Commit 973e9d64 authored by Treehugger Robot's avatar Treehugger Robot Committed by Android (Google) Code Review

Merge "[res] Fix the fuzzer's use after free" into main

parents 71988a01 9ea1230e
...@@ -52,10 +52,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ...@@ -52,10 +52,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// Populate the DynamicRefTable with fuzzed data // Populate the DynamicRefTable with fuzzed data
populateDynamicRefTableWithFuzzedData(*dynamic_ref_table, fuzzedDataProvider); populateDynamicRefTableWithFuzzedData(*dynamic_ref_table, fuzzedDataProvider);
std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
// Make sure the object here outlives the vector it's set to, otherwise it will try
// accessing an already freed buffer and crash.
auto tree = android::ResXMLTree(std::move(dynamic_ref_table)); auto tree = android::ResXMLTree(std::move(dynamic_ref_table));
std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
if (tree.setTo(xmlData.data(), xmlData.size()) != android::NO_ERROR) { if (tree.setTo(xmlData.data(), xmlData.size()) != android::NO_ERROR) {
return 0; // Exit early if unable to parse XML data return 0; // Exit early if unable to parse XML data
} }