[res] Fix the fuzzer's use after free

ResXMLTree doesn't copy the passed data by default, so the fuzzing code needs to make sure the data outlives the tree. Bug: 332013774 Test: manual Change-Id: I44de100e5005548b041c15a99b0c317cdace0722
author: Yurii Zubrytskyi <zyy@google.com> 2024-05-29 17:31:19 -0700
committer: Yurii Zubrytskyi <zyy@google.com> 2024-05-29 17:31:19 -0700
commit: 9ea1230e6a904ca3bf01e27018fa59f17216c34b (patch)
tree: 7ae0502702887a2e336bbcba9e2f25d53e02bca4
parent: 61e25300319471919274e69867f4940279e63ba8 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/libs/androidfw/fuzz/resxmlparser_fuzzer/resxmlparser_fuzzer.cpp b/libs/androidfw/fuzz/resxmlparser_fuzzer/resxmlparser_fuzzer.cpp
index 829a39617012..a218a1ff1eb6 100644
--- a/libs/androidfw/fuzz/resxmlparser_fuzzer/resxmlparser_fuzzer.cpp
+++ b/libs/androidfw/fuzz/resxmlparser_fuzzer/resxmlparser_fuzzer.cpp
@@ -52,10 +52,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
     // Populate the DynamicRefTable with fuzzed data
     populateDynamicRefTableWithFuzzedData(*dynamic_ref_table, fuzzedDataProvider);
+    std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
 
+    // Make sure the object here outlives the vector it's set to, otherwise it will try
+    // accessing an already freed buffer and crash.
     auto tree = android::ResXMLTree(std::move(dynamic_ref_table));
-
-    std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
     if (tree.setTo(xmlData.data(), xmlData.size()) != android::NO_ERROR) {
         return 0; // Exit early if unable to parse XML data
     }
author	Yurii Zubrytskyi <zyy@google.com>	2024-05-29 17:31:19 -0700
committer	Yurii Zubrytskyi <zyy@google.com>	2024-05-29 17:31:19 -0700
commit	9ea1230e6a904ca3bf01e27018fa59f17216c34b (patch)
tree	7ae0502702887a2e336bbcba9e2f25d53e02bca4
parent	61e25300319471919274e69867f4940279e63ba8 (diff)