Add fuzzers for 'cenc' and 'cbcs' decryption functions

BUG=658026 TEST=new fuzzers run Change-Id: I8251f3b77a561985f626e079cecd18a756cca240 Reviewed-on: https://chromium-review.googlesource.com/1067494 Commit-Queue: John Rummell <jrummell@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Cr-Commit-Position: refs/heads/master@{#561320}

Add fuzzers for 'cenc' and 'cbcs' decryption functions
BUG=658026 TEST=new fuzzers run Change-Id: I8251f3b77a561985f626e079cecd18a756cca240 Reviewed-on: https://chromium-review.googlesource.com/1067494 Commit-Queue: John Rummell <jrummell@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Cr-Commit-Position: refs/heads/master@{#561320}
fb38830c · John Rummell · Commit Bot · fcadaceb · fb38830c · fb38830c
Commit fb38830c authored May 24, 2018 by John Rummell Committed by Commit Bot May 24, 2018
Showing with 163 additions and 0 deletions

media/BUILD.gn media/BUILD.gn +22 -0

media/cdm/cbcs_decryptor_fuzzer.cc media/cdm/cbcs_decryptor_fuzzer.cc +75 -0

media/cdm/cenc_decryptor_fuzzer.cc media/cdm/cenc_decryptor_fuzzer.cc +66 -0

No files found.
--- a/media/BUILD.gn
+++ b/media/BUILD.gn
@@ -353,6 +353,28 @@ fuzzer_test("media_webm_muxer_fuzzer") {
  ]
 }
+fuzzer_test("cbcs_decryptor_fuzzer") {
+  sources = [
+    "cdm/cbcs_decryptor_fuzzer.cc",
+  ]
+  deps = [
+    ":media",
+    "//base",
+    "//crypto",
+  ]
+}
+fuzzer_test("cenc_decryptor_fuzzer") {
+  sources = [
+    "cdm/cenc_decryptor_fuzzer.cc",
+  ]
+  deps = [
+    ":media",
+    "//base",
+    "//crypto",
+  ]
+}
 if (proprietary_codecs) {
  fuzzer_test("media_mp4_avcc_parser_fuzzer") {
    sources = [

--- a/media/cdm/cbcs_decryptor_fuzzer.cc
+++ b/media/cdm/cbcs_decryptor_fuzzer.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <stdint.h>
+#include <array>
+#include <memory>
+#include <string>
+#include <vector>
+#include "crypto/symmetric_key.h"
+#include "media/base/decoder_buffer.h"
+#include "media/base/encryption_pattern.h"
+#include "media/base/subsample_entry.h"
+#include "media/cdm/cbcs_decryptor.h"
+const std::array<uint8_t, 16> kKey = {0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+                                      0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+                                      0x10, 0x11, 0x12, 0x13};
+const std::array<uint8_t, 16> kIv = {0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+                                     0x26, 0x27, 0x00, 0x00, 0x00, 0x00,
+                                     0x00, 0x00, 0x00, 0x00};
+// For disabling noisy logging.
+struct Environment {
+  Environment() { logging::SetMinLogLevel(logging::LOG_FATAL); }
+};
+Environment* env = new Environment();
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // From the data provided:
+  // 1) Use the first byte to determine how much of the buffer is "clear".
+  // 2) Use the second byte to determine the pattern.
+  // 3) Rest of the buffer is the input data (which must be at least 1 byte).
+  // So the input buffer needs at least 3 bytes.
+  if (size < 3)
+    return 0;
+  const uint8_t clear_bytes = data[0];
+  const uint8_t encryption_pattern = data[1];
+  data += 2;
+  size -= 2;
+  static std::unique_ptr<crypto::SymmetricKey> key =
+      crypto::SymmetricKey::Import(
+          crypto::SymmetricKey::AES,
+          std::string(std::begin(kKey), std::end(kKey)));
+  // |clear_bytes| is used to determine how much of the buffer is "clear".
+  // Since the code checks SubsampleEntries, use |clear_bytes| as the actual
+  // number of bytes clear, and the rest as encrypted. To avoid size_t problems,
+  // only set |subsamples| if |clear_bytes| <= |size|. If |subsamples| is
+  // empty, the complete buffer is treated as encrypted.
+  std::vector<media::SubsampleEntry> subsamples;
+  if (clear_bytes <= size)
+    subsamples.push_back({clear_bytes, size - clear_bytes});
+  // |encryption_pattern| is used to determine the encryption pattern. Since
+  // |crypt_byte_block| must be > 0, use 1 for it. |skip_byte_block| can be 0.
+  // This will try patterns (1,0), (1,1), ... (1,9), which should be sufficient.
+  media::EncryptionPattern pattern(1, encryption_pattern % 10);
+  auto encrypted_buffer = media::DecoderBuffer::CopyFrom(data, size);
+  // Key_ID is never used.
+  encrypted_buffer->set_decrypt_config(media::DecryptConfig::CreateCbcsConfig(
+      "key_id", std::string(std::begin(kIv), std::end(kIv)), subsamples,
+      pattern));
+  media::DecryptCbcsBuffer(*encrypted_buffer, *key);
+  return 0;
+}
--- a/media/cdm/cenc_decryptor_fuzzer.cc
+++ b/media/cdm/cenc_decryptor_fuzzer.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <stdint.h>
+#include <array>
+#include <memory>
+#include <string>
+#include <vector>
+#include "crypto/symmetric_key.h"
+#include "media/base/decoder_buffer.h"
+#include "media/base/subsample_entry.h"
+#include "media/cdm/cenc_decryptor.h"
+const std::array<uint8_t, 16> kKey = {0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+                                      0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+                                      0x10, 0x11, 0x12, 0x13};
+const std::array<uint8_t, 16> kIv = {0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+                                     0x26, 0x27, 0x00, 0x00, 0x00, 0x00,
+                                     0x00, 0x00, 0x00, 0x00};
+// For disabling noisy logging.
+struct Environment {
+  Environment() { logging::SetMinLogLevel(logging::LOG_FATAL); }
+};
+Environment* env = new Environment();
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // From the data provided:
+  // 1) Use the first byte to determine how much of the buffer is "clear".
+  // 2) Rest of the buffer is the input data (which must be at least 1 byte).
+  // So the input buffer needs at least 2 bytes.
+  if (size < 2)
+    return 0;
+  const uint8_t clear_bytes = data[0];
+  data += 1;
+  size -= 1;
+  static std::unique_ptr<crypto::SymmetricKey> key =
+      crypto::SymmetricKey::Import(
+          crypto::SymmetricKey::AES,
+          std::string(std::begin(kKey), std::end(kKey)));
+  // |clear_bytes| is used to determine how much of the buffer is "clear".
+  // Since the code checks SubsampleEntries, use |clear_bytes| as the actual
+  // number of bytes clear, and the rest as encrypted. To avoid size_t problems,
+  // only set |subsamples| if |clear_bytes| <= |size|. If |subsamples| is
+  // empty, the complete buffer is treated as encrypted.
+  std::vector<media::SubsampleEntry> subsamples;
+  if (clear_bytes <= size)
+    subsamples.push_back({clear_bytes, size - clear_bytes});
+  auto encrypted_buffer = media::DecoderBuffer::CopyFrom(data, size);
+  // Key_ID is never used.
+  encrypted_buffer->set_decrypt_config(media::DecryptConfig::CreateCencConfig(
+      "key_id", std::string(std::begin(kIv), std::end(kIv)), subsamples));
+  media::DecryptCencBuffer(*encrypted_buffer, *key);
+  return 0;
+}