mirror of
https://fuchsia.googlesource.com/third_party/pigweed.googlesource.com/pigweed/pigweed
synced 2024-09-20 05:41:06 +00:00
f89f1379d4
Moves and renames the existing pw::string::Length to pw::string::internal::ClampedLength. Instead two new helpers are added: 1) pw::string::NullTerminatedLength(...) which returns the length IFF the string is null terminated. 2) pw::string::ClampedCString(...) which returns a string_view of the clamped string. This is considered safer compared to strnlen_s and the existing internal::ClampedLength implementation, since sting_view does not require null termination. Change-Id: Ie6486df13b205332633f3970109ca97f578e6993 Requires: pigweed-internal:12460 Reviewed-on: https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/43463 Reviewed-by: Ewout van Bekkum <ewout@google.com> Reviewed-by: Wyatt Hepler <hepler@google.com> Reviewed-by: Keir Mierle <keir@google.com> Pigweed-Auto-Submit: Ewout van Bekkum <ewout@google.com> Commit-Queue: Auto-Submit <auto-submit@pigweed.google.com.iam.gserviceaccount.com>
91 lines
2.7 KiB
C++
91 lines
2.7 KiB
C++
// Copyright 2020 The Pigweed Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
// use this file except in compliance with the License. You may obtain a copy of
|
|
// the License at
|
|
//
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
// License for the specific language governing permissions and limitations under
|
|
// the License.
|
|
|
|
// This is a simple example of how to write a fuzzer. The target function is
|
|
// crafted to demonstrates how the fuzzer can analyze conditional branches and
|
|
// incrementally cover more and more code until a defect is found.
|
|
//
|
|
// See build_and_run_toy_fuzzer.sh for examples of how you can build and run
|
|
// this example.
|
|
|
|
#include <cstddef>
|
|
#include <cstdint>
|
|
#include <cstring>
|
|
#include <span>
|
|
|
|
#include "pw_result/result.h"
|
|
#include "pw_string/util.h"
|
|
|
|
namespace {
|
|
|
|
// The code to fuzz. This would normally be in separate library.
|
|
void toy_example(const char* word1, const char* word2) {
|
|
bool greeted = false;
|
|
if (word1[0] == 'h') {
|
|
if (word1[1] == 'e') {
|
|
if (word1[2] == 'l') {
|
|
if (word1[3] == 'l') {
|
|
if (word1[4] == 'o') {
|
|
greeted = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (word2[0] == 'w') {
|
|
if (word2[1] == 'o') {
|
|
if (word2[2] == 'r') {
|
|
if (word2[3] == 'l') {
|
|
if (word2[4] == 'd') {
|
|
if (greeted) {
|
|
// Our "defect", simulating a crash.
|
|
__builtin_trap();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
} // namespace
|
|
|
|
// The fuzz target function
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
// We want to split our input into two strings.
|
|
const std::span<const char> input(reinterpret_cast<const char*>(data), size);
|
|
|
|
// If that's not feasible, toss this input. The fuzzer will quickly learn that
|
|
// inputs without null-terminators are uninteresting.
|
|
const pw::Result<size_t> possible_word1_size =
|
|
pw::string::NullTerminatedLength(input);
|
|
if (!possible_word1_size.ok()) {
|
|
return 0;
|
|
}
|
|
const std::span<const char> word1 =
|
|
input.first(possible_word1_size.value() + 1);
|
|
|
|
// Actually, inputs without TWO null terminators are uninteresting.
|
|
std::span<const char> remaining_input = input.subspan(word1.size());
|
|
if (!pw::string::NullTerminatedLength(remaining_input).ok()) {
|
|
return 0;
|
|
}
|
|
|
|
// Call the code we're targeting!
|
|
toy_example(word1.data(), remaining_input.data());
|
|
|
|
// By convention, the fuzzer always returns zero.
|
|
return 0;
|
|
}
|