From f8ed894b1fb681109abc73ba75b3d6237a751d72 Mon Sep 17 00:00:00 2001
From: Felicia Lim
Date: Wed, 17 Jun 2020 12:19:25 -0700
Subject: Fix and clean up opus_decode_fuzzer

Use the fuzzed sub-length of the input data instead of the whole input.
---
 tests/opus_decode_fuzzer.c | 33 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

(limited to 'tests')

diff --git a/tests/opus_decode_fuzzer.c b/tests/opus_decode_fuzzer.c
index 90026221..20fa1e5a 100644
--- a/tests/opus_decode_fuzzer.c
+++ b/tests/opus_decode_fuzzer.c
@@ -62,9 +62,10 @@ static void ParseToc(const uint8_t *toc, TocInfo *const info) {
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   OpusDecoder *dec;
   opus_int16 *pcm;
-  uint8_t *packet;
+  uint8_t *temp_data;
   TocInfo toc;
-  int i, err;
+  int i = 0;
+  int err = OPUS_OK;
 
   /* Not enough data to setup the decoder (+1 for the ToC) */
   if (size < SETUP_BYTE_COUNT + 1) {
@@ -75,26 +76,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ParseToc(&data[SETUP_BYTE_COUNT], &toc);
 
   dec = opus_decoder_create(toc.fs, toc.channels, &err);
-  if (err != OPUS_OK | dec == NULL) {
+  if (err != OPUS_OK || dec == NULL) {
     return 0;
   }
 
   pcm = (opus_int16*) malloc(sizeof(*pcm) * MAX_FRAME_SAMP * toc.channels);
-  packet = (uint8_t*) calloc(MAX_PACKET, sizeof(*packet));
 
-  i = 0;
-  while (1) {
+  while (i + SETUP_BYTE_COUNT < size) {
     int len, fec;
 
-    if (i + SETUP_BYTE_COUNT >= size) {
-      break;
-    }
-
     len = (opus_uint32) data[i ] << 24 | (opus_uint32) data[i + 1] << 16 |
           (opus_uint32) data[i + 2] << 8 | (opus_uint32) data[i + 3];
-    if (len > MAX_PACKET || len < 0) {
+    if (len > MAX_PACKET || len < 0 || i + SETUP_BYTE_COUNT + len > size) {
       break;
     }
@@ -102,17 +97,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
      * Instead, byte 4 is repurposed to determine if FEC is used. */
     fec = data[i + 4] & 1;
-    /* Lost packet */
     if (len == 0) {
+      /* Lost packet */
       int frame_size;
       opus_decoder_ctl(dec, OPUS_GET_LAST_PACKET_DURATION(&frame_size));
-      (void) opus_decode(dec, NULL, size, pcm, frame_size, fec);
+      (void) opus_decode(dec, NULL, len, pcm, frame_size, fec);
     } else {
-      if (i + SETUP_BYTE_COUNT + len > size) {
-        break;
-      }
-      memcpy(pcm, &data[i + SETUP_BYTE_COUNT], len);
-      (void) opus_decode(dec, data, size, pcm, MAX_FRAME_SAMP, fec);
+      temp_data = (uint8_t*) malloc(len);
+      memcpy(temp_data, &data[i + SETUP_BYTE_COUNT], len);
+
+      (void) opus_decode(dec, temp_data, len, pcm, MAX_FRAME_SAMP, fec);
+
+      free(temp_data);
     }
 
     i += SETUP_BYTE_COUNT + len;
@@ -120,7 +116,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   opus_decoder_destroy(dec);
   free(pcm);
-  free(packet);
 
   return 0;
 }
-- 
cgit v1.2.3
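Review bot: `temp_data = (uint8_t*) malloc(len);` in the new else branch feeds `memcpy` without a NULL check, so an allocation failure becomes a write through a null pointer and the sanitizer reports a crash in the harness rather than in the decoder under test. Adding `if (temp_data == NULL) { break; }` directly after the malloc keeps the harness from being the thing that faults; `len` is bounded by MAX_PACKET at this point so the allocation is small, but a fuzz target should still not assume it succeeds. The copy into an exactly `len`-byte heap buffer appears to be what lets ASan catch decoder reads past the end of the packet (the old code passed `data` and `size`, which hid such reads), and that intent deserves a comment such as `/* Copy the packet into an exact-size heap buffer so the sanitizer catches any decoder read past its end. */` — confirm this matches the author's motivation. LLVMFuzzerTestOneInput begins and ends outside this hunk.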