 }
 pcm = (opus_int16*) malloc(sizeof(*pcm) * MAX_FRAME_SAMP * toc.channels);
- packet = (uint8_t*) calloc(MAX_PACKET, sizeof(*packet));
- i = 0;
- while (1) {
+ while (i + SETUP_BYTE_COUNT < size) {
 int len, fec;
- if (i + SETUP_BYTE_COUNT >= size) {
- break;
- }
-
 len = (opus_uint32) data[i ] << 24 | (opus_uint32) data[i + 1] << 16 | (opus_uint32) data[i + 2] << 8 | (opus_uint32) data[i + 3];
- if (len > MAX_PACKET || len < 0) {
+ if (len > MAX_PACKET || len < 0 || i + SETUP_BYTE_COUNT + len > size) {
 break;
 }
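Review bot: The new bounds check `i + SETUP_BYTE_COUNT + len > size` in the second hunk is computed in `int` (`i` is declared `int i = 0;` in the first hunk, `len` is `int`) and only then compared with the `size_t` `size`, so it mixes signed and unsigned and the sum could overflow on a very large input. Because the loop condition already guarantees `i + SETUP_BYTE_COUNT < size`, the check can be written without the addition as `(size_t)len > size - SETUP_BYTE_COUNT - (size_t)i`, or `i` can simply be declared `size_t`. The reads of `data[i + 3]` and `data[i + 4]` are only in bounds if SETUP_BYTE_COUNT is at least 5, which is not visible in this diff; a short comment next to the loop condition stating that assumption would help. The function body starts before and continues after these hunks.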
@@ -102,17 +97,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 * Instead, byte 4 is repurposed to determine if FEC is used. */
 fec = data[i + 4] & 1;
- /* Lost packet */
 if (len == 0) {
+ /* Lost packet */
 int frame_size;
 opus_decoder_ctl(dec, OPUS_GET_LAST_PACKET_DURATION(&frame_size));
- (void) opus_decode(dec, NULL, size, pcm, frame_size, fec);
+ (void) opus_decode(dec, NULL, len, pcm, frame_size, fec);
 } else {
- if (i + SETUP_BYTE_COUNT + len > size) {
- break;
- }
- memcpy(pcm, &data[i + SETUP_BYTE_COUNT], len);
- (void) opus_decode(dec, data, size, pcm, MAX_FRAME_SAMP, fec);
+ temp_data = (uint8_t*) malloc(len);
+ memcpy(temp_data, &data[i + SETUP_BYTE_COUNT], len);
+
+ (void) opus_decode(dec, temp_data, len, pcm, MAX_FRAME_SAMP, fec);
+
+ free(temp_data);
 }
 i += SETUP_BYTE_COUNT + len;
@@ -120,7 +116,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 opus_decoder_destroy(dec);
 free(pcm);
- free(packet);
 return 0;
 } |
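Review bot: The result of `malloc(len)` in the new else branch goes straight into `memcpy` without a NULL check, so an allocation failure under the fuzzer's memory limit would show up as a crash in the harness rather than a finding in the decoder. Adding `if (temp_data == NULL) break;` before the copy is enough, since the cleanup after the loop (`opus_decoder_destroy`, `free(pcm)`) still runs. The per-packet heap copy is presumably deliberate, so that a read past the end of the packet lands outside an exactly `len`-byte allocation where a sanitizer can see it; a comment such as `/* Exact-size copy so reads past the packet end are detectable */` would keep a later cleanup from removing it. The loop body starts outside this hunk.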