From 28e68a866b1ecb7548c21f437fea9e20ed4f6378 Mon Sep 17 00:00:00 2001
From: Vicky Min
Date: Tue, 13 Jun 2023 00:04:07 +0000
Subject: [PATCH] Fix crash in wvoec::LicenseRoundTrip::InjectFuzzedResponseData

After the ODK_MAX_NUM_KEYS change, the core response is a pointer to an array instead of an array. This check should ensure the index of the key array can always be accessed.

Bug: 286531859
Change-Id: I44604eb977be722ef692de2b61e1f626266a42a7
---
 .../oemcrypto/test/oec_session_util.cpp | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
index efed5985..a6c5b51c 100644
--- a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
@@ -719,13 +719,9 @@ void LicenseRoundTrip::InjectFuzzedResponseData(const uint8_t* data,
 // Copy core_response from data.
 fuzzed_data.Fill(&core_response_, sizeof(core_response_));
- // Maximum number of keys could be kMaxNumKeys(30). key_array_length can be
- // any random value as it is read from fuzz data.
- // Key data array(MessageKeyData keys[kMaxNumKeys]) will be looped over
- // key_array_length number of times during LoadLicense. If key_array_length is
- // more than kMaxNumKeys, setting it to max value of kMaxNumKeys as we should
- // not go out of bounds of this array length. For corpus, this value is
- // already hard coded to 4.
+ // If key_array_length is more than kMaxNumKeys, we set it to kMaxNumKeys to
+ // prevent it from going out of bounds. For corpus, this value is already hard
+ // coded to 4.
 if (core_response_.key_array_length > kMaxNumKeys) {
 core_response_.key_array_length = kMaxNumKeys;
 }
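Review bot: The rewritten comment says the clamp stops key_array_length from "going out of bounds", but after this commit the key storage is no longer a fixed-size array: the second hunk passes the value to set_num_keys() and then sizes key_array_ from num_keys_, so what kMaxNumKeys now bounds is the fuzz-chosen allocation and key count rather than an index into a kMaxNumKeys-sized array. Suggested wording: `// key_array_length comes straight from fuzz data and is later used (via set_num_keys) to size key_array_; clamp it to kMaxNumKeys so a fuzz input cannot request an oversized key array.` The clamp only rejects values above kMaxNumKeys; if key_array_length is a signed type, a negative fuzz value would pass it and reach the resize in the next hunk, which is worth confirming against the struct definition. InjectFuzzedResponseData begins before this hunk and continues past it.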
@@ -733,6 +729,13 @@ void LicenseRoundTrip::InjectFuzzedResponseData(const uint8_t* data,
 // For corpus data, this value gets set to 4, but we need to test other
 // scenarios too, hence reading key_array_length value.
 set_num_keys(core_response_.key_array_length);
+
+ // Copy key_array from data.
+ key_array_.resize(num_keys_);
+ core_response_.key_array = key_array_.data();
+ fuzzed_data.Fill(core_response_.key_array,
+ num_keys_ * sizeof(*core_response_.key_array));
+
 ConvertDataToValidBools(&core_response_);
 // TODO(b/157520981): Once assertion bug is fixed, for loop can be removed.