Fuzzer codecs

[ibc]

Details

• Add fuzzer for audio and video codecs (for those we can parse).
• Run then:

  MS_FUZZ_CODECS=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus
  

TODO

Added fuzzers only use the Parse() static method of the PayloadDescriptor class of every supported codec. Should we also call more methods in generated PayloadDescriptor instances?

[ibc]

ERROR 1 (H264_SVC): AddressSanitizer: heap-buffer-overflow

==4508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200011d032 at pc 0x556081bfb8f1 bp 0x7ffda03b4dd0 sp 0x7ffda03b4dc8
READ of size 1 at 0x60200011d032 thread T0
    #0 0x556081bfb8f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21
    #1 0x556081bfad76 in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:139:28
    #2 0x556081e21aea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
    #3 0x556081e16703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
    #4 0x556081523853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #5 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #6 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #7 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #8 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #9 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #10 0x7fa4d8587d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #11 0x7fa4d8587e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #12 0x556081507e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)

0x60200011d032 is located 0 bytes to the right of 2-byte region [0x60200011d030,0x60200011d032)
allocated by thread T0 here:
    #0 0x5560815fad8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #1 0x556081523762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #2 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #3 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #4 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #5 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #6 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #7 0x7fa4d8587d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
  0x0c048001b9b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9c0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c048001b9f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
=>0x0c048001ba00: fa fa fd fd fa fa[02]fa fa fa fd fd fa fa fd fd
  0x0c048001ba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4508==ABORTING
MS: 3 ShuffleBytes-CrossOver-EraseBytes-; base unit: c714e0c774f48ed63f54465f6bc9a85871e364f1
0x9d,0xce,
\235\316
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9f66ca4ef3883597fad0dc412148f03a5ac794b6
Base64: nc4=

[ibc]

ERROR 2 (H264_SVC): AddressSanitizer: heap-buffer-overflow

=================================================================
==4375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001df514 at pc 0x562d2ee778f1 bp 0x7ffc28ec9d50 sp 0x7ffc28ec9d48
READ of size 1 at 0x6020001df514 thread T0
    #0 0x562d2ee778f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21
    #1 0x562d2ee7698a in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:101:28
    #2 0x562d2f09daea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
    #3 0x562d2f092703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
    #4 0x562d2e79f853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #5 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #6 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #7 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #8 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #9 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #10 0x7f7e98295d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #11 0x7f7e98295e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #12 0x562d2e783e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)

0x6020001df514 is located 0 bytes to the right of 4-byte region [0x6020001df510,0x6020001df514)
allocated by thread T0 here:
    #0 0x562d2e876d8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #1 0x562d2e79f762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #2 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #3 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #4 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #5 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #6 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #7 0x7f7e98295d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
  0x0c0480033e50: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c0480033e60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480033e70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480033e80: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480033e90: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c0480033ea0: fa fa[04]fa fa fa fd fd fa fa fd fd fa fa fa fa
  0x0c0480033eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4375==ABORTING
MS: 3 CopyPart-CMP-ChangeASCIIInt- DE: "\004\000"-; base unit: e62d7f1eb43d87c202d2f164ba61297e71be80f4
0x38,0x4,0x0,0x34,
8\004\0004
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189
Base64: OAQANA==

[ibc]

Only problem is in H264_SVC in H264_SVC::ParseSingleNalu() which most probably doesn't check buffer length before reading some bytes.

I also see something suspicious:

There is no break in case 5. On purpose?

[ibc]

There is no break in case 5. On purpose?

@prtmD could you please check this? Is that missing break on purpose or is it a bug?

[ibc]

Here a lib that could help, but... hehe
https://github.com/chemag/h264nal/

[ibc]

AddressSanitizer: heap-buffer-overflow error is solved here: dd0136f

[ibc]

Let's address the possible missing break in a separate issue: #1356