1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <fuzzer/FuzzedDataProvider.h>
18 #include "osi/include/buffer.h"
19 
// Largest root-buffer size the harness will request from buffer_new().
#define MAX_BUFFER_SIZE 4096
// Largest number of slices/references created against one root buffer per
// fuzz iteration.
#define MAX_NUM_SLICES 100
22 
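/// libFuzzer entry point exercising the osi buffer_t slice/reference API.
///
/// Allocates one root buffer whose size is drawn from the fuzz input, creates
/// up to MAX_NUM_SLICES slices or full-length references to it, reads the root
/// data pointer, then frees every slice followed by the root buffer.
///
/// @param Data  Raw fuzz input bytes.
/// @param Size  Number of bytes available at Data.
/// @return Always 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
  FuzzedDataProvider dataProvider(Data, Size);

  // Root buffer size is bounded to [1, MAX_BUFFER_SIZE] so a single iteration
  // cannot request a zero-sized or arbitrarily large allocation.
  const size_t buf_size =
      dataProvider.ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
  buffer_t* buf = buffer_new(buf_size);

  // Per the original author's note, the calls below require a non-null buffer
  // according to the header. The buf_size > 1 guard is kept from the original
  // harness, so a one-byte root buffer is only allocated and freed.
  if (buf != nullptr && buf_size > 1) {
    const size_t num_slices =
        dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_SLICES);

    // Every slice is recorded so it can be released before returning.
    std::vector<buffer_t*> slices;
    slices.reserve(num_slices);

    for (size_t i = 0; i < num_slices; i++) {
      // The upper bound is buf_size inclusive. The previous bound of
      // buf_size - 1 meant slice_size could never equal buf_size, which left
      // the buffer_new_ref() path below unreachable and therefore unfuzzed.
      // The lower bound of 1 keeps the size inside the range the original
      // author documents as accepted (non-zero and not greater than buf_size),
      // so no separate slice_size > 0 check is needed.
      const size_t slice_size =
          dataProvider.ConsumeIntegralInRange<size_t>(1, buf_size);

      buffer_t* new_slice = (slice_size == buf_size)
                                ? buffer_new_ref(buf)
                                : buffer_new_slice(buf, slice_size);
      slices.push_back(new_slice);
    }

    // Exercise the accessor on the root while slices are still outstanding;
    // the returned pointer is deliberately not used.
    buffer_ptr(buf);

    // NOTE(review): slices are always released before the root, so the
    // root-freed-first ordering is not covered by this harness.
    for (buffer_t* slice : slices) {
      buffer_free(slice);
    }
  }

  // NOTE(review): this is reached with a null buf when buffer_new() fails;
  // assumes buffer_free() accepts null -- confirm against the header.
  buffer_free(buf);

  return 0;
}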