1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fuzzer/FuzzedDataProvider.h>
18 #include "osi/include/array.h"
19
20 // Capping the element size at sizeof(uint32_t)+1
21 // because it looks like there's a buffer overread
22 #define MAX_ELEMENT_SIZE sizeof(uint32_t)
23 #define MAX_ARRAY_LEN 1024
24
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)25 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
26 // Init our wrapper
27 FuzzedDataProvider dataProvider(Data, Size);
28
29 // Attempt to init an array
30 size_t element_size =
31 dataProvider.ConsumeIntegralInRange<size_t>(1, MAX_ELEMENT_SIZE);
32 array_t* arr = array_new(element_size);
33
34 // Functions can only be called on a non-null array_t, according to the .h
35 if (arr != nullptr) {
36 // How large do we want our array?
37 size_t arr_len =
38 dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_ARRAY_LEN);
39 if (arr_len > 0) {
40 for (size_t i = 0; i < arr_len; i++) {
41 uint32_t new_val = dataProvider.ConsumeIntegral<uint32_t>();
42 // append_value() just derefs and calls append_ptr(),
43 // so no need to fuzz separately
44 array_append_value(arr, new_val);
45 }
46
47 // Pull the ptr to an element in the array
48 size_t get_index =
49 dataProvider.ConsumeIntegralInRange<size_t>(0, array_length(arr) - 1);
50 array_at(arr, get_index);
51
52 // Grab the array pointer
53 array_ptr(arr);
54 }
55 }
56
57 // Free the array (this can be performed on a nullptr)
58 array_free(arr);
59
60 return 0;
61 }
62