// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <memory>

#include "base/compiler_specific.h"
#include "base/containers/span.h"

// Tries to use a dangling pointer, triggers a UaF crash under ASAN.
//
// Deliberately faulty: the raw pointer obtained from `ptr.get()` is read
// after the owning unique_ptr has released the allocation, so the
// dereference is undefined behaviour. Under AddressSanitizer this is
// reported as a heap-use-after-free; without a sanitizer the returned
// value is unspecified. That is the intended outcome: this function is a
// known-bad target used to confirm that the sanitizer / crash-reporting
// pipeline around the fuzzer actually detects a use-after-free.
// NOINLINE presumably keeps TriggerUAF() as its own frame in the reported
// stack so the crash is attributable to it - confirm against the build.
NOINLINE int TriggerUAF() {
  auto ptr = std::make_unique<int>(0);
  int* dangling = ptr.get();
  ptr = nullptr;     // Frees the int; `dangling` now points at freed memory.
  return *dangling;  // Intentional use-after-free read.
}

// libFuzzer entry point. Views the input as a byte string and calls the
// deliberate use-after-free only when the input is exactly the three bytes
// "uaf" (string_view equality is an exact length-and-content match); any
// other input, including an empty one, returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // SAFETY: libFuzzer and compatible fuzzing engines pass valid data.
  // UNSAFE_BUFFERS wraps the pointer+length span construction that the
  // unsafe-buffers checks would otherwise reject; the fuzzing engine's
  // contract that (data, size) is a valid range is what justifies it here.
  auto bytes = UNSAFE_BUFFERS(base::span(data, size));
  auto str = base::as_string_view(bytes);

  if (str == "uaf") {
    return TriggerUAF();
  }
  return 0;
}