diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h index 2aa1f46c..8c12316c 100644 --- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h +++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h @@ -20,9 +20,10 @@ extern "C" size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize) __attribute__((weak)); const size_t KB = 1024; -// Maximum signature length. If fuzzed signature length is greater that this, -// this value will be used for signature length. -const size_t MAX_FUZZ_SIGNATURE_LENGTH = 5 * KB; + +// Default maximum length of fuzzing output parameters. +const size_t MAX_FUZZ_OUTPUT_LENGTH = 5 * KB; + // Initial setup to create a valid OEMCrypto state such as initializing crypto // firmware/hardware, installing golden key box etc. in order to fuzz // OEMCrypto APIs. diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generate_rsa_signature_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generate_rsa_signature_fuzz.cc index 872b302c..44ca1d0a 100644 --- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generate_rsa_signature_fuzz.cc +++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generate_rsa_signature_fuzz.cc @@ -23,7 +23,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // We cannot allocate buffers of random huge lengths in memory. // This also slows down the fuzzer. size_t signature_length = - std::min(MAX_FUZZ_SIGNATURE_LENGTH, fuzzed_structure.signature_length); + std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length); vector signature(signature_length); OEMCrypto_GenerateRSASignature( license_api_fuzz.session()->session_id(), data + sizeof(fuzzed_structure), 
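Review bot: In `oemcrypto_fuzz_helper.h`, the new comment on `MAX_FUZZ_OUTPUT_LENGTH` no longer says that a fuzzed length above the limit is clamped to it. The `std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length)` call sites in the generate_rsa_signature and generic_verify targets still depend on that clamp, and it is what stops the harness from sizing a buffer directly from fuzzer-supplied input. I would write `// Upper bound, in bytes, for output buffers sized from fuzzed input.` followed by `// Fuzzed lengths above this value are clamped to it.` The word "Default" is also worth dropping unless something outside these hunks can override the value.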
diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc index 759286d3..db858f55 100644 --- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc +++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc @@ -57,7 +57,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { session->license().keys[0].key_id_length, fuzzed_structure.cipher_mode); signature_length = - std::min(MAX_FUZZ_SIGNATURE_LENGTH, fuzzed_structure.signature_length); + std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length); signature.resize(signature_length); OEMCrypto_Generic_Verify(session->session_id(), in_buffer.data(), in_buffer.size(), fuzzed_structure.algorithm, diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_shrink_usage_table_header_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_shrink_usage_table_header_fuzz.cc index 5f9ba4a2..625b0f01 100644 --- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_shrink_usage_table_header_fuzz.cc +++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_shrink_usage_table_header_fuzz.cc @@ -2,6 +2,7 @@ // source code may only be used and distributed under the Widevine // License Agreement. +#include "FuzzedDataProvider.h" #include "OEMCryptoCENC.h" #include "oemcrypto_fuzz_helper.h" 
@@ -11,15 +12,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // reduce noise RedirectStdoutToFile(); - if (size < sizeof(uint32_t)) { + if (size < sizeof(uint32_t) + sizeof(size_t)) { return 0; } LicenseWithUsageEntryFuzz entry; - uint32_t new_entry_count = 0; - memcpy(&new_entry_count, data, sizeof(uint32_t)); - std::vector header_buffer(size - sizeof(uint32_t)); - size_t header_buffer_length = header_buffer.size(); + entry.CreateUsageTableHeader(); + FuzzedDataProvider fuzzed_data(data, size); + const uint32_t new_entry_count = fuzzed_data.ConsumeIntegral(); + size_t header_buffer_length = + fuzzed_data.ConsumeIntegralInRange(0, MAX_FUZZ_OUTPUT_LENGTH); + std::vector header_buffer(header_buffer_length); OEMCrypto_ShrinkUsageTableHeader(new_entry_count, header_buffer.data(), &header_buffer_length);
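Review bot: The new guard `if (size < sizeof(uint32_t) + sizeof(size_t))` does not match what the two FuzzedDataProvider reads below it actually consume. As far as I know, `ConsumeIntegralInRange` takes only as many bytes as the range `0..MAX_FUZZ_OUTPUT_LENGTH` needs (two here), and both consume calls fall back to a default when the input runs out. The guard therefore discards short inputs that are now safe to process, and its threshold moves with the width of `size_t`, so the same corpus behaves differently on 32- and 64-bit builds. Either drop the check or keep the old `if (size < sizeof(uint32_t)) {`. Separately, the outcome of `entry.CreateUsageTableHeader()` is not checked in the visible lines; if it can report failure, an early return there would keep the target from exercising only the error path of `OEMCrypto_ShrinkUsageTableHeader`. The function body continues past the end of the hunk.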