binder: Fuzz Parcel::appendFrom
Test: TH
Change-Id: Id23b3b6be3a23a9cee153a516925cabe987123c3
diff --git a/libs/binder/tests/parcel_fuzzer/binder_ndk.h b/libs/binder/tests/parcel_fuzzer/binder_ndk.h
index cf24ab9..81e79b5 100644
--- a/libs/binder/tests/parcel_fuzzer/binder_ndk.h
+++ b/libs/binder/tests/parcel_fuzzer/binder_ndk.h
@@ -43,6 +43,10 @@
return aParcel()->get()->setData(buffer, len);
}
+ android::status_t appendFrom(const NdkParcelAdapter* parcel, int32_t start, int32_t len) {
+ return AParcel_appendFrom(parcel->aParcel(), aParcel(), start, len);
+ }
+
private:
ndk::ScopedAParcel mParcel;
};
diff --git a/libs/binder/tests/parcel_fuzzer/main.cpp b/libs/binder/tests/parcel_fuzzer/main.cpp
index f435dae..79a0924 100644
--- a/libs/binder/tests/parcel_fuzzer/main.cpp
+++ b/libs/binder/tests/parcel_fuzzer/main.cpp
@@ -99,6 +99,25 @@
}
}
+// Append two random parcels.
+template <typename P>
+void doAppendFuzz(const char* backend, FuzzedDataProvider&& provider) {
+ int32_t start = provider.ConsumeIntegral<int32_t>();
+ int32_t len = provider.ConsumeIntegral<int32_t>();
+
+ std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(
+ provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
+
+ P p0, p1;
+ fillRandomParcel(&p0, FuzzedDataProvider(bytes.data(), bytes.size()));
+ fillRandomParcel(&p1, std::move(provider));
+
+ FUZZ_LOG() << "backend: " << backend;
+ FUZZ_LOG() << "start: " << start << " len: " << len;
+
+ p0.appendFrom(&p1, start, len);
+}
+
void* NothingClass_onCreate(void* args) {
return args;
}
@@ -148,6 +167,12 @@
doReadFuzz<NdkParcelAdapter>("binder_ndk", BINDER_NDK_PARCEL_READ_FUNCTIONS,
std::move(provider));
},
+ [](FuzzedDataProvider&& provider) {
+ doAppendFuzz<::android::Parcel>("binder", std::move(provider));
+ },
+ [](FuzzedDataProvider&& provider) {
+ doAppendFuzz<NdkParcelAdapter>("binder_ndk", std::move(provider));
+ },
};
provider.PickValueInArray(fuzzBackend)(std::move(provider));