From 7f7bbce892d9e8ed45e4ee2ee7dcefc1cd87a763 Mon Sep 17 00:00:00 2001
From: Anuj Joshi 
Date: Fri, 27 Mar 2020 10:43:08 +0530
Subject: [PATCH 1/3] Stop using __DATE__/__TIME__ on all builds
Test: mmma external/libaac
Bug: 151595970
Change-Id: Icd937cad3e4e2f70a5486cca424544eb410be26f
---
 Android.bp | 1 +
 libAACdec/src/aacdecoder_lib.cpp | 2 +-
 libAACenc/src/aacenc_lib.cpp | 2 +-
 libDRCdec/src/FDK_drcDecLib.cpp | 2 +-
 libFDK/src/FDK_core.cpp | 2 +-
 libMpegTPDec/src/tpdec_lib.cpp | 2 +-
 libMpegTPEnc/src/tpenc_lib.cpp | 2 +-
 libPCMutils/src/version.h | 2 +-
 libSACdec/src/sac_dec_lib.cpp | 2 +-
 libSACenc/src/sacenc_lib.cpp | 2 +-
 libSBRdec/src/sbrdecoder.cpp | 2 +-
 libSBRenc/src/sbr_encoder.cpp | 2 +-
 12 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/Android.bp b/Android.bp
index 80a0347..4d52b71 100644
--- a/Android.bp
+++ b/Android.bp
@@ -23,6 +23,7 @@ cc_library_static {
         "-Wuninitialized",
         "-Wno-self-assign",
         "-Wno-implicit-fallthrough",
+        "-DSUPPRESS_BUILD_DATE_INFO",
     ],
     sanitize: {
         misc_undefined:[
diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp
index 86ec899..3a1fc48 100644
--- a/libAACdec/src/aacdecoder_lib.cpp
+++ b/libAACdec/src/aacdecoder_lib.cpp
@@ -122,7 +122,7 @@ amm-info@iis.fraunhofer.de
 #define AACDECODER_LIB_VL1 1
 #define AACDECODER_LIB_VL2 2
 #define AACDECODER_LIB_TITLE "AAC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define AACDECODER_LIB_BUILD_DATE ""
 #define AACDECODER_LIB_BUILD_TIME ""
 #else
diff --git a/libAACenc/src/aacenc_lib.cpp b/libAACenc/src/aacenc_lib.cpp
index 0f0094f..a152c0d 100644
--- a/libAACenc/src/aacenc_lib.cpp
+++ b/libAACenc/src/aacenc_lib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
 #define AACENCODER_LIB_VL1 0
 #define AACENCODER_LIB_VL2 0
 #define AACENCODER_LIB_TITLE "AAC Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define AACENCODER_LIB_BUILD_DATE ""
 #define AACENCODER_LIB_BUILD_TIME ""
 #else
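Review bot: The Android.bp hunk makes timestamp suppression opt-in: `__ANDROID__` was defined by the compiler for every Android target, whereas `SUPPRESS_BUILD_DATE_INFO` is only set by this one cflags entry, so any build of these sources that does not go through this Android.bp (I cannot tell from here whether such builds exist) now stamps `__DATE__`/`__TIME__` into the binaries again and loses reproducibility. Since the goal per the subject is to stop using the macros on all builds, I would make the compiler enforce it rather than rely on the define: add `"-Wdate-time",` next to `"-DSUPPRESS_BUILD_DATE_INFO",` so every surviving or future `__DATE__`/`__TIME__` expansion is reported (and fails the build if the target carries -Werror, which I cannot see in this hunk). The `#else` branches that still expand the macros lie outside the two library hunks, so this review covers only the guard lines.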
diff --git a/libDRCdec/src/FDK_drcDecLib.cpp b/libDRCdec/src/FDK_drcDecLib.cpp
index 4f8ebc7..98a73ca 100644
--- a/libDRCdec/src/FDK_drcDecLib.cpp
+++ b/libDRCdec/src/FDK_drcDecLib.cpp
@@ -112,7 +112,7 @@ amm-info@iis.fraunhofer.de
 #define DRCDEC_LIB_VL1 1
 #define DRCDEC_LIB_VL2 0
 #define DRCDEC_LIB_TITLE "MPEG-D DRC Decoder Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define DRCDEC_LIB_BUILD_DATE ""
 #define DRCDEC_LIB_BUILD_TIME ""
 #else
diff --git a/libFDK/src/FDK_core.cpp b/libFDK/src/FDK_core.cpp
index 75ea8a2..52f8915 100644
--- a/libFDK/src/FDK_core.cpp
+++ b/libFDK/src/FDK_core.cpp
@@ -107,7 +107,7 @@ amm-info@iis.fraunhofer.de
 #define FDK_TOOLS_LIB_VL1 0
 #define FDK_TOOLS_LIB_VL2 0
 #define FDK_TOOLS_LIB_TITLE "FDK Tools"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define FDK_TOOLS_LIB_BUILD_DATE ""
 #define FDK_TOOLS_LIB_BUILD_TIME ""
 #else
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 506aed3..0b8ff24 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -1750,7 +1750,7 @@ TRANSPORTDEC_ERROR transportDec_GetLibInfo(LIB_INFO *info) {
   info += i;
   info->module_id = FDK_TPDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libMpegTPEnc/src/tpenc_lib.cpp b/libMpegTPEnc/src/tpenc_lib.cpp
index 14ea5fe..77c19b5 100644
--- a/libMpegTPEnc/src/tpenc_lib.cpp
+++ b/libMpegTPEnc/src/tpenc_lib.cpp
@@ -647,7 +647,7 @@ TRANSPORTENC_ERROR transportEnc_GetLibInfo(LIB_INFO *info) {
   info->module_id = FDK_TPENC;
   info->version = LIB_VERSION(TP_LIB_VL0, TP_LIB_VL1, TP_LIB_VL2);
   LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libPCMutils/src/version.h b/libPCMutils/src/version.h
index fa31af1..8e537ee 100644
--- a/libPCMutils/src/version.h
+++ b/libPCMutils/src/version.h
@@ -108,7 +108,7 @@ amm-info@iis.fraunhofer.de
 #define PCMUTIL_LIB_VL1 0
 #define PCMUTIL_LIB_VL2 0
 #define PCMUTIL_LIB_TITLE "PCM Utility Lib"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define PCMUTIL_LIB_BUILD_DATE ""
 #define PCMUTIL_LIB_BUILD_TIME ""
 #else
diff --git a/libSACdec/src/sac_dec_lib.cpp b/libSACdec/src/sac_dec_lib.cpp
index bf6dedf..a07e1c9 100644
--- a/libSACdec/src/sac_dec_lib.cpp
+++ b/libSACdec/src/sac_dec_lib.cpp
@@ -1800,7 +1800,7 @@ int mpegSurroundDecoder_GetLibInfo(LIB_INFO *info) {
   info += i;
   info->module_id = FDK_MPSDEC;
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
diff --git a/libSACenc/src/sacenc_lib.cpp b/libSACenc/src/sacenc_lib.cpp
index d6a1658..fcfe39b 100644
--- a/libSACenc/src/sacenc_lib.cpp
+++ b/libSACenc/src/sacenc_lib.cpp
@@ -130,7 +130,7 @@ Description of file contents
 #define SACENC_LIB_VL1 0
 #define SACENC_LIB_VL2 0
 #define SACENC_LIB_TITLE "MPEG Surround Encoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define SACENC_LIB_BUILD_DATE ""
 #define SACENC_LIB_BUILD_TIME ""
 #else
diff --git a/libSBRdec/src/sbrdecoder.cpp b/libSBRdec/src/sbrdecoder.cpp
index c827ced..89a2338 100644
--- a/libSBRdec/src/sbrdecoder.cpp
+++ b/libSBRdec/src/sbrdecoder.cpp
@@ -160,7 +160,7 @@ amm-info@iis.fraunhofer.de
 #define SBRDECODER_LIB_VL1 0
 #define SBRDECODER_LIB_VL2 0
 #define SBRDECODER_LIB_TITLE "SBR Decoder"
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
 #define SBRDECODER_LIB_BUILD_DATE ""
 #define SBRDECODER_LIB_BUILD_TIME ""
 #else
diff --git a/libSBRenc/src/sbr_encoder.cpp b/libSBRenc/src/sbr_encoder.cpp
index df9e996..c1e083f 100644
--- a/libSBRenc/src/sbr_encoder.cpp
+++ b/libSBRenc/src/sbr_encoder.cpp
@@ -2560,7 +2560,7 @@ INT sbrEncoder_GetLibInfo(LIB_INFO *info) {
   info->version = LIB_VERSION(SBRENCODER_LIB_VL0, SBRENCODER_LIB_VL1, SBRENCODER_LIB_VL2);
   LIB_VERSION_STRING(info);
-#ifdef __ANDROID__
+#ifdef SUPPRESS_BUILD_DATE_INFO
   info->build_date = "";
   info->build_time = "";
 #else
From b09c5ae9f054cc33ac492f729f845cda61971da0 Mon Sep 17 00:00:00 2001
From: Anuj Joshi 
Date: Fri, 27 Mar 2020 10:44:41 +0530
Subject: [PATCH 2/3] aacdec: Add host support
Test: Build libFraunhoferAAC on host
Bug: 151595970
Change-Id: I4870251b6fe2143dca6b5eed9c2643705c63952c
---
 Android.bp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Android.bp b/Android.bp
index 4d52b71..c0937dd 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1,6 +1,7 @@
 cc_library_static {
     name: "libFraunhoferAAC",
     vendor_available: true,
+    host_supported:true,
     srcs: [
         "libAACdec/src/*.cpp",
         "libAACenc/src/*.cpp",
@@ -52,4 +53,10 @@ cc_library_static {
         "libSACdec/include",
         "libSACenc/include",
     ],
+
+    target: {
+        darwin: {
+            enabled: false,
+        },
+    },
 }
From d41cddf9e9f46a1596c19505967261140a5bd6f8 Mon Sep 17 00:00:00 2001
From: Anuj Joshi 
Date: Thu, 26 Mar 2020 11:51:15 +0530
Subject: [PATCH 3/3] Added aac_dec_fuzzer
Test: ./aac_dec_fuzzer
Bug: 151595970
Change-Id: Iad37ae766288e9490520d858a6de0dd755e70681
---
 fuzzer/Android.bp | 39 ++++++++++++++++++
 fuzzer/README.md | 59 +++++++++++++++++++++++++++
 fuzzer/aac_dec_fuzzer.cpp | 84 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 182 insertions(+)
 create mode 100644 fuzzer/Android.bp
 create mode 100644 fuzzer/README.md
 create mode 100644 fuzzer/aac_dec_fuzzer.cpp
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..ae01dad
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,39 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
+ */
+
+cc_fuzz {
+    name: "aac_dec_fuzzer",
+    host_supported:true,
+
+    static_libs: [
+        "libFraunhoferAAC",
+        "liblog",
+    ],
+
+    srcs: [
+        "aac_dec_fuzzer.cpp",
+    ],
+
+    target: {
+        darwin: {
+            enabled: false,
+        },
+    },
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..d99bc75
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,59 @@ +# Fuzzer for libFraunhoferAAC decoder + +## Plugin Design Considerations +The fuzzer plugin for aac decoder is designed based on the understanding of the +codec and tries to achieve the following: + +##### Maximize code coverage + +This fuzzer makes use of the following config parameters: +1. Transport type (parameter name: `TRANSPORT_TYPE`) + +| Parameter| Valid Values| Configured Value| +|------------- |-------------| ----- | +| `TRANSPORT_TYPE` | 0.`TT_UNKNOWN ` 1.`TT_MP4_RAW ` 2.`TT_MP4_ADIF ` 3.`TT_MP4_ADTS ` 4.`TT_MP4_LATM_MCP1 ` 5.`TT_MP4_LATM_MCP0 ` 6.`TT_MP4_LOAS ` 7.`TT_DRM ` | `TT_MP4_ADIF ` | + +Note: Value of `TRANSPORT_TYPE` could be set to any of these values. +It is set to `TT_MP4_ADIF` in the fuzzer plugin. + +##### Maximize utilization of input data +The plugin feeds the entire input data to the codec using a loop. + * If the decode operation was successful, the input is advanced by an + offset calculated using valid bytes. + * If the decode operation was un-successful, the input is advanced by 1 byte + till it reaches a valid frame or end of stream. + +This ensures that the plugin tolerates any kind of input (empty, huge, +malformed, etc) and doesnt `exit()` on any input and thereby increasing the +chance of identifying vulnerabilities. + +## Build + +This describes steps to build aac_dec_fuzzer binary. + +## Android + +### Steps to build +Build the fuzzer +``` + $ mm -j$(nproc) aac_dec_fuzzer +``` + +### Steps to run +Create a directory CORPUS_DIR and copy some aac files to that folder. +Push this directory to device. + +To run on device +``` + $ adb sync data + $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` +To run on host +``` + $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR +``` + +## References: + * http://llvm.org/docs/LibFuzzer.html + * https://github.com/google/oss-fuzz + 
diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp
new file mode 100644
index 0000000..686c42f
--- /dev/null
+++ b/fuzzer/aac_dec_fuzzer.cpp
@@ -0,0 +1,84 @@
+/******************************************************************************
+ *
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *****************************************************************************
+ * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
+ */
+
+#include #include "aacdecoder_lib.h"
+
+constexpr uint8_t kNumberOfLayers = 1;
+constexpr uint8_t kMaxChannelCount = 8;
+
+class Codec {
+ public:
+  Codec() = default;
+  ~Codec() { deInitDecoder(); }
+  bool initDecoder();
+  void decodeFrames(UCHAR *data, UINT size);
+  void deInitDecoder();
+
+ private:
+  HANDLE_AACDECODER mAacDecoderHandle = nullptr;
+  AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK;
+};
+
+bool Codec::initDecoder() {
+  mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers);
+  if (!mAacDecoderHandle) {
+    return false;
+  }
+  return true;
+}
+
+void Codec::deInitDecoder() {
+  aacDecoder_Close(mAacDecoderHandle);
+  mAacDecoderHandle = nullptr;
+}
+
+void Codec::decodeFrames(UCHAR *data, UINT size) {
+  while (size > 0) {
+    UINT inputSize = size;
+    UINT valid = size;
+    mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid);
+    if (mErrorCode != AAC_DEC_OK) {
+      ++data;
+      --size;
+    } else {
+      INT_PCM outputBuf[2048 * kMaxChannelCount];
+      aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, 2048 * kMaxChannelCount, 0);
+      if (valid >= inputSize) {
        return;
+      }
+      UINT offset = inputSize - valid;
+      data += offset;
+      size = valid;
+    }
+  }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  Codec *codec = new Codec();
+  if (!codec) {
+    return 0;
+  }
+  if (codec->initDecoder()) {
+    codec->decodeFrames((UCHAR *)(data), static_cast(size));
+  }
+  delete codec;
+  return 0;
+}
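Review bot: In `Codec::decodeFrames` each successful `aacDecoder_Fill` is followed by exactly one `aacDecoder_DecodeFrame`, whose return value is discarded; as I read the fdk-aac API, `Fill` copies as much input as the decoder's internal buffer holds (usually far more than one frame), so once `valid` reaches 0 the loop exits with buffered frames that are never decoded and no final flush, which leaves a good part of the decode path unexercised for every input. I would drain the decoder after each fill with the loop below, and after the `while` add one `aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, 2048 * kMaxChannelCount, AACDEC_FLUSH);` to push out whatever is still held (hoisting `outputBuf` to function scope so both calls share it). Separately, in `LLVMFuzzerTestOneInput` the `if (!codec)` test is dead because `new` throws rather than returning null; a stack-local `Codec codec;` would drop both the check and the manual `delete`, since the destructor already calls `deInitDecoder()`. Whether `aacDecoder_Close` tolerates the null handle left by a failed `initDecoder()` is not visible here and worth confirming.
```cpp
      INT_PCM outputBuf[2048 * kMaxChannelCount];
      // Drain every frame Fill() buffered, not just the first one; stop as
      // soon as the decoder stops returning AAC_DEC_OK (no bits left or error).
      do {
        mErrorCode = aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
                                            2048 * kMaxChannelCount, 0);
      } while (mErrorCode == AAC_DEC_OK);
      // … unchanged: advance data/size by the bytes Fill() consumed …
```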