1 /*
2  * Copyright 2016 Google Inc.
3  *
4  * Use of this source code is governed by a BSD-style license that can be
5  * found in the LICENSE file.
6  */
7 
8 #ifndef Fuzz_DEFINED
9 #define Fuzz_DEFINED
10 
11 #include "include/core/SkData.h"
12 #include "include/core/SkImageFilter.h"
13 #include "include/core/SkRegion.h"
14 #include "include/core/SkTypes.h"
15 #include "include/private/base/SkMalloc.h"
16 #include "include/private/base/SkTFitsIn.h"
17 #include "tools/Registry.h"
18 
19 #include <limits>
20 #include <cmath>
21 #include <signal.h>
22 #include <limits>
23 
// Fuzz hands fuzzer-supplied bytes to a fuzz target as typed values.
//
// It holds the input buffer (fBytes) and a cursor (fNextByte) that counts how
// many bytes have been consumed so far. Every typed read in this header goes
// through nextBytes(), whose definition is not in this header; what happens
// when fewer bytes remain than were requested is decided there.
class Fuzz {
public:
    // Wraps the fuzzer-provided input; the cursor starts at byte 0.
    explicit Fuzz(sk_sp<SkData> bytes)
        : fBytes(bytes)
        , fNextByte(0) {}
    Fuzz() = delete;

    // Copy construction and copy assignment are disabled.
    Fuzz(Fuzz&) = delete;
    Fuzz& operator=(Fuzz&) = delete;

    // Total number of "random" bytes in the input, consumed or not.
    size_t size() { return fBytes->size(); }

    // True once every input byte has been consumed.
    bool exhausted() { return this->remaining() == 0; }

    // Number of input bytes not yet consumed.
    // The subtraction is unsigned, so the result is only meaningful while
    // fNextByte <= size(). NOTE(review): nextBytes() is presumably what
    // maintains that bound; confirm against its definition.
    size_t remaining() {
        const size_t total = fBytes->size();
        return total - fNextByte;
    }

    // Marks the whole input as consumed without reading it.
    void deplete() { fNextByte = this->size(); }

    // next() writes fuzzed bytes into the object passed by pointer instead of
    // returning a value. The order in which function arguments are evaluated
    // differs between compilers: if successive reads produced 5 and then 7,
    // foo(fuzz->next(), fuzz->next()) could be foo(5, 7) with GCC and
    // foo(7, 5) with Clang. Taking an out-pointer forces callers to write one
    // statement per read, so bytes are consumed in a single
    // platform-independent order and a saved input replays identically.
    //
    // The bytes are copied raw into *t (sizeof(T) of them), so the result can
    // be any bit pattern of T; use nextRange()/nextEnum() when the value must
    // be constrained.
    template <typename T>
    void next(T* t) {
        constexpr size_t kByteCount = sizeof(T);
        this->nextBytes(t, kByteCount);
    }

    // Fills several out-pointers in one call, strictly left to right.
    template <typename Arg, typename... Args>
    void next(Arg* first, Args... rest);

    // Produces a value clamped to the closed interval [min, max].
    template <typename T, typename Min, typename Max>
    void nextRange(T*, Min, Max);

    // nextRange-style helper for enums; see the definition for the exact bounds.
    template <typename T>
    void nextEnum(T* ptr, T max);

    // Fills n consecutive T objects starting at ptr (n * sizeof(T) bytes).
    // The caller owns the bounds check: ptr must have room for n elements.
    template <typename T>
    void nextN(T* ptr, int n);

    // Reports to the fuzzing engine that the current input exposed a bug by
    // logging a marker line and raising SIGSEGV.
    // raise() can return if the signal is handled or ignored, so code after a
    // signalBug() call should not assume it is unreachable.
    void signalBug() {
        SkDebugf("Signal bug\n");
        raise(SIGSEGV);
    }

    // Overloads for types where raw random bytes do not make sense.
    void next(bool* b);
    void next(SkRegion* region);

    // Convenience wrapper returning one fuzzed bool.
    // The local is deliberately left uninitialized; next(bool*) is declared
    // above and defined elsewhere. NOTE(review): this relies on that overload
    // always writing its argument, even when the input is exhausted; confirm.
    bool nextBool() {
        bool result;
        this->next(&result);
        return result;
    }

    // Float overload of nextRange; defined elsewhere.
    void nextRange(float* f, float min, float max);

private:
    template <typename T>
    T nextT();

    sk_sp<SkData> fBytes;   // the fuzzer-provided input
    size_t fNextByte;       // offset of the next unconsumed byte in fBytes

    // Single choke point through which every typed read consumes input.
    void nextBytes(void* ptr, size_t size);

    friend void fuzz__MakeEncoderCorpus(Fuzz*);
};
103 
// Variadic next(): fills `first`, then recurses on the remaining pointers.
// Two separate statements (rather than one expression) keep the consumption
// order left-to-right on every compiler, which is the whole point of the
// out-pointer API.
template <typename Arg, typename... Args>
inline void Fuzz::next(Arg* first, Args... rest) {
    // Head of the pack first.
    this->next(first);
    // Then the tail; with one pointer left this resolves to a single-argument
    // next() overload and the recursion ends.
    this->next(rest...);
}
109 
// Reads one T-sized value from the input and clamps it into [min, max].
//
// The read and the clamp are done on sk_strip_enum<T>::type rather than on T
// itself, because UBSAN complains if an enum holds an out-of-range value,
// even temporarily.
//
// min and max are converted to that raw type with a plain cast, so a bound
// that does not fit in it is silently converted rather than rejected; callers
// are responsible for passing bounds representable in T.
template <typename T, typename Min, typename Max>
inline void Fuzz::nextRange(T* value, Min min, Max max) {
    using Raw = typename sk_strip_enum<T>::type;

    Raw raw;
    this->next(&raw);

    const Raw lowest  = (Raw)min;
    const Raw highest = (Raw)max;

    // Two independent checks, lower bound first, then upper bound.
    if (raw < lowest) {
        raw = lowest;
    }
    if (raw > highest) {
        raw = highest;
    }

    *value = (T)raw;
}
121 
// Reads a value of T's underlying type and stores it in *value, clamped to
// [0, max].
//
// The clamp happens on the underlying integer before anything is converted to
// T, because UBSAN asserts when an invalid value is put into an enum. Enums
// may be represented differently on Windows than on Linux; that cannot be
// fixed here.
//
// Only the two ends are enforced: any underlying value between 0 and max is
// accepted, whether or not it names an enumerator.
template <typename T>
inline void Fuzz::nextEnum(T* value, T max) {
    using U = typename std::underlying_type<T>::type;

    U drawn;
    this->next(&drawn);

    // Only the selected branch is evaluated, so an out-of-range `drawn` is
    // never converted to T.
    *value = (drawn < (U)0)   ? (T)0
           : (drawn > (U)max) ? (T)max
                              : (T)drawn;
}
134 
// Fills ptr[0] .. ptr[n-1] from the input, one element at a time and in
// index order. Does nothing when n <= 0.
//
// No bounds are checked here: the caller must guarantee that ptr points to
// storage for at least n elements of T.
template <typename T>
inline void Fuzz::nextN(T* ptr, int n) {
    int filled = 0;
    while (filled < n) {
        this->next(&ptr[filled]);
        ++filled;
    }
}
141 
// One registered fuzz target: a name paired with its entry point.
// Member order matters, because DEF_FUZZ brace-initializes this struct as
// {name, function}.
struct Fuzzable {
    // Target name; DEF_FUZZ fills it with the stringized macro argument.
    const char* name;

    // Entry point, called with the Fuzz object that supplies the input bytes.
    void (*fn)(Fuzz*);
};
146 
// DEF_FUZZ(name, f) { ... } defines a fuzz target. It expands to:
//   1. a forward declaration of fuzz_<name>(Fuzz*),
//   2. a global sk_tools::Registry<Fuzzable> object, register_<name>,
//      constructed from {"<name>", fuzz_<name>},
//   3. the head of the definition of fuzz_<name>, with `f` naming the Fuzz*
//      parameter; the braces that follow the macro become its body.
//
// Neither symbol is static, so that the targets can be linked into oss-fuzz
// harnesses if we like. The flip side is that both have external linkage, so
// each target name must be unique across everything linked into one binary.
#define DEF_FUZZ(name, f) \
    void fuzz_##name(Fuzz*); \
    sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
    void fuzz_##name(Fuzz* f)
152 
153 #endif//Fuzz_DEFINED
154