inputflinger_input_reader_fuzzer: Bug Fix
Resolved an OOB read that was triggered because the FuzzedDataProvider
shared_ptr is used among different classes. Implemented a
ThreadSafe instance of FuzzedDataProvider as the bug fix.
Test: ./inputflinger_input_reader_fuzzer clusterfuzz-testcase
-minimized-inputflinger_input_reader_fuzzer-6227827124207616
Test: ./inputflinger_input_reader_fuzzer clusterfuzz-testcase
-minimized-inputflinger_input_reader_fuzzer-5394273856782336
Bug: 253728999
Bug: 254590389
Change-Id: I42d53d1d7da18c8085d381c939bedf14fe18dc87
(cherry picked from commit 08aa517eee8e7cdf65bf0bd303239e25ed1d50e8)
diff --git a/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp b/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp
index e880f55..8e2d677 100644
--- a/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp
+++ b/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp
@@ -16,13 +16,12 @@
#include <FuzzContainer.h>
#include <KeyboardInputMapper.h>
-#include <fuzzer/FuzzedDataProvider.h>
namespace android {
const int32_t kMaxKeycodes = 100;
-static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<FuzzedDataProvider> fdp) {
+static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) {
// Pick a random property to set for the mapper to have set.
fdp->PickValueInArray<std::function<void()>>(
{[&]() -> void { fuzzer.addProperty("keyboard.orientationAware", "1"); },
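Review bot: `addProperty` now names `ThreadSafeFuzzedDataProvider`, but the hunk removes `#include <fuzzer/FuzzedDataProvider.h>` without adding an include for the header that declares the new type. The file therefore presumably builds only because `FuzzContainer.h` pulls that header in transitively; including it directly here would keep this fuzzer compiling if those includes are later rearranged. A short comment above `addProperty` would also help, e.g. `// fdp is shared with other classes; must be the thread-safe wrapper, not a bare FuzzedDataProvider`, since the commit message attributes the OOB read to that sharing. The body of `addProperty` continues outside the hunk.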
@@ -41,7 +40,8 @@
}
extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
- std::shared_ptr<FuzzedDataProvider> fdp = std::make_shared<FuzzedDataProvider>(data, size);
+ std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp =
+ std::make_shared<ThreadSafeFuzzedDataProvider>(data, size);
FuzzContainer fuzzer(fdp);
KeyboardInputMapper& mapper =