
Commit 005321cf authored by Anuj Joshi's avatar Anuj Joshi Committed by Ayushi Khopkar

Updated fuzzer for libaaudio

Made changes to use 'maxInputFrames' instead of 'framesPerDataCallback' to make sure there is no OOB access in AAudioStream_read() and AAudioStream_write()

Test: ./libaaudio_fuzzer
Bug: 204666804

Change-Id: I92ae92905b3d6bf0e27315c133128ec05c84fa20
(cherry picked from commit a941a18e71adce324a0664b2da78a54775fc564c)
parent 6edb019e
+13 −15
@@ -202,7 +202,7 @@ void LibAaudioFuzzer::process(const uint8_t *data, size_t size) {

  int32_t framesPerBurst = AAudioStream_getFramesPerBurst(mAaudioStream);
  uint8_t numberOfBursts = fdp.ConsumeIntegral<uint8_t>();
  int32_t maxInputFrames = numberOfBursts * framesPerBurst;
  int32_t maxFrames = numberOfBursts * framesPerBurst;
  int32_t requestedBufferSize =
      fdp.ConsumeIntegral<uint16_t>() * framesPerBurst;
  AAudioStream_setBufferSizeInFrames(mAaudioStream, requestedBufferSize);
@@ -218,26 +218,24 @@ void LibAaudioFuzzer::process(const uint8_t *data, size_t size) {

  int32_t count = fdp.ConsumeIntegral<int32_t>();
  direction = AAudioStream_getDirection(mAaudioStream);
  framesPerDataCallback = AAudioStream_getFramesPerDataCallback(mAaudioStream);

  if (actualFormat == AAUDIO_FORMAT_PCM_I16) {
    std::vector<int16_t> inputShortData(maxInputFrames * actualChannelCount,
                                        0x0);
      std::vector<int16_t> inputShortData(maxFrames * actualChannelCount, 0x0);
      if (direction == AAUDIO_DIRECTION_INPUT) {
      AAudioStream_read(mAaudioStream, inputShortData.data(),
                        framesPerDataCallback, count * kNanosPerMillisecond);
          AAudioStream_read(mAaudioStream, inputShortData.data(), maxFrames,
                            count * kNanosPerMillisecond);
    } else if (direction == AAUDIO_DIRECTION_OUTPUT) {
      AAudioStream_write(mAaudioStream, inputShortData.data(),
                         framesPerDataCallback, count * kNanosPerMillisecond);
        AAudioStream_write(mAaudioStream, inputShortData.data(), maxFrames,
                           count * kNanosPerMillisecond);
    }
  } else if (actualFormat == AAUDIO_FORMAT_PCM_FLOAT) {
    std::vector<float> inputFloatData(maxInputFrames * actualChannelCount, 0x0);
      std::vector<float> inputFloatData(maxFrames * actualChannelCount, 0x0);
      if (direction == AAUDIO_DIRECTION_INPUT) {
      AAudioStream_read(mAaudioStream, inputFloatData.data(),
                        framesPerDataCallback, count * kNanosPerMillisecond);
          AAudioStream_read(mAaudioStream, inputFloatData.data(), maxFrames,
                            count * kNanosPerMillisecond);
    } else if (direction == AAUDIO_DIRECTION_OUTPUT) {
      AAudioStream_write(mAaudioStream, inputFloatData.data(),
                         framesPerDataCallback, count * kNanosPerMillisecond);
        AAudioStream_write(mAaudioStream, inputFloatData.data(), maxFrames,
                           count * kNanosPerMillisecond);
    }
  }
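Review bot: The vector length `maxFrames * actualChannelCount` is computed in `int32_t` from values that are not range-checked in the visible lines: `framesPerBurst` is the raw return of `AAudioStream_getFramesPerBurst()`, and `actualChannelCount` is set outside the hunk. If either can come back negative (for example as an error code), the product converts to a huge `size_t` and the `std::vector` constructor throws, so the fuzzer would report a harness crash rather than a libaaudio finding. Guarding the format branch with `if (maxFrames > 0 && actualChannelCount > 0) { ... }` avoids that while keeping the buffer length and the frame count passed to `AAudioStream_read()`/`AAudioStream_write()` tied to the same value. Separately, `count * kNanosPerMillisecond` multiplies an arbitrary fuzzer-supplied `int32_t`; the constant is declared outside the hunk, so it is worth confirming it is 64-bit so the product cannot overflow a signed 32-bit value. `process()` starts before and continues after these hunks.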