author: Jeff Sharkey <jsharkey@android.com> 2020-10-13 09:40:52 -0600
committer: Jeff Sharkey <jsharkey@android.com> 2020-10-19 16:07:16 -0600
commit: 256da5a361104276b01ad2834f9929bc8ed457f7
tree: 46f2d9b200fe5447417209539db5843075c0a5e8 /tests/DynamicCodeLoggerIntegrationTests/src
parent: ae2d88a65c69c27ea01478d5761fe385ac32a7f9
Add fuzzer for rewritten CursorWindow.

We recently rewrote CursorWindow, so let's get a fuzzer wired up to see if it has any bugs.

This change creates a separate "libandroidfw_fuzz" library, since we can't link to libbinder when building Windows host-side binaries; the fuzzer doesn't need Window support.

And fix our first vulnerability where getFieldSlot() could be tricked into reading out of bounds data.

The included corpus seed was generated using this example code:

    CursorWindow* w = nullptr;
    CursorWindow::create(android::String8("test"), 1 << 21, &w);
    w->setNumColumns(3);
    w->allocRow();
    w->putLong(0,0,0xcafe);
    w->putLong(0,1,0xcafe);
    w->putLong(0,2,0xcafe);
    // Row purposefully left empty
    w->allocRow();
    w->allocRow();
    w->putNull(2,0);
    w->putNull(2,1);
    w->putNull(2,2);
    w->allocRow();
    w->putString(3,0,"cafe",5);
    w->putString(3,1,"cafe",5);
    w->putString(3,2,"cafe",5);
    w->allocRow();
    w->putDouble(4,0,3.14159f);
    w->putDouble(4,1,3.14159f);
    w->putDouble(4,2,3.14159f);
    Parcel p;
    w->writeToParcel(&p);

Bug: 169251528
Test: atest libandroidfw_tests:CursorWindowTest
Test: SANITIZE_HOST=address make ${FUZZER_NAME} && ${ANDROID_HOST_OUT}/fuzz/$(get_build_var HOST_ARCH)/${FUZZER_NAME}/${FUZZER_NAME}
Change-Id: I405d377900943de0ad732d3f1a1a0970e17d5140

Diffstat (limited to 'tests/DynamicCodeLoggerIntegrationTests/src')
0 files changed, 0 insertions, 0 deletions
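
The class of bug the commit message describes for getFieldSlot(), shown as an added example that is not the commit's code: a simplified slot table parsed from untrusted bytes with every index and offset validated, plus a libFuzzer-style entry point that exercises it. The Header/FieldSlot layout and the name getFieldSlotChecked are assumptions for illustration and do not reflect CursorWindow's real format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical layout (an assumption, not CursorWindow's real format):
// [Header][numRows * numColumns FieldSlot entries][payload bytes]
struct Header { uint32_t numRows; uint32_t numColumns; };
struct FieldSlot { uint32_t type; uint32_t offset; uint32_t size; };

// Copies the slot for (row, column) into *out and returns true only when the
// slot table, the requested cell and the slot's payload range all lie inside
// the len-byte buffer. Every field read from data is treated as untrusted.
bool getFieldSlotChecked(const uint8_t* data, size_t len, uint32_t row,
                         uint32_t column, FieldSlot* out) {
    Header h;
    if (len < sizeof(h)) return false;
    std::memcpy(&h, data, sizeof(h));
    // 64-bit product cannot wrap; reject tables larger than the buffer.
    uint64_t cells = uint64_t(h.numRows) * h.numColumns;
    if (cells > (len - sizeof(h)) / sizeof(FieldSlot)) return false;
    if (row >= h.numRows || column >= h.numColumns) return false;
    size_t index = size_t(row) * h.numColumns + column;  // < cells, so it fits
    std::memcpy(out, data + sizeof(h) + index * sizeof(FieldSlot), sizeof(*out));
    // The slot's own offset and size also come from the input.
    return uint64_t(out->offset) + out->size <= len;
}

// libFuzzer entry point: the first 8 bytes pick (row, column), the rest is the
// serialized window. Built with ASan, any unchecked read would be reported.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (size < 8) return 0;
    uint32_t row, column;
    std::memcpy(&row, data, 4);
    std::memcpy(&column, data + 4, 4);
    const uint8_t* win = data + 8;
    FieldSlot slot;
    if (getFieldSlotChecked(win, size - 8, row, column, &slot)) {
        volatile uint8_t sink = 0;  // touch every payload byte the slot claims
        for (uint32_t i = 0; i < slot.size; i++) sink = sink ^ win[slot.offset + i];
    }
    return 0;
}
```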