Merge changes Idf197043,Iafb61b9e am: 50861777d5 am: 74bc76fa1f (aeaa1086) · Commits · e / os / android_frameworks_native-old

libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h

+10 −5

Original line number	Diff line number	Diff line
		@@ -19,13 +19,18 @@
		#include <binder/Parcel.h>
		#include <fuzzer/FuzzedDataProvider.h>

		#include <functional>

		namespace android {
		/**
		* Fill parcel data, including some random binder objects and FDs
		*
		* p - the Parcel to fill
		* provider - takes ownership and completely consumes provider
		* writeHeader - optional function to write a specific header once the format of the parcel is
		* picked (for instance, to write an interface header)
		*/
		void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider);
		/**
		* Fill parcel data, but don't fill any objects.
		*/
		void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider);
		void fillRandomParcel(
		Parcel* p, FuzzedDataProvider&& provider,
		std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader = nullptr);
		} // namespace android

+8 −1

Original line number	Diff line number	Diff line
		@@ -27,7 +27,14 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {

		std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
		provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()));
		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()),
		[&binder](Parcel* p, FuzzedDataProvider& provider) {
		// most code will be behind checks that the head of the Parcel
		// is exactly this, so make it easier for fuzzers to reach this
		if (provider.ConsumeBool()) {
		p->writeInterfaceToken(binder->getInterfaceDescriptor());
		}
		});

		Parcel reply;
		(void)binder->transact(code, data, &reply, flags);

+12 −6

Original line number	Diff line number	Diff line
		@@ -34,15 +34,26 @@ private:
		String16 mDescriptor;
		};

		void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
		static void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
		std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
		CHECK(OK == p->write(data.data(), data.size()));
		}

		void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider,
		std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader) {
		if (provider.ConsumeBool()) {
		auto session = RpcSession::make(RpcTransportCtxFactoryRaw::make());
		CHECK_EQ(OK, session->addNullDebuggingClient());
		p->markForRpc(session);

		writeHeader(p, provider);

		fillRandomParcelData(p, std::move(provider));
		return;
		}

		writeHeader(p, provider);

		while (provider.remaining_bytes() > 0) {
		auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
		// write data
		@@ -85,9 +96,4 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
		}
		}

		void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
		std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
		CHECK(OK == p->write(data.data(), data.size()));
		}

		} // namespace android