Merge of OEMCrypto fuzz test CLs

---------------------------------------------------------------------- Fix oemcrypto_generic_verify_fuzz mutator signature offset [ Merge of http://go/wvgerrit/165899 ] Merged from https://widevine-internal-review.googlesource.com/165598 Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb ---------------------------------------------------------------------- Fix regressions in oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/162151 ] Fix null-dereference of subsamples vector and potential memory leak due to parsing errors. Bug: 260005865 Bug: 260013015 Merged from https://widevine-internal-review.googlesource.com/162081 Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb ---------------------------------------------------------------------- Add custom mutator to oemcrypto_generic_verify_fuzz [ Merge of http://go/wvgerrit/161578 ] Enable fuzzing mutations beyond changing the signature length. Merged from https://widevine-internal-review.googlesource.com/159917 Change-Id: I022d752107b788bd45aafb8325e3186ef90336de ---------------------------------------------------------------------- Refactor oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/161546 ] Refactor to minimize the required corpus length, fuzz the sample input data, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159618 Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6 ---------------------------------------------------------------------- Refactor oemcrypto_copy_buffer_fuzz [ Merge of http://go/wvgerrit/161307 ] Refactor to minimize the required corpus length, fuzz the output buffer length, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159617 Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52 ---------------------------------------------------------------------- Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing [ Merge of http://go/wvgerrit/161397 ] Split fuzzed message into separate buffer so AddressSanitizer can detect out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/161277 ---------------------------------------------------------------------- Avoid copying fuzzed data when separator splitting [ Merge of http://go/wvgerrit/161120 ] Merged from https://widevine-internal-review.googlesource.com/159497 Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add ---------------------------------------------------------------------- Fix oemcrypto_opk_dispatcher_fuzz [ Merge of http://go/wvgerrit/161119 ] Set ODK_Message size and add timestamp field to initialization requests. Merged from https://widevine-internal-review.googlesource.com/159897 Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d ---------------------------------------------------------------------- Cover empty buffers in fuzz tests [ Merge of http://go/wvgerrit/161018 ] Update tests that avoid passing empty buffers to OEMCrypto API methods. Merged from https://widevine-internal-review.googlesource.com/159317 Change-Id: If0d8007e3294820654b081fe813a09485e757f1c ---------------------------------------------------------------------- Fix cherry pick of "Improve buffer size distribution in fuzz tests" [ Merge of http://go/wvgerrit/161022 ] Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183 ---------------------------------------------------------------------- Improve buffer size distribution in fuzz tests [ Merge of http://go/wvgerrit/160957 ] When a buffer size is fuzzed, use the modulo operation, instead of std::min, to create an even distribution. Merged from https://widevine-internal-review.googlesource.com/159157 Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6 ---------------------------------------------------------------------- Improve AddressSanitizer coverage in fuzz tests [ Merge of http://go/wvgerrit/160464 ] Split fuzzed data into separate buffers so AddressSanitizer can detect all out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/158977 Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
2023-02-27 16:20:51 -08:00
parent 469c6408da
commit e4cde22826
17 changed files with 505 additions and 433 deletions
--- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_decrypt_fuzz.cc
+++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_decrypt_fuzz.cc
@@ -16,34 +16,29 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  RedirectStdoutToFile();

  // Split data using separator.
-  auto inputs = SplitInput(data, size);
+  const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
  if (inputs.size() < 2) {
    return 0;
  }

  OEMCrypto_Generic_Api_Fuzz fuzzed_structure;
-  if (inputs[0].size() < sizeof(fuzzed_structure)) {
+  if (inputs[0].size < sizeof(fuzzed_structure)) {
    return 0;
  }
  // Copy OEMCrypto_Generic_Api_Fuzz from input data.
-  memcpy(&fuzzed_structure, data, sizeof(fuzzed_structure));
+  FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
+  fuzzed_data.ConsumeData(&fuzzed_structure, sizeof(fuzzed_structure));
  ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
                         &fuzzed_structure.cipher_mode);
  ConvertDataToValidEnum(OEMCrypto_Algorithm_MaxValue,
                         &fuzzed_structure.algorithm);
-
  // Copy iv from input data.
-  size_t iv_size = inputs[0].size() - sizeof(fuzzed_structure);
-  if (iv_size == 0) {
-    return 0;
-  }
-  vector<uint8_t> iv(iv_size);
-  memcpy(iv.data(), data + sizeof(fuzzed_structure), iv_size);
+  const std::vector<uint8_t> iv = fuzzed_data.ConsumeRemainingBytes<uint8_t>();

-  // Copy clear buffer from input data.
-  vector<uint8_t> encrypted_buffer(inputs[1].size());
-  vector<uint8_t> clear_buffer(inputs[1].size());
-  memcpy(encrypted_buffer.data(), inputs[1].data(), inputs[1].size());
+  // Initialize encrypted and clear buffers.
+  const std::vector<uint8_t> encrypted_buffer(inputs[1].data,
+                                              inputs[1].data + inputs[1].size);
+  std::vector<uint8_t> clear_buffer(encrypted_buffer.size());

  OEMCryptoLicenseAPIFuzz license_api_fuzz;
  Session* session = license_api_fuzz.session();