zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Limit input size for the rtp video layers allocation fuzzer

Browse Source 
Bug: chromium:1355892
Change-Id: Ib0c48d27fb1e79212d2354e0249511aeeb53f650
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/272961
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Reviewed-by: Per Kjellander <perkj@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37913}
This commit is contained in:
Danil Chapovalov
2022-08-26 10:19:38 +02:00
committed by WebRTC LUCI CQ
parent 7643f373a0
commit 02c99982c8
2 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
test/fuzzers/BUILD.gn
View File

@ -605,6 +605,10 @@ webrtc_fuzzer_test("rtp_video_layers_allocation_fuzzer") {
"../../modules/rtp_rtcp:rtp_rtcp_format",
"../../rtc_base:checks",
]
# video_layers_allocation is an rtp header extension and thus can't be longer
# than 255 bytes on the wire.
libfuzzer_options = [ "max_len=255" ]
}
webrtc_fuzzer_test("rtp_frame_reference_finder_fuzzer") {

15
test/fuzzers/rtp_video_layers_allocation_fuzzer.cc
View File

@ -10,6 +10,7 @@
#include <cstddef>
#include <cstdint>
#include <limits>
#include "api/array_view.h"
#include "api/video/video_layers_allocation.h"
@ -19,6 +20,14 @@
namespace webrtc {
void FuzzOneInput(const uint8_t* data, size_t size) {
// Video layers allocation is an rtp header extension.
// Per https://datatracker.ietf.org/doc/html/rfc8285#section-4.3
// rtp header extension uses up to one byte to store the size, i.e.
// maximum size of any rtp header extension is 255 bytes.
constexpr int kMaxSize = std::numeric_limits<uint8_t>::max();
if (size > kMaxSize) {
return;
}
auto raw = rtc::MakeArrayView(data, size);
VideoLayersAllocation allocation1;
@ -32,10 +41,8 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
// Check `writer` use minimal number of bytes to pack the extension by
// checking it doesn't use more than reader consumed.
RTC_CHECK_LE(value_size, raw.size());
uint8_t some_memory[256];
// An extension may not be larger than 255 bytes since the extension lenght
// field is only one byte.
RTC_CHECK_LT(value_size, 256);
uint8_t some_memory[kMaxSize];
RTC_CHECK_LE(value_size, kMaxSize);
rtc::ArrayView<uint8_t> write_buffer(some_memory, value_size);
RTC_CHECK(
RtpVideoLayersAllocationExtension::Write(write_buffer, allocation1));