/src/janus-gateway/fuzzers/rtcp_fuzzer.c
Line | Count | Source |
1 | | #include <stdint.h> |
2 | | #include <stddef.h> |
3 | | #include <stdlib.h> |
4 | | |
5 | | #include <glib.h> |
6 | | #include "../src/debug.h" |
7 | | #include "../src/rtcp.h" |
8 | | #include "../src/rtp.h" |
9 | | |
10 | | int janus_log_level = LOG_NONE; |
11 | | gboolean janus_log_timestamps = FALSE; |
12 | | gboolean janus_log_colors = FALSE; |
13 | | char *janus_log_global_prefix = NULL; |
14 | | int lock_debug = 0; |
15 | | |
16 | | /* This is to avoid linking with openSSL */ |
17 | 0 | int RAND_bytes(uint8_t *key, int len) { |
18 | 0 | return 0; |
19 | 0 | } |
20 | | |
21 | 1.28k | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
22 | | /* Sanity Checks */ |
23 | | /* Max UDP payload with MTU=1500 */ |
24 | 1.28k | if (size > 1472) return 0; |
25 | | /* libnice checks that a packet length is positive */ |
26 | 1.27k | if (size <= 0) return 0; |
27 | | /* Janus checks for a minimum COMPOUND packet length |
28 | | * and the RTP header type value */ |
29 | 1.27k | if (!janus_is_rtcp((char *)data, size)) return 0; |
30 | | /* libsrtp checks that an entire COMPOUND packet must |
31 | | * contain at least a full RTCP header */ |
32 | 1.25k | if (size < 8) return 0; |
33 | | |
34 | | /* Test context setup */ |
35 | | /* Do some copies of input data */ |
36 | 1.25k | uint8_t copy_data0[size], copy_data1[size], |
37 | 1.25k | copy_data2[size], copy_data3[size], |
38 | 1.25k | copy_data4[size], copy_data5[size]; |
39 | 1.25k | uint8_t *copy_data[6] = { copy_data0, copy_data1, |
40 | 1.25k | copy_data2, copy_data3, |
41 | 1.25k | copy_data4, copy_data5 }; |
42 | 1.25k | int idx, newlen; |
43 | 8.80k | for (idx=0; idx < 6; idx++) { |
44 | 7.54k | memcpy(copy_data[idx], data, size); |
45 | 7.54k | } |
46 | 1.25k | idx = 0; |
47 | | /* Create some void RTCP contexts */ |
48 | 1.25k | janus_rtcp_context ctx0, ctx1; |
49 | 1.25k | memset(&ctx0, 0, sizeof(janus_rtcp_context)); |
50 | 1.25k | memset(&ctx1, 0, sizeof(janus_rtcp_context)); |
51 | | |
52 | | /* Targets */ |
53 | | /* Functions that just read data */ |
54 | 1.25k | janus_rtcp_has_bye((char *)data, size); |
55 | 1.25k | janus_rtcp_has_fir((char *)data, size); |
56 | 1.25k | janus_rtcp_has_pli((char *)data, size); |
57 | 1.25k | janus_rtcp_get_receiver_ssrc((char *)data, size); |
58 | 1.25k | janus_rtcp_get_remb((char *)data, size); |
59 | 1.25k | janus_rtcp_get_sender_ssrc((char *)data, size); |
60 | | /* Functions that alter input data */ |
61 | 1.25k | janus_rtcp_cap_remb((char *)copy_data[idx++], size, 256000); |
62 | 1.25k | janus_rtcp_swap_report_blocks((char *)copy_data[idx++], size, 2); |
63 | 1.25k | janus_rtcp_fix_report_data((char *)copy_data[idx++], size, 2000, 1000, 2, 2, 2, TRUE); |
64 | 1.25k | janus_rtcp_fix_ssrc(&ctx0, (char *)copy_data[idx++], size, 1, 2, 2); |
65 | 1.25k | janus_rtcp_parse(&ctx1, (char *)copy_data[idx++], size); |
66 | 1.25k | janus_rtcp_remove_nacks((char *)copy_data[idx++], size); |
67 | | /* Functions that allocate new memory */ |
68 | 1.25k | char *output_data = janus_rtcp_filter((char *)data, size, &newlen); |
69 | 1.25k | GQueue *queue = g_queue_new(); |
70 | 1.25k | janus_rtcp_get_nacks((char *)data, size, queue); |
71 | | |
72 | | /* Free resources */ |
73 | 1.25k | g_free(output_data); |
74 | 1.25k | g_queue_free(queue); |
75 | 1.25k | return 0; |
76 | 1.25k | } |