Audio/Video · C
How to fuzz libvpx
VP8 and VP9 reference codec library used by Chrome, WebRTC, and Android
libvpx decodes attacker-controlled VP8/VP9 bitstreams on every Chrome and Android device. Codec parsers are dense with arithmetic edge cases; OSS-Fuzz has found dozens of CVEs here and the surface is still productive.
Common bug classes
- Heap overflows in motion-vector decode
- Out-of-bounds reads in entropy / probability tables
- Integer overflow in tile / superblock arithmetic
- Use-after-free in frame-buffer recycling
Recommended setup
Fuzzers
- libFuzzer
- AFL++
Sanitizers
- ASan
- UBSan
- MSan
Harness scaffold
```cpp
#include <vpx/vpx_decoder.h>
#include <vpx/vp8dx.h>
#include <stddef.h>
#include <stdint.h>

// libFuzzer entry point: each input is treated as one compressed VP9 frame.
// Swap vpx_codec_vp9_dx() for vpx_codec_vp8_dx() to target the VP8 decoder.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  vpx_codec_ctx_t ctx;
  // Default decoder config, no flags; give up if the context cannot be created.
  if (vpx_codec_dec_init(&ctx, vpx_codec_vp9_dx(), nullptr, 0)) return 0;
  // Decode errors are expected on fuzzed input; the sanitizers report the memory bugs.
  vpx_codec_decode(&ctx, data, (unsigned int)size, nullptr, 0);
  // Drain every output frame so the post-decode paths (frame-buffer recycling) run too.
  vpx_codec_iter_t iter = nullptr;
  while (vpx_codec_get_frame(&ctx, &iter)) {}
  vpx_codec_destroy(&ctx);  // always destroy, even after a decode error
  return 0;
}
```

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
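The scaffold above hands the whole fuzz input to vpx_codec_decode() as a single frame, so seed files must be raw frames rather than the IVF containers that libvpx's test vectors and vpxdec use. As an added example (not code from the page or from libvpx), here is a bounds-checked IVF splitter that turns an IVF file into raw frames for a seed corpus, plus a builder for constructed samples; the "DKIF" header layout and 12-byte frame header are the standard IVF format, while the width, height and frame rate written by the builder are placeholder values.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// IVF: 32-byte file header ("DKIF", version, header size, fourcc, w, h, rate, scale,
// frame count, unused), then per frame a 12-byte header (LE32 length, LE64 pts) + data.
struct IvfStream {
  std::string fourcc;                        // "VP80" or "VP90"
  std::vector<std::vector<uint8_t>> frames;  // raw frames, ready for vpx_codec_decode()
};
static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(std::vector<uint8_t> &b, uint32_t v) {
  for (int i = 0; i < 4; i++) b.push_back((uint8_t)(v >> (8 * i)));
}
// Returns false on a bad file header; a frame whose declared length runs past the
// buffer ends parsing instead of reading past it (truncated inputs are common in fuzzing).
bool split_ivf(const uint8_t *data, size_t size, IvfStream &out) {
  if (size < 32 || std::memcmp(data, "DKIF", 4) != 0) return false;
  if ((data[6] | (data[7] << 8)) != 32) return false;  // header length field
  out.fourcc.assign(reinterpret_cast<const char *>(data) + 8, 4);
  out.frames.clear();
  for (size_t pos = 32; size - pos >= 12;) {
    uint32_t len = rd32(data + pos);
    pos += 12;
    if (len > size - pos) break;  // truncated frame: stop, never overread
    out.frames.emplace_back(data + pos, data + pos + len);
    pos += len;
  }
  return true;
}
// Wraps raw frames in a minimal IVF container (all fields little-endian; width, height,
// rate and scale are constructed placeholders that the decoders do not rely on).
std::vector<uint8_t> build_ivf(const char *fourcc, const std::vector<std::vector<uint8_t>> &frames) {
  std::vector<uint8_t> b;
  b.insert(b.end(), {'D', 'K', 'I', 'F', 0, 0, 32, 0});  // signature, version 0, header len 32
  b.insert(b.end(), fourcc, fourcc + 4);
  b.insert(b.end(), {16, 0, 16, 0});                      // width 16, height 16
  wr32(b, 30); wr32(b, 1);                                // frame rate 30/1
  wr32(b, (uint32_t)frames.size()); wr32(b, 0);           // frame count, unused
  for (const auto &f : frames) {
    wr32(b, (uint32_t)f.size()); wr32(b, 0); wr32(b, 0);  // length + 64-bit pts
    b.insert(b.end(), f.begin(), f.end());
  }
  return b;
}
```

Looping split_ivf() output through vpx_codec_decode() inside the harness also gives the fuzzer multi-frame inputs, which is what reaches the frame-buffer recycling paths listed above.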
Notable CVEs found by fuzzing
- CVE-2023-5217