Merge of OEMCrypto fuzz test CLs

---------------------------------------------------------------------- Fix oemcrypto_generic_verify_fuzz mutator signature offset [ Merge of http://go/wvgerrit/165899 ] Merged from https://widevine-internal-review.googlesource.com/165598 Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb ---------------------------------------------------------------------- Fix regressions in oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/162151 ] Fix null-dereference of subsamples vector and potential memory leak due to parsing errors. Bug: 260005865 Bug: 260013015 Merged from https://widevine-internal-review.googlesource.com/162081 Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb ---------------------------------------------------------------------- Add custom mutator to oemcrypto_generic_verify_fuzz [ Merge of http://go/wvgerrit/161578 ] Enable fuzzing mutations beyond changing the signature length. Merged from https://widevine-internal-review.googlesource.com/159917 Change-Id: I022d752107b788bd45aafb8325e3186ef90336de ---------------------------------------------------------------------- Refactor oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/161546 ] Refactor to minimize the required corpus length, fuzz the sample input data, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159618 Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6 ---------------------------------------------------------------------- Refactor oemcrypto_copy_buffer_fuzz [ Merge of http://go/wvgerrit/161307 ] Refactor to minimize the required corpus length, fuzz the output buffer length, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159617 Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52 ---------------------------------------------------------------------- Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing [ Merge of http://go/wvgerrit/161397 ] Split fuzzed message into separate buffer so AddressSanitizer can detect out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/161277 ---------------------------------------------------------------------- Avoid copying fuzzed data when separator splitting [ Merge of http://go/wvgerrit/161120 ] Merged from https://widevine-internal-review.googlesource.com/159497 Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add ---------------------------------------------------------------------- Fix oemcrypto_opk_dispatcher_fuzz [ Merge of http://go/wvgerrit/161119 ] Set ODK_Message size and add timestamp field to initialization requests. Merged from https://widevine-internal-review.googlesource.com/159897 Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d ---------------------------------------------------------------------- Cover empty buffers in fuzz tests [ Merge of http://go/wvgerrit/161018 ] Update tests that avoid passing empty buffers to OEMCrypto API methods. Merged from https://widevine-internal-review.googlesource.com/159317 Change-Id: If0d8007e3294820654b081fe813a09485e757f1c ---------------------------------------------------------------------- Fix cherry pick of "Improve buffer size distribution in fuzz tests" [ Merge of http://go/wvgerrit/161022 ] Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183 ---------------------------------------------------------------------- Improve buffer size distribution in fuzz tests [ Merge of http://go/wvgerrit/160957 ] When a buffer size is fuzzed, use the modulo operation, instead of std::min, to create an even distribution. Merged from https://widevine-internal-review.googlesource.com/159157 Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6 ---------------------------------------------------------------------- Improve AddressSanitizer coverage in fuzz tests [ Merge of http://go/wvgerrit/160464 ] Split fuzzed data into separate buffers so AddressSanitizer can detect all out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/158977 Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
2023-02-27 16:20:51 -08:00
parent 469c6408da
commit e4cde22826
17 changed files with 505 additions and 433 deletions
--- a/libwvdrmengine/oemcrypto/test/oec_decrypt_fallback_chain.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_decrypt_fallback_chain.cpp
@@ -198,26 +198,64 @@ OEMCryptoResult DecryptFallbackChain::DecryptSubsampleHalf(

 // Used for OEMCrypto Fuzzing: Corpus format is as below, let | be separator.
 // cipher_mode + pattern + sample_data for all samples |
-// subsample_data for all samples
+// input_data for all samples | subsample_data for all samples
 void WriteDecryptCencCorpus(
    OEMCryptoCipherMode cipher_mode,
    const OEMCrypto_SampleDescription* samples_description,
    const OEMCrypto_CENCEncryptPatternDesc* pattern, size_t samples_length) {
  const std::string file_name =
      GetFileName("oemcrypto_decrypt_cenc_fuzz_seed_corpus");
+
+  // Cipher mode and Pattern.
  OEMCrypto_Decrypt_Cenc_Fuzz decrypt_cenc_fuzz_struct;
  decrypt_cenc_fuzz_struct.cipher_mode = cipher_mode;
  decrypt_cenc_fuzz_struct.pattern = *pattern;
-  // Cipher mode and Pattern.
  AppendToFile(file_name,
               reinterpret_cast<const char*>(&decrypt_cenc_fuzz_struct),
               sizeof(OEMCrypto_Decrypt_Cenc_Fuzz));

  // Sample data for all samples.
  for (size_t i = 0; i < samples_length; i++) {
+    OEMCrypto_SampleDescription_Fuzz sample_description_data;
+    sample_description_data.buffers.input_data_length =
+        samples_description[i].buffers.input_data_length;
+    sample_description_data.buffers.output_descriptor.type =
+        samples_description[i].buffers.output_descriptor.type;
+    switch (sample_description_data.buffers.output_descriptor.type) {
+      case OEMCrypto_BufferType_Clear:
+        sample_description_data.buffers.output_descriptor.buffer_config =
+            samples_description[i]
+                .buffers.output_descriptor.buffer.clear.clear_buffer_length;
+        break;
+
+      case OEMCrypto_BufferType_Secure:
+        sample_description_data.buffers.output_descriptor.buffer_config =
+            samples_description[i]
+                .buffers.output_descriptor.buffer.secure.secure_buffer_length;
+        break;
+
+      case OEMCrypto_BufferType_Direct:
+        sample_description_data.buffers.output_descriptor.buffer_config =
+            samples_description[i]
+                .buffers.output_descriptor.buffer.direct.is_video;
+        break;
+    }
+    memcpy(sample_description_data.iv, samples_description[i].iv,
+           sizeof(sample_description_data.iv));
+    sample_description_data.subsamples_length =
+        samples_description[i].subsamples_length;
    AppendToFile(file_name,
-                 reinterpret_cast<const char*>(&samples_description[i]),
-                 sizeof(OEMCrypto_SampleDescription));
+                 reinterpret_cast<const char*>(&sample_description_data),
+                 sizeof(OEMCrypto_SampleDescription_Fuzz));
+  }
+  AppendSeparator(file_name);
+
+  // Input data for all samples.
+  for (size_t i = 0; i < samples_length; i++) {
+    AppendToFile(file_name,
+                 reinterpret_cast<const char*>(
+                     samples_description[i].buffers.input_data),
+                 samples_description[i].buffers.input_data_length);
  }
  AppendSeparator(file_name);