1 /* Copyright 2021 Google LLC
2 Licensed under the Apache License, Version 2.0 (the "License");
3 you may not use this file except in compliance with the License.
4 You may obtain a copy of the License at
5 http://www.apache.org/licenses/LICENSE-2.0
6 Unless required by applicable law or agreed to in writing, software
7 distributed under the License is distributed on an "AS IS" BASIS,
8 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9 See the License for the specific language governing permissions and
10 limitations under the License.
11 */
12 #include "apr.h"
13 #include "apr_file_io.h"
14 #include "apr_poll.h"
15 #include "apr_portable.h"
16 #include "apr_proc_mutex.h"
17 #include "apr_signal.h"
18 #include "apr_strings.h"
19 #include "apr_thread_mutex.h"
20 #include "apr_thread_proc.h"
21
22 #define APR_WANT_STRFUNC
23 #include "apr_file_io.h"
24 #include "apr_fnmatch.h"
25 #include "apr_want.h"
26
27 #include "apr_poll.h"
28 #include "apr_want.h"
29
30 #include "ap_config.h"
31 #include "ap_expr.h"
32 #include "ap_listen.h"
33 #include "ap_provider.h"
34 #include "ap_regex.h"
35
36 #include "ada_fuzz_header.h"
37 #include "apreq_parser.h"
38
/*
 * No-op parser hook installed by the fuzz harness.
 *
 * It is registered through apreq_hook_make() in LLVMFuzzerTestOneInput so
 * that the parser has a hook to call. All three arguments are ignored.
 *
 * Returns 0 unconditionally (0 is the APR success status).
 */
apr_status_t hookfunc(apreq_hook_t *hook, apreq_param_t *param,
                      apr_bucket_brigade *bb)
{
    /* The arguments are intentionally unused: the hook exists only so the
     * parser's hook-dispatch path has something to invoke. */
    (void)hook;
    (void)param;
    (void)bb;

    return 0;
}
43
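/*
 * libFuzzer entry point: drives libapreq's multipart and urlencoded body
 * parsers with fuzzer-derived input.
 *
 * The input is consumed in this order:
 *   1. a NUL-terminated string used as the request body,
 *   2. a NUL-terminated string used as the Content-Type,
 *   3. a short whose parity selects the parser (even: multipart,
 *      odd: urlencoded).
 *
 * Parser return codes are ignored: malformed input is the expected case and
 * only faults inside the parsers are of interest. If the harness's own APR
 * setup fails, the parsers are not called, so a setup failure is not
 * reported as a crash in the code under test.
 *
 * Always returns 0.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    /* af_gb_* come from ada_fuzz_header.h; presumably they track the strings
     * handed out below so af_gb_cleanup() can release them. Confirm there. */
    af_gb_init();

    const uint8_t *data2 = data;
    size_t size2 = size;

    /* Carve the body and the Content-Type out of the fuzz input. */
    char *new_str = af_gb_get_null_terminated(&data2, &size2);
    char *new_str2 = af_gb_get_null_terminated(&data2, &size2);

    /* apr_pool_terminate() is paired only with a successful initialize. */
    if (new_str != NULL && new_str2 != NULL && apr_pool_initialize() == 0) {
        apr_pool_t *v = NULL;

        if (apr_pool_create(&v, NULL) == 0 && v != NULL) {
            apr_bucket_alloc_t *bucket = apr_bucket_alloc_create(v);
            apr_bucket_brigade *brigade =
                bucket != NULL ? apr_brigade_create(v, bucket) : NULL;

            if (brigade != NULL) {
                /* strlen() bounds the body, so the parsers never see bytes
                 * past the first NUL of the fuzz input. */
                apr_brigade_write(brigade, NULL, NULL, new_str,
                                  strlen(new_str));

                /* Zero the whole struct so that any member not assigned
                 * below is not read as indeterminate stack data. */
                apreq_parser_t parser = {0};
                parser.content_type = new_str2;
                /* NOTE(review): in libapreq these two presumably control
                 * spooling of large bodies to disk (in-memory limit and
                 * spool directory); confirm against apreq_parser.h. */
                parser.temp_dir = "/tmp/";
                parser.brigade_limit = 10;
                parser.pool = v;
                parser.ctx = NULL;
                parser.bucket_alloc = bucket;

                parser.hook =
                    apreq_hook_make(parser.pool, hookfunc, NULL, parser.ctx);

                apr_table_t *table = apr_table_make(parser.pool, 10);
                if (table != NULL) {
                    /* One fuzz-controlled short picks the parser. */
                    if (af_get_short(&data2, &size2) % 2 == 0) {
                        apreq_parse_multipart(&parser, table, brigade);
                    } else {
                        apreq_parse_urlencoded(&parser, table, brigade);
                    }
                }
            }
        }

        /* Tears down the pools created since apr_pool_initialize(), which
         * is what releases v and everything allocated from it. */
        apr_pool_terminate();
    }

    af_gb_cleanup();
    return 0;
}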
85