/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <fuzzer/FuzzedDataProvider.h>
#include "osi/include/allocator.h"
#include "osi/test/fuzzers/include/libosiFuzzHelperFunctions.h"
#define MAX_NUM_FUNCTIONS 512
#define MAX_BUF_SIZE 256
namespace {

// Cases 1 (osi_malloc) and 2 (osi_calloc): request a buffer of up to
// MAX_BUF_SIZE bytes and record it for the end-of-input sweep.  A zero length
// is skipped without calling into the allocator at all.
void fuzzAllocate(std::vector<void*>* alloc_vector,
                  FuzzedDataProvider* dataProvider, bool zeroed) {
  const size_t size =
      dataProvider->ConsumeIntegralInRange<size_t>(0, MAX_BUF_SIZE);
  if (size == 0) return;
  void* const ptr = zeroed ? osi_calloc(size) : osi_malloc(size);
  if (ptr != nullptr) alloc_vector->push_back(ptr);
}

// Cases 3 (osi_free) and 4 (osi_free_and_reset): release one previously
// recorded pointer chosen by the input.  Nothing is consumed when there is
// nothing to free.
void fuzzFree(std::vector<void*>* alloc_vector,
              FuzzedDataProvider* dataProvider, bool reset) {
  if (alloc_vector->empty()) return;
  const size_t index = dataProvider->ConsumeIntegralInRange<size_t>(
      0, alloc_vector->size() - 1);
  void* ptr = alloc_vector->at(index);
  if (ptr != nullptr) {
    if (reset) {
      // Only the local copy is handed to the reset variant; the vector slot
      // is dropped below either way, so the sweep never sees this pointer.
      osi_free_and_reset(&ptr);
    } else {
      osi_free(ptr);
    }
  }
  alloc_vector->erase(alloc_vector->begin() + index);
}

// Cases 5 (osi_strdup) and 6 (osi_strndup): duplicate an input-derived
// string and record the copy.  The bounded variant consumes its length
// limit after the source buffer has been generated.
void fuzzStrdup(std::vector<void*>* alloc_vector,
                FuzzedDataProvider* dataProvider, bool bounded) {
  char* const buf = generateBuffer(dataProvider, MAX_BUF_SIZE, true);
  if (buf == nullptr) return;
  char* str;
  if (bounded) {
    const size_t size =
        dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUF_SIZE);
    str = osi_strndup(buf, size);
  } else {
    str = osi_strdup(buf);
  }
  // The source buffer is released with libc free(); this has to match how
  // generateBuffer allocates it — verify against libosiFuzzHelperFunctions.
  free(buf);
  if (str != nullptr) alloc_vector->push_back(str);
}

}  // namespace

// Performs one fuzz step against the osi allocator.  The first consumed
// value selects the entry point; the per-case helpers above consume any
// further arguments.  Pointers returned by the allocator are appended to
// |alloc_vector| so the caller can release them once the input is exhausted.
// The consumption order (selector, then case arguments) is what keeps corpus
// inputs reproducible, so it must not be reordered.
void callArbitraryFunction(std::vector<void*>* alloc_vector,
                           FuzzedDataProvider* dataProvider) {
  // 0 is a deliberate no-op: ConsumeIntegral yields 0 once the input is
  // exhausted, so that case absorbs the tail of every input (and is thus
  // over-represented relative to the others).
  const char func_id = dataProvider->ConsumeIntegralInRange<char>(0, 6);
  switch (func_id) {
    case 1:
    case 2:
      fuzzAllocate(alloc_vector, dataProvider, /*zeroed=*/func_id == 2);
      return;
    case 3:
    case 4:
      fuzzFree(alloc_vector, dataProvider, /*reset=*/func_id == 4);
      return;
    case 5:
    case 6:
      fuzzStrdup(alloc_vector, dataProvider, /*bounded=*/func_id == 6);
      return;
    default:  // case 0 (no-op); no other value is in range
      return;
  }
}
// libFuzzer entry point.  Runs a bounded number of allocator calls driven by
// |Data| and then releases every pointer those calls handed back, so that
// each input leaves the process heap in the same state it found it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
  FuzzedDataProvider dataProvider(Data, Size);

  // Every pointer the allocator returns during this input is recorded here
  // so the sweep at the bottom can free it.
  std::vector<void*> alloc_vector;

  const size_t num_functions =
      dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_FUNCTIONS);
  for (size_t step = 0; step < num_functions; ++step) {
    callArbitraryFunction(&alloc_vector, &dataProvider);
  }

  // Release whatever the steps above left allocated.
  for (void* alloc : alloc_vector) {
    if (alloc != nullptr) osi_free(alloc);
  }
  alloc_vector.clear();
  return 0;
}