authorKeith Mok <keithmok@google.com>2021-12-31 05:09:32 +0000
committerKeith Mok <keithmok@google.com>2022-01-07 23:14:11 +0000
commit26787fa9ad88402e8953dfb54a684d0aaa01b441 (patch)
tree340954b8de3e61c9739eb2721cedc0bc352374f4 /libsparse/sparse_fuzzer.cpp
parenta063df23e232aace38a45c8654e4f35a084d7458 (diff)
Add checking for sparse file format
Sparse file can come from an untrusted source. Need more checking to ensure that it is not a malformed file and would not cause any OOB read access. Update fuzz test for decoding also. Ignore-AOSP-First: Awaiting security triage Test: adb reboot fastboot fuzzy_fastboot --gtest_filter=Fuzz.Sparse* fuzzy_fastboot --gtest_filter=Conformance.Sparse* sparse_fuzzer Bug: 212705418 Change-Id: I7622df307bb00e59faaba8bb2c67cb474cffed8e
Diffstat (limited to 'libsparse/sparse_fuzzer.cpp')
-rw-r--r--libsparse/sparse_fuzzer.cpp27
1 files changed, 19 insertions, 8 deletions
diff --git a/libsparse/sparse_fuzzer.cpp b/libsparse/sparse_fuzzer.cpp
index 42f331fc3b..235d15dce4 100644
--- a/libsparse/sparse_fuzzer.cpp
+++ b/libsparse/sparse_fuzzer.cpp
@@ -1,16 +1,27 @@
#include "include/sparse/sparse.h"
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- if (size < 2 * sizeof(wchar_t)) return 0;
+static volatile int count;
- int64_t blocksize = 4096;
- struct sparse_file* file = sparse_file_new(size, blocksize);
- if (!file) {
+int WriteCallback(void* priv __attribute__((__unused__)), const void* data, size_t len) {
+ if (!data) {
+ return 0;
+ }
+ if (len == 0) {
return 0;
}
- unsigned int block = 1;
- sparse_file_add_data(file, &data, size, block);
- sparse_file_destroy(file);
+ const char* p = (const char*)data;
+ // Just to make sure the data is accessible
+ // We only check the head and tail to save time
+ count += *p;
+ count += *(p+len-1);
return 0;
}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ struct sparse_file* file = sparse_file_import_buf((char*)data, size, true, false);
+ if (!file) {
+ return 0;
+ }
+ return sparse_file_callback(file, false, false, WriteCallback, nullptr);
+}
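Review bot: The new `LLVMFuzzerTestOneInput` never releases the object returned by `sparse_file_import_buf`, whereas the removed code called `sparse_file_destroy(file)`. Every input that imports successfully therefore appears to leak, so a long run would likely stop on a LeakSanitizer report or on memory exhaustion instead of on a parser bug. The function also returns the result of `sparse_file_callback` directly, and libFuzzer reserves return values other than 0 and -1, so a library error code should not be propagated from here. I would end the function with `sparse_file_callback(file, false, false, WriteCallback, nullptr);`, `sparse_file_destroy(file);` and `return 0;`. As a smaller point, `count` is a signed `int` that only ever accumulates; declaring it `static volatile unsigned count;` would avoid a possible signed-overflow report under UBSan in long runs, and `WriteCallback` could be `static` since nothing outside this file uses it.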