aboutsummaryrefslogtreecommitdiff
path: root/system/osi/test/fuzzers/buffer/fuzz_buffer.cc
diff options
context:
space:
mode:
Diffstat (limited to 'system/osi/test/fuzzers/buffer/fuzz_buffer.cc')
-rw-r--r--system/osi/test/fuzzers/buffer/fuzz_buffer.cc70
1 files changed, 70 insertions, 0 deletions
diff --git a/system/osi/test/fuzzers/buffer/fuzz_buffer.cc b/system/osi/test/fuzzers/buffer/fuzz_buffer.cc
new file mode 100644
index 0000000000..b781a3171c
--- /dev/null
+++ b/system/osi/test/fuzzers/buffer/fuzz_buffer.cc
@@ -0,0 +1,70 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fuzzer/FuzzedDataProvider.h>
+#include "osi/include/buffer.h"
+
+#define MAX_BUFFER_SIZE 4096
+#define MAX_NUM_SLICES 100
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
+ // Init our wrapper
+ FuzzedDataProvider dataProvider(Data, Size);
+
+ // Create our buffer
+ size_t buf_size =
+ dataProvider.ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
+ buffer_t* buf = buffer_new(buf_size);
+
+ // These functions require a non-null buffer, according to the header
+ // The size also needs to be over 1 to make slices
+ if (buf != nullptr && buf_size > 1) {
+ std::vector<buffer_t*> slices;
+
+ // Make a bunch of refs to various slices of the buffer
+ size_t num_slices =
+ dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_SLICES);
+ for (size_t i = 0; i < num_slices; i++) {
+ // If slice_size is zero or GT buf_size, lib throws an exception
+ size_t slice_size =
+ dataProvider.ConsumeIntegralInRange<size_t>(1, buf_size - 1);
+ if (slice_size > 0) {
+ buffer_t* new_slice = nullptr;
+ if (slice_size == buf_size) {
+ new_slice = buffer_new_ref(buf);
+ } else {
+ new_slice = buffer_new_slice(buf, slice_size);
+ }
+
+ // Add the slice to our vector so we can free it later
+ slices.push_back(new_slice);
+ }
+ }
+
+ // Retrieve the buffer ptr
+ buffer_ptr(buf);
+
+ // Free the slices
+ for (const auto& slice : slices) {
+ buffer_free(slice);
+ }
+ }
+
+ // Free the root buffer
+ buffer_free(buf);
+
+ return 0;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-23 16:17:32 +0000