Source release 17.1.0

oemcrypto/test/fuzz_tests/oemcrypto_decrypt_cenc_fuzz.cc

@@ -1,5 +1,5 @@
 // Copyright 2020 Google LLC. All Rights Reserved. This file and proprietary
-// source code may only be used and distributed under the Widevine Master
+// source code may only be used and distributed under the Widevine
 // License Agreement.
 
 #include "FuzzedDataProvider.h"
@@ -7,6 +7,7 @@
 #include "log.h"
 #include "oemcrypto_fuzz_helper.h"
 #include "oemcrypto_fuzz_structs.h"
+#include "oemcrypto_overflow.h"
 
 namespace wvoec {
 const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
@@ -19,7 +20,7 @@ void FreeOutputBuffers(OEMCrypto_SESSION session_id,
         sample_description[i].buffers.output_descriptor;
     switch (fuzzed_output_descriptor.type) {
       case OEMCrypto_BufferType_Clear: {
-        delete[] fuzzed_output_descriptor.buffer.clear.address;
+        delete[] fuzzed_output_descriptor.buffer.clear.clear_buffer;
         break;
       }
       case OEMCrypto_BufferType_Secure: {
@@ -43,9 +44,10 @@ bool InitializeOutputBuffers(OEMCrypto_SESSION session_id,
                              vector<int>& secure_fd_array) {
   switch (output_descriptor.type) {
     case OEMCrypto_BufferType_Clear: {
-      output_descriptor.buffer.clear
-          .address = new OEMCrypto_SharedMemory[std::min(
-          MAX_FUZZ_SAMPLE_SIZE, output_descriptor.buffer.clear.address_length)];
+      output_descriptor.buffer.clear.clear_buffer =
+          new OEMCrypto_SharedMemory[std::min(
+              MAX_FUZZ_SAMPLE_SIZE,
+              output_descriptor.buffer.clear.clear_buffer_length)];
       return true;
     }
     case OEMCrypto_BufferType_Secure: {
@@ -53,7 +55,7 @@ bool InitializeOutputBuffers(OEMCrypto_SESSION session_id,
       OEMCryptoResult sts = OEMCrypto_AllocateSecureBuffer(
           session_id,
           std::min(MAX_FUZZ_SAMPLE_SIZE,
-                   output_descriptor.buffer.secure.handle_length),
+                   output_descriptor.buffer.secure.secure_buffer_length),
           &output_descriptor, secure_fd);
       if (sts == OEMCrypto_SUCCESS) secure_fd_array[sample_index] = *secure_fd;
       return sts == OEMCrypto_SUCCESS;
@@ -94,7 +96,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   // Read subsamples from fuzzed data.
   vector<OEMCrypto_SubSampleDescription> subsamples;
-  while (fuzzed_subsample_data.remaining_bytes() >
+  while (fuzzed_subsample_data.remaining_bytes() >=
          sizeof(OEMCrypto_SubSampleDescription)) {
     OEMCrypto_SubSampleDescription subsample;
     fuzzed_subsample_data.ConsumeData(&subsample,
@@ -137,13 +139,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
     // Copy sub sample data.
     sample_descriptions[i].subsamples = &subsamples[input_subsample_index];
-    input_subsample_index += sample_descriptions[i].subsamples_length;
+    if (OPK_AddOverflowUX(input_subsample_index,
+                          sample_descriptions[i].subsamples_length,
+                          &input_subsample_index)) {
+      return 0;
+    }
     if (input_subsample_index > subsamples.size()) return 0;
   }  // Sample loop.
 
   // Allocate input/output buffers for each sample description.
   vector<OEMCrypto_SharedMemory> input_buffer(total_input_data_length);
-  RAND_bytes(input_buffer.data(), total_input_data_length);
   size_t input_buffer_index = 0;
   for (size_t i = 0; i < samples_length; i++) {
     sample_descriptions[i].buffers.input_data =