
Commit afa80e1e authored by Devendra Singhi

mtp_fuzzer: Bug fix

Updated MtpMockHandle to prevent an OOB read. The buffer size check in read() is updated to consider the remaining number of bytes instead of the total number of bytes.

Bug: b/319146213
Test: ./mtp_fuzzer clusterfuzz-testcase-minimized-mtp_fuzzer-6063056382656512

Change-Id: Ic3850f71b63fbf57139f4a26f1676ebb5f0048ac
parent 99a096a9
@@ -45,18 +45,18 @@ public:
                  pkt.size());

            // packet is bigger than what the caller can handle,
            if (pkt.size() > len) {
            if (pkt.size() - mPacketOffset > len) {
                memcpy(data, pkt.data() + mPacketOffset, len);

                mPacketOffset += len;
                readAmt = len;
                // packet is equal or smaller than the caller buffer
            } else {
                memcpy(data, pkt.data() + mPacketOffset, pkt.size());
                memcpy(data, pkt.data() + mPacketOffset, pkt.size() - mPacketOffset);

                mPacketNumber++;
                mPacketOffset = 0;
                readAmt = pkt.size();
                readAmt = pkt.size() - mPacketOffset;
            }

            return readAmt;
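Review bot: in the else branch the new `readAmt = pkt.size() - mPacketOffset;` is evaluated after `mPacketOffset = 0;`, so it always yields `pkt.size()` rather than the number of bytes the preceding memcpy actually copied (`pkt.size() - mPacketOffset` with the pre-reset offset). The memcpy itself is now bounded correctly, but read() over-reports the copied length whenever a packet was partially consumed by an earlier call, so the caller may treat the uncopied tail of `data` as valid. Compute the remaining count once before the reset and reuse it, e.g. `const size_t remaining = pkt.size() - mPacketOffset;` then `memcpy(data, pkt.data() + mPacketOffset, remaining);` and `readAmt = remaining;`, with `mPacketOffset = 0;` afterwards.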