# Fuzzer for libmedia_codecserviceregistrant

## Plugin Design Considerations
The fuzzer plugin for libmedia_codecserviceregistrant is designed based on an understanding of the library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libmedia_codecserviceregistrant supports the following parameters:
1. C2String (parameter name: `c2String`)
2. Width (parameter name: `width`)
3. Height (parameter name: `height`)
4. SamplingRate (parameter name: `samplingRate`)
5. Channels (parameter name: `channels`)
6. Stream (parameter name: `stream`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `c2String` | `String` | Value obtained from FuzzedDataProvider |
| `width` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |
| `height` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |
| `samplingRate` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |
| `channels` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |
| `stream` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the libmedia_codecserviceregistrant module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the codecServiceRegistrant_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
 $ mm -j$(nproc) codecServiceRegistrant_fuzzer
```
#### Steps to run

To run on device
```
 $ adb sync data
 $ adb shell /data/fuzz/${TARGET_ARCH}/codecServiceRegistrant_fuzzer/codecServiceRegistrant_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
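
The parameter selection described under "Maximize code coverage" and the input tolerance described under "Maximize utilization of input data", sketched as an added example that is not the project's fuzzer source. `CodecParams`, `ByteReader` and `deriveParams` are hypothetical names, and `ByteReader` is a simplified stand-in for FuzzedDataProvider with an assumed byte layout.

```cpp
// Added illustration, not the project's fuzzer source. ByteReader is a
// simplified stand-in for FuzzedDataProvider (assumed layout, not the real one).
#include <cstddef>
#include <cstdint>
#include <string>

struct CodecParams {  // the six parameters from the table above
    std::string c2String;
    uint32_t width, height, samplingRate, channels, stream;
};
class ByteReader {  // hypothetical helper
public:
    ByteReader(const uint8_t* data, size_t size) : p_(data), left_(size) {}
    // Little-endian uint32; missing bytes read as zero (no abort on short input).
    uint32_t u32() {
        uint32_t v = 0;
        for (int i = 0; i < 4 && left_ > 0; ++i, ++p_, --left_)
            v |= static_cast<uint32_t>(*p_) << (8 * i);
        return v;
    }
    // One length byte, then that many bytes, clamped to what is left.
    std::string str() {
        if (left_ == 0) return {};
        size_t n = *p_++; --left_;
        if (n > left_) n = left_;
        std::string s(reinterpret_cast<const char*>(p_), n);
        p_ += n; left_ -= n;
        return s;
    }
private:
    const uint8_t* p_;
    size_t left_;
};

// Same bytes in, same parameters out: no clock, RNG or global state.
CodecParams deriveParams(const uint8_t* data, size_t size) {
    ByteReader r(data, size);
    CodecParams p;
    p.c2String = r.str();
    p.width = r.u32();        p.height = r.u32();
    p.samplingRate = r.u32(); p.channels = r.u32();
    p.stream = r.u32();
    return p;
}
// libFuzzer entry point: never exit() on bad input, always return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    (void)deriveParams(data, size);  // a real harness passes these to the library
    return 0;
}
```

Because every value comes only from the input bytes, a crashing input saved by the fuzzer reproduces the same parameter set when replayed.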