
Commit 39a846d5 authored by Frederick Mayle's avatar Frederick Mayle Committed by Automerger Merge Worker

Merge "binder: Fuzz Parcel::appendFrom" am: e5d403de

parents b8c51a24 e5d403de
+4 −0
@@ -43,6 +43,10 @@ public:
        return aParcel()->get()->setData(buffer, len);
    }

    android::status_t appendFrom(const NdkParcelAdapter* parcel, int32_t start, int32_t len) {
        return AParcel_appendFrom(parcel->aParcel(), aParcel(), start, len);
    }

private:
    ndk::ScopedAParcel mParcel;
};
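Review bot: The new `appendFrom` wrapper carries no comment saying which parcel is the destination, and the call passes the argument first and the receiver second, which reads as reversed next to `setData` above. As far as I know `AParcel_appendFrom` takes the source parcel first and the destination second, so the order is correct, but a reader has to look that up. A line such as `// Appends [start, start+len) of |parcel| to this parcel; the NDK call takes (from, to).` above the method would settle it. The class body begins outside this hunk, so whether `aParcel()` has a const overload for the `const NdkParcelAdapter*` argument cannot be checked from here.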
+25 −0
@@ -94,6 +94,25 @@ void doReadFuzz(const char* backend, const std::vector<ParcelRead<P>>& reads,
    }
}

// Append two random parcels.
template <typename P>
void doAppendFuzz(const char* backend, FuzzedDataProvider&& provider) {
    int32_t start = provider.ConsumeIntegral<int32_t>();
    int32_t len = provider.ConsumeIntegral<int32_t>();

    std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(
            provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));

    P p0, p1;
    fillRandomParcel(&p0, FuzzedDataProvider(bytes.data(), bytes.size()));
    fillRandomParcel(&p1, std::move(provider));

    FUZZ_LOG() << "backend: " << backend;
    FUZZ_LOG() << "start: " << start << " len: " << len;

    p0.appendFrom(&p1, start, len);
}

void* NothingClass_onCreate(void* args) {
    return args;
}
@@ -143,6 +162,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
                doReadFuzz<NdkParcelAdapter>("binder_ndk", BINDER_NDK_PARCEL_READ_FUNCTIONS,
                                             std::move(provider));
            },
            [](FuzzedDataProvider&& provider) {
                doAppendFuzz<::android::Parcel>("binder", std::move(provider));
            },
            [](FuzzedDataProvider&& provider) {
                doAppendFuzz<NdkParcelAdapter>("binder_ndk", std::move(provider));
            },
    };

    provider.PickValueInArray(fuzzBackend)(std::move(provider));
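Review bot: In `doAppendFuzz`, `start` and `len` are drawn from the full int32_t range, so most inputs will probably be turned away by appendFrom's range validation and never reach the code that copies data and objects between the two parcels. The out-of-range and negative cases are worth keeping, but a share of runs should land inside `p1`. One way is to take `bool inRange = provider.ConsumeBool();` alongside the two integers (before `provider` is moved into `fillRandomParcel`) and, when it is set, reduce `start` and `len` into `p1`'s data size after both parcels are filled. That needs a size accessor on both backends, which this page does not show for `NdkParcelAdapter`. The status returned by `p0.appendFrom(&p1, start, len)` is also dropped; writing it to `FUZZ_LOG()` would make a reproduced input easier to interpret.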