# Fuzzer for libvorbis decoder

## Plugin Design Considerations

The fuzzer plugin for Vorbis is designed based on the understanding of the
codec and tries to achieve the following:

##### Maximize code coverage

A dictionary file (dict file) is created for vorbis to ensure that the required start
bytes are present in every input file that goes to the fuzzer.
This ensures that the decoder does not reject an input file in its first check.

##### Maximize utilization of input data

The plugin feeds the entire input data to the codec in a loop until the desired headers
(`01vorbis`, `05vorbis`) are parsed.
After that, the remaining data is passed at once to the decoder.
The frame size in Vorbis is determined only after a call to the extractor, so in the absence of such a call
we feed the entire remaining data to the decoder.

This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc.)
and doesn't `exit()` on any input, thereby increasing the chance of identifying vulnerabilities.

## Build

This describes the steps to build the vorbis_dec_fuzzer binary.

### Android

#### Steps to build

Build the fuzzer:
```
  $ mm -j$(nproc) vorbis_dec_fuzzer
```

#### Steps to run

Create a directory CORPUS_DIR and copy some vorbis files to that folder.
Push this directory to the device.

To run on device:
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/vorbis_dec_fuzzer/vorbis_dec_fuzzer CORPUS_DIR
```
To run on host:
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/vorbis_dec_fuzzer/vorbis_dec_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
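The two-phase feeding strategy from "Maximize utilization of input data" (chunked feeding until the `01vorbis` and `05vorbis` headers have been parsed, then the remainder in one call) can be modelled in a few lines of C. The program below is an added illustration and is not the fuzzer's own source: instead of calling libvorbis it uses a stand-in header scanner that only looks for the one-byte packet type followed by `vorbis`, the chunk size `chunk` is an arbitrary parameter, and `kSample` is a constructed byte buffer, not a real Vorbis stream. It also shows the tolerance property: empty or header-less input simply drains the loop without any `exit()`.

```c
/* Model of the header-then-body feeding loop used by the vorbis fuzzer plugin.
 * Added example, not the plugin's code: the "decoder" here only recognises
 * the <type>"vorbis" markers; a real harness hands each chunk to libvorbis. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VORBIS_MAGIC_LEN 7   /* one packet-type byte + "vorbis" */

typedef struct {
    int    saw_ident;     /* 0x01 "vorbis" (identification header) parsed */
    int    saw_setup;     /* 0x05 "vorbis" (setup header) parsed */
    size_t header_calls;  /* chunks fed while looking for the headers */
    size_t header_bytes;  /* bytes consumed in that phase */
    size_t body_bytes;    /* bytes handed to the decoder in the final call */
} feed_stats;

/* Does buf[pos..] start with <type>"vorbis"? Bounds-checked so that a
 * truncated marker at the end of the data is simply not a match. */
static int header_at(const uint8_t *buf, size_t len, size_t pos, uint8_t type) {
    return pos < len && len - pos >= VORBIS_MAGIC_LEN && buf[pos] == type &&
           memcmp(buf + pos + 1, "vorbis", VORBIS_MAGIC_LEN - 1) == 0;
}

/* Phase 1: feed `chunk` bytes at a time until both headers have been seen.
 * Phase 2: pass whatever is left in a single call (0 bytes if the input
 * ran out first). Any input size, including 0, terminates normally. */
feed_stats feed_input(const uint8_t *data, size_t size, size_t chunk) {
    feed_stats st = {0, 0, 0, 0, 0};
    size_t fed = 0;
    if (chunk == 0) chunk = 1;

    while (fed < size && !(st.saw_ident && st.saw_setup)) {
        size_t n = (size - fed < chunk) ? size - fed : chunk;
        /* Re-scan the last 6 bytes of the previous chunk so a marker that
         * straddles a chunk boundary is still found, as a real packet
         * parser that accumulates bytes would. */
        size_t scan_from = fed >= VORBIS_MAGIC_LEN - 1 ? fed - (VORBIS_MAGIC_LEN - 1) : 0;
        fed += n;
        st.header_calls++;
        st.header_bytes += n;
        for (size_t i = scan_from; i < fed; i++) {
            if (header_at(data, fed, i, 0x01)) st.saw_ident = 1;
            if (header_at(data, fed, i, 0x05)) st.saw_setup = 1;
        }
    }
    st.body_bytes = size - fed;   /* remaining data goes to the decoder at once */
    return st;
}

/* Constructed sample: three 16-byte "header packets" followed by 8 body bytes.
 * Not a valid Vorbis stream; only the markers matter to this model. */
static const uint8_t kSample[] = {
    0x01, 'v','o','r','b','i','s', 0,0,0,0,0,0,0,0,0,   /* identification */
    0x03, 'v','o','r','b','i','s', 0,0,0,0,0,0,0,0,0,   /* comment */
    0x05, 'v','o','r','b','i','s', 0,0,0,0,0,0,0,0,0,   /* setup */
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22      /* "audio" body */
};

static void report(const char *label, feed_stats s) {
    printf("%s: ident=%d setup=%d header_calls=%zu header_bytes=%zu body_bytes=%zu\n",
           label, s.saw_ident, s.saw_setup, s.header_calls, s.header_bytes, s.body_bytes);
}

int main(void) {
    report("chunked (10-byte chunks)", feed_input(kSample, sizeof kSample, 10));
    report("single oversized chunk ", feed_input(kSample, sizeof kSample, 1000));
    report("empty input            ", feed_input(kSample, 0, 10));
    report("body only, no headers  ", feed_input(kSample + 48, 8, 10));
    return 0;
}
```

With 10-byte chunks the loop stops after the fourth chunk (40 bytes), because the setup marker at offset 32 is visible by then, and the remaining 16 bytes are passed as the body; the header-less and empty cases show the loop draining to the end with a zero-length body rather than aborting.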