
Commit 391613ca authored by Pawan Wagh's avatar Pawan Wagh

Fuzz AParcel_marshal and AParcel_unmarshal APIs

Adding both APIs to binder_parcel_fuzzer

Test: m binder_parcel_fuzzer &&
	out/host/linux-x86/fuzz/x86_64/binder_parcel_fuzzer/binder_parcel_fuzzer
Bug: 264550130
Change-Id: I107525f168c5c446adc758498905c1b4ceaaff9b
parent dc44a31e
+18 −0
@@ -199,5 +199,23 @@ std::vector<ParcelRead<NdkParcelAdapter>> BINDER_NDK_PARCEL_READ_FUNCTIONS{
            binder_status_t status = genericDataParcelable.readFromParcel(p.aParcel());
            FUZZ_LOG() << "status: " << status;
        },
        [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
            FUZZ_LOG() << "about to marshal AParcel";
            size_t start = provider.ConsumeIntegral<size_t>();
            // limit 1MB to avoid OOM issues
            size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1000000);
            uint8_t buffer[len];
            binder_status_t status = AParcel_marshal(p.aParcel(), buffer, start, len);
            FUZZ_LOG() << "status: " << status;
        },
        [](const NdkParcelAdapter& /*p*/, FuzzedDataProvider& provider) {
            FUZZ_LOG() << "about to unmarshal AParcel";
            size_t len = provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes());
            std::vector<uint8_t> parcelData = provider.ConsumeBytes<uint8_t>(len);
            const uint8_t* buffer = parcelData.data();
            binder_status_t status = AParcel_unmarshal(AParcel_create(), buffer, len);
            FUZZ_LOG() << "status: " << status;
        },

};
// clang-format on
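Review bot: In the unmarshal lambda the `len` handed to `AParcel_unmarshal` can be larger than `parcelData.size()`, because `ConsumeIntegralInRange` itself consumes input before `ConsumeBytes(len)` runs and `ConsumeBytes` returns fewer bytes when the input is short; passing `parcelData.size()` keeps the harness from reading past its own vector and reporting a finding that is not in the API under test. The parcel returned by `AParcel_create()` in the same lambda is never released, so every iteration leaks one and LeakSanitizer will likely flag it; hold it in a local and call `AParcel_delete` after the call. In the marshal lambda, `uint8_t buffer[len]` is a variable-length array (a compiler extension in C++) of up to 1 MB on the stack, with `len` possibly 0, so the "avoid OOM" cap really guards stack depth; a `std::vector<uint8_t>` makes it a heap limit as the comment intends. The enclosing initializer list starts outside the hunk.

```cpp
        [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
            // … unchanged: log line, start and len consumption …
            std::vector<uint8_t> buffer(len);
            binder_status_t status = AParcel_marshal(p.aParcel(), buffer.data(), start, len);
            // … unchanged: status log …
        },
        [](const NdkParcelAdapter& /*p*/, FuzzedDataProvider& provider) {
            // … unchanged: log line, len and parcelData consumption …
            AParcel* parcel = AParcel_create();
            binder_status_t status =
                    AParcel_unmarshal(parcel, parcelData.data(), parcelData.size());
            AParcel_delete(parcel);
            // … unchanged: status log …
        },
```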