1 files changed, 46 insertions, 3 deletions

diff --git a/libs/binder/tests/parcel_fuzzer/random_binder.cpp b/libs/binder/tests/parcel_fuzzer/random_binder.cpp
index 8eab454203..8a1fecb212 100644
--- a/libs/binder/tests/parcel_fuzzer/random_binder.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_binder.cpp
@@ -15,18 +15,54 @@
  */
 #include <fuzzbinder/random_binder.h>
 
+#include <fuzzbinder/random_parcel.h>
+
+#include <android-base/logging.h>
 #include <binder/IInterface.h>
 #include <binder/IServiceManager.h>
 
 namespace android {
 
-class NamedBinder : public BBinder {
+class RandomBinder : public BBinder {
 public:
-    NamedBinder(const String16& descriptor) : mDescriptor(descriptor) {}
+    RandomBinder(const String16& descriptor, std::vector<uint8_t>&& bytes)
+          : mDescriptor(descriptor),
+            mBytes(std::move(bytes)),
+            mProvider(mBytes.data(), mBytes.size()) {}
     const String16& getInterfaceDescriptor() const override { return mDescriptor; }
 
+    status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) override {
+        (void)code;
+        (void)data;
+        (void)reply;
+        (void)flags; // note - for maximum coverage even ignore if oneway
+
+        if (mProvider.ConsumeBool()) {
+            return mProvider.ConsumeIntegral<status_t>();
+        }
+
+        if (reply == nullptr) return OK;
+
+        // TODO: things we could do to increase state space
+        // - also pull FDs and binders from 'data'
+        //     (optionally combine these into random parcel 'options')
+        // - also pull FDs and binders from random parcel 'options'
+        RandomParcelOptions options;
+
+        // random output
+        std::vector<uint8_t> subData = mProvider.ConsumeBytes<uint8_t>(
+                mProvider.ConsumeIntegralInRange<size_t>(0, mProvider.remaining_bytes()));
+        fillRandomParcel(reply, FuzzedDataProvider(subData.data(), subData.size()), &options);
+
+        return OK;
+    }
+
 private:
     String16 mDescriptor;
+
+    // note may not all be used
+    std::vector<uint8_t> mBytes;
+    FuzzedDataProvider mProvider;
 };
 
 sp<IBinder> getRandomBinder(FuzzedDataProvider* provider) {
@@ -35,7 +71,14 @@ sp<IBinder> getRandomBinder(FuzzedDataProvider* provider) {
                 // descriptor is the length of a class name, e.g.
                 // "some.package.Foo"
                 std::string str = provider->ConsumeRandomLengthString(100 /*max length*/);
-                return new NamedBinder(String16(str.c_str()));
+
+                // arbitrarily consume remaining data to create a binder that can return
+                // random results - coverage guided fuzzer should ensure all of the remaining
+                // data isn't always used
+                std::vector<uint8_t> bytes = provider->ConsumeBytes<uint8_t>(
+                        provider->ConsumeIntegralInRange<size_t>(0, provider->remaining_bytes()));
+
+                return new RandomBinder(String16(str.c_str()), std::move(bytes));
             },
             []() {
                 // this is the easiest remote binder to get ahold of, and it