Loading media/libstagefright/codecs/m4v_h263/dec/Android.bp +7 −5 Original line number Diff line number Diff line cc_library_static { name: "libstagefright_m4vh263dec", vendor_available: true, host_supported: true, shared_libs: ["liblog"], srcs: [ Loading Loading @@ -38,11 +39,6 @@ cc_library_static { "src/zigzag_tab.cpp", ], header_libs: [ "media_plugin_headers", "libstagefright_headers" ], local_include_dirs: ["src"], export_include_dirs: ["include"], Loading 
@@ -61,6 +57,12 @@ cc_library_static { ], cfi: true, }, target: { darwin: { enabled: false, }, }, } //############################################################################### Loading media/libstagefright/codecs/m4v_h263/fuzzer/Android.bp 0 → 100644 +60 −0 Original line number Diff line number Diff line /****************************************************************************** * * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * ***************************************************************************** * Originally developed and contributed by Ittiam Systems Pvt. 
Ltd, Bangalore */ cc_fuzz { name: "mpeg4_dec_fuzzer", host_supported: true, srcs: [ "mpeg4_h263_dec_fuzzer.cpp", ], static_libs: [ "libstagefright_m4vh263dec", "liblog", ], cflags: [ "-DOSCL_IMPORT_REF=", "-DMPEG4", ], target: { darwin: { enabled: false, }, }, } cc_fuzz { name: "h263_dec_fuzzer", host_supported: true, srcs: [ "mpeg4_h263_dec_fuzzer.cpp", ], static_libs: [ "libstagefright_m4vh263dec", "liblog", ], cflags: [ "-DOSCL_IMPORT_REF=", ], target: { darwin: { enabled: false, }, }, } media/libstagefright/codecs/m4v_h263/fuzzer/README.md 0 → 100644 +57 −0 Original line number Diff line number Diff line # Fuzzer for libstagefright_m4vh263dec decoder ## Plugin Design Considerations The fuzzer plugin for MPEG4/H263 is designed based on the understanding of the codec and tries to achieve the following: ##### Maximize code coverage Dict files (dictionary files) are created for MPEG4 and H263 to ensure that the required start bytes are present in every input file that goes to the fuzzer. This ensures that decoder does not reject any input file in the first check ##### Maximize utilization of input data The plugin feeds the entire input data to the codec using a loop. * If the decode operation was successful, the input is advanced by the number of bytes consumed in the decode call. * If the decode operation was un-successful, the input is advanced by 1 byte so that the fuzzer can proceed to feed the next frame. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt `exit()` on any input and thereby increasing the chance of identifying vulnerabilities. ##### Other considerations * Two fuzzer binaries - mpeg4_dec_fuzzer and h263_dec_fuzzer are generated based on the presence of a flag - 'MPEG4' * The number of decode calls are kept to a maximum of 100 so that the fuzzer does not timeout. ## Build This describes steps to build mpeg4_dec_fuzzer and h263_dec_fuzzer binary. 
### Android #### Steps to build Build the fuzzer ``` $ mm -j$(nproc) mpeg4_dec_fuzzer $ mm -j$(nproc) h263_dec_fuzzer ``` #### Steps to run Create a directory CORPUS_DIR and copy some MPEG4 or H263 files to that folder Push this directory to device. To run on device ``` $ adb sync data $ adb shell /data/fuzz/arm64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR $ adb shell /data/fuzz/arm64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR ``` To run on host ``` $ $ANDROID_HOST_OUT/fuzz/x86_64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR $ $ANDROID_HOST_OUT/fuzz/x86_64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR ``` ## References: * http://llvm.org/docs/LibFuzzer.html * https://github.com/google/oss-fuzz media/libstagefright/codecs/m4v_h263/fuzzer/h263_dec_fuzzer.dict 0 → 100644 +2 −0 Original line number Diff line number Diff line # Start code (bytes 0-3) kw1="\x00\x00\x80\x02" media/libstagefright/codecs/m4v_h263/fuzzer/mpeg4_dec_fuzzer.dict 0 → 100644 +2 −0 Original line number Diff line number Diff line # Start code (bytes 0-3) kw1="\x00\x00\x01\xB0" Loading
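Review bot: dropping `header_libs: [ "media_plugin_headers", "libstagefright_headers" ]` from libstagefright_m4vh263dec in the `@@ -38,11 +39,6 @@` hunk is only safe if nothing under `src/` or `include/` still includes a header from those libraries; please confirm that the library's existing consumers (not just the two new fuzzers) still build, and state in the commit message why the dependency was removable. The `host_supported: true` plus `target: { darwin: { enabled: false } }` shape in the `@@ -61,6 +57,12 @@` hunk matches what the fuzzer modules do, which is the right way to get a host build without pretending macOS is supported.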
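Review bot: in fuzzer/Android.bp the two `cc_fuzz` modules are identical apart from `-DMPEG4` in `cflags`; move the shared `srcs`, `static_libs`, `-DOSCL_IMPORT_REF=` and the darwin `target` block into a `cc_defaults` so the pair cannot drift. The two dictionaries added in this change (`h263_dec_fuzzer.dict`, `mpeg4_dec_fuzzer.dict`) are not referenced from either module; cc_fuzz accepts a `dictionary:` property (and `corpus:`), so point each module at its dict here rather than relying on whoever runs the binary to pass it by hand. A `fuzz_config` block naming the owning component would also let crash reports from the fuzzing infrastructure be routed to the right people.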
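Review bot: the README's "Maximize code coverage" section says the dict files ensure the start bytes are present in every input, but that only holds when libFuzzer is launched with the dictionary, and neither the device nor the host run commands pass `-dict=<path>.dict`; either add the flag to the examples or reference the dictionary from Android.bp so the documented behaviour matches what actually runs. The 100-decode-call cap in "Other considerations" also means that, with the 1-byte advance on failure, anything beyond roughly the first hundred frames or bytes of a long input is never exercised; that is a reasonable trade-off against timeouts, but say so where input utilisation is described. Minor wording: "un-successful" should be "unsuccessful", "doesnt" should be "doesn't", "The number of decode calls are kept" should be "is kept", the sentence ending "in the first check" is missing its full stop, and the "## References:" heading should drop the trailing colon.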
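Review bot: the comment `# Start code (bytes 0-3)` in h263_dec_fuzzer.dict is slightly misleading: the H.263 picture start code is 22 bits (0000 0000 0000 0000 1000 00), so `\x00\x00\x80\x02` is the PSC followed by TR = 0 and the first two PTYPE bits (`10`), which are fixed by the spec; it is a good entry, but the comment should say what the fourth byte is. Adding the 17-bit GOB start code (`\x00\x00\x80` followed by the GOB number bits) as a second entry would give libFuzzer a way to reach the resynchronisation paths as well as the picture-header path.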
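Review bot: mpeg4_dec_fuzzer.dict seeds only the visual_object_sequence_start_code (`\x00\x00\x01\xB0`). The README says the plugin advances byte by byte to "feed the next frame", so the dictionary should also carry the codes a multi-frame elementary stream needs: the VOP start code `"\x00\x00\x01\xB6"` at least, and ideally a video_object_layer entry (0x000001 followed by 0x20..0x2F, e.g. `"\x00\x00\x01\x20"`); without them libFuzzer depends entirely on the corpus to produce anything past the sequence header. Since both dicts use the bare name `kw1`, give each entry a descriptive name (e.g. `vos_start`, `vop_start`); libFuzzer ignores the name, but it documents the intent.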