commit 005321cf92914b3fd4f7e11a6782bffc039cde06
author Anuj Joshi <anuj.joshi@ittiam.com> Fri Feb 04 06:35:28 2022 +0000
committer Ayushi Khopkar <akhopkar@google.com> Fri Feb 04 06:35:28 2022 +0000
tree 338893591f7fde98453401d755ac00538f4a564c
parent 6edb019eaa4bb3d2eefedd5488d7385785e44c19

Updated fuzzer for libaaudio

Made changes to use 'maxInputFrames' instead of 'framesPerDataCallback' to make sure there is no OOB access in AAudioStream_read() and AAudioStream_write()

Test: ./libaaudio_fuzzer
Bug: 204666804

Change-Id: I92ae92905b3d6bf0e27315c133128ec05c84fa20
(cherry picked from commit a941a18e71adce324a0664b2da78a54775fc564c)

media/libaaudio/fuzzer/libaaudio_fuzzer.cpp

diff --git a/media/libaaudio/fuzzer/libaaudio_fuzzer.cpp b/media/libaaudio/fuzzer/libaaudio_fuzzer.cpp
index 1167bb0..0233ee1 100644
--- a/media/libaaudio/fuzzer/libaaudio_fuzzer.cpp
+++ b/media/libaaudio/fuzzer/libaaudio_fuzzer.cpp
@@ -202,7 +202,7 @@
 
   int32_t framesPerBurst = AAudioStream_getFramesPerBurst(mAaudioStream);
   uint8_t numberOfBursts = fdp.ConsumeIntegral<uint8_t>();
-  int32_t maxInputFrames = numberOfBursts * framesPerBurst;
+  int32_t maxFrames = numberOfBursts * framesPerBurst;
   int32_t requestedBufferSize =
       fdp.ConsumeIntegral<uint16_t>() * framesPerBurst;
   AAudioStream_setBufferSizeInFrames(mAaudioStream, requestedBufferSize);
@@ -218,26 +218,24 @@
 
   int32_t count = fdp.ConsumeIntegral<int32_t>();
   direction = AAudioStream_getDirection(mAaudioStream);
-  framesPerDataCallback = AAudioStream_getFramesPerDataCallback(mAaudioStream);
 
   if (actualFormat == AAUDIO_FORMAT_PCM_I16) {
-    std::vector<int16_t> inputShortData(maxInputFrames * actualChannelCount,
-                                        0x0);
-    if (direction == AAUDIO_DIRECTION_INPUT) {
-      AAudioStream_read(mAaudioStream, inputShortData.data(),
-                        framesPerDataCallback, count * kNanosPerMillisecond);
+      std::vector<int16_t> inputShortData(maxFrames * actualChannelCount, 0x0);
+      if (direction == AAUDIO_DIRECTION_INPUT) {
+          AAudioStream_read(mAaudioStream, inputShortData.data(), maxFrames,
+                            count * kNanosPerMillisecond);
     } else if (direction == AAUDIO_DIRECTION_OUTPUT) {
-      AAudioStream_write(mAaudioStream, inputShortData.data(),
-                         framesPerDataCallback, count * kNanosPerMillisecond);
+        AAudioStream_write(mAaudioStream, inputShortData.data(), maxFrames,
+                           count * kNanosPerMillisecond);
     }
   } else if (actualFormat == AAUDIO_FORMAT_PCM_FLOAT) {
-    std::vector<float> inputFloatData(maxInputFrames * actualChannelCount, 0x0);
-    if (direction == AAUDIO_DIRECTION_INPUT) {
-      AAudioStream_read(mAaudioStream, inputFloatData.data(),
-                        framesPerDataCallback, count * kNanosPerMillisecond);
+      std::vector<float> inputFloatData(maxFrames * actualChannelCount, 0x0);
+      if (direction == AAUDIO_DIRECTION_INPUT) {
+          AAudioStream_read(mAaudioStream, inputFloatData.data(), maxFrames,
+                            count * kNanosPerMillisecond);
     } else if (direction == AAUDIO_DIRECTION_OUTPUT) {
-      AAudioStream_write(mAaudioStream, inputFloatData.data(),
-                         framesPerDataCallback, count * kNanosPerMillisecond);
+        AAudioStream_write(mAaudioStream, inputFloatData.data(), maxFrames,
+                           count * kNanosPerMillisecond);
     }
   }