fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
fdk-aac/fuzzer
History
Jean-Michel Trivi f451278f0e Fix fuzzer's use of aacDecoder_DecodeFrame 
The aacDecoder_DecodeFrame function takes a size in numbers of
samples (INT_PCM), not a number of bytes. Using a number of
bytes caused the FDK to believe the array was larger than it
really was. Therefore on invalid frames, it would try to
clear a size larger than was really available, causing an OOB
crash.

Bug: 161014225
Test: check clusterfuzz results for case 6217304556437504
Change-Id: I9278898a17c1c961c568e841c6037d0c14bcc8b4
 		2020-10-05 16:27:56 -07:00
..
Android.bp Added fuzz_config field in aac_dec_fuzzer 2020-05-19 11:59:34 +05:30
README.md Added aac_dec_fuzzer 2020-03-27 11:11:27 +05:30
aac_dec_fuzzer.cpp Fix fuzzer's use of aacDecoder_DecodeFrame 2020-10-05 16:27:56 -07:00

README.md

Fuzzer for libFraunhoferAAC decoder

Plugin Design Considerations

The fuzzer plugin for aac decoder is designed based on the understanding of the codec and tries to achieve the following:

Maximize code coverage

This fuzzer makes use of the following config parameters:

  1. Transport type (parameter name: TRANSPORT_TYPE)
Parameter Valid Values Configured Value
TRANSPORT_TYPE 0.TT_UNKNOWN 1.TT_MP4_RAW 2.TT_MP4_ADIF 3.TT_MP4_ADTS 4.TT_MP4_LATM_MCP1 5.TT_MP4_LATM_MCP0 6.TT_MP4_LOAS 7.TT_DRM TT_MP4_ADIF

Note: Value of TRANSPORT_TYPE could be set to any of these values. It is set to TT_MP4_ADIF in the fuzzer plugin.

Maximize utilization of input data

The plugin feeds the entire input data to the codec using a loop.

  • If the decode operation was successful, the input is advanced by an offset calculated using valid bytes.
  • If the decode operation was un-successful, the input is advanced by 1 byte till it reaches a valid frame or end of stream.

This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build aac_dec_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) aac_dec_fuzzer

Steps to run

Create a directory CORPUS_DIR and copy some aac files to that folder. Push this directory to device.

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR

To run on host

  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR

References: