1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stddef.h>
18 #include <stdint.h>
19 #include <string.h>
20 #include <string>
21 #include <memory>
22
23 #include "android-base/logging.h"
24 #include "androidfw/CursorWindow.h"
25 #include "binder/Parcel.h"
26
27 #include <fuzzer/FuzzedDataProvider.h>
28
29 using android::CursorWindow;
30 using android::Parcel;
31
/**
 * One-time libFuzzer start-up hook.
 *
 * Quiets Android logging before any input is executed, then routes whatever
 * is still logged to stderr. The argc/argv pointers are unused.
 *
 * @return always 0.
 */
extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
    // "*:s" is the Android log-filter spec for "every tag, silent"; without
    // it the per-input LOG(WARNING) in the harness would flood the output.
    constexpr const char* kLogTagsVar = "ANDROID_LOG_TAGS";
    constexpr const char* kSilenceAllTags = "*:s";
    constexpr int kOverwriteExisting = 1;  // replace any value already set
    setenv(kLogTagsVar, kSilenceAllTags, kOverwriteExisting);

    // No argv is forwarded to the logging library; messages go to stderr.
    android::base::InitLogging(nullptr, &android::base::StderrLogger);

    return 0;
}
37
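/**
 * libFuzzer entry point: loads the fuzzer's bytes into a Parcel and asks
 * CursorWindow to build a window from it.
 *
 * The Parcel contents are fully fuzzer-controlled, so the row/column counts
 * and every field slot the window reports must be treated as untrusted. When
 * a window is produced, the harness walks a bounded grid of its fields and
 * requests the string/blob value of each one, then probes the last
 * row/column the window claims to have.
 *
 * @param data  fuzzer-generated bytes, copied into the Parcel.
 * @param size  number of bytes available at data.
 * @return always 0.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    // Upper bound on rows/columns visited per input; keeps each run fast
    // even when the window header claims an enormous table.
    constexpr uint32_t kMaxScan = 128;

    Parcel parcel;
    parcel.setData(data, size);

    CursorWindow* raw = nullptr;
    const auto status = CursorWindow::createFromParcel(&parcel, &raw);

    // Adopt the pointer whether or not creation succeeded, so anything left
    // in the out-parameter is released on every path out of this function.
    std::unique_ptr<CursorWindow> window(raw);

    // A zero (falsy) result is the success path here.
    // NOTE(review): presumably an OK status code -- confirm in CursorWindow.h.
    if (!status) {
        LOG(WARNING) << "Valid cursor with " << window->getNumRows() << " rows, "
                     << window->getNumColumns() << " cols";

        // Try obtaining heap allocations for most items; the search space is
        // trimmed to kMaxScan x kMaxScan to speed things up.
        const auto rows = std::min(window->getNumRows(), kMaxScan);
        const auto cols = std::min(window->getNumColumns(), kMaxScan);

        // Indices are uint32_t to match the bounds (no signed/unsigned
        // comparison against the clamped counts).
        for (uint32_t row = 0; row < rows; ++row) {
            for (uint32_t col = 0; col < cols; ++col) {
                const auto field = window->getFieldSlot(row, col);
                if (!field) continue;  // no slot reported for this cell

                // NOTE(review): the pointers returned below are discarded, so
                // the payload bytes themselves are never read. Reading them
                // under a sanitizer would also check that the reported
                // (pointer, length) pair stays inside the window -- confirm
                // the accessors' null-return contract before adding that.
                switch (window->getFieldSlotType(field)) {
                    case CursorWindow::FIELD_TYPE_STRING: {
                        size_t stringLen = 0;
                        window->getFieldSlotValueString(field, &stringLen);
                        break;
                    }
                    case CursorWindow::FIELD_TYPE_BLOB: {
                        size_t blobLen = 0;
                        window->getFieldSlotValueBlob(field, &blobLen);
                        break;
                    }
                    default:
                        // Other field types carry no out-of-line payload to
                        // request here.
                        break;
                }
            }
        }

        // Finally, try obtaining the furthest valid field. This uses the
        // unclamped counts, so it probes the window's own claimed extent.
        if (rows > 0 && cols > 0) {
            window->getFieldSlot(window->getNumRows() - 1, window->getNumColumns() - 1);
        }
    }

    return 0;
}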
79