audio_utils/fuzz/sndfile_fuzzer/sndfile_fuzzer.cpp - platform/system/media - Git at Google

 /*
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <fstream>
 #include <memory>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <string>
 #include <sys/types.h>
 #include <unistd.h>
 #include "audio_utils/sndfile.h"
 #include <android-base/scopeguard.h>

 #define MAX_BUFFER_SIZE 0x00005000
 #define MAX_FRAME_READ_COUNT 100
 #define MAX_FRAME_COUNT 1000

 #ifdef SNDFILE_FUZZER_HOST
 // the path is located in shared memory, so it can accelerate fuzzing on host
 // however, the path is not supported on device
 #define TEMP_DATA_PATH "/dev/shm/sndfile_fuzzer.tmp"
 #else
 #define TEMP_DATA_PATH "/data/local/tmp/sndfile_fuzzer.tmp"
 #endif

 // create a unique path so that the fuzzer can be run parallelly
 std::string getUniquePath() {
   pid_t pid = getpid();
   std::string unique_path = TEMP_DATA_PATH + std::to_string(pid);
   return unique_path;
 }

 int parseValue(const uint8_t *src, int index, void *dst, size_t size) {
   memcpy(dst, &src[index], size);
   return size;
 }

 size_t getSizeByType(uint32_t input_format) {
   switch (input_format) {
   case 0: return sizeof(short);
   case 1: return sizeof(int);
   case 2: return sizeof(float);
   default: return sizeof(short);
   }
 }

 sf_count_t sfReadfWithType(uint32_t input_format, SNDFILE *handle,
                            const void *ptr, sf_count_t desired) {
   switch (input_format) {
   case 0: return sf_readf_short(handle, (short *)ptr, desired);
   case 1: return sf_readf_int(handle, (int *)ptr, desired);
   case 2: return sf_readf_float(handle, (float *)ptr, desired);
   default: return 0;
   }
 }

 // the corpus of this fuzzer is generated by :
 // printf "\x01\x00\x00\x00\x01\x00\x00\x00" | \
 // cat - 2020_06_10_15_56_20.wav > merged_corpus
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size) {
   uint32_t desired_frame_count = 1;
   uint32_t input_format = 0;

   size_t metadata_size = sizeof(desired_frame_count) + sizeof(input_format);
   if (size < metadata_size) {
     return 0;
   }

   int idx = 0;
   idx +=
       parseValue(bytes, idx, &desired_frame_count, sizeof(desired_frame_count));
   idx += parseValue(bytes, idx, &input_format, sizeof(input_format));

   desired_frame_count %= MAX_FRAME_READ_COUNT;
   input_format %= 3;

   // write bytes to a file
   std::string path = getUniquePath();
   std::ofstream file;
   file.open(path.c_str(), std::ios::trunc | std::ios::binary | std::ios::out);
   if (!file.is_open()) {
     return 0;
   }

   file.write((char *)(bytes + idx), size - idx);
   file.close();
   // ensure file is unlinked after use
   auto scope_guard =
       android::base::make_scope_guard([path] { remove(path.c_str()); });

   SF_INFO info;
   // when format is set to zero, all other field are filled in by the lib
   info.format = 0;
   std::unique_ptr<SNDFILE, decltype(&sf_close)> handle(
       sf_open(path.c_str(), SFM_READ, &info), &sf_close);

   if (handle == nullptr) {
     return 0;
   }

   // sndfile support three different data types to read regardless the original
   // data type in file. the library handles the data conversion. The size of
   // input is parsed from file; malloc buffer by the size is risky, but it
   // cannot be fuzzed at this level. Here, we only ensure the read APIs does not
   // write memory outside the buffer.
   size_t input_size =
       getSizeByType(input_format) * desired_frame_count * info.channels;

   if (input_size > MAX_BUFFER_SIZE) {
     return 0;
   }

   void *dst_buffer = malloc(input_size);
   if (dst_buffer == nullptr) {
     return 0;
   }

   sf_count_t read_frame_count = 0;
   sf_count_t frame_count = 0;
   do {
     read_frame_count = sfReadfWithType(input_format, handle.get(), dst_buffer,
                                        desired_frame_count);
     frame_count += read_frame_count;
   } while (read_frame_count > 0 && frame_count < MAX_FRAME_COUNT);
   free(dst_buffer);

   return 0;
 }
	/*
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <fstream>
	#include <memory>
	#include <stddef.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <string.h>
	#include <string>
	#include <sys/types.h>
	#include <unistd.h>
	#include "audio_utils/sndfile.h"
	#include <android-base/scopeguard.h>

	#define MAX_BUFFER_SIZE 0x00005000
	#define MAX_FRAME_READ_COUNT 100
	#define MAX_FRAME_COUNT 1000

	#ifdef SNDFILE_FUZZER_HOST
	// the path is located in shared memory, so it can accelerate fuzzing on host
	// however, the path is not supported on device
	#define TEMP_DATA_PATH "/dev/shm/sndfile_fuzzer.tmp"
	#else
	#define TEMP_DATA_PATH "/data/local/tmp/sndfile_fuzzer.tmp"
	#endif

	// create a unique path so that the fuzzer can be run parallelly
	std::string getUniquePath() {
	pid_t pid = getpid();
	std::string unique_path = TEMP_DATA_PATH + std::to_string(pid);
	return unique_path;
	}

	int parseValue(const uint8_t src, int index, void dst, size_t size) {
	memcpy(dst, &src[index], size);
	return size;
	}

	size_t getSizeByType(uint32_t input_format) {
	switch (input_format) {
	case 0: return sizeof(short);
	case 1: return sizeof(int);
	case 2: return sizeof(float);
	default: return sizeof(short);
	}
	}

	sf_count_t sfReadfWithType(uint32_t input_format, SNDFILE *handle,
	const void *ptr, sf_count_t desired) {
	switch (input_format) {
	case 0: return sf_readf_short(handle, (short *)ptr, desired);
	case 1: return sf_readf_int(handle, (int *)ptr, desired);
	case 2: return sf_readf_float(handle, (float *)ptr, desired);
	default: return 0;
	}
	}

	// the corpus of this fuzzer is generated by :
	// printf "\x01\x00\x00\x00\x01\x00\x00\x00" \| \
	// cat - 2020_06_10_15_56_20.wav > merged_corpus
	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size) {
	uint32_t desired_frame_count = 1;
	uint32_t input_format = 0;

	size_t metadata_size = sizeof(desired_frame_count) + sizeof(input_format);
	if (size < metadata_size) {
	return 0;
	}

	int idx = 0;
	idx +=
	parseValue(bytes, idx, &desired_frame_count, sizeof(desired_frame_count));
	idx += parseValue(bytes, idx, &input_format, sizeof(input_format));

	desired_frame_count %= MAX_FRAME_READ_COUNT;
	input_format %= 3;

	// write bytes to a file
	std::string path = getUniquePath();
	std::ofstream file;
	file.open(path.c_str(), std::ios::trunc \| std::ios::binary \| std::ios::out);
	if (!file.is_open()) {
	return 0;
	}

	file.write((char *)(bytes + idx), size - idx);
	file.close();
	// ensure file is unlinked after use
	auto scope_guard =
	android::base::make_scope_guard([path] { remove(path.c_str()); });

	SF_INFO info;
	// when format is set to zero, all other field are filled in by the lib
	info.format = 0;
	std::unique_ptr<SNDFILE, decltype(&sf_close)> handle(
	sf_open(path.c_str(), SFM_READ, &info), &sf_close);

	if (handle == nullptr) {
	return 0;
	}

	// sndfile support three different data types to read regardless the original
	// data type in file. the library handles the data conversion. The size of
	// input is parsed from file; malloc buffer by the size is risky, but it
	// cannot be fuzzed at this level. Here, we only ensure the read APIs does not
	// write memory outside the buffer.
	size_t input_size =
	getSizeByType(input_format) * desired_frame_count * info.channels;

	if (input_size > MAX_BUFFER_SIZE) {
	return 0;
	}

	void *dst_buffer = malloc(input_size);
	if (dst_buffer == nullptr) {
	return 0;
	}

	sf_count_t read_frame_count = 0;
	sf_count_t frame_count = 0;
	do {
	read_frame_count = sfReadfWithType(input_format, handle.get(), dst_buffer,
	desired_frame_count);
	frame_count += read_frame_count;
	} while (read_frame_count > 0 && frame_count < MAX_FRAME_COUNT);
	free(dst_buffer);

	return 0;
	}