1 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
2 // See https://llvm.org/LICENSE.txt for license information.
3 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
4 
5 // A fuzz target that consumes a Zlib-compressed input.
6 // This test verifies that we can find this bug with a custom mutator.
7 #include <cstddef>
8 #include <cstdint>
9 #include <cstdio>
10 #include <cstdlib>
11 #include <zlib.h>
12 
13 // The fuzz target.
14 // Uncompress the data, crash on input starting with "FU".
15 // Good luck finding this w/o a custom mutator. :)
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)16 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
17   uint8_t Uncompressed[100];
18   size_t UncompressedLen = sizeof(Uncompressed);
19   if (Z_OK != uncompress(Uncompressed, &UncompressedLen, Data, Size))
20     return 0;
21   if (UncompressedLen < 2) return 0;
22   if (Uncompressed[0] == 'F' && Uncompressed[1] == 'U')
23     abort();  // Boom
24   return 0;
25 }
26 
27 #ifdef CUSTOM_MUTATOR
28 
29 // Forward-declare the libFuzzer's mutator callback.
30 extern "C" size_t
31 LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
32 
33 // The custom mutator:
34 //   * deserialize the data (in this case, uncompress).
35 //     * If the data doesn't deserialize, create a properly serialized dummy.
36 //   * Mutate the deserialized data (in this case, just call LLVMFuzzerMutate).
37 //   * Serialize the mutated data (in this case, compress).
LLVMFuzzerCustomMutator(uint8_t * Data,size_t Size,size_t MaxSize,unsigned int Seed)38 extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
39                                           size_t MaxSize, unsigned int Seed) {
40   uint8_t Uncompressed[100];
41   size_t UncompressedLen = sizeof(Uncompressed);
42   size_t CompressedLen = MaxSize;
43   if (Z_OK != uncompress(Uncompressed, &UncompressedLen, Data, Size)) {
44     // The data didn't uncompress.
45     // So, it's either a broken input and we want to ignore it,
46     // or we've started fuzzing from an empty corpus and we need to supply
47     // out first properly compressed input.
48     uint8_t Dummy[] = {'H', 'i'};
49     if (Z_OK != compress(Data, &CompressedLen, Dummy, sizeof(Dummy)))
50       return 0;
51     // fprintf(stderr, "Dummy: max %zd res %zd\n", MaxSize, CompressedLen);
52     return CompressedLen;
53   }
54   UncompressedLen =
55       LLVMFuzzerMutate(Uncompressed, UncompressedLen, sizeof(Uncompressed));
56   if (Z_OK != compress(Data, &CompressedLen, Uncompressed, UncompressedLen))
57     return 0;
58   return CompressedLen;
59 }
60 
61 #endif  // CUSTOM_MUTATOR
62