[opus] Adding a decoder fuzz target

Ralph Giles giles at thaumas.net
Fri Jan 27 22:51:40 UTC 2017

On 2017-01-27 11:48 AM, Felicia Lim wrote:

> I'm working on fuzzing Opus with OSS-Fuzz and have started with the
> decoder. Attached is a patch to add the corresponding fuzz target.

Thanks for writing the fuzzer harness! Some comments below.

> + * Copyright (c) 2017 Google Inc.
> + * Redistribution and use in source and binary forms, with or without
> + [...]

Please format this to look like the other copyright headers. I think
maybe your editor's auto-indent mangled the previous layout.

In ParseToc everything here looks correct.

> +    info->frame_size = frame_sizes_ms_x2[row][col] * info->fs / 2000;
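
Review bot: the divisor 2000 on this line is undocumented. It folds the x2 scaling implied by the table name frame_sizes_ms_x2 together with the milliseconds-to-seconds factor of 1000; a one-line comment stating that, and that the result is a sample count at info->fs, would save the next reader from re-deriving it.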

This rounds correctly because everything is an even multiple of 1000.

In LLVMFuzzerTestOneInput:

> +    decoder = opus_decoder_create(toc.fs, toc.channels, &err);
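
Review bot: on the opus_decoder_create call, &err is passed but the quoted line does not show err or the returned pointer being checked. Since toc.fs and toc.channels are parsed from the fuzz input, the target should return early when creation fails instead of passing a NULL decoder on to the decode call.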

I guess the fuzzer will vary the packet's declared sample rate and
channel count independently of the data, so taking these values from the
input data allows exploration of all valid values for the setup without
loss of coverage?

> +        fec = data[1] & 1;
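
Review bot: data[1] is read on this line, so a check that size is at least 2 has to precede it, and the quoted line does not show one. If the guard is not already in place above, add an early return for shorter inputs so the harness itself never reads out of bounds.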

As far as I can tell this isn't an independent mechanism, since this bit
will be interpreted as packet data half the time and as a byte count for
the second packet in others. It seems like this will limit coverage. Is
there another channel you can pass data through?

I also expect only running one packet at a time through the decoder will
limit coverage. This is fine for a place to start, but the codec
explicitly accumulates state over a window of about 80 ms. With only one
packet per run the fuzzer won't be able to explore mode switching, or
FEC or PLC on top of more than one initial state.
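
Added example, not part of the original message or the submitted patch: one way to address both points above is to frame the fuzz input so the FEC flag travels in its own byte and one input carries several packets. The input layout and the names `fuzz_packet` and `split_fuzz_input` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical input layout (an assumption, not the patch's format):
 *   byte 0       setup byte, for the harness to map to sample rate/channels
 *   per packet   control byte (bit 0 = FEC flag), 16-bit big-endian length,
 *                then that many payload bytes
 * The FEC flag lives in its own byte, so it never aliases packet data. */
typedef struct {
    const uint8_t *payload;
    size_t len;      /* 0 can be treated by the harness as a lost packet */
    int fec;
} fuzz_packet;

/* Split one fuzz input into up to max_out packets; returns the count.
 * A length that overruns the input is clamped so tail bytes stay usable. */
size_t split_fuzz_input(const uint8_t *data, size_t size, uint8_t *setup,
                        fuzz_packet *out, size_t max_out)
{
    size_t n = 0, pos = 1;
    if (size < 1)
        return 0;
    *setup = data[0];
    while (n < max_out && size - pos >= 3) {
        size_t len = ((size_t)data[pos + 1] << 8) | data[pos + 2];
        out[n].fec = data[pos] & 1;
        pos += 3;
        if (len > size - pos)
            len = size - pos;
        out[n].payload = data + pos;
        out[n].len = len;
        pos += len;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: setup byte, then three framed packets. */
    const uint8_t in[] = {0x0b, 0x01, 0x00, 0x02, 0xaa, 0xbb,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0xcc};
    uint8_t setup = 0;
    fuzz_packet pk[8];
    size_t n = split_fuzz_input(in, sizeof in, &setup, pk, 8);
    for (size_t i = 0; i < n; i++)
        printf("packet %zu: len=%zu fec=%d\n", i, pk[i].len, pk[i].fec);
    return 0;
}
```

A harness built on this would create one decoder per input and pass each packet in order to `opus_decode` with that packet's own FEC flag, so decoder state carries across packets within a run.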

