sysmocom
/
pjproject
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into coverity01

This commit is contained in:
sauwming 2023-03-20 18:29:57 +08:00
parent 86b2ed38be 74b0df1b04
commit 29d872af40
26 changed files with 660 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
.github/workflows/cifuzz.yml vendored Normal file
View File

@ -0,0 +1,32 @@
name: CIFuzz
on: [pull_request]
jobs:
Fuzzing:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
steps:
- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'pjsip'
dry-run: false
language: c
sanitizer: ${{ matrix.sanitizer }}
- name: Run Fuzzers (${{ matrix.sanitizer }})
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'pjsip'
dry-run: false
language: c
fuzz-seconds: 300
sanitizer: ${{ matrix.sanitizer }}
- name: Upload Crash
uses: actions/upload-artifact@v1
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-artifacts
path: ./out/artifacts

2
aconfigure
View File

@ -4858,7 +4858,7 @@ if test "$LIBEXT" = ""; then LIBEXT='a'; fi
if test "$LIBEXT2" = ""; then LIBEXT2=""; fi
if test "$CC_OUT" = ""; then CC_OUT="-o "; fi
if test "$CC_OUT" = ""; then CC_OUT="-c -o "; fi
if test "$CC_INC" = ""; then CC_INC="-I"; fi

2
aconfigure.ac
View File

@ -56,7 +56,7 @@ if test "$LIBEXT" = ""; then LIBEXT='a'; fi
AC_SUBST(LIBEXT)
if test "$LIBEXT2" = ""; then LIBEXT2=""; fi
AC_SUBST(LIBEXT2)
if test "$CC_OUT" = ""; then CC_OUT="-o "; fi
if test "$CC_OUT" = ""; then CC_OUT="-c -o "; fi
AC_SUBST(CC_OUT)
if test "$CC_INC" = ""; then CC_INC="-I"; fi
AC_SUBST(CC_INC)

4
build/cc-auto.mak.in
View File

@ -1,5 +1,5 @@
export CC = @CC@ -c
export CXX = @CXX@ -c
export CC = @CC@
export CXX = @CXX@
export AR = @AR@
export AR_FLAGS = @AR_FLAGS@
export LD = @LD@

4
pjlib/include/pj/config.h
View File

@ -668,10 +668,10 @@
* Libraries sometimes needs to make copy of an address to stack buffer;
* the value here affects the stack usage.
*
* Default: 128
* Default: 253
*/
#ifndef PJ_MAX_HOSTNAME
# define PJ_MAX_HOSTNAME (128)
# define PJ_MAX_HOSTNAME (253)
#endif
/**

15
pjlib/src/pj/sock_common.c
View File

@ -1068,6 +1068,21 @@ PJ_DEF(pj_status_t) pj_getipinterface(int af,
return PJ_ENOTFOUND;
}
#if defined(PJ_HAS_IPV6) && PJ_HAS_IPV6
/* Check if the local address is link-local but the destination
* is not link-local.
*/
if (af == pj_AF_INET6() &&
IN6_IS_ADDR_LINKLOCAL(&itf_addr->ipv6.sin6_addr) &&
(!IN6_IS_ADDR_LINKLOCAL(&dst_addr.ipv6.sin6_addr)))
{
TRACE_((THIS_FILE, "Local interface address is link-local and "
"the destination host is external"));
return PJ_ENOTFOUND;
}
#endif
if (p_dst_addr)
*p_dst_addr = dst_addr;

1
pjsip/include/pjsip/sip_dialog.h
View File

@ -160,6 +160,7 @@ struct pjsip_dialog
pj_bool_t uac_has_2xx;/**< UAC has received 2xx response? */
pj_bool_t secure; /**< Use secure transport? */
pj_bool_t add_allow; /**< Add Allow header in requests? */
pj_bool_t ack_sent; /**< ACK has been sent? */
pjsip_cid_hdr *call_id; /**< Call-ID header. */
pjsip_route_hdr route_set; /**< Route set. */
pj_bool_t route_set_frozen; /**< Route set has been set. */

5
pjsip/src/pjsip/sip_dialog.c
View File

@ -1363,6 +1363,8 @@ PJ_DEF(pj_status_t) pjsip_dlg_send_request( pjsip_dialog *dlg,
}
} else {
dlg->ack_sent = PJ_TRUE;
/* Set transport selector */
pjsip_tx_data_set_transport(tdata, &dlg->tp_sel);
@ -2079,7 +2081,8 @@ void pjsip_dlg_on_rx_response( pjsip_dialog *dlg, pjsip_rx_data *rdata )
pj_status_t status;
if (rdata->msg_info.cseq->method.id==PJSIP_INVITE_METHOD &&
rdata->msg_info.msg->line.status.code/100 == 2)
rdata->msg_info.msg->line.status.code/100 == 2 &&
!dlg->ack_sent)
{
pjsip_tx_data *ack;

32
pjsip/src/pjsua-lib/pjsua_aud.c
View File

@ -138,7 +138,7 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_info( pjsua_call_id call_id,
{
pjsua_call *call;
pjsua_call_media *call_med;
pj_status_t status;
pj_status_t status = PJ_EINVAL;
PJ_ASSERT_RETURN(call_id>=0 && call_id<(int)pjsua_var.ua_cfg.max_calls,
PJ_EINVAL);
@ -148,12 +148,17 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_info( pjsua_call_id call_id,
call = &pjsua_var.calls[call_id];
if (med_idx >= call->med_cnt) {
PJSUA_UNLOCK();
return PJ_EINVAL;
}
if (med_idx >= call->med_cnt)
goto on_return;
call_med = &call->media[med_idx];
if ((call_med->type == PJMEDIA_TYPE_AUDIO && !call_med->strm.a.stream) ||
(call_med->type == PJMEDIA_TYPE_VIDEO && !call_med->strm.v.stream))
{
goto on_return;
}
psi->type = call_med->type;
switch (call_med->type) {
case PJMEDIA_TYPE_AUDIO:
@ -171,6 +176,7 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_info( pjsua_call_id call_id,
break;
}
on_return:
PJSUA_UNLOCK();
return status;
}
@ -185,7 +191,7 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_stat( pjsua_call_id call_id,
{
pjsua_call *call;
pjsua_call_media *call_med;
pj_status_t status;
pj_status_t status = PJ_EINVAL;
PJ_ASSERT_RETURN(call_id>=0 && call_id<(int)pjsua_var.ua_cfg.max_calls,
PJ_EINVAL);
@ -195,12 +201,17 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_stat( pjsua_call_id call_id,
call = &pjsua_var.calls[call_id];
if (med_idx >= call->med_cnt) {
PJSUA_UNLOCK();
return PJ_EINVAL;
}
if (med_idx >= call->med_cnt)
goto on_return;
call_med = &call->media[med_idx];
if ((call_med->type == PJMEDIA_TYPE_AUDIO && !call_med->strm.a.stream) ||
(call_med->type == PJMEDIA_TYPE_VIDEO && !call_med->strm.v.stream))
{
goto on_return;
}
switch (call_med->type) {
case PJMEDIA_TYPE_AUDIO:
status = pjmedia_stream_get_stat(call_med->strm.a.stream,
@ -223,6 +234,7 @@ PJ_DEF(pj_status_t) pjsua_call_get_stream_stat( pjsua_call_id call_id,
break;
}
on_return:
PJSUA_UNLOCK();
return status;
}

8
pjsip/src/pjsua-lib/pjsua_call.c
View File

@ -5106,7 +5106,7 @@ pjsip_dialog* on_dlg_forked(pjsip_dialog *dlg, pjsip_rx_data *res)
res->msg_info.msg->line.status.code/100 == 2)
{
pjsip_dialog *forked_dlg;
pjsip_tx_data *bye;
pjsip_tx_data *bye, *ack;
pj_status_t status;
/* Create forked dialog */
@ -5116,6 +5116,12 @@ pjsip_dialog* on_dlg_forked(pjsip_dialog *dlg, pjsip_rx_data *res)
pjsip_dlg_inc_lock(forked_dlg);
/* Respond with ACK first */
status = pjsip_dlg_create_request(forked_dlg, &pjsip_ack_method,
res->msg_info.cseq->cseq, &ack);
if (status == PJ_SUCCESS)
pjsip_dlg_send_request(forked_dlg, ack, -1, NULL);
/* Disconnect the call */
status = pjsip_dlg_create_request(forked_dlg, pjsip_get_bye_method(),
-1, &bye);

14
tests/fuzz/Makefile
View File

@ -16,6 +16,10 @@ RTCP=fuzz-rtcp
DNS=fuzz-dns
H264=fuzz-h264
VPX=fuzz-vpx
HTTP=fuzz-http
URL=fuzz-url
URI=fuzz-uri
CRYPTO=fuzz-crypto
EXTFLAGS=-Wall -Werror
@ -31,6 +35,10 @@ $(TARGET):
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(DNS).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(H264).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(VPX).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(HTTP).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(URL).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(URI).c
$(CC) $(PJ_CFLAGS) $(EXTFLAGS) -c $(CRYPTO).c
$(CXX) $(PJ_CFLAGS) -o $(JSON) $(JSON).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(XML) $(XML).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
@ -41,6 +49,10 @@ $(TARGET):
$(CXX) $(PJ_CFLAGS) -o $(DNS) $(DNS).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(H264) $(H264).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(VPX) $(VPX).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(HTTP) $(HTTP).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(URL) $(URL).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(URI) $(URI).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE)
$(CXX) $(PJ_CFLAGS) -o $(CRYPTO) $(CRYPTO).o $(PJ_LDFLAGS) $(PJ_LDLIBS) $(LDFLAGS) $(LIB_FUZZING_ENGINE) -lssl -lcrypto -lz
clean:
rm $(JSON) $(XML) $(SDP) $(STUN) $(SIP) $(RTCP) $(DNS) $(H264) ($VPX) *.o
rm $(JSON) $(XML) $(SDP) $(STUN) $(SIP) $(RTCP) $(DNS) $(H264) $(VPX) $(HTTP) $(URL) $(URI) $(CRYPTO) *.o

178
tests/fuzz/fuzz-crypto.c Normal file
View File

@ -0,0 +1,178 @@
/*
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <pjlib.h>
#include <pjlib-util.h>
#define OPENSSL_SUPPRESS_DEPRECATED 1
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/md5.h>
#include <zlib.h>
#define kMinInputLength 10
#define kMaxInputLength 1024
#define MAXSIZE 5120
void encode_base64_differential(const uint8_t *Data, size_t Size) {
//PJSIP
char pj_output[MAXSIZE];
int pj_output_len = MAXSIZE;
memset(pj_output, 0, MAXSIZE);
pj_base64_encode(Data, Size, pj_output, &pj_output_len);
//OPENSSL
BIO *bio, *bio_mem;
char *ssl_output;
int ssl_output_len;
bio = BIO_new(BIO_f_base64());
BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
bio_mem = BIO_new(BIO_s_mem());
BIO_push(bio, bio_mem);
BIO_write(bio, Data, Size);
BIO_flush(bio);
ssl_output_len = BIO_get_mem_data(bio_mem, &ssl_output);
//Differential
int result = memcmp(pj_output, ssl_output, ssl_output_len);
if(result != 0){
abort();
}
BIO_free_all(bio);
//PJSIP Decode After encode.
pj_str_t pj_input;
uint8_t pj_output_dec[MAXSIZE];
int pj_output_dec_len = MAXSIZE;
pj_input.ptr = pj_output;
pj_input.slen = ssl_output_len;
memset(pj_output_dec, 0, MAXSIZE);
pj_base64_decode(&pj_input, pj_output_dec, &pj_output_dec_len);
//Differential
int result_dec = memcmp(pj_output_dec, Data, Size);
if(result_dec != 0) {
abort();
}
}
void decode_base64_differential(const uint8_t *Data, size_t Size) {
//PJSIP
pj_str_t pj_input;
uint8_t pj_output[MAXSIZE];
int pj_output_len = MAXSIZE;
pj_input.ptr = (char *)Data;
pj_input.slen = Size;
memset(pj_output, 0, MAXSIZE);
pj_base64_decode(&pj_input, pj_output, &pj_output_len);
}
void md5_differential(const uint8_t *Data, size_t Size) {
//PJSIP
pj_md5_context ctx;
pj_uint8_t pj_md5_hash[MD5_DIGEST_LENGTH];
pj_md5_init(&ctx);
pj_md5_update(&ctx, Data,Size);
pj_md5_final(&ctx, pj_md5_hash);
//OPENSSL
uint8_t ssl_md5_hash[MD5_DIGEST_LENGTH] = {};
MD5(Data, Size, ssl_md5_hash);
//Differential
int result = memcmp(pj_md5_hash, ssl_md5_hash, MD5_DIGEST_LENGTH);
if(result != 0){
abort();
}
}
void sha1_differential(const uint8_t *Data, size_t Size) {
//PJSIP
pj_sha1_context pj_sha;
pj_uint8_t pj_sha_hash[SHA_DIGEST_LENGTH];
pj_sha1_init(&pj_sha);
pj_sha1_update(&pj_sha,Data,Size);
pj_sha1_final(&pj_sha,pj_sha_hash);
//OPENSSL
uint8_t ssl_sha_hash[SHA_DIGEST_LENGTH] = {};
SHA_CTX ctx;
SHA1_Init(&ctx);
SHA1_Update(&ctx,Data,Size);
SHA1_Final(ssl_sha_hash, &ctx);
//Differential
int result = memcmp(pj_sha_hash, ssl_sha_hash, SHA_DIGEST_LENGTH);
if(result != 0){
abort();
}
}
void crc32_differential(const uint8_t *Data, size_t Size) {
//PJSIP
pj_uint32_t pj_crc;
pj_crc = pj_crc32_calc(Data, Size);
//zlib
uint32_t zlib_crc;
zlib_crc = crc32(0L, Data, Size);
//Differential
if (pj_crc != zlib_crc) {
abort();
}
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
encode_base64_differential(Data, Size);
decode_base64_differential(Data, Size);
md5_differential(Data, Size);
sha1_differential(Data, Size);
crc32_differential(Data, Size);
return 0;
}

15
tests/fuzz/fuzz-h264.c
View File

@ -20,9 +20,9 @@
#include <stdlib.h>
#include <pjlib.h>
#include <pjmedia-codec/h264_packetizer.h>
#if defined(PJMEDIA_HAS_VIDEO) && (PJMEDIA_HAS_VIDEO != 0)
#define kMinInputLength 10
#define kMaxInputLength 5120
@ -31,10 +31,9 @@ pj_pool_factory *mem;
int h264_unpacketizer(const uint8_t *data, size_t size,
uint8_t *output, size_t output_size)
{
int ret = 0;
pj_pool_t *pool;
pj_status_t status;
pj_pool_t *pool;
pj_status_t status;
pjmedia_h264_packetizer_cfg cfg;
pjmedia_h264_packetizer *pktz;
unsigned bits_pos = 0;
@ -92,3 +91,11 @@ extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
return ret;
}
#else
extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
PJ_UNUSED_ARG(Data);
PJ_UNUSED_ARG(Size);
return 0;
}
#endif

77
tests/fuzz/fuzz-http.c Normal file
View File

@ -0,0 +1,77 @@
/*
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include "../../pjlib-util/src/pjlib-util/http_client.c"
#define kMinInputLength 10
#define kMaxInputLength 1024
pj_pool_factory *mem;
int http_parse(uint8_t *data, size_t Size) {
int ret;
pj_pool_t *pool;
pj_size_t rem;
pj_http_resp response;
pool = pj_pool_create(mem, "http", 1000, 1000, NULL);
ret = http_response_parse(pool, &response, data, Size, &rem);
pj_pool_release(pool);
return ret;
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
mem = &caching_pool.factory;
/* Call fuzzer */
ret = http_parse(data, Size);
free(data);
pj_caching_pool_destroy(&caching_pool);
return ret;
}

66
tests/fuzz/fuzz-json.c
View File

@ -1,6 +1,5 @@
/*
* Copyright (C) 2008-2011 Teluu Inc. (http://www.teluu.com)
* Copyright (C) 2003-2008 Benny Prijono <benny@prijono.org>
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,69 +18,74 @@
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include <pjlib-util/json.h>
#include <pj/log.h>
#include <pj/string.h>
#define kMinInputLength 10
#define kMaxInputLength 5120
pj_pool_factory *mem;
int Json_parse(char *DataFx,size_t Size){
int ret = 0;
int Json_parse(uint8_t *data, size_t Size) {
pj_pool_t *pool;
pj_json_elem *elem;
pj_json_err_info err;
char *output;
unsigned int output_size;
pool = pj_pool_create(mem, "json", 1000, 1000, NULL);
elem = pj_json_parse(pool, DataFx,(unsigned *)&Size, &err);
elem = pj_json_parse(pool, (char *)data, (unsigned *)&Size, &err);
if (!elem) {
goto on_error;
}
if (!elem)
ret = 1;
output_size = Size * 2;
output = pj_pool_alloc(pool, output_size);
if (pj_json_write(elem, output, &output_size)) {
goto on_error;
}
pj_pool_release(pool);
return 0;
return ret;
on_error:
pj_pool_release(pool);
return 1;
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{/*pjproject/pjlib-util/src/pjlib-util-test/json_test.c*/
{
if (Size < kMinInputLength || Size > kMaxInputLength){
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
/*Add Extra byte */
char *DataFx;
DataFx = (char *)calloc((Size+1),sizeof(char));
memcpy((void *)DataFx,(void *)Data,Size);
/*init*/
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
mem = &caching_pool.factory;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
ret = pj_init();
ret = pjlib_util_init();
mem = &caching_pool.factory;
pj_dump_config();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
/* Call fuzzer */
ret = Json_parse(data, Size);
/*Calls*/
ret = Json_parse(DataFx,Size);
free(DataFx);
free(data);
pj_caching_pool_destroy(&caching_pool);
return ret;
}

4
tests/fuzz/fuzz-rtcp.c
View File

@ -35,6 +35,8 @@ int rtcp_parser(char *data, size_t size)
pjmedia_rtcp_session session;
pjmedia_rtcp_session_setting_default(&setting);
setting.clock_rate = 8000;
setting.samples_per_frame = 160;
pjmedia_rtcp_init2(&session, &setting);
pjmedia_rtcp_rx_rtcp(&session, data, size);
@ -70,6 +72,8 @@ extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
free(data);
pjmedia_event_mgr_destroy(pjmedia_event_mgr_instance());
pj_pool_release(pool);
pj_caching_pool_destroy(&caching_pool);
return ret;
}

75
tests/fuzz/fuzz-stun.c
View File

@ -1,6 +1,5 @@
/*
* Copyright (C) 2008-2011 Teluu Inc. (http://www.teluu.com)
* Copyright (C) 2003-2008 Benny Prijono <benny@prijono.org>
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -20,11 +19,9 @@
#include <stdint.h>
#include <stdlib.h>
#include <pjlib.h>
#include <pj/compat/socket.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include <pjnath.h>
#define kMinInputLength 10
@ -32,58 +29,68 @@
pj_pool_factory *mem;
int stun_parse(char *DataFx,size_t Size){
int ret = 0;
int stun_parse(uint8_t *data,size_t Size) {
pj_status_t status;
pj_pool_t *pool;
pj_stun_msg *msg;
pj_status_t status;
pj_stun_auth_cred cred;
const pj_str_t USERNAME = {"A", 1};
const pj_str_t PASSWORD = {"A", 1};
pool = pj_pool_create(mem, "decode_test", 1024, 1024, NULL);
status = pj_stun_msg_decode(pool, (pj_uint8_t*)DataFx,Size,
PJ_STUN_IS_DATAGRAM | PJ_STUN_CHECK_PACKET,
&msg, NULL, NULL);
status = pj_stun_msg_decode(pool, data, Size, PJ_STUN_IS_DATAGRAM | PJ_STUN_CHECK_PACKET, &msg, NULL, NULL);
if(status != PJ_SUCCESS){
goto ret_error;
}
if(status)
ret = 1;
pj_bzero(&cred, sizeof(cred));
cred.type = PJ_STUN_AUTH_CRED_STATIC;
cred.data.static_cred.username = USERNAME;
cred.data.static_cred.data_type = PJ_STUN_PASSWD_PLAIN;
cred.data.static_cred.data = PASSWORD;
pj_stun_authenticate_request(data, (unsigned)Size, msg, &cred, pool, NULL, NULL);
pj_pool_release(pool);
return status;
return ret;
ret_error:
pj_pool_release(pool);
return status;
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{/*pjproject/pjnath/src/pjnath-test/stun.c*/
{
if (Size < kMinInputLength || Size > kMaxInputLength){
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
/*Add Extra byte */
char *DataFx;
DataFx = (char *)calloc((Size+1),sizeof(char));
memcpy((void *)DataFx,(void *)Data,Size);
/*init*/
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
mem = &caching_pool.factory;
pj_log_set_level(0);
/* Call fuzzer */
ret = stun_parse(data, Size);
pj_init();
free(data);
pj_caching_pool_destroy(&caching_pool);
pj_dump_config();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0 );
pjlib_util_init();
pjnath_init();
/*call*/
ret = stun_parse(DataFx,Size);
free(DataFx);
return ret;
}

96
tests/fuzz/fuzz-uri.c Normal file
View File

@ -0,0 +1,96 @@
/*
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <pjlib.h>
#include <pjlib-util.h>
//#include <sip_uri.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include <pjsip.h>
#include <pjsip/sip_types.h>
#include <pjsip.h>
#include <pjlib.h>
#define kMinInputLength 10
#define kMaxInputLength 1024
/* Defined in sip_parser.c */
void init_sip_parser(void);
void deinit_sip_parser(void);
pj_pool_factory *mem;
int uri_parse(uint8_t *data, size_t Size) {
pj_status_t status = 0 ;
pj_pool_t *pool;
pjsip_uri *uri;
pool = pj_pool_create(mem, "uri", 1000, 1000, NULL);
uri = pjsip_parse_uri(pool, (char *)data, Size, 0);
if (!uri) {
status = 1;
}
pj_pool_release(pool);
return status;
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
mem = &caching_pool.factory;
init_sip_parser();
/* Call fuzzer */
ret = uri_parse(data, Size);
free(data);
deinit_sip_parser();
pj_caching_pool_destroy(&caching_pool);
return ret;
}

71
tests/fuzz/fuzz-url.c Normal file
View File

@ -0,0 +1,71 @@
/*
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <pjlib.h>
#include <pjlib-util.h>
#define kMinInputLength 10
#define kMaxInputLength 1024
pj_pool_factory *mem;
int url_parse(uint8_t *data, size_t Size) {
pj_str_t surl;
pj_http_url hurl;
surl.ptr = (char *)data;
surl.slen = Size;
return pj_http_req_parse_url(&surl, &hurl);
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
mem = &caching_pool.factory;
/* Call fuzzer */
ret = url_parse(data, Size);
free(data);
pj_caching_pool_destroy(&caching_pool);
return ret;
}

15
tests/fuzz/fuzz-vpx.c
View File

@ -20,9 +20,9 @@
#include <stdlib.h>
#include <pjlib.h>
#include <pjmedia-codec/vpx_packetizer.h>
#if defined(PJMEDIA_HAS_VIDEO) && (PJMEDIA_HAS_VIDEO != 0)
#define kMinInputLength 10
#define kMaxInputLength 5120
@ -30,10 +30,9 @@ pj_pool_factory *mem;
int vpx_unpacketizer(const uint8_t *data, size_t size)
{
int ret = 0;
pj_pool_t *pool;
pj_status_t status;
pj_pool_t *pool;
pj_status_t status;
pjmedia_vpx_packetizer_cfg cfg;
pjmedia_vpx_packetizer *pktz;
unsigned desc_len = 0;
@ -82,3 +81,11 @@ extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
return ret;
}
#else
extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
PJ_UNUSED_ARG(Data);
PJ_UNUSED_ARG(Size);
return 0;
}
#endif

62
tests/fuzz/fuzz-xml.c
View File

@ -1,6 +1,5 @@
/*
* Copyright (C) 2008-2011 Teluu Inc. (http://www.teluu.com)
* Copyright (C) 2003-2008 Benny Prijono <benny@prijono.org>
* Copyright (C) 2023 Teluu Inc. (http://www.teluu.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,66 +18,71 @@
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include <pjlib-util/xml.h>
#define kMinInputLength 10
#define kMaxInputLength 5120
pj_pool_factory *mem;
int XML_parse(char *DataFx,size_t Size){
int XML_parse(uint8_t *data, size_t Size) {
int ret = 0;
pj_pool_t *pool;
pj_xml_node *root;
char *output;
size_t output_size;
pool = pj_pool_create(mem, "xml", 4096, 1024, NULL);
root = pj_xml_parse(pool, (char *)data, Size);
if (!root) {
goto on_error;
}
root = pj_xml_parse(pool, DataFx, Size);
if (!root)
ret += 1;
output = (char*)pj_pool_zalloc(pool, Size + 512);
output_size = pj_xml_print(root, output, Size + 512, PJ_TRUE);
if (output_size < 1) {
goto on_error;
}
pj_pool_release(pool);
return 0;
return ret;
on_error:
pj_pool_release(pool);
return 1;
}
extern int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{/*pjproject/pjlib-util/src/pjlib-util-test/xml.c*/
{
if (Size < kMinInputLength || Size > kMaxInputLength){
if (Size < kMinInputLength || Size > kMaxInputLength) {
return 1;
}
/*Add Extra byte */
char *DataFx;
DataFx = (char *)calloc((Size+1),sizeof(char));
memcpy((void *)DataFx,(void *)Data,Size);
/*init*/
int ret = 0;
uint8_t *data;
pj_caching_pool caching_pool;
mem = &caching_pool.factory;
/* Add NULL byte */
data = (uint8_t *)calloc((Size+1), sizeof(uint8_t));
memcpy((void *)data, (void *)Data, Size);
/* init Calls */
pj_init();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0);
pj_log_set_level(0);
ret = pj_init();
ret = pjlib_util_init();
mem = &caching_pool.factory;
pj_dump_config();
pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy, 0 );
/*Calls fuzzer*/
ret = XML_parse(data, Size);
/*Call*/
ret = XML_parse(DataFx,Size);
free(DataFx);
free(data);
pj_caching_pool_destroy(&caching_pool);
return ret;
}

BIN
tests/fuzz/seed/fuzz-crypto_seed_corpus.zip Normal file
View File

Binary file not shown.

BIN
tests/fuzz/seed/fuzz-http_seed_corpus.zip Normal file
View File

Binary file not shown.

BIN
tests/fuzz/seed/fuzz-uri_seed_corpus.zip Normal file
View File

Binary file not shown.

BIN
tests/fuzz/seed/fuzz-url_seed_corpus.zip Normal file
View File

Binary file not shown.

8
tests/pjsua/scripts-sipp/uas-forked-200.xml
View File

@ -97,6 +97,9 @@
]]>
</send>
<!-- Receive ACK -->
<recv request="ACK" optional="false">
</recv>
<!-- Receive BYE (for leg 2) -->
<recv request="BYE" optional="false">
@ -115,11 +118,6 @@
</send>
<!-- Receive ACK -->
<recv request="ACK" optional="false">
</recv>
<!-- definition of the response time repartition table (unit is ms) -->
<ResponseTimeRepartition value="10, 20, 30, 40, 50, 100, 150, 200"/>