New method to be fuzzed in rtp_fuzzer. Add a couple of crash files fo…

…r RTP. Specify crash file as the second argument of run.sh
3dEYE · Mar 15, 2019 · b945f76 · b945f76
1 parent f154a43
commit b945f76
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/...rs/corpora/rtp_fuzzer/1meetecho/rtp_fuzzer-crash-6182bab7f385f555b8503bd8ebbb344722dcb7fe b/...rs/corpora/rtp_fuzzer/1meetecho/rtp_fuzzer-crash-6182bab7f385f555b8503bd8ebbb344722dcb7fe
diff --git a/...rs/corpora/rtp_fuzzer/1meetecho/rtp_fuzzer-crash-b1bc002713327153b0fa53f64015df8526fe5279 b/...rs/corpora/rtp_fuzzer/1meetecho/rtp_fuzzer-crash-b1bc002713327153b0fa53f64015df8526fe5279
diff --git a/fuzzers/rtp_fuzzer.c b/fuzzers/rtp_fuzzer.c
@@ -62,6 +62,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	janus_rtp_header_extension_parse_audio_level((char *)data, size, 1, NULL);
 	janus_rtp_header_extension_parse_playout_delay((char *)data, size, 1, NULL, NULL);
 	janus_rtp_header_extension_parse_rtp_stream_id((char *)data, size, 1, sdes_item, sizeof(sdes_item));
+	janus_rtp_header_extension_parse_mid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
 	janus_rtp_header_extension_parse_transport_wide_cc((char *)data, size, 1, &transport_seq_num);
 
 	/* Extract codec payload */

diff --git a/fuzzers/run.sh b/fuzzers/run.sh
@@ -3,6 +3,7 @@
 set -eu
 
 TARGET=${1:-"rtcp_fuzzer"}
+CRASH_FILE=${2:-""}
 HALF_NCORES=$(expr $(nproc) / 2)
 HALF_NCORES=$(($HALF_NCORES > 0 ? $HALF_NCORES : 1))
 JOBS=${JOBS:-${HALF_NCORES}}
@@ -20,8 +21,13 @@ if [ -f "${TARGET}_seed_corpus.zip" ]; then
 	unzip -oq "$TARGET"_seed_corpus.zip -d "$TARGET"_seed_corpus
 fi
 # Use -max_len=65535 for network protocols
-ASAN_OPTIONS=detect_leaks=1 ./$TARGET -artifact_prefix="./$TARGET-" -print_final_stats=0 -print_corpus_stats=0 -print_coverage=0 -jobs=${JOBS} -workers=${WORKERS} "$TARGET"_corpus "$TARGET"_seed_corpus
-# tail -f fuzz*.log
+if [ -z "$CRASH_FILE" ]; then
+	ASAN_OPTIONS=detect_leaks=1 ./$TARGET -artifact_prefix="./$TARGET-" -print_final_stats=0 -print_corpus_stats=0 -print_coverage=0 -jobs=${JOBS} -workers=${WORKERS} "$TARGET"_corpus "$TARGET"_seed_corpus
+	# tail -f fuzz*.log
+else
+	# rerun to reproduce with a supplied crash file
+	./$TARGET $CRASH_FILE
+fi
 
 # run standalone fuzzer or libFuzzer without fuzzing (regression testing)
 # ASAN_OPTIONS=detect_leaks=1 ./$TARGET "$TARGET"_seed_corpus/*
@@ -34,9 +40,6 @@ ASAN_OPTIONS=detect_leaks=1 ./$TARGET -artifact_prefix="./$TARGET-" -print_final
 # dump crashing pattern
 # hexdump -C "$TARGET"-crash-458003b01372ea8ae6456f86da40d3b1d32d905d
 
-# rerun to reproduce
-# ./$TARGET "$TARGET"-crash-458003b01372ea8ae6456f86da40d3b1d32d905d
-
 # rerun with GDB to reproduce and debug
 # ASAN_OPTIONS=abort_on_error=1 gdb --args ./$TARGET "$TARGET"-crash-458003b01372ea8ae6456f86da40d3b1d32d905d