
Commit 8e268986 authored by Kris Alder's avatar Kris Alder Committed by Gerrit Code Review

Merge changes I5adc737f,I492c2c54,Ib72e4d82

* changes:
  Added mpeg4_dec_fuzzer and h263_dec_fuzzer
  m4vh263dec: Add host support
  m4vh263dec: Remove unused header dependencies
parents 5995f214 eae5781b
+7 −5
cc_library_static {
    name: "libstagefright_m4vh263dec",
    vendor_available: true,
    host_supported: true,
    shared_libs: ["liblog"],

    srcs: [
@@ -38,11 +39,6 @@ cc_library_static {
        "src/zigzag_tab.cpp",
    ],

    header_libs: [
        "media_plugin_headers",
        "libstagefright_headers"
    ],

    local_include_dirs: ["src"],
    export_include_dirs: ["include"],

@@ -61,6 +57,12 @@ cc_library_static {
        ],
        cfi: true,
    },

    target: {
        darwin: {
            enabled: false,
        },
    },
}

//###############################################################################
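Review bot: the `darwin: { enabled: false }` block lands without a comment saying why the host build is Linux-only, so the next reader has to bisect to find out. A one-line comment next to `enabled: false,` would cover it. The same three-line block is repeated verbatim in both cc_fuzz modules added later in this change; a shared `cc_defaults` would keep the copies from drifting.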
+60 −0
/******************************************************************************
 *
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *****************************************************************************
 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
 */

cc_fuzz {
    name: "mpeg4_dec_fuzzer",
    host_supported: true,
    srcs: [
        "mpeg4_h263_dec_fuzzer.cpp",
    ],
    static_libs: [
        "libstagefright_m4vh263dec",
        "liblog",
    ],
    cflags: [
        "-DOSCL_IMPORT_REF=",
        "-DMPEG4",
    ],
    target: {
        darwin: {
            enabled: false,
        },
    },
}

cc_fuzz {
    name: "h263_dec_fuzzer",
    host_supported: true,
    srcs: [
        "mpeg4_h263_dec_fuzzer.cpp",
    ],
    static_libs: [
        "libstagefright_m4vh263dec",
        "liblog",
    ],
    cflags: [
        "-DOSCL_IMPORT_REF=",
    ],
    target: {
        darwin: {
            enabled: false,
        },
    },
}
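Review bot: neither `mpeg4_dec_fuzzer` nor `h263_dec_fuzzer` references the dictionary files this change adds (there is no `dictionary:` property under either cc_fuzz module), so libFuzzer will only use them if the operator passes `-dict=` by hand, and the README's "Steps to run" does not pass it either. Wiring each dictionary in via `dictionary:` would make the "Maximize code coverage" behaviour the README describes actually happen by default. Separately, the two modules differ only in the `-DMPEG4` cflag; a `cc_defaults` holding `srcs`, `static_libs`, `-DOSCL_IMPORT_REF=` and the darwin `target` block would remove the duplication.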
+57 −0
# Fuzzer for libstagefright_m4vh263dec decoder

## Plugin Design Considerations
The fuzzer plugin for MPEG4/H263 is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage
Dict files (dictionary files) are created for MPEG4 and H263 to ensure that the required start
bytes are present in every input file that goes to the fuzzer.
This ensures that decoder does not reject any input file in the first check

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec using a loop.
 * If the decode operation was successful, the input is advanced by the number of bytes consumed
   in the decode call.
 * If the decode operation was un-successful, the input is advanced by 1 byte so that the fuzzer
   can proceed to feed the next frame.

This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc)
and doesnt `exit()` on any input and thereby increasing the chance of identifying vulnerabilities.

##### Other considerations
 * Two fuzzer binaries - mpeg4_dec_fuzzer and h263_dec_fuzzer are generated based on the presence
   of a flag - 'MPEG4'
 * The number of decode calls are kept to a maximum of 100 so that the fuzzer does not timeout.

## Build

This describes steps to build mpeg4_dec_fuzzer and h263_dec_fuzzer binary.

### Android
#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) mpeg4_dec_fuzzer
  $ mm -j$(nproc) h263_dec_fuzzer
```

#### Steps to run
Create a directory CORPUS_DIR and copy some MPEG4 or H263 files to that folder
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR
  $ adb shell /data/fuzz/arm64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR
```
To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR
  $ $ANDROID_HOST_OUT/fuzz/x86_64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
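Review bot: the "Maximize code coverage" paragraph overstates what a libFuzzer dictionary does. Entries given via `-dict=` are used as mutation tokens that the fuzzer may splice into inputs; they are not prepended to every input, so the sentence "This ensures that decoder does not reject any input file in the first check" should be softened to say the dictionary makes inputs with a valid start code much more likely. The "Steps to run" commands should also pass the dictionary (`-dict=<file>`) or the dictionaries added in this change are never used. Minor wording: "doesnt" should be "doesn't", "un-successful" should be "unsuccessful", and "The number of decode calls are kept" should be "The number of decode calls is kept".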
+2 −0
# Start code (bytes 0-3)
kw1="\x00\x00\x80\x02"
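Review bot: the comment "Start code (bytes 0-3)" undersells what this entry encodes. The H.263 picture start code is 22 bits (`0000 0000 0000 0000 1000 00`), so `\x00\x00\x80\x02` is PSC plus an 8-bit TR of 0 plus the first two PTYPE bits (1, 0). That is a fine token to seed with, but the comment should say so, because anyone extending the dictionary needs to know the last byte is not part of the start code.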
+2 −0
# Start code (bytes 0-3)
kw1="\x00\x00\x01\xB0"
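Review bot: a single visual_object_sequence_start_code (`00 00 01 B0`) only helps the fuzzer past the outermost check. The MPEG-4 parser also keys on the VOL start codes (`00 00 01 20` through `00 00 01 2F`), the VOP start code (`00 00 01 B6`), GOV (`00 00 01 B3`) and the VOS end code (`00 00 01 B1`); adding those as further `kw` entries would let mutations reach the VOL and VOP header parsing rather than stopping at the sequence header.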