File: CompressedTest.cpp

package info (click to toggle)
llvm-toolchain-15 1%3A15.0.6-4
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 1,554,644 kB
  • sloc: cpp: 5,922,452; ansic: 1,012,136; asm: 674,362; python: 191,568; objc: 73,855; f90: 42,327; lisp: 31,913; pascal: 11,973; javascript: 10,144; sh: 9,421; perl: 7,447; ml: 5,527; awk: 3,523; makefile: 2,520; xml: 885; cs: 573; fortran: 567
file content (61 lines) | stat: -rw-r--r-- 2,391 bytes parent folder | download | duplicates (27) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
 
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

// A fuzz target that consumes a Zlib-compressed input.
// This test verifies that we can find this bug with a custom mutator.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <zlib.h>

// The fuzz target.
// Uncompress the data, crash on input starting with "FU".
// Good luck finding this w/o a custom mutator. :)
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  uint8_t Uncompressed[100];
  size_t UncompressedLen = sizeof(Uncompressed);
  if (Z_OK != uncompress(Uncompressed, &UncompressedLen, Data, Size))
    return 0;
  if (UncompressedLen < 2) return 0;
  if (Uncompressed[0] == 'F' && Uncompressed[1] == 'U')
    abort();  // Boom
  return 0;
}

#ifdef CUSTOM_MUTATOR

// Forward-declare the libFuzzer's mutator callback.
extern "C" size_t
LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);

// The custom mutator:
//   * deserialize the data (in this case, uncompress).
//     * If the data doesn't deserialize, create a properly serialized dummy.
//   * Mutate the deserialized data (in this case, just call LLVMFuzzerMutate).
//   * Serialize the mutated data (in this case, compress).
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
                                          size_t MaxSize, unsigned int Seed) {
  uint8_t Uncompressed[100];
  size_t UncompressedLen = sizeof(Uncompressed);
  size_t CompressedLen = MaxSize;
  if (Z_OK != uncompress(Uncompressed, &UncompressedLen, Data, Size)) {
    // The data didn't uncompress.
    // So, it's either a broken input and we want to ignore it,
    // or we've started fuzzing from an empty corpus and we need to supply
    // out first properly compressed input.
    uint8_t Dummy[] = {'H', 'i'};
    if (Z_OK != compress(Data, &CompressedLen, Dummy, sizeof(Dummy)))
      return 0;
    // fprintf(stderr, "Dummy: max %zd res %zd\n", MaxSize, CompressedLen);
    return CompressedLen;
  }
  UncompressedLen =
      LLVMFuzzerMutate(Uncompressed, UncompressedLen, sizeof(Uncompressed));
  if (Z_OK != compress(Data, &CompressedLen, Uncompressed, UncompressedLen))
    return 0;
  return CompressedLen;
}

#endif  // CUSTOM_MUTATOR