Shaleen Jain

(Updated: ) ยท 3 min read

Fuzzing libVLC - Final Report

Update: My fuzz targets have been merged into the VLC mainline tree by commits 74e7bd2, b83e9f2.

Introduction to my GSoC project here

Majority of the parsing code of VLC has been successfully setup to be fuzzed by:

These two fuzz targets cover over 35 demux modules and 64 different codec modules or 163k lines of code which is 20.7% of the VLC code base.

Actual code coverage as measured by libFuzzer would be different if not more but since as of now VLC is unable to build with the clang linker, I do not have that coverage information.

๐Ÿ”— Some additional challenges and features were

๐Ÿ”— Code

Since VideoLAN has still not decided whether to use Google's OSS-fuzz or agree to their terms and doesn't want this code to be misused by hackers, they have decided not to keep this in the mainline tree to minimize exposure.

And so here are all of my out of tree patches:

My main work repo has been code.videolan.org/GSoC2017/shalzz/vlc with all my commit history in the master branch and final patches in the release branch. There is a clone of the repo on github as well.

To run the code,

  1. clone the repo and build vlc instrumented with one or more of the sanitizers using the new --with-sanitizer= switch.
  2. Get and build libFuzzer by changing into the test/fuzz/ directory and using the ./build-libfuzzer.sh script
  3. Build the fuzz target binaries by running make check.
  4. Run the fuzz targets manually or by using the ./run-fuzzer.sh helper script

๐Ÿ”— Bug Trophy

As for the number of bugs found by the initial fuzzing done on my small laptop there have been quite a few, all of which have been fixed, by me and other VLC developers. Few of them:

๐Ÿ”— Continuous Fuzzing

One thing that's left to do is setting up of a continuous fuzzing server. Since OSS-fuzz is not in the picture right now, that is something VLC devs will have to do on their own infrastructure.

Liked this article? Buy me a beer on the Bitcoin Lightning Network

Got any questions or comments? Drop me a message on Twitter @shalzzj or comment below.