# Fuzzer for libFraunhoferAAC decoder

## Plugin Design Considerations
The fuzzer plugin for aac decoder is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage

This fuzzer makes use of the following config parameters:
1. Transport type (parameter name: `TRANSPORT_TYPE`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `TRANSPORT_TYPE` | 0. `TT_UNKNOWN` 1. `TT_MP4_RAW` 2. `TT_MP4_ADIF` 3. `TT_MP4_ADTS` 4. `TT_MP4_LATM_MCP1` 5. `TT_MP4_LATM_MCP0` 6. `TT_MP4_LOAS` 7. `TT_DRM` | `TT_MP4_ADIF` |

Note: `TRANSPORT_TYPE` can be set to any of these values.
The fuzzer plugin sets it to `TT_MP4_ADIF`.

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec using a loop.
 * If the decode operation was successful, the input is advanced by an
   offset calculated using valid bytes.
 * If the decode operation was unsuccessful, the input is advanced by 1 byte
   till it reaches a valid frame or end of stream.

This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.
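
The feed loop described above, sketched as an added example (not the plugin's own source). `toy_decode_frame`, `feed_all` and the 0xA5 frame format are hypothetical stand-ins for the codec's decode call, so the loop can be run without the library.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the codec's decode call (NOT the libFraunhoferAAC
// API). Toy frame: 0xA5 sync byte, 1-byte payload length, then the payload.
static bool toy_decode_frame(const uint8_t* p, size_t avail, size_t* consumed) {
  if (avail < 2 || p[0] != 0xA5) return false;
  size_t len = p[1];
  if (len > avail - 2) return false;  // truncated frame: reject, never read past the end
  *consumed = 2 + len;                // always >= 2, so the caller makes progress
  return true;
}

struct FeedStats { size_t frames; size_t skipped; };

// The loop from the text: advance by the consumed byte count on success,
// by exactly one byte on failure, until the input is exhausted.
static FeedStats feed_all(const uint8_t* data, size_t size) {
  FeedStats st{0, 0};
  size_t off = 0;
  while (off < size) {
    size_t consumed = 0;
    if (toy_decode_frame(data + off, size - off, &consumed)) {
      off += consumed;
      ++st.frames;
    } else {
      ++off;
      ++st.skipped;
    }
  }
  return st;
}

// libFuzzer entry point: never exit() on bad input, always return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  feed_all(data, size);
  return 0;
}

// Constructed sample: junk byte, one valid frame (3-byte payload), truncated frame.
static const uint8_t kSample[] = {0x00, 0xA5, 0x03, 1, 2, 3, 0xA5, 0x09, 7};

// Stand-alone demo only; drop main() when linking against libFuzzer.
int main() {
  FeedStats st = feed_all(kSample, sizeof kSample);
  std::printf("frames=%zu skipped=%zu\n", st.frames, st.skipped);
  return 0;
}
```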

## Build

This describes steps to build aac_dec_fuzzer binary.

## Android

### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) aac_dec_fuzzer
```

### Steps to run
Create a directory CORPUS_DIR and copy some aac files to that folder.
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
```
To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_dec_fuzzer/aac_dec_fuzzer CORPUS_DIR
```

# Fuzzer for libFraunhoferAAC encoder

## Plugin Design Considerations
The fuzzer plugin for aac encoder is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

The following arguments are passed to `aacEncoder_SetParam` to set the respective `AACENC_PARAM` parameter:

| AACENC_PARAM param| Valid Values| Configured Value|
|-------------| ----- |----- |
|`AACENC_SBR_MODE` | `-1` `0` `1` `2` | Calculated using first byte of data |
|`AACENC_AOT` |`AOT_NONE` `AOT_NULL_OBJECT` `AOT_AAC_MAIN` `AOT_AAC_LC` `AOT_AAC_SSR` `AOT_AAC_LTP` `AOT_SBR` `AOT_AAC_SCAL` `AOT_TWIN_VQ` `AOT_CELP` `AOT_HVXC` `AOT_RSVD_10` `AOT_RSVD_11` `AOT_TTSI` `AOT_MAIN_SYNTH` `AOT_WAV_TAB_SYNTH` `AOT_GEN_MIDI` `AOT_ALG_SYNTH_AUD_FX` `AOT_ER_AAC_LC` `AOT_RSVD_18` `AOT_ER_AAC_LTP` `AOT_ER_AAC_SCAL` `AOT_ER_TWIN_VQ` `AOT_ER_BSAC` `AOT_ER_AAC_LD` `AOT_ER_CELP` `AOT_ER_HVXC` `AOT_ER_HILN` `AOT_ER_PARA` `AOT_RSVD_28` `AOT_PS` `AOT_MPEGS` `AOT_ESCAPE` `AOT_MP3ONMP4_L1` `AOT_MP3ONMP4_L2` `AOT_MP3ONMP4_L3` `AOT_RSVD_35` `AOT_RSVD_36` `AOT_AAC_SLS` `AOT_SLS` `AOT_ER_AAC_ELD` `AOT_USAC` `AOT_SAOC` `AOT_LD_MPEGS` `AOT_MP2_AAC_LC` `AOT_MP2_SBR` `AOT_DRM_AAC` `AOT_DRM_SBR` `AOT_DRM_MPEG_PS` `AOT_DRM_SURROUND` `AOT_DRM_USAC` | Calculated using second byte of data |
|`AACENC_SAMPLERATE` | `8000` `11025` `12000` `16000` `22050` `24000` `32000` `44100` `48000` `64000` `88200` `96000` | Calculated using third byte of data |
|`AACENC_BITRATE` | In range `8000` to `960000` | Calculated using fourth, fifth and sixth byte of data |
|`AACENC_CHANNELMODE` | `MODE_1` `MODE_2` `MODE_1_2` `MODE_1_2_1` `MODE_1_2_2` `MODE_1_2_2_1` `MODE_1_2_2_2_1` `MODE_6_1` `MODE_7_1_BACK` `MODE_7_1_TOP_FRONT` `MODE_7_1_REAR_SURROUND` `MODE_7_1_FRONT_CENTER` `MODE_212` | Calculated using seventh byte of data |
|`AACENC_TRANSMUX` | `TT_MP4_RAW` `TT_MP4_ADIF` `TT_MP4_ADTS` `TT_MP4_LATM_MCP1` `TT_MP4_LATM_MCP0` `TT_MP4_LOAS` `TT_DRM` | Calculated using eighth byte of data |
|`AACENC_SBR_RATIO` |`-1` `0` `1` `2` | Calculated using ninth byte of data |
|`AACENC_BITRATEMODE` |`AACENC_BR_MODE_INVALID` `AACENC_BR_MODE_CBR` `AACENC_BR_MODE_VBR_1` `AACENC_BR_MODE_VBR_2` `AACENC_BR_MODE_VBR_3` `AACENC_BR_MODE_VBR_4` `AACENC_BR_MODE_VBR_5` `AACENC_BR_MODE_FF` `AACENC_BR_MODE_SFR` | Calculated using thirty-fourth byte of data |
|`AACENC_GRANULE_LENGTH` |`120` `128` `240` `256` `480` `512` `1024` | Calculated using thirty-fifth byte of data |
|`AACENC_CHANNELORDER` |`CH_ORDER_MPEG` `CH_ORDER_WAV` | Calculated using thirty-sixth byte of data |
|`AACENC_AFTERBURNER` |`0` `1` | Calculated using thirty-seventh byte of data |
|`AACENC_BANDWIDTH` |`0` `1` | Calculated using thirty-eighth byte of data |
|`AACENC_IDX_PEAK_BITRATE` | In range `8000` to `960000` | Calculated using thirty-ninth byte of data |
|`AACENC_HEADER_PERIOD` |In range `0` to `255` | Calculated using fortieth byte of data |
|`AACENC_SIGNALING_MODE` |`-1` `0` `1` `2` `3` | Calculated using forty-first byte of data |
|`AACENC_TPSUBFRAMES` |In range `0` to `255` | Calculated using forty-second byte of data |
|`AACENC_AUDIOMUXVER` |`-1` `0` `1` `2` | Calculated using forty-third byte of data |
|`AACENC_PROTECTION` |`0` `1` | Calculated using forty-fourth byte of data |
|`AACENC_ANCILLARY_BITRATE` |In range `0` to `960000` | Calculated using forty-fifth byte of data |
|`AACENC_METADATA_MODE` |`0` `1` `2` `3` | Calculated using forty-sixth byte of data |

Following values are configured to set up the meta data represented by the class variable `mMetaData`:

| Variable name| Possible Values| Configured Value|
|------------- | ----- |----- |
| `drc_profile` | `AACENC_METADATA_DRC_NONE` `AACENC_METADATA_DRC_FILMSTANDARD` `AACENC_METADATA_DRC_FILMLIGHT` `AACENC_METADATA_DRC_MUSICSTANDARD` `AACENC_METADATA_DRC_MUSICLIGHT` `AACENC_METADATA_DRC_SPEECH` `AACENC_METADATA_DRC_NOT_PRESENT` | Calculated using tenth byte of data |
| `comp_profile` | `AACENC_METADATA_DRC_NONE` `AACENC_METADATA_DRC_FILMSTANDARD` `AACENC_METADATA_DRC_FILMLIGHT` `AACENC_METADATA_DRC_MUSICSTANDARD` `AACENC_METADATA_DRC_MUSICLIGHT` `AACENC_METADATA_DRC_SPEECH` `AACENC_METADATA_DRC_NOT_PRESENT` | Calculated using eleventh byte of data |
| `drc_TargetRefLevel` | In range `0` to `255` | Calculated using twelfth byte of data |
| `comp_TargetRefLevel` | In range `0` to `255` | Calculated using thirteenth byte of data |
| `prog_ref_level_present` | `0` `1` | Calculated using fourteenth byte of data |
| `prog_ref_level` | In range `0` to `255` | Calculated using fifteenth byte of data |
| `PCE_mixdown_idx_present` | `0` `1` | Calculated using sixteenth byte of data |
| `ETSI_DmxLvl_present` | `0` `1` | Calculated using seventeenth byte of data |
| `centerMixLevel` | In range `0` to `7` | Calculated using eighteenth byte of data |
| `surroundMixLevel` | In range `0` to `7` | Calculated using nineteenth byte of data |
| `dolbySurroundMode` | In range `0` to `2` | Calculated using twentieth byte of data |
| `drcPresentationMode` | In range `0` to `2` | Calculated using twenty-first byte of data |
| `extAncDataEnable` | `0` `1` | Calculated using twenty-second byte of data |
| `extDownmixLevelEnable` | `0` `1` | Calculated using twenty-third byte of data |
| `extDownmixLevel_A` | In range `0` to `7` | Calculated using twenty-fourth byte of data |
| `extDownmixLevel_B` | In range `0` to `7` | Calculated using twenty-fifth byte of data |
| `dmxGainEnable` | `0` `1` | Calculated using twenty-sixth byte of data |
| `dmxGain5` | In range `0` to `255` | Calculated using twenty-seventh byte of data |
| `dmxGain2` | In range `0` to `255` | Calculated using twenty-eighth byte of data |
| `lfeDmxEnable` | `0` `1` | Calculated using twenty-ninth byte of data |
| `lfeDmxLevel` | In range `0` to `15` | Calculated using thirtieth byte of data |

Indexes `mInBufferIdx_1`, `mInBufferIdx_2` and `mInBufferIdx_3` (in range `0` to `2`) are calculated using the thirty-first, thirty-second and thirty-third byte respectively.
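
One way to turn leading input bytes into always-valid settings, as an added example that is not the plugin's own code. The value ranges and byte positions come from the tables above; `EncConfig`, `pick`, `derive_config`, the modulo and range-folding arithmetic, and the rejection of short inputs are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Value sets from the tables above; the byte-to-value arithmetic below is assumed.
static const int kSbrModes[] = {-1, 0, 1, 2};
static const int kSampleRates[] = {8000, 11025, 12000, 16000, 22050, 24000,
                                   32000, 44100, 48000, 64000, 88200, 96000};
constexpr int kMinBitrate = 8000, kMaxBitrate = 960000;
constexpr size_t kHeaderBytes = 46;  // bytes 1..46 of the input carry configuration

struct EncConfig { int sbrMode, sampleRate, bitrate, afterburner; };

// Select a table entry from one byte; every byte value maps to a valid entry.
template <size_t N>
static int pick(const int (&table)[N], uint8_t b) { return table[b % N]; }

// Derive a configuration from the head of the fuzz input. Returns false when
// the input is too short for the header, so no byte is read out of bounds.
static bool derive_config(const uint8_t* d, size_t n, EncConfig* out) {
  if (n < kHeaderBytes) return false;
  out->sbrMode = pick(kSbrModes, d[0]);        // first byte
  out->sampleRate = pick(kSampleRates, d[2]);  // third byte
  // Fourth, fifth and sixth bytes form a 24-bit value folded into the valid range.
  uint32_t raw = (uint32_t(d[3]) << 16) | (uint32_t(d[4]) << 8) | d[5];
  out->bitrate = kMinBitrate + int(raw % (kMaxBitrate - kMinBitrate + 1));
  out->afterburner = d[36] & 1;                // thirty-seventh byte
  return true;
}

// Constructed sample header: only the first six bytes are non-zero.
static const uint8_t kSample[kHeaderBytes] = {5, 0, 19, 0xFF, 0xFF, 0xFF};

int main() {
  EncConfig c{};
  if (derive_config(kSample, sizeof kSample, &c))
    std::printf("sbr=%d rate=%d bitrate=%d afterburner=%d\n", c.sbrMode,
                c.sampleRate, c.bitrate, c.afterburner);
  return 0;
}
```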

##### Maximize utilization of input data
The plugin feeds the entire input data to the codec and continues with the encoding even on a failure. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc.) and doesn't `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.

## Build

This describes steps to build aac_enc_fuzzer binary.

## Android

### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) aac_enc_fuzzer
```

### Steps to run
Create a directory CORPUS_DIR and copy some raw files to that folder.
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR
```
To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/aac_enc_fuzzer/aac_enc_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
