1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fstream>
18 #include <memory>
19 #include <stddef.h>
20 #include <stdint.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <string>
24 #include <sys/types.h>
25 #include <unistd.h>
26 #include "audio_utils/sndfile.h"
27 #include <android-base/scopeguard.h>
28
29 #define MAX_BUFFER_SIZE 0x00005000
30 #define MAX_FRAME_READ_COUNT 100
31 #define MAX_FRAME_COUNT 1000
32
33 #ifdef SNDFILE_FUZZER_HOST
34 // the path is located in shared memory, so it can accelerate fuzzing on host
35 // however, the path is not supported on device
36 #define TEMP_DATA_PATH "/dev/shm/sndfile_fuzzer.tmp"
37 #else
38 #define TEMP_DATA_PATH "/data/local/tmp/sndfile_fuzzer.tmp"
39 #endif
40
41 // create a unique path so that the fuzzer can be run parallelly
getUniquePath()42 std::string getUniquePath() {
43 pid_t pid = getpid();
44 std::string unique_path = TEMP_DATA_PATH + std::to_string(pid);
45 return unique_path;
46 }
47
parseValue(const uint8_t * src,int index,void * dst,size_t size)48 int parseValue(const uint8_t *src, int index, void *dst, size_t size) {
49 memcpy(dst, &src[index], size);
50 return size;
51 }
52
getSizeByType(uint32_t input_format)53 size_t getSizeByType(uint32_t input_format) {
54 switch (input_format) {
55 case 0: return sizeof(short);
56 case 1: return sizeof(int);
57 case 2: return sizeof(float);
58 default: return sizeof(short);
59 }
60 }
61
sfReadfWithType(uint32_t input_format,SNDFILE * handle,const void * ptr,sf_count_t desired)62 sf_count_t sfReadfWithType(uint32_t input_format, SNDFILE *handle,
63 const void *ptr, sf_count_t desired) {
64 switch (input_format) {
65 case 0: return sf_readf_short(handle, (short *)ptr, desired);
66 case 1: return sf_readf_int(handle, (int *)ptr, desired);
67 case 2: return sf_readf_float(handle, (float *)ptr, desired);
68 default: return 0;
69 }
70 }
71
72 // the corpus of this fuzzer is generated by :
73 // printf "\x01\x00\x00\x00\x01\x00\x00\x00" | \
74 // cat - 2020_06_10_15_56_20.wav > merged_corpus
LLVMFuzzerTestOneInput(const uint8_t * bytes,size_t size)75 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size) {
76 uint32_t desired_frame_count = 1;
77 uint32_t input_format = 0;
78
79 size_t metadata_size = sizeof(desired_frame_count) + sizeof(input_format);
80 if (size < metadata_size) {
81 return 0;
82 }
83
84 int idx = 0;
85 idx +=
86 parseValue(bytes, idx, &desired_frame_count, sizeof(desired_frame_count));
87 idx += parseValue(bytes, idx, &input_format, sizeof(input_format));
88
89 desired_frame_count %= MAX_FRAME_READ_COUNT;
90 input_format %= 3;
91
92 // write bytes to a file
93 std::string path = getUniquePath();
94 std::ofstream file;
95 file.open(path.c_str(), std::ios::trunc | std::ios::binary | std::ios::out);
96 if (!file.is_open()) {
97 return 0;
98 }
99
100 file.write((char *)(bytes + idx), size - idx);
101 file.close();
102 // ensure file is unlinked after use
103 auto scope_guard =
104 android::base::make_scope_guard([path] { remove(path.c_str()); });
105
106 SF_INFO info;
107 // when format is set to zero, all other field are filled in by the lib
108 info.format = 0;
109 std::unique_ptr<SNDFILE, decltype(&sf_close)> handle(
110 sf_open(path.c_str(), SFM_READ, &info), &sf_close);
111
112 if (handle == nullptr) {
113 return 0;
114 }
115
116 // sndfile support three different data types to read regardless the original
117 // data type in file. the library handles the data conversion. The size of
118 // input is parsed from file; malloc buffer by the size is risky, but it
119 // cannot be fuzzed at this level. Here, we only ensure the read APIs does not
120 // write memory outside the buffer.
121 size_t input_size =
122 getSizeByType(input_format) * desired_frame_count * info.channels;
123
124 if (input_size > MAX_BUFFER_SIZE) {
125 return 0;
126 }
127
128 void *dst_buffer = malloc(input_size);
129 if (dst_buffer == nullptr) {
130 return 0;
131 }
132
133 sf_count_t read_frame_count = 0;
134 sf_count_t frame_count = 0;
135 do {
136 read_frame_count = sfReadfWithType(input_format, handle.get(), dst_buffer,
137 desired_frame_count);
138 frame_count += read_frame_count;
139 } while (read_frame_count > 0 && frame_count < MAX_FRAME_COUNT);
140 free(dst_buffer);
141
142 return 0;
143 }