
Commit 72abec2a authored by kunal rai's avatar kunal rai Committed by Ayushi Khopkar

ndk_crypto_fuzzer: Bug fix

Resolved timeout crash in ndk_crypto_fuzzer

exec/s : 11
Test: ./ndk_crypto_fuzzer
Bug: 269822246

Change-Id: I57fda55a403a1b442495e72d1d2a1164287a1b10
(cherry picked from commit 092d6e171c1174a9f6074dd16272ea983f4d4b9e)
parent 0990169b
+5 −0
@@ -63,6 +63,11 @@ cc_fuzz {
    name: "ndk_crypto_fuzzer",
    srcs: ["ndk_crypto_fuzzer.cpp"],
    defaults: ["libmediandk_fuzzer_defaults"],
    fuzz_config: {
        libfuzzer_options: [
            "max_len=10000",
        ],
    },
}

cc_fuzz {
+10 −1
@@ -20,10 +20,12 @@
constexpr size_t kMaxString = 256;
constexpr size_t kMinBytes = 0;
constexpr size_t kMaxBytes = 1000;
constexpr size_t kMaxRuns = 100;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    FuzzedDataProvider fdp(data, size);
    AMediaUUID uuid = {};
    size_t apiCount = 0;
    int32_t maxLen = fdp.ConsumeIntegralInRange<size_t>(kMinBytes, (size_t)sizeof(AMediaUUID));
    for (size_t idx = 0; idx < maxLen; ++idx) {
        uuid[idx] = fdp.ConsumeIntegral<uint8_t>();
@@ -31,7 +33,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::vector<uint8_t> initData =
            fdp.ConsumeBytes<uint8_t>(fdp.ConsumeIntegralInRange<size_t>(kMinBytes, kMaxBytes));
    AMediaCrypto* crypto = AMediaCrypto_new(uuid, initData.data(), initData.size());
    while (fdp.remaining_bytes()) {
    /*
     * The AMediaCrypto_isCryptoSchemeSupported API doesn't consume any input bytes,
     * so when PickValueInArray() selects it repeatedly, only one byte is consumed by 'fdp'.
     * As a result, on larger inputs, AMediaCrypto_isCryptoSchemeSupported can run a large
     * number of times, potentially causing a timeout crash.
     * Therefore, to prevent this issue, while loop is limited to kMaxRuns.
     */
    while (fdp.remaining_bytes() && ++apiCount <= kMaxRuns) {
        auto invokeNdkCryptoFuzzer = fdp.PickValueInArray<const std::function<void()>>({
                [&]() {
                    AMediaCrypto_requiresSecureDecoderComponent(
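Review bot: The new loop bound in `while (fdp.remaining_bytes() && ++apiCount <= kMaxRuns)` is split between a counter declared at the top of the function and a pre-increment hidden in the condition; if `apiCount` is not read elsewhere in the body, `for (size_t apiCount = 0; fdp.remaining_bytes() && apiCount < kMaxRuns; ++apiCount) {` runs the same 100 iterations and keeps the bound in one place. `kMaxRuns` itself has no comment saying how 100 was chosen, and once the cap is hit the remaining input bytes are never consumed, so with `max_len=10000` in the build file long inputs may exercise only a prefix of their API sequence; a one-line comment on the constant such as `// Upper bound on API calls per input; keeps a run inside the fuzzer timeout.` would record that trade-off. The loop body and the rest of `LLVMFuzzerTestOneInput` continue outside the hunk, so cleanup of `crypto` after the loop could not be checked here.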