media/ndk/fuzzer/Android.bp +5 −0 Original line number Diff line number Diff line Loading @@ -71,6 +71,11 @@ cc_fuzz { name: "ndk_crypto_fuzzer", srcs: ["ndk_crypto_fuzzer.cpp"], defaults: ["libmediandk_fuzzer_defaults"], fuzz_config: { libfuzzer_options: [ "max_len=10000", ], }, } cc_fuzz { Loading
media/ndk/fuzzer/ndk_crypto_fuzzer.cpp +10 −1 Original line number Diff line number Diff line Loading @@ -20,10 +20,12 @@ constexpr size_t kMaxString = 256; constexpr size_t kMinBytes = 0; constexpr size_t kMaxBytes = 1000; constexpr size_t kMaxRuns = 100; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider fdp(data, size); AMediaUUID uuid = {}; size_t apiCount = 0; int32_t maxLen = fdp.ConsumeIntegralInRange<size_t>(kMinBytes, (size_t)sizeof(AMediaUUID)); for (size_t idx = 0; idx < maxLen; ++idx) { uuid[idx] = fdp.ConsumeIntegral<uint8_t>(); Loading @@ -31,7 +33,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { std::vector<uint8_t> initData = fdp.ConsumeBytes<uint8_t>(fdp.ConsumeIntegralInRange<size_t>(kMinBytes, kMaxBytes)); AMediaCrypto* crypto = AMediaCrypto_new(uuid, initData.data(), initData.size()); while (fdp.remaining_bytes()) { /* * The AMediaCrypto_isCryptoSchemeSupported API doesn't consume any input bytes, * so when PickValueInArray() selects it repeatedly, only one byte is consumed by 'fdp'. * As a result, on larger inputs, AMediaCrypto_isCryptoSchemeSupported can run a large * number of times, potentially causing a timeout crash. * Therefore, to prevent this issue, while loop is limited to kMaxRuns. */ while (fdp.remaining_bytes() && ++apiCount <= kMaxRuns) { auto invokeNdkCryptoFuzzer = fdp.PickValueInArray<const std::function<void()>>({ [&]() { AMediaCrypto_requiresSecureDecoderComponent( Loading
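Review bot: In the second hunk the iteration cap is enforced by a side-effecting `++apiCount` inside the `while` condition, while the counter itself is declared near the top of `LLVMFuzzerTestOneInput` in the first hunk, so the bound is easy to miss and the counter's scope is wider than the loop. A bounded loop header states it directly and runs the same number of iterations: `for (size_t apiCount = 0; apiCount < kMaxRuns && fdp.remaining_bytes(); ++apiCount) {`. The cap also counts every API picked from the array, not only `AMediaCrypto_isCryptoSchemeSupported`, and any input bytes left after the 100th call are never read; the block comment should say so, e.g. `Bytes remaining after kMaxRuns calls are ignored.`, so that someone minimising a reproducer knows the tail is dead. The loop body and the rest of the function continue outside the hunk.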