Merge "Added writer fuzzers"

        "WriterFuzzerBase.cpp",

    ],

}

cc_fuzz {

    name: "amrnb_writer_fuzzer",

    defaults: ["writer-fuzzer-defaults"],

    srcs: [

        "amr_writer_fuzzer.cpp",

    ],

    cflags: [

        "-DAMRNB",

    ],

}

cc_fuzz {

    name: "amrwb_writer_fuzzer",

    defaults: ["writer-fuzzer-defaults"],

    srcs: [

        "amr_writer_fuzzer.cpp",

    ],

}

cc_fuzz {

    name : "mpeg4_writer_fuzzer",

    defaults : ["writer-fuzzer-defaults"],

    srcs : [

        "mpeg4_writer_fuzzer.cpp",

    ],

    static_libs: [

        "libstagefright_esds",

    ],

}

cc_fuzz {

    name : "ogg_writer_fuzzer",

    defaults : ["writer-fuzzer-defaults"],

    srcs : [

        "ogg_writer_fuzzer.cpp",

    ],

    static_libs: [

        "libogg",

    ],

}

cc_fuzz {

    name : "webm_writer_fuzzer",

    defaults : ["writer-fuzzer-defaults"],

    srcs : [

        "webm_writer_fuzzer.cpp",

    ],

    static_libs: [

        "libstagefright_webm",

        "libdatasource",

    ],

    include_dirs: [

        "frameworks/av/media/libstagefright",

    ],

}

# Fuzzer for writers

## Table of contents

   [libwriterfuzzerbase](#WriterFuzzerBase)

+  [libwriterfuzzerbase](#WriterFuzzerBase)

+  [Amr Writer](#amrWriterFuzzer)

+  [MPEG4 Writer](#mpeg4WriterFuzzer)

+  [OGG Writer](#oggWriterFuzzer)

+  [WEBM Writer](#webmWriterFuzzer)

# <a name="WriterFuzzerBase"></a> Fuzzer for libwriterfuzzerbase

All the writers have a common API - creating a writer, adding a source for

This ensures that the plugin tolerates any kind of input (huge,

malformed, etc) and thereby increasing the chance of identifying vulnerabilities.

# <a name="amrWriterFuzzer"></a> Fuzzer for Amr Writer

## Plugin Design Considerations

The fuzzer plugin for AMR writer uses the `WriterFuzzerBase` class and

implements only the `createWriter` to create the AMR writer class.

##### Other considerations

 * Two fuzzer binaries - amrnb_writer_fuzzer and amrwb_writer_fuzzer are generated based on the presence of a flag - 'AMRNB'

# <a name="mpeg4WriterFuzzer"></a> Fuzzer for MPEG4 Writer

## Plugin Design Considerations

The fuzzer plugin for MPEG4 writer uses the `WriterFuzzerBase` class and

implements only the `createWriter` to create the MPEG4 writer class.

# <a name="oggWriterFuzzer"></a> Fuzzer for OGG Writer

## Plugin Design Considerations

The fuzzer plugin for OGG writer uses the `WriterFuzzerBase` class and

implements only the `createWriter` to create the OGG writer class.

# <a name="webmWriterFuzzer"></a> Fuzzer for WEBM Writer

## Plugin Design Considerations

The fuzzer plugin for WEBM writer uses the `WriterFuzzerBase` class and

implements only the `createWriter` to create the WEBM writer class.

## Build

This describes steps to build writer fuzzer binaries.

### Android

`*` = amrnb/amrwb/mpeg4/ogg/webm

#### Steps to build

Build the fuzzer

```

  $ mm -j$(nproc) *_writer_fuzzer

```

#### Steps to run

Create a directory CORPUS_DIR and copy some media files to that folder

Push this directory to device.

To run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/*_writer_fuzzer/*_writer_fuzzer CORPUS_DIR

```

## References:

 * http://llvm.org/docs/LibFuzzer.html

    }

}

void WriterFuzzerBase::processData(const uint8_t *data, size_t size) {

void WriterFuzzerBase::initFileWriterAndProcessData(const uint8_t *data, size_t size) {

    if (!createOutputFile()) {

        return;

    }

/******************************************************************************

 *

 * Copyright (C) 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 *****************************************************************************

 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore

 */

#include "WriterFuzzerBase.h"

#include <media/stagefright/AMRWriter.h>

using namespace android;

class AmrWriterFuzzer : public WriterFuzzerBase {

   public:

    bool createWriter();

};

bool AmrWriterFuzzer::createWriter() {

    mWriter = new AMRWriter(mFd);

    if (!mWriter) {

        return false;

    }

    mFileMeta = new MetaData;

#ifdef AMRNB

    mFileMeta->setInt32(kKeyFileType, output_format::OUTPUT_FORMAT_AMR_NB);

#else

    mFileMeta->setInt32(kKeyFileType, output_format::OUTPUT_FORMAT_AMR_WB);

#endif

    return true;

}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    AmrWriterFuzzer writerFuzzer;

    writerFuzzer.initFileWriterAndProcessData(data, size);

    return 0;

}

    void sendBuffersToWriter(sp<MediaAdapter>& currentTrack, int32_t trackIndex);

    void processData(const uint8_t* data, size_t size);

    void initFileWriterAndProcessData(const uint8_t* data, size_t size);

   protected:

    class BufferSource {