author Steven Moreland <smoreland@google.com> 2021-09-20 15:49:11 -0700
committer Steven Moreland <smoreland@google.com> 2021-09-20 15:54:19 -0700
commitbbfdb59708a13e7d76bba07fcb588bb2b905c3fc (patch)
tree80e350594abd14fae7b271d179a633818ed50828
parent963b7bbac0352ce3d058bbd7e582930ff6c89e46 (diff)
binder_rpc_fuzzer: use ConsumeRandomLengthString
This function uses a clever mechanism (by establishing an end-of-string sequence '\[^\]' and treating '\\' as '\') in order to allow perturbations from the fuzzer to more easily resize a string being read without changing the structure of the rest of the fuzz data. In the previous solution (since FuzzedDataProvider reads integral values off of the end of the fuzz data), a change in the size of the data being read may shift things in the string in a way that fundamentally changes the structure of the data being processed. In order to allow the fuzzer to more easily exploit high-coverage strings, this change switches to that approach. Note, ConsumeRandomLengthString will read in binary data as well and it will also allow null bytes. Bug: 199324691 Test: binder_rpc_fuzzer Change-Id: Iaab6e7045add2e0bf541e5218364ffba49138bdc
-rw-r--r--libs/binder/tests/rpc_fuzzer/main.cpp3
1 files changed, 1 insertions, 2 deletions
diff --git a/libs/binder/tests/rpc_fuzzer/main.cpp b/libs/binder/tests/rpc_fuzzer/main.cpp
index 230f5c7b77..47a99136b0 100644
--- a/libs/binder/tests/rpc_fuzzer/main.cpp
+++ b/libs/binder/tests/rpc_fuzzer/main.cpp
@@ -87,8 +87,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
size_t idx = provider.ConsumeIntegralInRange<size_t>(0, connections.size() - 1);
if (provider.ConsumeBool()) {
- std::vector<uint8_t> writeData = provider.ConsumeBytes<uint8_t>(
- provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
+ std::string writeData = provider.ConsumeRandomLengthString();
ssize_t size = TEMP_FAILURE_RETRY(send(connections.at(idx).get(), writeData.data(),
writeData.size(), MSG_NOSIGNAL));
CHECK(errno == EPIPE || size == writeData.size())