Fix crash in wvoec::LicenseRoundTrip::InjectFuzzedResponseData

After the ODK_MAX_NUM_KEYS change, the core response is a pointer to an
array instead of an array. This check should ensure the index of the key
array can always be accessed.

Bug: 286531859
Change-Id: I44604eb977be722ef692de2b61e1f626266a42a7
Vicky Min
2023-06-13 00:04:07 +00:00
committed by Robert Shih
parent ed55c511a3
commit 28e68a866b


@@ -719,13 +719,9 @@ void LicenseRoundTrip::InjectFuzzedResponseData(const uint8_t* data,
// Copy core_response from data.
fuzzed_data.Fill(&core_response_, sizeof(core_response_));
// Maximum number of keys could be kMaxNumKeys(30). key_array_length can be
// any random value as it is read from fuzz data.
// Key data array(MessageKeyData keys[kMaxNumKeys]) will be looped over
// key_array_length number of times during LoadLicense. If key_array_length is
// more than kMaxNumKeys, setting it to max value of kMaxNumKeys as we should
// not go out of bounds of this array length. For corpus, this value is
// already hard coded to 4.
// If key_array_length is more than kMaxNumKeys, we set it to kMaxNumKeys to
// prevent it from going out of bounds. For corpus, this value is already hard
// coded to 4.
if (core_response_.key_array_length > kMaxNumKeys) {
core_response_.key_array_length = kMaxNumKeys;
}
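Review bot: the rewritten comment ("If key_array_length is more than kMaxNumKeys, we set it to kMaxNumKeys to prevent it from going out of bounds") no longer says which bound is meant, and the dropped text was the part that explained it: that LoadLicense loops key_array_length times over the key data. Now that the fixed-size `MessageKeyData keys[kMaxNumKeys]` member has become a pointer (per the commit message), the clamp is what caps the number of entries the key buffer is sized to and the number of iterations LoadLicense performs, so the comment should say so explicitly, e.g. "Clamp so the key buffer allocated for core_response_.key_array never exceeds kMaxNumKeys entries and LoadLicense never iterates past it." The "For corpus, this value is already hard coded to 4." sentence is duplicated by the comment at the start of the next hunk and could live in one place only.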
@@ -733,6 +729,13 @@ void LicenseRoundTrip::InjectFuzzedResponseData(const uint8_t* data,
// For corpus data, this value gets set to 4, but we need to test other
// scenarios too, hence reading key_array_length value.
set_num_keys(core_response_.key_array_length);
// Copy key_array from data.
key_array_.resize(num_keys_);
core_response_.key_array = key_array_.data();
fuzzed_data.Fill(core_response_.key_array,
num_keys_ * sizeof(*core_response_.key_array));
ConvertDataToValidBools(&core_response_);
// TODO(b/157520981): Once assertion bug is fixed, for loop can be removed.
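Review bot: `core_response_.key_array = key_array_.data();` is followed by `fuzzed_data.Fill(core_response_.key_array, num_keys_ * sizeof(*core_response_.key_array));`, and num_keys_ comes from key_array_length, which is fuzz-controlled and may be 0; in that case `key_array_.data()` on an empty vector may be a null pointer and Fill is called with a null destination and a zero size. Confirm that `fuzzed_data.Fill` tolerates a zero-length fill, or skip the call when `num_keys_ == 0`. Also worth a one-line comment at the assignment that `core_response_.key_array` aliases the storage of `key_array_` and is invalidated by any later `resize` of that vector, so the resize must stay ahead of every use of the pointer.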