1 #include <stdint.h>
2 #include <stddef.h>
3 #include <stdlib.h>
4
5 #include <glib.h>
6 #include "../debug.h"
7 #include "../utils.h"
8 #include "../rtp.h"
9
/* Globals defined by the harness itself. Nothing in this file reads them;
 * presumably the included Janus headers (debug.h and friends) declare them
 * extern and expect the final program to supply the definitions. */

/* Logging is switched off entirely (LOG_NONE) */
int janus_log_level = LOG_NONE;
/* No timestamps and no colours in log lines */
gboolean janus_log_timestamps = FALSE;
gboolean janus_log_colors = FALSE;
/* No global log prefix */
char *janus_log_global_prefix = NULL;

/* Lock debugging disabled */
int lock_debug = 0;
15
/* Stand-in for OpenSSL's RAND_bytes() so the harness links without OpenSSL.
 *
 * The stub ignores both arguments, never writes to key and always returns 0.
 * NOTE(review): OpenSSL's RAND_bytes() returns 1 on success, so any caller
 * that checks the result sees a failure here, and a caller that does not
 * check keeps whatever was in its buffer. Confirm that this is what the code
 * linked into the harness should see. */
int RAND_bytes(uint8_t *key, int len) {
	(void)key;
	(void)len;
	return 0;
}
20
/* Local copy of libsrtp's srtp_validate_rtp_header().
 *
 * The fuzz target uses it as a length gate before handing the packet to the
 * Janus parsers, so that only packets which pass the same header checks as
 * libsrtp's are fuzzed. Keep it in step with the libsrtp original: a looser
 * copy produces findings on packets libsrtp would have dropped, a stricter
 * one hides reachable inputs. */
#define octets_in_rtp_header 12
#define uint32s_in_rtp_header 3
#define octets_in_rtp_extn_hdr 4

/* Check that pkt_octet_len covers the RTP header that data describes.
 *
 * data           start of the packet, read as a janus_rtp_header
 * pkt_octet_len  number of bytes available at data
 *
 * Returns 0 when the fixed header, the CSRC list and (if the extension bit
 * is set) the extension header plus its body all fit, -1 otherwise. */
static int srtp_validate_rtp_header(char *data, int pkt_octet_len) {
	/* The fixed header must be complete before any of its fields is read */
	if (pkt_octet_len < octets_in_rtp_header) {
		return -1;
	}

	janus_rtp_header *hdr = (janus_rtp_header *)data;
	const int has_extension = (hdr->extension == 1);

	/* Fixed header, 4 bytes per CSRC entry, and the extension header if any */
	int rtp_header_len = octets_in_rtp_header + 4 * hdr->csrccount;
	if (has_extension) {
		rtp_header_len += octets_in_rtp_extn_hdr;
	}
	if (pkt_octet_len < rtp_header_len) {
		return -1;
	}
	if (!has_extension) {
		return 0;
	}

	/* The extension header sits right after the CSRC list; the check above
	 * guarantees it is inside the packet before its length field is read */
	janus_rtp_header_extension *xtn_hdr =
		(janus_rtp_header_extension *)((uint32_t *)hdr + uint32s_in_rtp_header +
			hdr->csrccount);

	/* The length field counts 32-bit words; ntohs() yields at most 65535,
	 * so the sum stays well inside the range of int */
	rtp_header_len += ntohs(xtn_hdr->length) * 4;
	return (pkt_octet_len < rtp_header_len) ? -1 : 0;
}
53
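/* libFuzzer entry point for the Janus RTP parsers.
 *
 * data, size  the fuzzer-generated packet; libFuzzer requires that the
 *             target leaves this buffer unmodified
 *
 * The packet first has to pass the same gates the comments below attribute
 * to the production path (MTU bound, libnice, janus_is_rtp, libsrtp header
 * validation). Only then is it fed to the header-extension parsers and the
 * H.264 / VP8 / VP9 payload helpers. Always returns 0, as libFuzzer expects;
 * findings surface as sanitizer reports or crashes, not as return values. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	/* Sanity Checks */
	/* Max UDP payload with MTU=1500 */
	if (size > 1472) return 0;
	/* libnice checks that a packet length is positive
	 * (size is unsigned, so the only non-positive value is 0) */
	if (size == 0) return 0;
	/* Janus checks for a minimum packet length
	 * and the RTP header type value */
	if (!janus_is_rtp((char *)data, size)) return 0;
	/* Do same checks that libsrtp does */
	if (srtp_validate_rtp_header((char *)data, size) < 0) return 0;

	/* RTP extensions parsers, all invoked with extension id 1.
	 * They receive the fuzzer input with const cast away.
	 * NOTE(review): presumably they only read from it; confirm. */
	char sdes_item[16];
	guint16 transport_seq_num;
	janus_rtp_header_extension_parse_audio_level((char *)data, size, 1, NULL, NULL);
	janus_rtp_header_extension_parse_playout_delay((char *)data, size, 1, NULL, NULL);
	janus_rtp_header_extension_parse_rid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
	janus_rtp_header_extension_parse_mid((char *)data, size, 1, sdes_item, sizeof(sdes_item));
	janus_rtp_header_extension_parse_transport_wide_cc((char *)data, size, 1, &transport_seq_num);
	janus_rtp_header_extension_parse_abs_sent_time((char *)data, size, 1, NULL);

	/* Extract codec payload */
	int plen = 0;
	char *payload = janus_rtp_payload((char *)data, size, &plen);
	/* A variable-length array needs a bound greater than zero, and a negative
	 * plen would become a huge size_t in memcpy(). Stop here rather than let
	 * undefined behaviour in the harness pass for a finding in Janus.
	 * NOTE(review): janus_rtp_payload() may already rule out plen <= 0, in
	 * which case this guard never fires; confirm against rtp.c. */
	if (!payload || plen <= 0) return 0;
	/* Make a copy of payload: the VP8 descriptor update below gets a scratch
	 * buffer instead of the const fuzzer input (presumably because it rewrites
	 * the descriptor in place). The copy is sized to exactly plen, so an
	 * access past the payload is not hidden by slack space in the buffer. */
	char copy_payload[plen];
	memcpy(copy_payload, payload, plen);

	/* H.264 targets */
	janus_h264_is_keyframe(payload, plen);

	/* VP8 targets */
	uint16_t picid = 0;
	uint8_t tlzi = 0, tid = 0, ybit = 0, keyidx = 0;
	janus_vp8_simulcast_context vp8_context;
	memset(&vp8_context, 0, sizeof(janus_vp8_simulcast_context));
	janus_vp8_is_keyframe(payload, plen);
	janus_vp8_parse_descriptor(payload, plen, &picid, &tlzi, &tid, &ybit, &keyidx);
	janus_vp8_simulcast_descriptor_update(copy_payload, plen, &vp8_context, TRUE);

	/* VP9 targets */
	int found = 0;
	janus_vp9_svc_info info;
	janus_vp9_is_keyframe(payload, plen);
	janus_vp9_parse_svc(payload, plen, &found, &info);

	/* Nothing to free: every buffer used above has automatic storage */
	return 0;
}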
107