
Commit 797155f

Merge pull request #869 from github/antonio-morales-patch-2
Fuzzing Gstreamer - MP4 generator
2 parents f2b2910 + df384de commit 797155f


10 files changed

+1178
-0
lines changed


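--- a/Fuzzing/GStreamer/README.md
+++ b/Fuzzing/GStreamer/README.md
@@ -0,0 +1,2 @@
+# MP4 corpus generator
+An MP4 corpus generator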

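--- a/Fuzzing/GStreamer/aux.h
+++ b/Fuzzing/GStreamer/aux.h
@@ -0,0 +1,61 @@
+#pragma once
+
+#include <random>
+#include <filesystem>
+#include <fstream>
+
+inline uint32_t rand_uint32(uint32_t min_value, uint32_t max_value) {
+
+static std::random_device rd;
+static std::mt19937 gen(rd());
+
+uint32_t rand_number;
+
+std::uniform_int_distribution<> dist(min_value, max_value);
+
+rand_number = dist(gen);
+
+return rand_number;
+}
+
+
+inline std::string uint32_to_string(uint32_t fourcc){
+
+std::string output = "";
+
+output += fourcc & 0xFF;
+output += (fourcc >> 8) & 0xFF;
+output += (fourcc >> 16) & 0xFF;
+output += (fourcc >> 24) & 0xFF;
+
+return output;
+}
+
+
+inline std::string uint32_to_string_BE(uint32_t fourcc){
+
+std::string output = "";
+
+output += (fourcc >> 24) & 0xFF;
+output += (fourcc >> 16) & 0xFF;
+output += (fourcc >> 8) & 0xFF;
+output += fourcc & 0xFF;
+
+return output;
+}
+
+
+inline bool write_to_file(const std::string &content, std::filesystem::path file){
+
+std::ofstream ofs(file, std::ios::out | std::ios::binary);
+
+if (!ofs) {
+return false;
+}
+
+ofs << content;
+
+ofs.close();
+
+return true;
+}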
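Review bot: `std::uniform_int_distribution<>` in `rand_uint32` defaults to `int`, so the `uint32_t` bounds are narrowed on construction and a `max_value` above `INT_MAX` (or `min_value > max_value`) breaks the distribution's precondition; `std::uniform_int_distribution<uint32_t> dist(min_value, max_value);` matches the declared parameter and return types. `write_to_file` returns `true` without looking at the stream after `ofs << content`, so a failed or short write would leave a truncated seed in the corpus unnoticed; `ofs.close(); return !ofs.fail();` reports it to the caller. The header also uses `std::string` and `uint32_t` without including `<string>` and `<cstdint>`, so it only compiles when another header happens to pull them in.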

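--- a/Fuzzing/GStreamer/labeler/MP4.cc
+++ b/Fuzzing/GStreamer/labeler/MP4.cc
@@ -0,0 +1,114 @@
+#include <aux.h>
+
+#include "MP4.h"
+
+
+std::string MP4_labeler::traverse(Node &node){
+
+std::string output;
+
+for(int i=0; i < node.children().size(); i++){
+
+Node &child = tree->get_node(node.children()[i]);
+
+output += traverse(child);
+}
+
+
+uint32_t size;
+
+if(node.get_id() == 0){
+size = 20;
+}else{
+size = node.get_label().size() + output.size() + 4;
+}
+
+std::string label = node.get_label();
+uint32_t label_size = label.size();
+
+output = uint32_to_string_BE(size) + label + output;
+
+return output;
+}
+
+
+
+MP4_labeler::MP4_labeler(RandomTree *in_tree) {
+
+this->tree = in_tree;
+
+priv_name = "MP4";
+
+Node &root = this->tree->get_node(0);
+
+std::string root_label = "ftyp";
+root_label += "dash";
+root_label += "AAAABBBB";
+
+root.set_label(root_label);
+
+for(int i=1; i < this->tree->size(); i++){
+
+Node &node = this->tree->get_node(i);
+
+
+uint32_t fourcc;
+
+uint32_t padding;
+
+uint32_t random_data;
+
+
+if(node.children().size() == 0){
+
+//LEAF
+
+uint32_t random = rand_uint32(0, FOURCC_LIST_SIZE-1);
+
+fourcc = FOURCC_LIST[random].fourcc;
+
+padding = FOURCC_LIST[random].min_size;
+
+random_data = rand_uint32(4, 16);
+
+
+}else{
+
+//CONTAINER
+
+uint32_t random = rand_uint32(0, CONTAINER_LIST_SIZE-1);
+
+fourcc = CONTAINER_LIST[random].fourcc;
+
+padding = CONTAINER_LIST[random].min_size;
+
+random_data = 0;
+
+}
+
+std::string label = uint32_to_string(fourcc);
+
+label += std::string(padding, '\x00');
+
+label += std::string(random_data, '\x41');
+
+node.set_label(label);
+
+}
+}
+
+
+
+
+std::string MP4_labeler::serialize(){
+
+std::string output;
+
+Node &root = tree->get_node(0);
+
+output = traverse(root);
+
+return output;
+
+}
+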
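Review bot: The root box size in `traverse` is the literal `20`, which is only right while the constructor's root label stays exactly 16 bytes (`ftyp` + `dash` + `AAAABBBB`); deriving it with `size = node.get_label().size() + 4;` keeps the two in step. A comment there should also say that the root's children are deliberately left out of the `ftyp` size so that they serialise as sibling top-level boxes, since that is the one place the size does not cover `output`. In the same function `label_size` is never read and can be dropped. Both `for` loops compare an `int` index against what is presumably an unsigned `size()`, and the constructor dereferences `in_tree` without checking it for null.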

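--- a/Fuzzing/GStreamer/labeler/MP4.h
+++ b/Fuzzing/GStreamer/labeler/MP4.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include <string>
+#include <iostream>
+
+#include <tree.h>
+
+#include "fourcc.h"
+#include "labeler.h"
+
+
+class MP4_labeler : public Labeler{
+
+private:
+
+RandomTree *tree;
+
+std::string traverse(Node &node);
+
+public:
+
+MP4_labeler(RandomTree *in_tree);
+
+std::string serialize();
+};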
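Review bot: `MP4_labeler(RandomTree *in_tree);` is a single-argument constructor and should be declared `explicit MP4_labeler(RandomTree *in_tree);` so a `RandomTree*` never converts to a labeler implicitly. The class keeps the raw pointer without owning it, so the `tree` member deserves a comment such as `// borrowed: caller owns the tree and must keep it alive while this labeler is used`. Nothing in this header appears to use `<iostream>`. If `Labeler` declares `serialize()` as virtual (labeler.h is not part of this section), the declaration should carry `override`.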
