1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <fuzzer/FuzzedDataProvider.h>
18 #include "osi/include/array.h"
19 
20 // Capping the element size at sizeof(uint32_t)+1
21 // because it looks like there's a buffer overread
22 #define MAX_ELEMENT_SIZE sizeof(uint32_t)
23 #define MAX_ARRAY_LEN 1024
24 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)25 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
26   // Init our wrapper
27   FuzzedDataProvider dataProvider(Data, Size);
28 
29   // Attempt to init an array
30   size_t element_size =
31       dataProvider.ConsumeIntegralInRange<size_t>(1, MAX_ELEMENT_SIZE);
32   array_t* arr = array_new(element_size);
33 
34   // Functions can only be called on a non-null array_t, according to the .h
35   if (arr != nullptr) {
36     // How large do we want our array?
37     size_t arr_len =
38         dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_ARRAY_LEN);
39     if (arr_len > 0) {
40       for (size_t i = 0; i < arr_len; i++) {
41         uint32_t new_val = dataProvider.ConsumeIntegral<uint32_t>();
42         // append_value() just derefs and calls append_ptr(),
43         // so no need to fuzz separately
44         array_append_value(arr, new_val);
45       }
46 
47       // Pull the ptr to an element in the array
48       size_t get_index =
49           dataProvider.ConsumeIntegralInRange<size_t>(0, array_length(arr) - 1);
50       array_at(arr, get_index);
51 
52       // Grab the array pointer
53       array_ptr(arr);
54     }
55   }
56 
57   // Free the array (this can be performed on a nullptr)
58   array_free(arr);
59 
60   return 0;
61 }
62