You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1.6 KiB

Fuzzer for libvorbis decoder

Plugin Design Considerations

The fuzzer plugin for Vorbis is designed based on the understanding of the codec and tries to achieve the following:

Maximize code coverage

Dict file (dictionary file) is created for vorbis to ensure that the required start bytes are present in every input file that goes to the fuzzer. This ensures that decoder does not reject any input file in the first check

Maximize utilization of input data

The plugin feeds the entire input data to the codec in a loop till the desired headers (01vorbis, 05vorbis) are parsed. After that, the remaining data is passed at once to the decoder. FrameSize in Vorbis is determined only after the call to extractor, so in absence of call to extractor, we feed the entire remaining data to the decoder.

This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc) and doesnt exit() on any input and thereby increasing the chance of identifying vulnerabilities.

Build

This describes steps to build vorbis_dec_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) vorbis_dec_fuzzer

Steps to run

Create a directory CORPUS_DIR and copy some vorbis files to that folder Push this directory to device.

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/vorbis_dec_fuzzer/vorbis_dec_fuzzer CORPUS_DIR

To run on host

  $ $ANDROID_HOST_OUT/fuzz/x86_64/vorbis_dec_fuzzer/vorbis_dec_fuzzer CORPUS_DIR

References: