• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Fuzzer for libstagefright_m4vh263dec decoder
2
3## Plugin Design Considerations
4The fuzzer plugin for MPEG4/H263 is designed based on the understanding of the
5codec and tries to achieve the following:
6
7##### Maximize code coverage
8Dict files (dictionary files) are created for MPEG4 and H263 to ensure that the required start
9bytes are present in every input file that goes to the fuzzer.
10This ensures that decoder does not reject any input file in the first check
11
12##### Maximize utilization of input data
13The plugin feeds the entire input data to the codec using a loop.
14 * If the decode operation was successful, the input is advanced by the number of bytes consumed
15   in the decode call.
16 * If the decode operation was un-successful, the input is advanced by 1 byte so that the fuzzer
17   can proceed to feed the next frame.
18
19This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc)
20and doesnt `exit()` on any input and thereby increasing the chance of identifying vulnerabilities.
21
22##### Other considerations
23 * Two fuzzer binaries - mpeg4_dec_fuzzer and h263_dec_fuzzer are generated based on the presence
24   of a flag - 'MPEG4'
25 * The number of decode calls are kept to a maximum of 100 so that the fuzzer does not timeout.
26
27## Build
28
29This describes steps to build mpeg4_dec_fuzzer and h263_dec_fuzzer binary.
30
31### Android
32#### Steps to build
33Build the fuzzer
34```
35  $ mm -j$(nproc) mpeg4_dec_fuzzer
36  $ mm -j$(nproc) h263_dec_fuzzer
37```
38
39#### Steps to run
40Create a directory CORPUS_DIR and copy some MPEG4 or H263 files to that folder
41Push this directory to device.
42
43To run on device
44```
45  $ adb sync data
46  $ adb shell /data/fuzz/arm64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR
47  $ adb shell /data/fuzz/arm64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR
48```
49To run on host
50```
51  $ $ANDROID_HOST_OUT/fuzz/x86_64/mpeg4_dec_fuzzer/mpeg4_dec_fuzzer CORPUS_DIR
52  $ $ANDROID_HOST_OUT/fuzz/x86_64/h263_dec_fuzzer/h263_dec_fuzzer CORPUS_DIR
53```
54
55# Fuzzer for libstagefright_m4vh263enc encoder
56
57## Plugin Design Considerations
58The fuzzer plugin for MPEG4/H263 is designed based on the understanding of the
59codec and tries to achieve the following:
60
61##### Maximize code coverage
62The configuration parameters are not hardcoded, but instead selected based on
63incoming data. This ensures more code paths are reached by the fuzzer.
64
65MPEG4/H263 supports the following parameters:
661. Frame Width (parameter name: `encWidth`)
672. Frame Height (parameter name: `encHeight`)
683. Rate control mode (parameter name: `rcType`)
694. Number of bytes per packet (parameter name: `packetSize`)
705. Qp for I-Vop(parameter name: `iQuant`)
716. Qp for P-Vop (parameter name: `pQuant`)
727. Enable RVLC mode (parameter name: `rvlcEnable`)
738. Quantization mode (parameter name: `quantType`)
749. Disable frame skipping (parameter name: `noFrameSkipped`)
7510. Enable scene change detection (parameter name: `sceneDetect`)
7611. Number of intra MBs in P-frame(parameter name: `numIntraMB`)
7712. Search range of ME (parameter name: `searchRange`)
7813. Enable 8x8 ME and MC (parameter name: `mv8x8Enable`)
7914. Enable AC prediction (parameter name: `useACPred`)
8015. Threshold for intra DC VLC (parameter name: `intraDCVlcTh`)
8116. Encoding Mode (parameter name: `encMode`)
82
83| Parameter| Valid Values| Configured Value|
84|------------- |-------------| ----- |
85| `rcType` | 0. `CONSTANT_Q` 1. `CBR_1` 2. `VBR_1` 3. `CBR_2` 4. `VBR_2` 5. `CBR_LOWDELAY` | All the bits of 6th byte of data modulus 6 |
86| `packetSize` | In the range `0 to 255` | All the bits of 7th byte of data |
87| `iQuant` | In the range `1 to 31` | All the bits of 8th byte of data |
88| `pQuant` | In the range `1 to 31` | All the bits of 9th byte of data |
89| `rvlcEnable` | 0. `PV_OFF` 1. `PV_ON` | bit 0 of 10th byte of data |
90| `quantType` | 0. `0` 1. `1` | bit 0 of 11th byte of data |
91| `noFrameSkipped` | 0. `PV_OFF` 1. `PV_ON` | bit 0 of 12th byte of data |
92| `sceneDetect` | 0. `PV_OFF` 1. `PV_ON` | bit 0 of 13th byte of data |
93| `numIntraMB` | In the range `0 to 7` | bit 0, 1 and 2 of 14th byte of data |
94| `searchRange` | In the range `0 to 31` | bit 0, 1, 2, 3 and 4 of 15th byte of data |
95| `mv8x8Enable` | 0. `PV_OFF` 1. `PV_ON` | bit 0 of 16th byte of data |
96| `useACPred` | 0. `PV_OFF` 1. `PV_ON` | bit 0 of 17th byte of data |
97| `intraDCVlcTh` | In the range `0 to 7` | bit 0, 1 and 2 of 18th byte of data |
98
99Following parameters are only for mpeg4_enc_fuzzer
100
101| Parameter| Valid Values| Configured Value|
102|------------- |-------------| ----- |
103| `encWidth` | In the range `0 to 10239` | All the bits of 1st and 2nd byte of data |
104| `encHeight` | In the range `0 to 10239` | All the bits of 3rd and 4th byte of data |
105| `encMode` | 0. `H263_MODE` 1. `H263_MODE_WITH_ERR_RES` 2. `DATA_PARTITIONING_MODE` 3. `COMBINE_MODE_NO_ERR_RES` 4. `COMBINE_MODE_WITH_ERR_RES` | All the bits of 19th byte of data modulus 5 |
106
107Following parameters are only for h263_enc_fuzzer
108
109| Parameter| Valid Values| Configured Value|
110|------------- |-------------| ----- |
111| `encWidth` | 0. `128` 1. `176` 2. `352` 3. `704` 4. `1408` | All the bits of 1st byte of data modulus 5|
112| `encHeight` | 0. `96` 1. `144` 2. `288` 3. `576` 4. `1152 ` | All the bits of 3rd byte of data modulus 5|
113| `encMode` | 0. `SHORT_HEADER` 1. `SHORT_HEADER_WITH_ERR_RES` | All the bits of 19th byte of data modulus 2 |
114
115This also ensures that the plugin is always deterministic for any given input.
116
117##### Maximize utilization of input data
118The plugin feeds the entire input data to the codec using a loop.
119If the encode operation was successful, the input is advanced by the frame size.
120If the encode operation was un-successful, the input is still advanced by frame size so
121that the fuzzer can proceed to feed the next frame.
122
123This ensures that the plugin tolerates any kind of input (empty, huge,
124malformed, etc) and doesnt `exit()` on any input and thereby increasing the
125chance of identifying vulnerabilities.
126
127## Build
128
129This describes steps to build mpeg4_enc_fuzzer and h263_enc_fuzzer binary.
130
131### Android
132
133#### Steps to build
134Build the fuzzer
135```
136  $ mm -j$(nproc) mpeg4_enc_fuzzer
137  $ mm -j$(nproc) h263_enc_fuzzer
138```
139
140#### Steps to run
141Create a directory CORPUS_DIR and copy some yuv files to that folder
142Push this directory to device.
143
144To run on device
145```
146  $ adb sync data
147  $ adb shell /data/fuzz/arm64/m4v_h263_enc_fuzzer/m4v_h263_enc_fuzzer CORPUS_DIR
148  $ adb shell /data/fuzz/arm64/h263_enc_fuzzer/h263_enc_fuzzer CORPUS_DIR
149```
150To run on host
151```
152  $ $ANDROID_HOST_OUT/fuzz/x86_64/mpeg4_enc_fuzzer/mpeg4_enc_fuzzer CORPUS_DIR
153  $ $ANDROID_HOST_OUT/fuzz/x86_64/h263_enc_fuzzer/h263_enc_fuzzer CORPUS_DIR
154```
155
156## References:
157 * http://llvm.org/docs/LibFuzzer.html
158 * https://github.com/google/oss-fuzz
159