From 5a748a122c75575ca00c362ceb0ccfaf83940f38 Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Mon, 30 Oct 2017 03:53:52 +0100
Subject: [PATCH] projects: Add GStreamer (#905) * projects: Add GStreamer This is an initial fuzzer which goes over ogg/theora/vorbis files using the discoverer process * gstreamer/build.sh: Cleanup file * gstreamer/Dockerfile: Update copyright date * gstreamer: Update project.yaml Use the security mailing list as the primary contact Remove explicit sanitizer listing * gstreamer: Simplify base fuzzer Removed almost all outputting I am the original author of the code this is taken for, relicensing an ultra-simplified version of my original code to Apache. * gstreamer: Cleanup of build file and dockerfile * gstreamer: Code minimization and avoid leaks Data provided by the fuzzer shouldn't be freed (but the wrapping GstBuffer should). Avoid logging by default * gstreamer: Download corpus in Dockerfile And extract in build.sh * gstreamer: Move code to repository and more cleanups Remove custom LDFLAGS (not needed) Use fuzzing target code from upstream repository
---
projects/gstreamer/Dockerfile | 40 ++++++++++++++
projects/gstreamer/build.sh | 97 +++++++++++++++++++++++++++++++++
projects/gstreamer/project.yaml | 6 ++
3 files changed, 143 insertions(+)
create mode 100644 projects/gstreamer/Dockerfile
create mode 100755 projects/gstreamer/build.sh
create mode 100644 projects/gstreamer/project.yaml
diff --git a/projects/gstreamer/Dockerfile b/projects/gstreamer/Dockerfile
new file mode 100644
index 000000000..da67b6f8a
--- /dev/null
+++ b/projects/gstreamer/Dockerfile
@@ -0,0 +1,40 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+MAINTAINER bilboed@bilboed.com
+# Install the build dependencies
+
+# install the minimum
+
+RUN sed -i '/^#\sdeb-src /s/^#//' "/etc/apt/sources.list" && \
+ apt-get update && \
+ apt-get install -y make autoconf automake libtool build-essential \
+ autopoint pkg-config bison flex gettext libglib2.0-dev libffi-dev liblzma-dev \
+ libvorbis-dev libtheora-dev libogg-dev git-annex
+
+# Checkout all development repositories
+#RUN for i in orc gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav; do git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/$i $i; done
+RUN \
+ git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/orc orc && \
+ git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gstreamer gstreamer && \
+ git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gst-plugins-base gst-plugins-base && \
+ git clone --depth 1 --recursive https://anongit.freedesktop.org/git/gstreamer/gst-ci gst-ci
+
+ADD https://people.freedesktop.org/~bilboed/gst-discoverer_seed_corpus.zip $SRC
+
+WORKDIR gstreamer
+COPY build.sh $SRC/
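Review bot: The `ADD https://people.freedesktop.org/~bilboed/gst-discoverer_seed_corpus.zip $SRC` line fetches the seed corpus from a personal web directory with no integrity check, so the archive can change without any change to this Dockerfile, and whatever is served is later copied to `$OUT` by build.sh. Pin it to the reviewed file, e.g. `ADD --checksum=sha256:<sha256-of-reviewed-zip> https://people.freedesktop.org/~bilboed/gst-discoverer_seed_corpus.zip $SRC` (this needs a BuildKit frontend; otherwise download in a `RUN` step and verify with `sha256sum -c`), or keep the corpus in the gst-ci repository that is already cloned above. Separately, `WORKDIR gstreamer` is relative and only resolves as intended if the base image's working directory is `$SRC`, which is not visible here; `WORKDIR $SRC/gstreamer` states the intent explicitly.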
diff --git a/projects/gstreamer/build.sh b/projects/gstreamer/build.sh
new file mode 100755
index 000000000..dc1a5c4f9
--- /dev/null
+++ b/projects/gstreamer/build.sh
@@ -0,0 +1,97 @@
+#!/bin/bash -eu
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "CFLAGS" $CFLAGS
+echo "CXXFLAGS" $CXXFLAGS
+PREFIX=$WORK/prefix
+PLUGIN_DIR=$PREFIX/lib/gstreamer-1.0
+export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig
+mkdir -p $PREFIX
+cd $WORK
+
+# Minimize gst-debug level/code
+export CFLAGS="$CFLAGS -DGST_LEVEL_MAX=2"
+
+for i in orc gstreamer gst-plugins-base;
+do
+ mkdir -p $i
+ cd $i
+ $SRC/$i/autogen.sh --prefix=$PREFIX --disable-shared --enable-static --disable-examples \
+ --disable-gtk-doc --disable-introspection --enable-static-plugins \
+ --disable-gst-tracer-hooks --disable-registry
+ make -j$(nproc)
+ make install
+ cd ..
+done
+
+#finally build the binary \o/
+BUILD_CFLAGS="$CFLAGS `pkg-config --static --cflags glib-2.0 gstreamer-1.0 gstreamer-pbutils-1.0 gstreamer-video-1.0 gstreamer-audio-1.0 gstreamer-app-1.0 orc-0.4`"
+
+# List of dependencies libraries we grab from pkg-config
+# Should also include dependencies of dependencies (ex: libvorbis depends on libogg)
+
+PKG_DEPS="glib-2.0 gstreamer-1.0 gstreamer-pbutils-1.0 gstreamer-video-1.0 gstreamer-audio-1.0 orc-0.4 \
+ gstreamer-riff-1.0 gstreamer-tag-1.0 gstreamer-app-1.0 zlib \
+ ogg vorbis vorbisenc theoraenc theoradec theora"
+
+# List of all plugins to include
+PLUGINS="$PLUGIN_DIR/libgstcoreelements.a \
+ $PLUGIN_DIR/libgsttypefindfunctions.a \
+ $PLUGIN_DIR/libgstplayback.a \
+ $PLUGIN_DIR/libgstapp.a \
+ $PLUGIN_DIR/libgstvorbis.a \
+ $PLUGIN_DIR/libgsttheora.a \
+ $PLUGIN_DIR/libgstogg.a"
+
+# We want to statically link everything, except for shared libraries that are present on
+# the base image. Those need to be specified beforehad and explicitely linked dynamically
+# If any of the static dependencies require a pre-installed shared library, you need
+# to add that library to the following list
+PREDEPS_LDFLAGS="-Wl,-Bdynamic -ldl -lm -pthread -lrt -lpthread"
+
+# The libraries we want to statically link to
+# This includes dependencies of the gst plugins
+BUILD_LDFLAGS="-Wl,-static `pkg-config --static --libs $PKG_DEPS`"
+
+echo
+echo "PREDEPS_LDFLAGS" $PREDEPS_LDFLAGS
+echo
+echo "BUILD_LDFLAGS" $BUILD_LDFLAGS
+echo
+echo ">>>> BUILDING gst-discoverer.o"
+echo
+
+$CC $CFLAGS $BUILD_CFLAGS -c $SRC/gst-ci/fuzzing/gst-discoverer.c -o $SRC/gst-ci/fuzzing/gst-discoverer.o
+
+echo
+echo ">>>> LINKING"
+echo
+
+$CXX $CXXFLAGS \
+ -o $OUT/gst-discoverer \
+ $PREDEPS_LDFLAGS \
+ $SRC/gst-ci/fuzzing/gst-discoverer.o \
+ $PLUGINS \
+ $BUILD_LDFLAGS \
+ $LIB_FUZZING_ENGINE \
+ -Wl,-Bdynamic
+
+echo
+echo ">>>> Installing OGG corpus"
+echo
+
+cp $SRC/*_seed_corpus.zip $OUT
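Review bot: `PKG_DEPS` statically links `ogg vorbis vorbisenc theoraenc theoradec theora` (plus glib and zlib) through `pkg-config --static --libs`, but only orc, gstreamer and gst-plugins-base are compiled in the `for i in ...` loop with `$CFLAGS`; the codec libraries appear to come from the distro `-dev` packages installed in the Dockerfile. If so, the libogg/libvorbis/libtheora decoding code reached by this target carries no sanitizer or coverage instrumentation, so memory errors inside those libraries can go unreported and the fuzzing engine gets no feedback from them. Either build those libraries from source in the same loop, or record the limitation above `PKG_DEPS`, e.g. `# NOTE: ogg/vorbis/theora, glib and zlib are distro builds, not compiled with $CFLAGS (uninstrumented)`.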
diff --git a/projects/gstreamer/project.yaml b/projects/gstreamer/project.yaml
new file mode 100644
index 000000000..6280d00b8
--- /dev/null
+++ b/projects/gstreamer/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://gstreamer.freedesktop.org/"
+primary_contact: "gstreamer-security@lists.freedesktop.org"
+auto_ccs:
+ - "bilboed@bilboed.com"
+
+