fdk-aac/fuzzer
Ayushi Khopkar e575d5741d Updated fuzz_config in Android.bp file
Added new fields in fuzz_config like - hotlists,
description, vector, service_privilege, users, fuzzed_code_usage, etc.

Bug: 271384401
Test: Build aac_dec_fuzzer and aac_enc_fuzzer

Change-Id: I2637accffa42e37fc90e19b531ca5aef299b811e
2023-03-06 11:13:25 +05:30
..
Android.bp Updated fuzz_config in Android.bp file 2023-03-06 11:13:25 +05:30
README.md aac_enc_fuzzer: Improve code coverage 2021-02-01 10:30:22 +05:30
aac_dec_fuzzer.cpp Fix fuzzer's use of aacDecoder_DecodeFrame 2020-10-05 16:27:56 -07:00
aac_enc_fuzzer.cpp Fix improper assignment in aac_enc_fuzzer 2021-02-17 17:01:03 +05:30

README.md

Fuzzer for libFraunhoferAAC decoder

Plugin Design Considerations

The fuzzer plugin for aac decoder is designed based on the understanding of the codec and tries to achieve the following:

Maximize code coverage

This fuzzer makes use of the following config parameters:

  1. Transport type (parameter name: TRANSPORT_TYPE)
Parameter Valid Values Configured Value
TRANSPORT_TYPE 0.TT_UNKNOWN 1.TT_MP4_RAW 2.TT_MP4_ADIF 3.TT_MP4_ADTS 4.TT_MP4_LATM_MCP1 5.TT_MP4_LATM_MCP0 6.TT_MP4_LOAS 7.TT_DRM TT_MP4_ADIF

Note: Value of TRANSPORT_TYPE could be set to any of these values. It is set to TT_MP4_ADIF in the fuzzer plugin.

Maximize utilization of input data

The plugin feeds the entire input data to the codec using a loop.

  • If the decode operation was successful, the input is advanced by an offset calculated using valid bytes.
  • If the decode operation was un-successful, the input is advanced by 1 byte till it reaches a valid frame or end of stream.

This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build aac_dec_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) aac_dec_fuzzer

Steps to run

Create a directory CORPUS_DIR and copy some aac files to that folder. Push this directory to device.

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR

To run on host

  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR

Fuzzer for libFraunhoferAAC encoder

Plugin Design Considerations

The fuzzer plugin for aac encoder is designed based on the understanding of the codec and tries to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

Following arguments are passed to aacEncoder_SetParam to set the respective AACENC_PARAM parameter:

AACENC_PARAM param Valid Values Configured Value
AACENC_SBR_MODE -1 0 1 2 Calculated using first byte of data
AACENC_AOT AOT_NONE AOT_NULL_OBJECT AOT_AAC_MAIN AOT_AAC_LC AOT_AAC_SSR AOT_AAC_LTP AOT_SBR AOT_AAC_SCAL AOT_TWIN_VQ AOT_CELP AOT_HVXC AOT_RSVD_10 AOT_RSVD_11 AOT_TTSI AOT_MAIN_SYNTH AOT_WAV_TAB_SYNTH AOT_GEN_MIDI AOT_ALG_SYNTH_AUD_FX AOT_ER_AAC_LC AOT_RSVD_18 AOT_ER_AAC_LTP AOT_ER_AAC_SCAL AOT_ER_TWIN_VQ AOT_ER_BSAC AOT_ER_AAC_LD AOT_ER_CELP AOT_ER_HVXC AOT_ER_HILN AOT_ER_PARA AOT_RSVD_28 AOT_PS AOT_MPEGS AOT_ESCAPE AOT_MP3ONMP4_L1 AOT_MP3ONMP4_L2 AOT_MP3ONMP4_L3 AOT_RSVD_35 AOT_RSVD_36 AOT_AAC_SLS AOT_SLS AOT_ER_AAC_ELD AOT_USAC AOT_SAOC AOT_LD_MPEGS AOT_MP2_AAC_LC AOT_MP2_SBR AOT_DRM_AAC AOT_DRM_SBR AOT_DRM_MPEG_PS AOT_DRM_SURROUND AOT_DRM_USAC Calculated using second byte of data
AACENC_SAMPLERATE 8000 11025 12000 16000 22050 24000 32000 44100 48000 64000 88200 96000 Calculated using third byte of data
AACENC_BITRATE In range 8000 to 960000 Calculated using fourth, fifth and sixth byte of data
AACENC_CHANNELMODE MODE_1 MODE_2 MODE_1_2 MODE_1_2_1 MODE_1_2_2 MODE_1_2_2_1 MODE_1_2_2_2_1 MODE_6_1 MODE_7_1_BACK MODE_7_1_TOP_FRONT MODE_7_1_REAR_SURROUND MODE_7_1_FRONT_CENTER MODE_212 Calculated using seventh byte of data
AACENC_TRANSMUX TT_MP4_RAW TT_MP4_ADIF TT_MP4_ADTS TT_MP4_LATM_MCP1 TT_MP4_LATM_MCP0 TT_MP4_LOAS TT_DRM Calculated using eight byte of data
AACENC_BITRATEMODE AACENC_BR_MODE_INVALID AACENC_BR_MODE_CBR AACENC_BR_MODE_VBR_1 AACENC_BR_MODE_VBR_2 AACENC_BR_MODE_VBR_3 AACENC_BR_MODE_VBR_4 AACENC_BR_MODE_VBR_5 AACENC_BR_MODE_FF AACENC_BR_MODE_SFR Calculated using thirty-fourth byte of data
AACENC_GRANULE_LENGTH 120 128 240 256 480 512 1024 Calculated using thirty-fifth byte of data
AACENC_CHANNELORDER CH_ORDER_MPEG CH_ORDER_WAV Calculated using thirty-sixth byte of data
AACENC_AFTERBURNER 0 1 Calculated using thirty-seventh byte of data
AACENC_BANDWIDTH 0 1 Calculated using thirty-eigth byte of data
AACENC_IDX_PEAK_BITRATE In range 8000 to 960000 Calculated using thirty-ninth byte of data
AACENC_HEADER_PERIOD In range 0 to 255 Calculated using fortieth byte of data
AACENC_SIGNALING_MODE -1 0 1 2 3 Calculated using forty-first byte of data
AACENC_TPSUBFRAMES In range 0 to 255 Calculated using forty-second byte of data
AACENC_AUDIOMUXVER -1 0 1 2 Calculated using forty-third byte of data
AACENC_PROTECTION 0 1 Calculated using forty-fourth of data
AACENC_ANCILLARY_BITRATE In range 0 to 960000 Calculated using forty-fifth byte of data
AACENC_METADATA_MODE 0 1 2 3 Calculated using forty-sixth byte of data

Following values are configured to set up the meta data represented by the class variable mMetaData :

Variable name Possible Values Configured Value
drc_profile AACENC_METADATA_DRC_NONE AACENC_METADATA_DRC_FILMSTANDARD AACENC_METADATA_DRC_FILMLIGHT AACENC_METADATA_DRC_MUSICSTANDARD AACENC_METADATA_DRC_MUSICLIGHT AACENC_METADATA_DRC_SPEECH AACENC_METADATA_DRC_NOT_PRESENT Calculated using tenth byte of data
comp_profile AACENC_METADATA_DRC_NONE AACENC_METADATA_DRC_FILMSTANDARD AACENC_METADATA_DRC_FILMLIGHT AACENC_METADATA_DRC_MUSICSTANDARD AACENC_METADATA_DRC_MUSICLIGHT AACENC_METADATA_DRC_SPEECH AACENC_METADATA_DRC_NOT_PRESENT Calculated using eleventh byte of data
drc_TargetRefLevel In range 0 to 255 Calculated using twelfth byte of data
comp_TargetRefLevel In range 0 to 255 Calculated using thirteenth byte of data
prog_ref_level_present 0 1 Calculated using fourteenth byte of data
prog_ref_level In range 0 to 255 Calculated using fifteenth byte of data
PCE_mixdown_idx_present 0 1 Calculated using sixteenth byte of data
ETSI_DmxLvl_present 0 1 Calculated using seventeenth byte of data
centerMixLevel In range 0 to 7 Calculated using eighteenth byte of data
surroundMixLevel In range 0 to 7 Calculated using nineteenth byte of data
dolbySurroundMode In range 0 to 2 Calculated using twentieth byte of data
drcPresentationMode In range 0 to 2 Calculated using twenty-first byte of data
extAncDataEnable 0 1 Calculated using twenty-second byte of data
extDownmixLevelEnable 0 1 Calculated using twenty-third byte of data
extDownmixLevel_A In range 0 to 7 Calculated using twenty-fourth byte of data
extDownmixLevel_B In range 0 to 7 Calculated using twenty-fifth byte of data
dmxGainEnable 0 1 Calculated using twenty-sixth byte of data
dmxGain5 In range 0 to 255 Calculated using twenty-seventh byte of data
dmxGain2 In range 0 to 255 Calculated using twenty-eighth byte of data
lfeDmxEnable 0 1 Calculated using twenty-ninth byte of data
lfeDmxLevel In range 0 to 15 Calculated using thirtieth byte of data

Indexes mInBufferIdx_1, mInBufferIdx_2 and mInBufferIdx_3(in range 0 to 2) are calculated using the thirty-first, thirty-second and thirty-third byte respectively.

Maximize utilization of input data

The plugin feeds the entire input data to the codec and continues with the encoding even on a failure. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build aac_enc_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) aac_enc_fuzzer

Steps to run

Create a directory CORPUS_DIR and copy some raw files to that folder. Push this directory to device.

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR

To run on host

  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR

References: