commit afa80e1ec152b2f05a9cb5cddb29b265e4924cba
author Devendra Singhi <devendra.singhi@ittiam.com> Thu Jan 18 19:09:41 2024 +0530
committer Devendra Singhi <devendra.singhi@ittiam.com> Thu Jan 18 19:10:17 2024 +0530
tree 37cd0902f3ed8b2ac24e3d2f62893c5f30cd0532
parent 99a096a9925aeb3d6bbc63c28a4f85e7f40057ff

mtp_fuzzer: Bug fix

Updated MtpMockHandle to prevent OOB read. The buffer size check in read() is updated to consider remaining number of bytes instead of total number of bytes.

Bug: b/319146213
Test: ./mtp_fuzzer clusterfuzz-testcase-minimized-mtp_fuzzer-6063056382656512

Change-Id: Ic3850f71b63fbf57139f4a26f1676ebb5f0048ac

media/mtp/tests/MtpFuzzer/MtpMockHandle.h

diff --git a/media/mtp/tests/MtpFuzzer/MtpMockHandle.h b/media/mtp/tests/MtpFuzzer/MtpMockHandle.h
index 111485c..aa632a4 100644
--- a/media/mtp/tests/MtpFuzzer/MtpMockHandle.h
+++ b/media/mtp/tests/MtpFuzzer/MtpMockHandle.h
@@ -45,18 +45,18 @@
                   pkt.size());
 
             // packet is bigger than what the caller can handle,
-            if (pkt.size() > len) {
+            if (pkt.size() - mPacketOffset > len) {
                 memcpy(data, pkt.data() + mPacketOffset, len);
 
                 mPacketOffset += len;
                 readAmt = len;
                 // packet is equal or smaller than the caller buffer
             } else {
-                memcpy(data, pkt.data() + mPacketOffset, pkt.size());
+                memcpy(data, pkt.data() + mPacketOffset, pkt.size() - mPacketOffset);
 
                 mPacketNumber++;
                 mPacketOffset = 0;
-                readAmt = pkt.size();
+                readAmt = pkt.size() - mPacketOffset;
             }
 
             return readAmt;