From 5a9b8a9c81fce29e42a46391d0920195d421a02c Mon Sep 17 00:00:00 2001
From: Ian Benz <ianbenz@google.com>
Date: Tue, 8 Nov 2022 13:56:44 -0800
Subject: [PATCH] Fuzz OEMCrypto_CopyBuffer subsample_flags parameter

Merge from Widevine repo of http://go/wvgerrit/159341

Test: tested with http://go/ag/20420224

Change-Id: Ia5f15e9053c7e7be6ea3687c123ad5e36796573e
---
 .../test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc      | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc
index 26f48cdf..a9e6bfb7 100644
--- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc
+++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc
@@ -51,17 +51,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Redirect printf and log statements from oemcrypto functions to a file to
   // reduce noise
   RedirectStdoutToFile();
-  uint8_t subsample_flags;
 
   // OEMCrypto_DestBufferDesc and a buffer from which data needs to be copied
   // are expected as inputs to copy buffer API.
   // Input fuzzed data is interpreted as
   // (OEMCrypto_DestBufferDesc | subsample_flags | input_buffer)
-  if (size <= sizeof(OEMCrypto_Copy_Buffer_Fuzz)) {
+  OEMCrypto_Copy_Buffer_Fuzz fuzzed_structure;
+  if (size <= sizeof(fuzzed_structure)) {
     return 0;
   }
-  OEMCrypto_Copy_Buffer_Fuzz fuzzed_structure;
-  // Fuzz dest_buffer_desc.
   memcpy(&fuzzed_structure, data, sizeof(fuzzed_structure));
   ConvertDataToValidEnum(OEMCrypto_BufferType_MaxValue,
                          &fuzzed_structure.dest_buffer_desc.type);
@@ -86,9 +84,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   }
   OEMCrypto_CopyBuffer(session->session_id(), data + sizeof(fuzzed_structure),
                        input_buffer_size, &fuzzed_structure.dest_buffer_desc,
-                       subsample_flags);
+                       fuzzed_structure.subsample_flags);
   FreeOutputBuffers(session->session_id(), fuzzed_structure.dest_buffer_desc,
                     &secure_fd);
   return 0;
 }
-}  // namespace wvoec
\ No newline at end of file
+}  // namespace wvoec