mirror of
https://fuchsia.googlesource.com/third_party/pigweed.googlesource.com/pigweed/pigweed
synced 2024-09-20 13:51:05 +00:00
f3c3d2b935
This CL adds fuzzing support, in the form of GN logic, docs, and an example fuzzer. You can run this fuzzer with the following: $ pw_fuzzer/examples/build_and_run_toy_fuzzer.sh This is rather bare-bones at the moment. Additional features, like corpus and dictionary integration, more sanitizers, etc. are follow-on work. Change-Id: I7fb4d5ecbb59d1e9b69f4594db4222728b8da2f9
87 lines
2.5 KiB
C++
87 lines
2.5 KiB
C++
// Copyright 2020 The Pigweed Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
// use this file except in compliance with the License. You may obtain a copy of
|
|
// the License at
|
|
//
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
// License for the specific language governing permissions and limitations under
|
|
// the License.
|
|
|
|
// This is a simple example of how to write a fuzzer. The target function is
|
|
// crafted to demonstrates how the fuzzer can analyze conditional branches and
|
|
// incrementally cover more and more code until a defect is found.
|
|
//
|
|
// See build_and_run_toy_fuzzer.sh for examples of how you can build and run
|
|
// this example.
|
|
|
|
#include <cstddef>
|
|
#include <cstdint>
|
|
#include <cstring>
|
|
|
|
#include "pw_string/util.h"
|
|
|
|
namespace {
|
|
|
|
// The code to fuzz. This would normally be in separate library.
|
|
void toy_example(const char* word1, const char* word2) {
|
|
bool greeted = false;
|
|
if (word1[0] == 'h') {
|
|
if (word1[1] == 'e') {
|
|
if (word1[2] == 'l') {
|
|
if (word1[3] == 'l') {
|
|
if (word1[4] == 'o') {
|
|
greeted = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (word2[0] == 'w') {
|
|
if (word2[1] == 'o') {
|
|
if (word2[2] == 'r') {
|
|
if (word2[3] == 'l') {
|
|
if (word2[4] == 'd') {
|
|
if (greeted) {
|
|
// Our "defect", simulating a crash.
|
|
__builtin_trap();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
} // namespace
|
|
|
|
// The fuzz target function
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
// We want to split our input into two strings.
|
|
const char* word1 = reinterpret_cast<const char*>(data);
|
|
|
|
// If that's not feasible, toss this input. The fuzzer will quickly learn that
|
|
// inputs without null-terminators are uninteresting.
|
|
size_t offset = pw::string::Length(word1, size) + 1;
|
|
if (offset >= size) {
|
|
return 0;
|
|
}
|
|
|
|
// Actually, inputs without TWO null terminators are uninteresting.
|
|
const char* word2 = reinterpret_cast<const char*>(&data[offset]);
|
|
size -= offset;
|
|
if (pw::string::Length(word2, size) == size) {
|
|
return 0;
|
|
}
|
|
|
|
// Call the code we're targeting!
|
|
toy_example(word1, word2);
|
|
|
|
// By convention, the fuzzer always returns zero.
|
|
return 0;
|
|
}
|