/src/janus-gateway/fuzzers/rtp_fuzzer.c

Source (jump to first uncovered line)
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#include <glib.h>
#include "../src/debug.h"
#include "../src/utils.h"
#include "../src/rtp.h"

int janus_log_level = LOG_NONE;
gboolean janus_log_timestamps = FALSE;
gboolean janus_log_colors = FALSE;
char *janus_log_global_prefix = NULL;
int lock_debug = 0;

/* This is to avoid linking with openSSL */
int RAND_bytes(uint8_t *key, int len) {
  return 0;
}

/* Clone libsrtp srtp_validate_rtp_header */
#define octets_in_rtp_header 12
#define uint32s_in_rtp_header 3
#define octets_in_rtp_extn_hdr 4

static int srtp_validate_rtp_header(char *data, int pkt_octet_len) {
    if (pkt_octet_len < octets_in_rtp_header)
        return -1;

    janus_rtp_header *hdr = (janus_rtp_header *)data;

    /* Check RTP header length */
    int rtp_header_len = octets_in_rtp_header + 4 * hdr->csrccount;
    if (hdr->extension == 1)
        rtp_header_len += octets_in_rtp_extn_hdr;

    if (pkt_octet_len < rtp_header_len)
        return -1;

    /* Verifing profile length. */
    if (hdr->extension == 1) {
      janus_rtp_header_extension *xtn_hdr =
            (janus_rtp_header_extension *)((uint32_t *)hdr + uint32s_in_rtp_header +
                                hdr->csrccount);
        int profile_len = ntohs(xtn_hdr->length);
        rtp_header_len += profile_len * 4;
        /* profile length counts the number of 32-bit words */
        if (pkt_octet_len < rtp_header_len)
            return -1;
    }
    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* Sanity Checks */
  /* Max UDP payload with MTU=1500 */
  if (size > 1472) return 0;
  /* libnice checks that a packet length is positive */
  if (size <= 0) return 0;
  /* Janus checks for a minimum packet length
   * and the RTP header type value */
  if (!janus_is_rtp((char *)data, size)) return 0;

  char sdes_item[16];
  janus_rtp_header_extension_parse_rid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
  janus_rtp_header_extension_parse_mid((char *)data, size, 1, sdes_item, sizeof(sdes_item));

  /* Do same checks that libsrtp does */
  if (srtp_validate_rtp_header((char *)data, size) < 0) return 0;

  /* RTP extensions parsers */
  guint16 transport_seq_num;
  gboolean c, f, r1, r0;
  uint8_t dd[256];
  int sizedd = sizeof(dd);
  janus_rtp_header_extension_parse_audio_level((char *)data, size, 1, NULL, NULL);
  janus_rtp_header_extension_parse_playout_delay((char *)data, size, 1, NULL, NULL);
  janus_rtp_header_extension_parse_transport_wide_cc((char *)data, size, 1, &transport_seq_num);
  janus_rtp_header_extension_parse_abs_send_time((char *)data, size, 1, NULL);
  janus_rtp_header_extension_parse_abs_capture_time((char *)data, size, 1, NULL);
  janus_rtp_header_extension_parse_video_orientation((char * )data, size, 1, &c, &f, &r1, &r0);
  janus_rtp_header_extension_parse_dependency_desc((char *)data, size, 1, (uint8_t *)&dd, &sizedd);
  janus_rtp_header_extension_parse_video_layers_allocation((char *)data, size, 1, NULL, NULL);

  /* Extract codec payload */
  int plen = 0;
  char *payload = janus_rtp_payload((char *)data, size, &plen);
  if (!payload) return 0;
  /* Make a copy of payload */
  char copy_payload[plen];
  memcpy(copy_payload, payload, plen);

  /* H.264 targets */
  janus_h264_is_keyframe(payload, plen);

  /* VP8 targets */
  gboolean m = FALSE;
  uint16_t picid = 0;
  uint8_t tlzi = 0, tid = 0, ybit = 0, keyidx = 0;
  janus_vp8_simulcast_context vp8_context;
  memset(&vp8_context, 0, sizeof(janus_vp8_simulcast_context));
  janus_vp8_is_keyframe(payload, plen);
  janus_vp8_parse_descriptor(payload, plen, &m, &picid, &tlzi, &tid, &ybit, &keyidx);
  janus_vp8_simulcast_descriptor_update(copy_payload, plen, &vp8_context, TRUE);

  /* VP9 targets */
  int found = 0;
  janus_vp9_svc_info info;
  janus_vp9_is_keyframe(payload, plen);
  janus_vp9_parse_svc(payload, plen, &found, &info);

  /* Free resources */

  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		#include <stdint.h>
2		#include <stddef.h>
3		#include <stdlib.h>
4
5		#include <glib.h>
6		#include "../src/debug.h"
7		#include "../src/utils.h"
8		#include "../src/rtp.h"
9
10		int janus_log_level = LOG_NONE;
11		gboolean janus_log_timestamps = FALSE;
12		gboolean janus_log_colors = FALSE;
13		char *janus_log_global_prefix = NULL;
14		int lock_debug = 0;
15
16		/* This is to avoid linking with openSSL */
17	0	int RAND_bytes(uint8_t *key, int len) {
18	0	return 0;
19	0	}
20
21		/* Clone libsrtp srtp_validate_rtp_header */
22	1.44k	#define octets_in_rtp_header 12
23	346	#define uint32s_in_rtp_header 3
24	364	#define octets_in_rtp_extn_hdr 4
25
26	722	static int srtp_validate_rtp_header(char *data, int pkt_octet_len) {
27	722	if (pkt_octet_len < octets_in_rtp_header)
28	0	return -1;
29
30	722	janus_rtp_header hdr = (janus_rtp_header )data;
31
32		/* Check RTP header length */
33	722	int rtp_header_len = octets_in_rtp_header + 4 * hdr->csrccount;
34	722	if (hdr->extension == 1)
35	364	rtp_header_len += octets_in_rtp_extn_hdr;
36
37	722	if (pkt_octet_len < rtp_header_len)
38	20	return -1;
39
40		/* Verifing profile length. */
41	702	if (hdr->extension == 1) {
42	346	janus_rtp_header_extension *xtn_hdr =
43	346	(janus_rtp_header_extension )((uint32_t )hdr + uint32s_in_rtp_header +
44	346	hdr->csrccount);
45	346	int profile_len = ntohs(xtn_hdr->length);
46	346	rtp_header_len += profile_len * 4;
47		/* profile length counts the number of 32-bit words */
48	346	if (pkt_octet_len < rtp_header_len)
49	60	return -1;
50	346	}
51	642	return 0;
52	702	}
53
54	745	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
55		/* Sanity Checks */
56		/* Max UDP payload with MTU=1500 */
57	745	if (size > 1472) return 0;
58		/* libnice checks that a packet length is positive */
59	735	if (size <= 0) return 0;
60		/* Janus checks for a minimum packet length
61		* and the RTP header type value */
62	735	if (!janus_is_rtp((char *)data, size)) return 0;
63
64	722	char sdes_item[16];
65	722	janus_rtp_header_extension_parse_rid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
66	722	janus_rtp_header_extension_parse_mid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
67
68		/* Do same checks that libsrtp does */
69	722	if (srtp_validate_rtp_header((char *)data, size) < 0) return 0;
70
71		/* RTP extensions parsers */
72	642	guint16 transport_seq_num;
73	642	gboolean c, f, r1, r0;
74	642	uint8_t dd[256];
75	642	int sizedd = sizeof(dd);
76	642	janus_rtp_header_extension_parse_audio_level((char *)data, size, 1, NULL, NULL);
77	642	janus_rtp_header_extension_parse_playout_delay((char *)data, size, 1, NULL, NULL);
78	642	janus_rtp_header_extension_parse_transport_wide_cc((char *)data, size, 1, &transport_seq_num);
79	642	janus_rtp_header_extension_parse_abs_send_time((char *)data, size, 1, NULL);
80	642	janus_rtp_header_extension_parse_abs_capture_time((char *)data, size, 1, NULL);
81	642	janus_rtp_header_extension_parse_video_orientation((char * )data, size, 1, &c, &f, &r1, &r0);
82	642	janus_rtp_header_extension_parse_dependency_desc((char )data, size, 1, (uint8_t )&dd, &sizedd);
83	642	janus_rtp_header_extension_parse_video_layers_allocation((char *)data, size, 1, NULL, NULL);
84
85		/* Extract codec payload */
86	642	int plen = 0;
87	642	char payload = janus_rtp_payload((char )data, size, &plen);
88	642	if (!payload) return 0;
89		/* Make a copy of payload */
90	629	char copy_payload[plen];
91	629	memcpy(copy_payload, payload, plen);
92
93		/* H.264 targets */
94	629	janus_h264_is_keyframe(payload, plen);
95
96		/* VP8 targets */
97	629	gboolean m = FALSE;
98	629	uint16_t picid = 0;
99	629	uint8_t tlzi = 0, tid = 0, ybit = 0, keyidx = 0;
100	629	janus_vp8_simulcast_context vp8_context;
101	629	memset(&vp8_context, 0, sizeof(janus_vp8_simulcast_context));
102	629	janus_vp8_is_keyframe(payload, plen);
103	629	janus_vp8_parse_descriptor(payload, plen, &m, &picid, &tlzi, &tid, &ybit, &keyidx);
104	629	janus_vp8_simulcast_descriptor_update(copy_payload, plen, &vp8_context, TRUE);
105
106		/* VP9 targets */
107	629	int found = 0;
108	629	janus_vp9_svc_info info;
109	629	janus_vp9_is_keyframe(payload, plen);
110	629	janus_vp9_parse_svc(payload, plen, &found, &info);
111
112		/* Free resources */
113
114	629	return 0;
115	642	}

Coverage Report

Created: 2025-07-12 06:53