1 /******************************************************************************
2  *
3  * Copyright (C) 2020 The Android Open Source Project
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  *****************************************************************************
18  * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19  */
20 #include <string.h>
21 #include <algorithm>
22 #include "gsmamr_dec.h"
23 
24 // Constants for AMR-NB
25 constexpr int32_t kSamplesPerFrame = L_FRAME;
26 constexpr int32_t kBitsPerSample = 16;
27 constexpr int32_t kOutputBufferSize = kSamplesPerFrame * kBitsPerSample / 8;
28 const bitstream_format kBitStreamFormats[2] = {MIME_IETF, IF2};
29 const int32_t kLocalWmfDecBytesPerFrame[16] = {12, 13, 15, 17, 19, 20, 26, 31,
30                                                5,  6,  5,  5,  0,  0,  0,  0};
31 const int32_t kLocalIf2DecBytesPerFrame[16] = {13, 14, 16, 18, 19, 21, 26, 31,
32                                                13, 14, 16, 18, 19, 21, 26, 31};
33 
34 class Codec {
35  public:
36   Codec() = default;
~Codec()37   ~Codec() { deInitDecoder(); }
38   int16_t initDecoder();
39   void deInitDecoder();
40   void decodeFrames(const uint8_t *data, size_t size);
41 
42  private:
43   void *mAmrHandle = nullptr;
44 };
45 
initDecoder()46 int16_t Codec::initDecoder() { return GSMInitDecode(&mAmrHandle, (Word8 *)"AMRNBDecoder"); }
47 
deInitDecoder()48 void Codec::deInitDecoder() { GSMDecodeFrameExit(&mAmrHandle); }
49 
decodeFrames(const uint8_t * data,size_t size)50 void Codec::decodeFrames(const uint8_t *data, size_t size) {
51   while (size > 0) {
52     uint8_t mode = *data;
53     bool bit = mode & 0x01;
54     bitstream_format bitsreamFormat = kBitStreamFormats[bit];
55     int32_t frameSize = 0;
56     /* Find frame type */
57     Frame_Type_3GPP frameType = static_cast<Frame_Type_3GPP>((mode >> 3) & 0x0f);
58     ++data;
59     --size;
60     if (bit) {
61       frameSize = kLocalIf2DecBytesPerFrame[frameType];
62     } else {
63       frameSize = kLocalWmfDecBytesPerFrame[frameType];
64     }
65     int16_t outputBuf[kOutputBufferSize];
66     uint8_t *inputBuf = new uint8_t[frameSize];
67     if (!inputBuf) {
68       return;
69     }
70     int32_t minSize = std::min((int32_t)size, frameSize);
71     memcpy(inputBuf, data, minSize);
72     AMRDecode(mAmrHandle, frameType, inputBuf, outputBuf, bitsreamFormat);
73     /* AMRDecode() decodes minSize number of bytes if decode is successful.
74      * AMRDecode() returns -1 if decode fails.
75      * Even if no bytes are decoded, increment by minSize to ensure fuzzer proceeds
76      * to feed next data */
77     data += minSize;
78     size -= minSize;
79     delete[] inputBuf;
80   }
81 }
82 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)83 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
84   if (size < 2) {
85     return 0;
86   }
87   Codec *codec = new Codec();
88   if (!codec) {
89     return 0;
90   }
91   if (codec->initDecoder() == 0) {
92     codec->decodeFrames(data, size);
93   }
94   delete codec;
95   return 0;
96 }
97