From 071bbfc75185e9be649922092fc3a3926851d1a9 Mon Sep 17 00:00:00 2001
From: lijincheng <lijincheng13@huawei.com>
Date: Sun, 31 Dec 2023 15:39:27 +0800
Subject: [PATCH] Fix parcel bugs found in Fuzz test

1.Fix align error in writeBoolVector and writeInt16Vector

2.Fix wrong random type size in parcel fuzzer

Issue:https://gitee.com/openharmony/commonlibrary_c_utils/issues/I8SM0A
Signed-off-by: lijincheng <lijincheng13@huawei.com>
---
 base/include/parcel.h                         |  2 ++
 base/src/parcel.cpp                           | 27 +++++++++++++++++--
 .../fuzztest/parcel_fuzzer/parcel_fuzzer.cpp  |  9 ++++---
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/base/include/parcel.h b/base/include/parcel.h
index 08453bb..64c73f3 100644
--- a/base/include/parcel.h
+++ b/base/include/parcel.h
@@ -715,6 +715,8 @@ public:
      */
     template <typename T1, typename T2>
     bool WriteVector(const std::vector<T1> &val, bool (Parcel::*Write)(T2));
+    template <typename Type, typename T1, typename T2>
+    bool WriteFixedAlignVector(const std::vector<T1> &originVal, bool (Parcel::*SpecialWrite)(T2));
     bool WriteBoolVector(const std::vector<bool> &val);
     bool WriteInt8Vector(const std::vector<int8_t> &val);
     bool WriteInt16Vector(const std::vector<int16_t> &val);
diff --git a/base/src/parcel.cpp b/base/src/parcel.cpp
index 86f0215..4c7f3ac 100644
--- a/base/src/parcel.cpp
+++ b/base/src/parcel.cpp
@@ -1280,9 +1280,32 @@ bool Parcel::WriteVector(const std::vector<T1> &val, bool (Parcel::*Write)(T2))
     return true;
 }
 
+template <typename Type, typename T1, typename T2>
+bool Parcel::WriteFixedAlignVector(const std::vector<T1> &originVal, bool (Parcel::*SpecialWrite)(T2))
+{
+    if (originVal.size() > INT_MAX) {
+        return false;
+    }
+
+    if (!this->WriteInt32(static_cast<int32_t>(originVal.size()))) {
+        return false;
+    }
+    // Use the specified interface to write a single element.
+    for (const auto &v : originVal) {
+        if (!(this->*SpecialWrite)(v)) {
+            return false;
+        }
+    }
+    // The write length of these interfaces is different from the original type.
+    // They need to use the specified write length and calculate the padSize based on this.
+    size_t padSize = this->GetPadSize(originVal.size() * sizeof(Type));
+    this->WritePadBytes(padSize);
+    return true;
+}
+
 bool Parcel::WriteBoolVector(const std::vector<bool> &val)
 {
-    return WriteVector(val, &Parcel::WriteBool);
+    return WriteFixedAlignVector<int32_t>(val, &Parcel::WriteBool);
 }
 
 bool Parcel::WriteInt8Vector(const std::vector<int8_t> &val)
@@ -1292,7 +1315,7 @@ bool Parcel::WriteInt8Vector(const std::vector<int8_t> &val)
 
 bool Parcel::WriteInt16Vector(const std::vector<int16_t> &val)
 {
-    return WriteVector(val, &Parcel::WriteInt16);
+    return WriteFixedAlignVector<int32_t>(val, &Parcel::WriteInt16);
 }
 
 bool Parcel::WriteInt32Vector(const std::vector<int32_t> &val)
diff --git a/base/test/fuzztest/parcel_fuzzer/parcel_fuzzer.cpp b/base/test/fuzztest/parcel_fuzzer/parcel_fuzzer.cpp
index 4a369ed..6ebcb7c 100644
--- a/base/test/fuzztest/parcel_fuzzer/parcel_fuzzer.cpp
+++ b/base/test/fuzztest/parcel_fuzzer/parcel_fuzzer.cpp
@@ -204,11 +204,12 @@ const std::vector<std::function<void(FuzzedDataProvider*, Parcel&)>> operations
         size_t bufferSize = dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
         void* buffer = malloc(bufferSize);
         size_t writtenBytes = dataProvider->ConsumeData(buffer, bufferSize);
+        const size_t maxTypeSize = 4; // max type size is 4 bytes.
         if (writtenBytes == 0) {
             free(buffer);
             return;
         }
-        size_t typeSize = dataProvider->ConsumeIntegralInRange<size_t>(0, writtenBytes);
+        size_t typeSize = dataProvider->ConsumeIntegralInRange<size_t>(0, maxTypeSize);
         parcel.WriteBufferAddTerminator(buffer, writtenBytes, typeSize);
         free(buffer);
     },
@@ -486,19 +487,19 @@ const std::vector<std::function<void(FuzzedDataProvider*, Parcel&)>> other_opera
 
     // cannot call randomly with other operations.
     [](FuzzedDataProvider* dataProvider, Parcel& parcel) {
-        FUZZ_LOGI("RewindWrite");
+        FUZZ_LOGI("SetDataCapacity");
         size_t capacity = dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
         parcel.SetDataCapacity(capacity);
     },
 
     [](FuzzedDataProvider* dataProvider, Parcel& parcel) {
-        FUZZ_LOGI("RewindWrite");
+        FUZZ_LOGI("SetDataSize");
         size_t dataSize = dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
         parcel.SetDataSize(dataSize);
     },
 
     [](FuzzedDataProvider* dataProvider, Parcel& parcel) {
-        FUZZ_LOGI("RewindWrite");
+        FUZZ_LOGI("SetMaxCapacity");
         size_t maxCapacity = dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_SIZE);
         parcel.SetMaxCapacity(maxCapacity);
     },
-- 
Gitee