upstream/mercurial-mirror Files · contrib/fuzz/mpatch.cc

fuzz: new fuzzer for cext/manifest.c...

fuzz: new fuzzer for cext/manifest.c This is a bit messy, because lazymanifest is tightly coupled to the cpython API for performance reasons. As a result, we have to build a whole Python without pymalloc (so ASAN can help us out) and link against that. Then we have to use an embedded Python interpreter. We could manually drive the lazymanifest in C from that point, but experimentally just using PyEval_EvalCode isn't really any slower so we may as well do that and write the innermost guts of the fuzzer in Python. Leak detection is currently disabled for this fuzzer because there are a few global-lifetime things in our extensions that we more or less intentionally leak and I didn't want to take the detour to work around that for now. This should not be pushed to our repo until https://github.com/google/oss-fuzz/pull/1853 is merged, as this depends on having the Python tarball around. Differential Revision: https://phab.mercurial-scm.org/D4879

Augie Fackler - - Load All Authors

File last commit:

r38264:46dcb9f1 default


                r40089:8c692a6b

default

Download file

             mpatch.cc
        
                    122 lines
            
             | 3.3 KiB
            
                | text/x-c
            
             |
                CppLexer
            
             / contrib / fuzz / mpatch.cc
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Augie Fackler
    
fuzz: new fuzzer for the mpatch code...

              r38264
            
      /*

       * mpatch.cc - fuzzer harness for mpatch.c

       *

       * Copyright 2018, Google Inc.

       *

       * This software may be used and distributed according to the terms of

       * the GNU General Public License, incorporated herein by reference.

       */

      #include <iostream>

      #include <memory>

      #include <stdint.h>

      #include <stdlib.h>

      #include <vector>

      #include "fuzzutil.h"

      // To avoid having too many OOMs from the fuzzer infrastructure, we'll

      // skip patch application if the resulting fulltext would be bigger

      // than 10MiB.

      #define MAX_OUTPUT_SIZE 10485760

      extern "C" {

      #include "bitmanipulation.h"

      #include "mpatch.h"

      struct mpatchbin {

      	std::unique_ptr<char[]> data;

      	size_t len;

      };

      static mpatch_flist *getitem(void *vbins, ssize_t pos)

      {

      	std::vector<mpatchbin> *bins = (std::vector<mpatchbin> *)vbins;

      	const mpatchbin &bin = bins->at(pos + 1);

      	struct mpatch_flist *res;

      	LOG(2) << "mpatch_decode " << bin.len << std::endl;

      	if (mpatch_decode(bin.data.get(), bin.len, &res) < 0)

      		return NULL;

      	return res;

      }

      // input format:

      // u8 number of inputs

      // one u16 for each input, its length

      // the inputs

      int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)

      {

      	if (!Size) {

      		return 0;

      	}

      	// First byte of data is how many texts we expect, first text

      	// being the base the rest being the deltas.

      	ssize_t numtexts = Data[0];

      	if (numtexts < 2) {

      		// No point if we don't have at least a base text and a delta...

      		return 0;

      	}

      	// Each text will be described by a byte for how long it

      	// should be, so give up if we don't have enough.

      	if ((Size - 1) < (numtexts * 2)) {

      		return 0;

      	}

      	size_t consumed = 1 + (numtexts * 2);

      	LOG(2) << "input contains " << Size << std::endl;

      	LOG(2) << numtexts << " texts, consuming " << consumed << std::endl;

      	std::vector<mpatchbin> bins;

      	bins.reserve(numtexts);

      	for (int i = 0; i < numtexts; ++i) {

      		mpatchbin bin;

      		size_t nthsize = getbeuint16((char *)Data + 1 + (2 * i));

      		LOG(2) << "text " << i << " is " << nthsize << std::endl;

      		char *start = (char *)Data + consumed;

      		consumed += nthsize;

      		if (consumed > Size) {

      			LOG(2) << "ran out of data, consumed " << consumed

      			       << " of " << Size << std::endl;

      			return 0;

      		}

      		bin.len = nthsize;

      		bin.data.reset(new char[nthsize]);

      		memcpy(bin.data.get(), start, nthsize);

      		bins.push_back(std::move(bin));

      	}

      	LOG(2) << "mpatch_flist" << std::endl;

      	struct mpatch_flist *patch =

      	    mpatch_fold(&bins, getitem, 0, numtexts - 1);

      	if (!patch) {

      		return 0;

      	}

      	LOG(2) << "mpatch_calcsize" << std::endl;

      	ssize_t outlen = mpatch_calcsize(bins[0].len, patch);

      	LOG(2) << "outlen " << outlen << std::endl;

      	if (outlen < 0 || outlen > MAX_OUTPUT_SIZE) {

      		goto cleanup;

      	}

      	{

      		char *dest = (char *)malloc(outlen);

      		LOG(2) << "expecting " << outlen << " total bytes at "

      		       << (void *)dest << std::endl;

      		mpatch_apply(dest, bins[0].data.get(), bins[0].len, patch);

      		free(dest);

      		LOG(1) << "applied a complete patch" << std::endl;

      	}

      cleanup:

      	mpatch_lfree(patch);

      	return 0;

      }

      #ifdef HG_FUZZER_INCLUDE_MAIN

      int main(int argc, char **argv)

      {

      	// One text, one patch.

      	const char data[] = "\x02\x00\0x1\x00\x0d"

      	                    // base text

      	                    "a"

      	                    // binary delta that will append a single b

      	                    "\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01b";

      	return LLVMFuzzerTestOneInput((const uint8_t *)data, 19);

      }

      #endif

      } // extern "C"

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Augie Fackler fuzz: new fuzzer for the mpatch code...	r38264	/*
		* mpatch.cc - fuzzer harness for mpatch.c
		*
		* Copyright 2018, Google Inc.
		*
		* This software may be used and distributed according to the terms of
		* the GNU General Public License, incorporated herein by reference.
		*/
		#include <iostream>
		#include <memory>
		#include <stdint.h>
		#include <stdlib.h>
		#include <vector>

		#include "fuzzutil.h"

		// To avoid having too many OOMs from the fuzzer infrastructure, we'll
		// skip patch application if the resulting fulltext would be bigger
		// than 10MiB.
		#define MAX_OUTPUT_SIZE 10485760

		extern "C" {
		#include "bitmanipulation.h"
		#include "mpatch.h"

		struct mpatchbin {
		std::unique_ptr<char[]> data;
		size_t len;
		};

		static mpatch_flist getitem(void vbins, ssize_t pos)
		{
		std::vector<mpatchbin> bins = (std::vector<mpatchbin> )vbins;
		const mpatchbin &bin = bins->at(pos + 1);
		struct mpatch_flist *res;
		LOG(2) << "mpatch_decode " << bin.len << std::endl;
		if (mpatch_decode(bin.data.get(), bin.len, &res) < 0)
		return NULL;
		return res;
		}

		// input format:
		// u8 number of inputs
		// one u16 for each input, its length
		// the inputs
		int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
		{
		if (!Size) {
		return 0;
		}
		// First byte of data is how many texts we expect, first text
		// being the base the rest being the deltas.
		ssize_t numtexts = Data[0];
		if (numtexts < 2) {
		// No point if we don't have at least a base text and a delta...
		return 0;
		}
		// Each text will be described by a byte for how long it
		// should be, so give up if we don't have enough.
		if ((Size - 1) < (numtexts * 2)) {
		return 0;
		}
		size_t consumed = 1 + (numtexts * 2);
		LOG(2) << "input contains " << Size << std::endl;
		LOG(2) << numtexts << " texts, consuming " << consumed << std::endl;
		std::vector<mpatchbin> bins;
		bins.reserve(numtexts);
		for (int i = 0; i < numtexts; ++i) {
		mpatchbin bin;
		size_t nthsize = getbeuint16((char )Data + 1 + (2 i));
		LOG(2) << "text " << i << " is " << nthsize << std::endl;
		char start = (char )Data + consumed;
		consumed += nthsize;
		if (consumed > Size) {
		LOG(2) << "ran out of data, consumed " << consumed
		<< " of " << Size << std::endl;
		return 0;
		}
		bin.len = nthsize;
		bin.data.reset(new char[nthsize]);
		memcpy(bin.data.get(), start, nthsize);
		bins.push_back(std::move(bin));
		}
		LOG(2) << "mpatch_flist" << std::endl;
		struct mpatch_flist *patch =
		mpatch_fold(&bins, getitem, 0, numtexts - 1);
		if (!patch) {
		return 0;
		}
		LOG(2) << "mpatch_calcsize" << std::endl;
		ssize_t outlen = mpatch_calcsize(bins[0].len, patch);
		LOG(2) << "outlen " << outlen << std::endl;
		if (outlen < 0 \|\| outlen > MAX_OUTPUT_SIZE) {
		goto cleanup;
		}
		{
		char dest = (char )malloc(outlen);
		LOG(2) << "expecting " << outlen << " total bytes at "
		<< (void *)dest << std::endl;
		mpatch_apply(dest, bins[0].data.get(), bins[0].len, patch);
		free(dest);
		LOG(1) << "applied a complete patch" << std::endl;
		}
		cleanup:
		mpatch_lfree(patch);
		return 0;
		}

		#ifdef HG_FUZZER_INCLUDE_MAIN
		int main(int argc, char **argv)
		{
		// One text, one patch.
		const char data[] = "\x02\x00\0x1\x00\x0d"
		// base text
		"a"
		// binary delta that will append a single b
		"\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01b";
		return LLVMFuzzerTestOneInput((const uint8_t *)data, 19);
		}
		#endif

		} // extern "C"