1 /*
2  * Copyright (C) 2024 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <memory>
18 #include <cstdint>
19 #include <cstddef>
20 #include <fuzzer/FuzzedDataProvider.h>
21 #include "androidfw/ResourceTypes.h"
22 
populateDynamicRefTableWithFuzzedData(android::DynamicRefTable & table,FuzzedDataProvider & fuzzedDataProvider)23 static void populateDynamicRefTableWithFuzzedData(
24     android::DynamicRefTable& table,
25     FuzzedDataProvider& fuzzedDataProvider) {
26 
27     const size_t numMappings = fuzzedDataProvider.ConsumeIntegralInRange<size_t>(1, 5);
28     for (size_t i = 0; i < numMappings; ++i) {
29         const uint8_t packageId = fuzzedDataProvider.ConsumeIntegralInRange<uint8_t>(0x02, 0x7F);
30 
31         // Generate a package name
32         std::string packageName;
33         size_t packageNameLength = fuzzedDataProvider.ConsumeIntegralInRange<size_t>(1, 128);
34         for (size_t j = 0; j < packageNameLength; ++j) {
35             // Consume characters only in the ASCII range (0x20 to 0x7E) to ensure valid UTF-8
36             char ch = fuzzedDataProvider.ConsumeIntegralInRange<char>(0x20, 0x7E);
37             packageName.push_back(ch);
38         }
39 
40         // Convert std::string to String16 for compatibility
41         android::String16 androidPackageName(packageName.c_str(), packageName.length());
42 
43         // Add the mapping to the table
44         table.addMapping(androidPackageName, packageId);
45     }
46 }
47 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)48 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
49     FuzzedDataProvider fuzzedDataProvider(data, size);
50 
51     auto dynamic_ref_table = std::make_shared<android::DynamicRefTable>();
52 
53     // Populate the DynamicRefTable with fuzzed data
54     populateDynamicRefTableWithFuzzedData(*dynamic_ref_table, fuzzedDataProvider);
55     std::vector<uint8_t> xmlData = fuzzedDataProvider.ConsumeRemainingBytes<uint8_t>();
56 
57     // Make sure the object here outlives the vector it's set to, otherwise it will try
58     // accessing an already freed buffer and crash.
59     auto tree = android::ResXMLTree(std::move(dynamic_ref_table));
60     if (tree.setTo(xmlData.data(), xmlData.size()) != android::NO_ERROR) {
61         return 0; // Exit early if unable to parse XML data
62     }
63 
64     tree.restart();
65 
66     size_t len = 0;
67     auto code = tree.next();
68     if (code == android::ResXMLParser::START_TAG) {
69         // Access element name
70         auto name = tree.getElementName(&len);
71 
72         // Access attributes of the current element
73         for (size_t i = 0; i < tree.getAttributeCount(); i++) {
74             // Access attribute name
75             auto attrName = tree.getAttributeName(i, &len);
76         }
77     } else if (code == android::ResXMLParser::TEXT) {
78         const auto text = tree.getText(&len);
79     }
80     return 0; // Non-zero return values are reserved for future use.
81 }
82