143 lines
4.3 KiB
C++
143 lines
4.3 KiB
C++
|
/*
|
||
|
|
* Copyright (C) 2020 The Android Open Source Project
|
||
|
|
*
|
||
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
|
* you may not use this file except in compliance with the License.
|
||
|
|
* You may obtain a copy of the License at
|
||
|
|
*
|
||
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
|
*
|
||
|
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
|
* See the License for the specific language governing permissions and
|
||
|
|
* limitations under the License.
|
||
|
|
*/
|
||
|
|
|
||
|
|
#include <fstream>
|
||
|
|
#include <memory>
|
||
|
|
#include <stddef.h>
|
||
|
|
#include <stdint.h>
|
||
|
|
#include <stdlib.h>
|
||
|
|
#include <string.h>
|
||
|
|
#include <string>
|
||
|
|
#include <sys/types.h>
|
||
|
|
#include <unistd.h>
|
||
|
|
#include "audio_utils/sndfile.h"
|
||
|
|
#include <android-base/scopeguard.h>
|
||
|
|
|
||
|
|
#define MAX_BUFFER_SIZE 0x00005000
|
||
|
|
#define MAX_FRAME_READ_COUNT 100
|
||
|
|
#define MAX_FRAME_COUNT 1000
|
||
|
|
|
||
|
|
#ifdef SNDFILE_FUZZER_HOST
|
||
|
|
// the path is located in shared memory, so it can accelerate fuzzing on host
|
||
|
|
// however, the path is not supported on device
|
||
|
|
#define TEMP_DATA_PATH "/dev/shm/sndfile_fuzzer.tmp"
|
||
|
|
#else
|
||
|
|
#define TEMP_DATA_PATH "/data/local/tmp/sndfile_fuzzer.tmp"
|
||
|
|
#endif
|
||
|
|
|
||
|
|
// create a unique path so that the fuzzer can be run parallelly
|
||
|
|
std::string getUniquePath() {
|
||
|
|
pid_t pid = getpid();
|
||
|
|
std::string unique_path = TEMP_DATA_PATH + std::to_string(pid);
|
||
|
|
return unique_path;
|
||
|
|
}
|
||
|
|
|
||
|
|
int parseValue(const uint8_t *src, int index, void *dst, size_t size) {
|
||
|
|
memcpy(dst, &src[index], size);
|
||
|
|
return size;
|
||
|
|
}
|
||
|
|
|
||
|
|
size_t getSizeByType(uint32_t input_format) {
|
||
|
|
switch (input_format) {
|
||
|
|
case 0: return sizeof(short);
|
||
|
|
case 1: return sizeof(int);
|
||
|
|
case 2: return sizeof(float);
|
||
|
|
default: return sizeof(short);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
sf_count_t sfReadfWithType(uint32_t input_format, SNDFILE *handle,
|
||
|
|
const void *ptr, sf_count_t desired) {
|
||
|
|
switch (input_format) {
|
||
|
|
case 0: return sf_readf_short(handle, (short *)ptr, desired);
|
||
|
|
case 1: return sf_readf_int(handle, (int *)ptr, desired);
|
||
|
|
case 2: return sf_readf_float(handle, (float *)ptr, desired);
|
||
|
|
default: return 0;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// the corpus of this fuzzer is generated by :
|
||
|
|
// printf "\x01\x00\x00\x00\x01\x00\x00\x00" | \
|
||
|
|
// cat - 2020_06_10_15_56_20.wav > merged_corpus
|
||
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size) {
|
||
|
|
uint32_t desired_frame_count = 1;
|
||
|
|
uint32_t input_format = 0;
|
||
|
|
|
||
|
|
size_t metadata_size = sizeof(desired_frame_count) + sizeof(input_format);
|
||
|
|
if (size < metadata_size) {
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
int idx = 0;
|
||
|
|
idx +=
|
||
|
|
parseValue(bytes, idx, &desired_frame_count, sizeof(desired_frame_count));
|
||
|
|
idx += parseValue(bytes, idx, &input_format, sizeof(input_format));
|
||
|
|
|
||
|
|
desired_frame_count %= MAX_FRAME_READ_COUNT;
|
||
|
|
input_format %= 3;
|
||
|
|
|
||
|
|
// write bytes to a file
|
||
|
|
std::string path = getUniquePath();
|
||
|
|
std::ofstream file;
|
||
|
|
file.open(path.c_str(), std::ios::trunc | std::ios::binary | std::ios::out);
|
||
|
|
if (!file.is_open()) {
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
file.write((char *)(bytes + idx), size - idx);
|
||
|
|
file.close();
|
||
|
|
// ensure file is unlinked after use
|
||
|
|
auto scope_guard =
|
||
|
|
android::base::make_scope_guard([path] { remove(path.c_str()); });
|
||
|
|
|
||
|
|
SF_INFO info;
|
||
|
|
// when format is set to zero, all other field are filled in by the lib
|
||
|
|
info.format = 0;
|
||
|
|
std::unique_ptr<SNDFILE, decltype(&sf_close)> handle(
|
||
|
|
sf_open(path.c_str(), SFM_READ, &info), &sf_close);
|
||
|
|
|
||
|
|
if (handle == nullptr) {
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
// sndfile support three different data types to read regardless the original
|
||
|
|
// data type in file. the library handles the data conversion. The size of
|
||
|
|
// input is parsed from file; malloc buffer by the size is risky, but it
|
||
|
|
// cannot be fuzzed at this level. Here, we only ensure the read APIs does not
|
||
|
|
// write memory outside the buffer.
|
||
|
|
size_t input_size =
|
||
|
|
getSizeByType(input_format) * desired_frame_count * info.channels;
|
||
|
|
|
||
|
|
if (input_size > MAX_BUFFER_SIZE) {
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
void *dst_buffer = malloc(input_size);
|
||
|
|
if (dst_buffer == nullptr) {
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
|
||
|
|
sf_count_t read_frame_count = 0;
|
||
|
|
sf_count_t frame_count = 0;
|
||
|
|
do {
|
||
|
|
read_frame_count = sfReadfWithType(input_format, handle.get(), dst_buffer,
|
||
|
|
desired_frame_count);
|
||
|
|
frame_count += read_frame_count;
|
||
|
|
} while (read_frame_count > 0 && frame_count < MAX_FRAME_COUNT);
|
||
|
|
free(dst_buffer);
|
||
|
|
|
||
|
|
return 0;
|
||
|
|
}
|