| /* |
| * Copyright 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <fuzzer/FuzzedDataProvider.h> |
| #include "osi/include/ringbuffer.h" |
| |
| #define MAX_NUM_FUNCTIONS 512 |
| #define MAX_BUF_SIZE 2048 |
| |
| ringbuffer_t* getArbitraryRingBuf(std::vector<ringbuffer_t*>* ringbuf_vector, |
| FuzzedDataProvider* dataProvider) { |
| if (ringbuf_vector->empty()) { |
| return nullptr; |
| } |
| |
| size_t index = dataProvider->ConsumeIntegralInRange<size_t>( |
| 0, ringbuf_vector->size() - 1); |
| return ringbuf_vector->at(index); |
| } |
| |
| void callArbitraryFunction(std::vector<ringbuffer_t*>* ringbuf_vector, |
| FuzzedDataProvider* dataProvider) { |
| // Get our function identifier |
| char func_id = dataProvider->ConsumeIntegralInRange<char>(0, 8); |
| |
| ringbuffer_t* buf = nullptr; |
| switch (func_id) { |
| // Let 0 be a NO-OP, as ConsumeIntegral will return 0 on an empty buffer |
| // (This will likely bias whatever action is here to run more often) |
| case 0: |
| return; |
| case 1: { |
| size_t size = |
| dataProvider->ConsumeIntegralInRange<size_t>(0, MAX_BUF_SIZE); |
| buf = ringbuffer_init(size); |
| if (buf) { |
| ringbuf_vector->push_back(buf); |
| } |
| } |
| return; |
| case 2: { |
| if (ringbuf_vector->empty()) { |
| return; |
| } |
| size_t index = dataProvider->ConsumeIntegralInRange<size_t>( |
| 0, ringbuf_vector->size() - 1); |
| buf = ringbuf_vector->at(index); |
| if (buf) { |
| ringbuffer_free(buf); |
| ringbuf_vector->erase(ringbuf_vector->begin() + index); |
| } |
| } |
| return; |
| case 3: |
| buf = getArbitraryRingBuf(ringbuf_vector, dataProvider); |
| if (buf) { |
| ringbuffer_available(buf); |
| } |
| return; |
| case 4: |
| buf = getArbitraryRingBuf(ringbuf_vector, dataProvider); |
| if (buf) { |
| ringbuffer_size(buf); |
| } |
| return; |
| case 5: { |
| buf = getArbitraryRingBuf(ringbuf_vector, dataProvider); |
| size_t size = |
| dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUF_SIZE); |
| if (buf == nullptr || size == 0) { |
| return; |
| } |
| void* src_buf = malloc(size); |
| if (src_buf == nullptr) { |
| return; |
| } |
| std::vector<uint8_t> bytes = dataProvider->ConsumeBytes<uint8_t>(size); |
| memcpy(src_buf, bytes.data(), bytes.size()); |
| |
| ringbuffer_insert(buf, reinterpret_cast<uint8_t*>(src_buf), size); |
| free(src_buf); |
| } |
| return; |
| case 6: |
| case 7: { |
| buf = getArbitraryRingBuf(ringbuf_vector, dataProvider); |
| if (buf == nullptr) { |
| return; |
| } |
| size_t max_size = ringbuffer_size(buf); |
| if (max_size == 0) { |
| return; |
| } |
| size_t size = dataProvider->ConsumeIntegralInRange<size_t>(1, max_size); |
| |
| // NOTE: 0-size may be a valid case, that crashes currently. |
| if (size == 0) { |
| return; |
| } |
| |
| void* dst_buf = malloc(size); |
| if (dst_buf == nullptr) { |
| return; |
| } |
| if (func_id == 6) { |
| off_t offset = dataProvider->ConsumeIntegral<off_t>(); |
| if (offset >= 0 && |
| static_cast<size_t>(offset) <= ringbuffer_size(buf)) { |
| ringbuffer_peek(buf, offset, reinterpret_cast<uint8_t*>(dst_buf), |
| size); |
| } |
| } else { |
| ringbuffer_pop(buf, reinterpret_cast<uint8_t*>(dst_buf), size); |
| } |
| free(dst_buf); |
| } |
| return; |
| case 8: { |
| buf = getArbitraryRingBuf(ringbuf_vector, dataProvider); |
| size_t size = |
| dataProvider->ConsumeIntegralInRange<size_t>(0, MAX_BUF_SIZE); |
| if (buf) { |
| ringbuffer_delete(buf, size); |
| } |
| } |
| return; |
| default: |
| return; |
| } |
| } |
| |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) { |
| // Init our wrapper |
| FuzzedDataProvider dataProvider(Data, Size); |
| |
| // Keep a vector of our allocated objects for freeing later |
| std::vector<ringbuffer_t*> ringbuf_vector; |
| |
| // Call some functions, create some buffers |
| size_t num_functions = |
| dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_FUNCTIONS); |
| for (size_t i = 0; i < num_functions; i++) { |
| callArbitraryFunction(&ringbuf_vector, &dataProvider); |
| } |
| |
| // Free anything we've allocated |
| for (const auto& ringbuf : ringbuf_vector) { |
| if (ringbuf != nullptr) { |
| ringbuffer_free(ringbuf); |
| } |
| } |
| ringbuf_vector.clear(); |
| return 0; |
| } |