
Commit 9ea1230e authored by Yurii Zubrytskyi

[res] Fix the fuzzer's use after free

ResXMLTree doesn't copy the passed data by default, so the
fuzzing code needs to make sure the data outlives the tree.

Bug: 332013774
Test: manual
Change-Id: I44de100e5005548b041c15a99b0c317cdace0722
parent 61e25300
+3 −2
@@ -52,10 +52,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    // Populate the DynamicRefTable with fuzzed data
    populateDynamicRefTableWithFuzzedData(*dynamic_ref_table, fuzzedDataProvider);
    std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();

    // Make sure the object here outlives the vector it's set to, otherwise it will try
    // accessing an already freed buffer and crash.
    auto tree = android::ResXMLTree(std::move(dynamic_ref_table));

    std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
    if (tree.setTo(xmlData.data(), xmlData.size()) != android::NO_ERROR) {
        return 0; // Exit early if unable to parse XML data
    }
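Review bot: the new comment in this hunk (`// Make sure the object here outlives the vector it's set to, otherwise it will try` / `// accessing an already freed buffer and crash.`) states the lifetime requirement backwards: it is the vector `xmlData` that must outlive `tree`, which is what the commit message says and what the reordering achieves, because locals are destroyed in reverse declaration order, so declaring `xmlData` after `tree` keeps the buffer alive until the tree's destructor has run. Suggest rewording to something like `// xmlData must outlive tree: ResXMLTree does not copy the buffer handed to setTo()`. Worth noting in the comment as well that the fix relies purely on declaration order, which a later refactor could silently undo; since the commit message says the data is not copied "by default", if setTo offers a copying mode, using it here would remove the ordering dependency at the cost of one extra copy per fuzz input.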