diff options
| author | 2023-03-07 23:00:34 +0000 | |
|---|---|---|
| committer | 2023-03-07 23:12:09 +0000 | |
| commit | f6226c6be3dc85574e3c57cf88106de5f933a2a1 (patch) | |
| tree | b3fdf2126921ef334d7b34e3b5f5e1058f82641f | |
| parent | 73de090fa5dc7aaeacae3b1e436f862a9e80f7dc (diff) | |
Limit values of data position in fuzzer
Negative values for data position leads to crashes in native code.
Limit domain to positive values only.
Test: m java_binder_parcel_fuzzer && ./jazzer_helper.sh --fuzz_target java_binder_parcel_fuzzer --target_class parcelfuzzer.ParcelFuzzer
Bug: 264673355
Change-Id: I5ce13560c30f96a8562b0b3c0fe98e1c1d7318ab
| -rw-r--r-- | core/tests/fuzzers/ParcelFuzzer/ReadUtils.java | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/core/tests/fuzzers/ParcelFuzzer/ReadUtils.java b/core/tests/fuzzers/ParcelFuzzer/ReadUtils.java index 0eff5f24f7e0..b5e5b258b7d6 100644 --- a/core/tests/fuzzers/ParcelFuzzer/ReadUtils.java +++ b/core/tests/fuzzers/ParcelFuzzer/ReadUtils.java @@ -97,7 +97,7 @@ public class ReadUtils { public static ReadOperation[] READ_OPERATIONS = new ReadOperation[] { (parcel, provider) -> { - parcel.setDataPosition(provider.consumeInt()); + parcel.setDataPosition(provider.consumeInt(0, Integer.MAX_VALUE)); }, (parcel, provider) -> { parcel.setDataCapacity(provider.consumeInt()); @@ -155,6 +155,7 @@ public class ReadUtils { byte[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new byte[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -166,6 +167,7 @@ public class ReadUtils { char[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new char[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -177,6 +179,7 @@ public class ReadUtils { int[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new int[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -188,6 +191,7 @@ public class ReadUtils { double[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new double[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -199,6 +203,7 @@ public class ReadUtils { float[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new float[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -210,6 +215,7 @@ public class ReadUtils { boolean[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new boolean[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -221,6 +227,7 @@ public class ReadUtils { long[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new long[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -232,6 +239,7 @@ public class ReadUtils { IBinder[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new IBinder[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -274,6 +282,7 @@ public class ReadUtils { SingleDataParcelable[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new SingleDataParcelable[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -293,6 +302,7 @@ public class ReadUtils { EmptyParcelable[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new EmptyParcelable[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -312,6 +322,7 @@ public class ReadUtils { GenericDataParcelable[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new GenericDataParcelable[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -334,6 +345,7 @@ public class ReadUtils { SomeParcelable[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new SomeParcelable[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { @@ -390,6 +402,7 @@ public class ReadUtils { TestInterface[] array; if (provider.consumeBoolean()) { int pos = parcel.dataPosition(); + if (pos < 0) return; array = new TestInterface[Math.min(MAX_LEN, parcel.readInt())]; parcel.setDataPosition(pos); } else { |