From f451278f0e57a7355783d644f7083b28b41e4b4e Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi
Date: Mon, 5 Oct 2020 16:27:56 -0700
Subject: Fix fuzzer's use of aacDecoder_DecodeFrame

The aacDecoder_DecodeFrame function takes a size in numbers of samples (INT_PCM), not a number of bytes. Using a number of bytes caused the FDK to believe the array was larger than it really was. Therefore on invalid frames, it would try to clear a size larger than was really available, causing an OOB crash.

Bug: 161014225
Test: check clusterfuzz results for case 6217304556437504
Change-Id: I9278898a17c1c961c568e841c6037d0c14bcc8b4
---
 fuzzer/aac_dec_fuzzer.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'fuzzer')

diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp
index b5545fc..c970197 100644
--- a/fuzzer/aac_dec_fuzzer.cpp
+++ b/fuzzer/aac_dec_fuzzer.cpp
@@ -118,7 +118,8 @@ void Codec::decodeFrames(UCHAR *data, UINT size) {
 INT_PCM outputBuf[kMaxOutBufferSize];
 do {
 mErrorCode =
- aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf), 0);
+ aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
+ kMaxOutBufferSize /*size in number of INT_PCM, not bytes*/, 0);
 } while (mErrorCode == AAC_DEC_OK);
 UINT offset = inputSize - valid;
 data += offset;
--
cgit v1.2.3

From e575d5741da82f85ae18ce4231afe56a2d7b5071 Mon Sep 17 00:00:00 2001
From: Ayushi Khopkar
Date: Thu, 2 Mar 2023 15:21:15 +0530
Subject: Updated fuzz_config in Android.bp file

Added new fields in fuzz_config like - hotlists, description, vector, service_privilege, users, fuzzed_code_usage, etc.

Bug: 271384401
Test: Build aac_dec_fuzzer and aac_enc_fuzzer
Change-Id: I2637accffa42e37fc90e19b531ca5aef299b811e
---
 fuzzer/Android.bp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'fuzzer')

diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
index 6739798..3ea7559 100644
--- a/fuzzer/Android.bp
+++ b/fuzzer/Android.bp
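Review bot: The element count passed on the new `kMaxOutBufferSize` argument is now a second hand-written copy of the constant used to declare `outputBuf` in the same hunk, so the two can drift apart if the buffer is later resized or its element type changed; deriving the count from the array keeps the units tied to the declaration: `aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf) / sizeof(outputBuf[0]), 0);` (or `std::size(outputBuf)` if the file already builds as C++17 and includes `<iterator>`). The inline `/*size in number of INT_PCM, not bytes*/` comment could then become a line comment above the call, e.g. `// aacDecoder_DecodeFrame takes the output size in INT_PCM samples, not bytes.` The enclosing `Codec::decodeFrames` starts above the hunk and continues past it, so how the loop's non-OK exit is handled is not visible here.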
@@ -46,6 +46,14 @@ cc_defaults {
 "android-media-fuzzing-reports@google.com",
 ],
 componentid: 155276,
+ hotlists: [
+ "4593311",
+ ],
+ description: "The fuzzer targets the APIs of libFraunhoferAAC",
+ vector: "remote",
+ service_privilege: "privileged",
+ users: "multi_user",
+ fuzzed_code_usage: "shipped",
 },
 }
--
cgit v1.2.3