1 // Copyright 2020 The Pigweed Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14 
15 // This is a simple example of how to write a fuzzer. The target function is
16 // crafted to demonstrate how the fuzzer can analyze conditional branches and
17 // incrementally cover more and more code until a defect is found.
18 //
19 // See build_and_run_toy_fuzzer.sh for examples of how you can build and run
20 // this example.
21 
22 #include <cstddef>
23 #include <cstdint>
24 #include <cstring>
25 #include <span>
26 
27 #include "pw_result/result.h"
28 #include "pw_string/util.h"
29 
namespace {

// The code under test. In a real project this would live in its own library;
// it is inlined here only to keep the example self-contained.
//
// Every character comparison below is deliberately its own branch: the fuzzer
// receives coverage feedback for each additional character it matches, which
// is what lets it walk toward the simulated defect one byte at a time.

// True iff `word` begins with "hello". `word` must be NUL-terminated: a
// shorter word fails at its terminator, so no byte past it is ever read.
bool says_hello(const char* word) {
  if (word[0] != 'h') {
    return false;
  }
  if (word[1] != 'e') {
    return false;
  }
  if (word[2] != 'l') {
    return false;
  }
  if (word[3] != 'l') {
    return false;
  }
  return word[4] == 'o';
}

// True iff `word` begins with "world". Same NUL-termination requirement as
// says_hello(). Kept as a separate function rather than a shared matcher so
// that the comparisons for each word are distinct branches.
bool says_world(const char* word) {
  if (word[0] != 'w') {
    return false;
  }
  if (word[1] != 'o') {
    return false;
  }
  if (word[2] != 'r') {
    return false;
  }
  if (word[3] != 'l') {
    return false;
  }
  return word[4] == 'd';
}

// The function the fuzzer targets. Traps -- the simulated crash -- exactly
// when word1 begins with "hello" and word2 begins with "world". Both words
// are always examined, so a word1 mismatch still exercises the word2 branches.
void toy_example(const char* word1, const char* word2) {
  const bool greeted = says_hello(word1);
  const bool worlded = says_world(word2);
  if (greeted && worlded) {
    // Our "defect", simulating a crash.
    __builtin_trap();
  }
}

}  // namespace
63 
64 // The fuzz target function
// libFuzzer entry point. `data`/`size` is one fuzzer-generated input; the
// fuzzer invokes this repeatedly, so the body must be deterministic and keep
// no state between calls.
//
// The input is interpreted as two consecutive NUL-terminated strings. Inputs
// without two terminators are rejected before reaching the target; that is
// what keeps toy_example()'s `word[i]` reads inside the buffer, since it stops
// at the first mismatching byte (the terminator included).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const std::span<const char> bytes(reinterpret_cast<const char*>(data), size);

  // First string: the bytes up to and including the first NUL. An input with
  // no NUL at all is uninteresting; returning early lets the fuzzer learn that.
  const pw::Result<size_t> first_length =
      pw::string::NullTerminatedLength(bytes);
  if (!first_length.ok()) {
    return 0;
  }
  const size_t first_string_bytes = first_length.value() + 1;  // +1 for NUL

  // Second string: everything after the first terminator, which must itself
  // be NUL-terminated within the remaining bytes.
  const std::span<const char> rest = bytes.subspan(first_string_bytes);
  if (!pw::string::NullTerminatedLength(rest).ok()) {
    return 0;
  }

  // Hand both strings to the code under test.
  toy_example(bytes.data(), rest.data());

  // By convention a fuzz target returns 0 (libFuzzer reserves other values).
  return 0;
}
91