From af070601b0f89aed104138b9510bd7e8cf9313fc Mon Sep 17 00:00:00 2001
From: Ian Benz <ianbenz@google.com>
Date: Mon, 27 Mar 2023 16:13:29 +0000
Subject: [PATCH] Add OEMCrypto_SetDecryptHash/GetHashErrorCode fuzzer

Merged from https://widevine-internal-review.googlesource.com/169021
Merged from https://widevine-internal-review.googlesource.com/170030

Change-Id: I209d280b0478620197fc514966af3c93fc2272aa
---
 .../fuzz_tests/oemcrypto_decrypt_hash_fuzz.cc | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_hash_fuzz.cc

diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_hash_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_hash_fuzz.cc
new file mode 100644
index 00000000..e1593e3b
--- /dev/null
+++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_hash_fuzz.cc
@@ -0,0 +1,74 @@
+// Copyright 2023 Google LLC. All Rights Reserved. This file and proprietary
+// source code may only be used and distributed under the Widevine
+// License Agreement.
+
+#include <array>
+#include <vector>
+
+#include "FuzzedDataProvider.h"
+#include "OEMCryptoCENC.h"
+#include "oemcrypto_fuzz_helper.h"
+
+using namespace wvoec;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Redirect printf and log statements from oemcrypto functions to a file to
+  // reduce noise
+  RedirectStdoutToFile();
+
+  OEMCryptoLicenseAPIFuzz license_api_fuzz;
+  FuzzedDataProvider fuzzed_data(data, size);
+
+  if (fuzzed_data.ConsumeBool()) {
+    license_api_fuzz.license_messages().set_control(
+        license_api_fuzz.license_messages().control() |
+        kControlAllowHashVerification);
+  }
+
+  const uint32_t session_id = license_api_fuzz.session()->session_id();
+  const std::array<uint8_t, 16> content_key_id{};
+  const uint32_t frame_number = fuzzed_data.ConsumeIntegral<uint32_t>();
+  std::array<OEMCrypto_SharedMemory, 1> sample_buffer{};
+
+  OEMCrypto_SubSampleDescription subsample;
+  subsample.num_bytes_clear = 0;
+  subsample.num_bytes_encrypted = sample_buffer.size();
+  subsample.subsample_flags =
+      OEMCrypto_FirstSubsample | OEMCrypto_LastSubsample;
+  subsample.block_offset = 0;
+
+  OEMCrypto_SampleDescription sample;
+  sample.buffers.input_data = sample_buffer.data();
+  sample.buffers.input_data_length = sample_buffer.size();
+  sample.buffers.output_descriptor.type = OEMCrypto_BufferType_Clear;
+  sample.buffers.output_descriptor.buffer.clear.clear_buffer =
+      sample_buffer.data();
+  sample.buffers.output_descriptor.buffer.clear.clear_buffer_length =
+      sample_buffer.size();
+  memset(sample.iv, 0, sizeof(sample.iv));
+  sample.subsamples = &subsample;
+  sample.subsamples_length = 1;
+
+  OEMCrypto_CENCEncryptPatternDesc pattern;
+  pattern.encrypt = 0;
+  pattern.skip = 0;
+
+  uint32_t failed_frame_number_data;
+  uint32_t* const failed_frame_number =
+      fuzzed_data.ConsumeBool() ? &failed_frame_number_data : nullptr;
+
+  const std::vector<uint8_t> hash =
+      fuzzed_data.ConsumeRemainingBytes<uint8_t>();
+
+  license_api_fuzz.LoadLicense();
+  std::vector<uint8_t> key_handle;
+  GetKeyHandleIntoVector(session_id, content_key_id.data(),
+                         content_key_id.size(), OEMCrypto_CipherMode_CENC,
+                         key_handle);
+  OEMCrypto_SetDecryptHash(session_id, frame_number, hash.data(), hash.size());
+  OEMCrypto_DecryptCENC(key_handle.data(), key_handle.size(), &sample, 1,
+                        &pattern);
+  OEMCrypto_GetHashErrorCode(session_id, failed_frame_number);
+
+  return 0;
+}