Show More
@@ -1,42 +1,47 b'' | |||
|
1 | 1 | /* |
|
2 | 2 | * bdiff.cc - fuzzer harness for bdiff.c |
|
3 | 3 | * |
|
4 | 4 | * Copyright 2018, Google Inc. |
|
5 | 5 | * |
|
6 | 6 | * This software may be used and distributed according to the terms of |
|
7 | 7 | * the GNU General Public License, incorporated herein by reference. |
|
8 | 8 | */ |
|
9 | 9 | #include <memory> |
|
10 | 10 | #include <stdlib.h> |
|
11 | 11 | |
|
12 | 12 | #include <fuzzer/FuzzedDataProvider.h> |
|
13 | 13 | |
|
14 | 14 | extern "C" { |
|
15 | 15 | #include "bdiff.h" |
|
16 | 16 | |
|
17 | extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) | |
|
18 | { | |
|
19 | return 0; | |
|
20 | } | |
|
21 | ||
|
17 | 22 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) |
|
18 | 23 | { |
|
19 | 24 | FuzzedDataProvider provider(Data, Size); |
|
20 | 25 | std::string left = provider.ConsumeRandomLengthString(Size); |
|
21 | 26 | std::string right = provider.ConsumeRemainingBytesAsString(); |
|
22 | 27 | |
|
23 | 28 | struct bdiff_line *a, *b; |
|
24 | 29 | int an = bdiff_splitlines(left.c_str(), left.size(), &a); |
|
25 | 30 | int bn = bdiff_splitlines(right.c_str(), right.size(), &b); |
|
26 | 31 | struct bdiff_hunk l; |
|
27 | 32 | bdiff_diff(a, an, b, bn, &l); |
|
28 | 33 | free(a); |
|
29 | 34 | free(b); |
|
30 | 35 | bdiff_freehunks(l.next); |
|
31 | 36 | return 0; // Non-zero return values are reserved for future use. |
|
32 | 37 | } |
|
33 | 38 | |
|
34 | 39 | #ifdef HG_FUZZER_INCLUDE_MAIN |
|
35 | 40 | int main(int argc, char **argv) |
|
36 | 41 | { |
|
37 | 42 | const char data[] = "asdf"; |
|
38 | 43 | return LLVMFuzzerTestOneInput((const uint8_t *)data, 4); |
|
39 | 44 | } |
|
40 | 45 | #endif |
|
41 | 46 | |
|
42 | 47 | } // extern "C" |
@@ -1,122 +1,127 b'' | |||
|
1 | 1 | /* |
|
2 | 2 | * mpatch.cc - fuzzer harness for mpatch.c |
|
3 | 3 | * |
|
4 | 4 | * Copyright 2018, Google Inc. |
|
5 | 5 | * |
|
6 | 6 | * This software may be used and distributed according to the terms of |
|
7 | 7 | * the GNU General Public License, incorporated herein by reference. |
|
8 | 8 | */ |
|
9 | 9 | #include <iostream> |
|
10 | 10 | #include <memory> |
|
11 | 11 | #include <stdint.h> |
|
12 | 12 | #include <stdlib.h> |
|
13 | 13 | #include <vector> |
|
14 | 14 | |
|
15 | 15 | #include "fuzzutil.h" |
|
16 | 16 | |
|
17 | extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) | |
|
18 | { | |
|
19 | return 0; | |
|
20 | } | |
|
21 | ||
|
17 | 22 | // To avoid having too many OOMs from the fuzzer infrastructure, we'll |
|
18 | 23 | // skip patch application if the resulting fulltext would be bigger |
|
19 | 24 | // than 10MiB. |
|
20 | 25 | #define MAX_OUTPUT_SIZE 10485760 |
|
21 | 26 | |
|
22 | 27 | extern "C" { |
|
23 | 28 | #include "bitmanipulation.h" |
|
24 | 29 | #include "mpatch.h" |
|
25 | 30 | |
|
26 | 31 | struct mpatchbin { |
|
27 | 32 | std::unique_ptr<char[]> data; |
|
28 | 33 | size_t len; |
|
29 | 34 | }; |
|
30 | 35 | |
|
31 | 36 | static mpatch_flist *getitem(void *vbins, ssize_t pos) |
|
32 | 37 | { |
|
33 | 38 | std::vector<mpatchbin> *bins = (std::vector<mpatchbin> *)vbins; |
|
34 | 39 | const mpatchbin &bin = bins->at(pos + 1); |
|
35 | 40 | struct mpatch_flist *res; |
|
36 | 41 | LOG(2) << "mpatch_decode " << bin.len << std::endl; |
|
37 | 42 | if (mpatch_decode(bin.data.get(), bin.len, &res) < 0) |
|
38 | 43 | return NULL; |
|
39 | 44 | return res; |
|
40 | 45 | } |
|
41 | 46 | |
|
42 | 47 | // input format: |
|
43 | 48 | // u8 number of inputs |
|
44 | 49 | // one u16 for each input, its length |
|
45 | 50 | // the inputs |
|
46 | 51 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) |
|
47 | 52 | { |
|
48 | 53 | if (!Size) { |
|
49 | 54 | return 0; |
|
50 | 55 | } |
|
51 | 56 | // First byte of data is how many texts we expect, first text |
|
52 | 57 | // being the base the rest being the deltas. |
|
53 | 58 | ssize_t numtexts = Data[0]; |
|
54 | 59 | if (numtexts < 2) { |
|
55 | 60 | // No point if we don't have at least a base text and a delta... |
|
56 | 61 | return 0; |
|
57 | 62 | } |
|
58 | 63 | // Each text will be described by a byte for how long it |
|
59 | 64 | // should be, so give up if we don't have enough. |
|
60 | 65 | if ((Size - 1) < (numtexts * 2)) { |
|
61 | 66 | return 0; |
|
62 | 67 | } |
|
63 | 68 | size_t consumed = 1 + (numtexts * 2); |
|
64 | 69 | LOG(2) << "input contains " << Size << std::endl; |
|
65 | 70 | LOG(2) << numtexts << " texts, consuming " << consumed << std::endl; |
|
66 | 71 | std::vector<mpatchbin> bins; |
|
67 | 72 | bins.reserve(numtexts); |
|
68 | 73 | for (int i = 0; i < numtexts; ++i) { |
|
69 | 74 | mpatchbin bin; |
|
70 | 75 | size_t nthsize = getbeuint16((char *)Data + 1 + (2 * i)); |
|
71 | 76 | LOG(2) << "text " << i << " is " << nthsize << std::endl; |
|
72 | 77 | char *start = (char *)Data + consumed; |
|
73 | 78 | consumed += nthsize; |
|
74 | 79 | if (consumed > Size) { |
|
75 | 80 | LOG(2) << "ran out of data, consumed " << consumed |
|
76 | 81 | << " of " << Size << std::endl; |
|
77 | 82 | return 0; |
|
78 | 83 | } |
|
79 | 84 | bin.len = nthsize; |
|
80 | 85 | bin.data.reset(new char[nthsize]); |
|
81 | 86 | memcpy(bin.data.get(), start, nthsize); |
|
82 | 87 | bins.push_back(std::move(bin)); |
|
83 | 88 | } |
|
84 | 89 | LOG(2) << "mpatch_flist" << std::endl; |
|
85 | 90 | struct mpatch_flist *patch = |
|
86 | 91 | mpatch_fold(&bins, getitem, 0, numtexts - 1); |
|
87 | 92 | if (!patch) { |
|
88 | 93 | return 0; |
|
89 | 94 | } |
|
90 | 95 | LOG(2) << "mpatch_calcsize" << std::endl; |
|
91 | 96 | ssize_t outlen = mpatch_calcsize(bins[0].len, patch); |
|
92 | 97 | LOG(2) << "outlen " << outlen << std::endl; |
|
93 | 98 | if (outlen < 0 || outlen > MAX_OUTPUT_SIZE) { |
|
94 | 99 | goto cleanup; |
|
95 | 100 | } |
|
96 | 101 | { |
|
97 | 102 | char *dest = (char *)malloc(outlen); |
|
98 | 103 | LOG(2) << "expecting " << outlen << " total bytes at " |
|
99 | 104 | << (void *)dest << std::endl; |
|
100 | 105 | mpatch_apply(dest, bins[0].data.get(), bins[0].len, patch); |
|
101 | 106 | free(dest); |
|
102 | 107 | LOG(1) << "applied a complete patch" << std::endl; |
|
103 | 108 | } |
|
104 | 109 | cleanup: |
|
105 | 110 | mpatch_lfree(patch); |
|
106 | 111 | return 0; |
|
107 | 112 | } |
|
108 | 113 | |
|
109 | 114 | #ifdef HG_FUZZER_INCLUDE_MAIN |
|
110 | 115 | int main(int argc, char **argv) |
|
111 | 116 | { |
|
112 | 117 | // One text, one patch. |
|
113 | 118 | const char data[] = "\x02\x00\0x1\x00\x0d" |
|
114 | 119 | // base text |
|
115 | 120 | "a" |
|
116 | 121 | // binary delta that will append a single b |
|
117 | 122 | "\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01b"; |
|
118 | 123 | return LLVMFuzzerTestOneInput((const uint8_t *)data, 19); |
|
119 | 124 | } |
|
120 | 125 | #endif |
|
121 | 126 | |
|
122 | 127 | } // extern "C" |
@@ -1,61 +1,66 b'' | |||
|
1 | 1 | /* |
|
2 | 2 | * xdiff.cc - fuzzer harness for thirdparty/xdiff |
|
3 | 3 | * |
|
4 | 4 | * Copyright 2018, Google Inc. |
|
5 | 5 | * |
|
6 | 6 | * This software may be used and distributed according to the terms of |
|
7 | 7 | * the GNU General Public License, incorporated herein by reference. |
|
8 | 8 | */ |
|
9 | 9 | #include "thirdparty/xdiff/xdiff.h" |
|
10 | 10 | #include <inttypes.h> |
|
11 | 11 | #include <stdlib.h> |
|
12 | 12 | |
|
13 | 13 | #include <fuzzer/FuzzedDataProvider.h> |
|
14 | 14 | |
|
15 | 15 | extern "C" { |
|
16 | 16 | |
|
17 | int LLVMFuzzerInitialize(int *argc, char ***argv) | |
|
18 | { | |
|
19 | return 0; | |
|
20 | } | |
|
21 | ||
|
17 | 22 | int hunk_consumer(long a1, long a2, long b1, long b2, void *priv) |
|
18 | 23 | { |
|
19 | 24 | // TODO: probably also test returning -1 from this when things break? |
|
20 | 25 | return 0; |
|
21 | 26 | } |
|
22 | 27 | |
|
23 | 28 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) |
|
24 | 29 | { |
|
25 | 30 | // Don't allow fuzzer inputs larger than 100k, since we'll just bog |
|
26 | 31 | // down and not accomplish much. |
|
27 | 32 | if (Size > 100000) { |
|
28 | 33 | return 0; |
|
29 | 34 | } |
|
30 | 35 | FuzzedDataProvider provider(Data, Size); |
|
31 | 36 | std::string left = provider.ConsumeRandomLengthString(Size); |
|
32 | 37 | std::string right = provider.ConsumeRemainingBytesAsString(); |
|
33 | 38 | mmfile_t a, b; |
|
34 | 39 | |
|
35 | 40 | a.ptr = (char *)left.c_str(); |
|
36 | 41 | a.size = left.size(); |
|
37 | 42 | b.ptr = (char *)right.c_str(); |
|
38 | 43 | b.size = right.size(); |
|
39 | 44 | xpparam_t xpp = { |
|
40 | 45 | XDF_INDENT_HEURISTIC, /* flags */ |
|
41 | 46 | }; |
|
42 | 47 | xdemitconf_t xecfg = { |
|
43 | 48 | XDL_EMIT_BDIFFHUNK, /* flags */ |
|
44 | 49 | hunk_consumer, /* hunk_consume_func */ |
|
45 | 50 | }; |
|
46 | 51 | xdemitcb_t ecb = { |
|
47 | 52 | NULL, /* priv */ |
|
48 | 53 | }; |
|
49 | 54 | xdl_diff(&a, &b, &xpp, &xecfg, &ecb); |
|
50 | 55 | return 0; // Non-zero return values are reserved for future use. |
|
51 | 56 | } |
|
52 | 57 | |
|
53 | 58 | #ifdef HG_FUZZER_INCLUDE_MAIN |
|
54 | 59 | int main(int argc, char **argv) |
|
55 | 60 | { |
|
56 | 61 | const char data[] = "asdf"; |
|
57 | 62 | return LLVMFuzzerTestOneInput((const uint8_t *)data, 4); |
|
58 | 63 | } |
|
59 | 64 | #endif |
|
60 | 65 | |
|
61 | 66 | } // extern "C" |
General Comments 0
You need to be logged in to leave comments.
Login now