Enable integer overflow sanitizer in fuzzer to catch more bugs
Need to avoid signed use of FuzzedDataProvider's ConsumeIntegral* APIs
because they often overflow, so those cases were converted to consume uint8_t.
Test: fmq_fuzzer
Bug: 319384042
Change-Id: I810b8d16e40833cb216c596b2094a790448dc4cb
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
index ee7afb9..6d15b52 100644
--- a/fuzzer/Android.bp
+++ b/fuzzer/Android.bp
@@ -51,7 +51,10 @@
libfuzzer_options: [
"max_len=50000",
],
- use_for_presubmit: true
+ use_for_presubmit: true,
+ },
+ sanitize: {
+ integer_overflow: true,
},
host_supported: true,
diff --git a/fuzzer/fmq_fuzzer.cpp b/fuzzer/fmq_fuzzer.cpp
index b5318a3..47dd7fa 100644
--- a/fuzzer/fmq_fuzzer.cpp
+++ b/fuzzer/fmq_fuzzer.cpp
@@ -203,7 +203,7 @@
*readCounter = fdp.ConsumeIntegral<uint64_t>();
}
}
- *firstStart = fdp.ConsumeIntegral<payload_t>();
+ *firstStart = fdp.ConsumeIntegral<uint8_t>();
writeMq.commitWrite(numElements);
}
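Review bot: The new `*firstStart = fdp.ConsumeIntegral<uint8_t>();` line narrows the fuzzed payload to 0–255 with no comment, so a reader seeing a `payload_t` target and a `uint8_t` source will take the mismatch for a typo; the same narrowing appears in the `data.push_back` hunk at line 218. A one-line comment would carry the intent, e.g. `// Consume only a uint8_t: arithmetic on full-width payload_t values trips the integer-overflow sanitizer` (presumably the overflow is in the harness's own payload arithmetic rather than in the queue — confirm). It is also worth recording that large and negative payload values are now outside the fuzzed input space, since that coverage loss looks intended but is not stated anywhere in the code. The enclosing function starts outside the hunk.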
@@ -218,7 +218,7 @@
size_t count = fdp.ConsumeIntegralInRange<size_t>(0, writeMq.getQuantumCount() + 1);
std::vector<payload_t> data;
for (int i = 0; i < count; i++) {
- data.push_back(fdp.ConsumeIntegral<payload_t>());
+ data.push_back(fdp.ConsumeIntegral<uint8_t>());
}
writeMq.writeBlocking(data.data(), count, kBlockingTimeoutNs);
}
@@ -250,7 +250,7 @@
std::vector<aidl::android::hardware::common::fmq::GrantorDescriptor> grantors;
size_t numGrantors = fdp.ConsumeIntegralInRange<size_t>(0, 4);
for (int i = 0; i < numGrantors; i++) {
- grantors.push_back({fdp.ConsumeIntegralInRange<int32_t>(-2, 2) /* fdIndex */,
+ grantors.push_back({fdp.ConsumeIntegralInRange<int32_t>(0, 2) /* fdIndex */,
fdp.ConsumeIntegralInRange<int32_t>(
0, kMaxCustomGrantorMemoryBytes) /* offset */,
fdp.ConsumeIntegralInRange<int64_t>(