commit bc1e6f6c310f74add0bd1480313cd71a2b071d26 parent 41835f0c822d3e73c3517b98fbef895aca2c2dff Author: Dan Baker <dbaker@mozilla.com> Date: Mon, 1 Dec 2025 19:26:22 -0700 Bug 2000941 - Vendor libwebrtc from 5429aa5cbf Upstream commit: https://webrtc.googlesource.com/src/+/5429aa5cbf9f7227279ba6513366d2b7d8442773 Avoid out of bound access in audio decoder opus fuzzer on empty input Bug: webrtc:444013301 Change-Id: I05275bd186277741614e4464c1f80be2c927d83f Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/408907 Reviewed-by: Sam Zackrisson <saza@webrtc.org> Commit-Queue: Danil Chapovalov <danilchap@webrtc.org> Cr-Commit-Position: refs/heads/main@{#45622} Diffstat:
4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/third_party/libwebrtc/README.mozilla.last-vendor b/third_party/libwebrtc/README.mozilla.last-vendor @@ -1,4 +1,4 @@ # ./mach python dom/media/webrtc/third_party_build/vendor-libwebrtc.py --from-local /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc --commit mozpatches libwebrtc -libwebrtc updated from /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-12-02T02:23:37.109232+00:00. +libwebrtc updated from /Users/danielbaker/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-12-02T02:26:02.494718+00:00. # base of lastest vendoring -aeb99a056b +5429aa5cbf diff --git a/third_party/libwebrtc/moz-patch-stack/s0102.patch b/third_party/libwebrtc/moz-patch-stack/s0102.patch @@ -782,7 +782,7 @@ index b24e6d2957..329313d232 100644 deps = [ ":google_test_runner_delegate" ] } diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn -index 0271277265..a9117c962d 100644 +index e7a254c85d..eb2cb6c937 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn @@ -6,7 +6,7 @@ diff --git a/third_party/libwebrtc/test/fuzzers/BUILD.gn b/third_party/libwebrtc/test/fuzzers/BUILD.gn @@ -379,6 +379,7 @@ webrtc_fuzzer_test("audio_decoder_multiopus_fuzzer") { sources = [ "audio_decoder_multistream_opus_fuzzer.cc" ] deps = [ ":audio_decoder_fuzzer", + "../../api:array_view", "../../api/audio_codecs/opus:audio_decoder_multiopus", "../../api/audio_codecs/opus:audio_decoder_opus_config", "../../rtc_base:checks", diff --git a/third_party/libwebrtc/test/fuzzers/audio_decoder_multistream_opus_fuzzer.cc b/third_party/libwebrtc/test/fuzzers/audio_decoder_multistream_opus_fuzzer.cc @@ -13,13 +13,17 @@ #include <memory> #include <vector> +#include "api/array_view.h" #include "api/audio_codecs/opus/audio_decoder_multi_channel_opus.h" #include "api/audio_codecs/opus/audio_decoder_multi_channel_opus_config.h" #include "rtc_base/checks.h" #include "test/fuzzers/audio_decoder_fuzzer.h" +#include "test/fuzzers/fuzz_data_helper.h" namespace webrtc { +using test::FuzzDataHelper; + AudioDecoderMultiChannelOpusConfig MakeDecoderConfig( int num_channels, int num_streams, @@ -34,7 +38,7 @@ AudioDecoderMultiChannelOpusConfig MakeDecoderConfig( } void FuzzOneInput(const uint8_t* data, size_t size) { - const std::vector<AudioDecoderMultiChannelOpusConfig> surround_configs = { + const AudioDecoderMultiChannelOpusConfig kSurroundConfigs[] = { MakeDecoderConfig(1, 1, 0, {0}), // Mono MakeDecoderConfig(2, 2, 0, {0, 0}), // Copy the first (of @@ -50,7 +54,9 @@ void FuzzOneInput(const uint8_t* data, size_t size) { MakeDecoderConfig(8, 5, 3, {0, 6, 1, 2, 3, 4, 5, 7}) // 7.1 }; - const auto config = surround_configs[data[0] % surround_configs.size()]; + FuzzDataHelper helper(MakeArrayView(data, size)); + + const auto config = helper.SelectOneOf(kSurroundConfigs); RTC_CHECK(config.IsOk()); std::unique_ptr<AudioDecoder> dec = AudioDecoderMultiChannelOpus::MakeAudioDecoder(config);