/*
* Copyright 2016 Google Inc.
*
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef Fuzz_DEFINED
#define Fuzz_DEFINED
#include "SkData.h"
#include "../tools/Registry.h"
#include "SkMalloc.h"
#include "SkTypes.h"
#include <cmath>
// Fuzz wraps a byte buffer (the fuzzer-supplied input) and hands out its
// contents, in order, as values of caller-chosen types. The read position
// only ever moves forward; once the buffer is used up, reads are zero-filled
// (see next(T*) below).
class Fuzz : SkNoncopyable {
public:
    explicit Fuzz(sk_sp<SkData>);

    // Returns the total number of "random" bytes available.
    size_t size();

    // Returns if there are no bytes remaining for fuzzing.
    bool exhausted();

    // next() loads fuzzed bytes into the variable passed in by pointer.
    // We use this approach instead of T next() because different compilers
    // evaluate function parameters in different orders. If fuzz->next()
    // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
    // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
    // By requiring params to be passed in, we avoid the temptation to call
    // next() in a way that does not consume fuzzed bytes in a single
    // platform-independent order.
    // If fewer than sizeof(T) bytes remain, the remainder is copied and the
    // rest of *t is zero-filled; the buffer is then exhausted.
    template <typename T>
    void next(T* t);

    // This is a convenient way to initialize more than one argument at a time.
    // Arguments are consumed left to right: first, then each of rest in order.
    template <typename Arg, typename... Args>
    void next(Arg* first, Args... rest);

    // nextRange returns values only in [min, max].
    // min > max is treated as harness misuse and reported via signalBug()
    // (see the integral definition below).
    template <typename T, typename Min, typename Max>
    void nextRange(T*, Min, Max);

    // nextN loads n * sizeof(T) bytes into ptr, one element at a time via
    // next(T*); n <= 0 loads nothing.
    template <typename T>
    void nextN(T* ptr, int n);

    void signalBug(); // Tell afl-fuzz these inputs found a bug.

private:
    // Declared here but not defined in this header.
    template <typename T>
    T nextT();

    sk_sp<SkData> fBytes;   // the fuzz input bytes
    size_t fNextByte;       // offset of the next unread byte within fBytes
};
// bool specialization: a bool object may only hold 0 or 1 (UBSAN enforces
// this), so a raw byte is never memcpy'd into it. One byte is consumed and
// its low bit decides the value.
template <>
inline void Fuzz::next(bool* b) {
    uint8_t raw;
    this->next(&raw);
    *b = (raw & 1) != 0;
}
// Generic read: copies the next sizeof(T) bytes of the input into *n and
// advances the read position. On a short read (fewer than sizeof(T) bytes
// left) the available bytes land at the start of *n, the rest is zeroed,
// and the buffer is marked fully consumed.
// NOTE(review): the bytes are memcpy'd, so this presumably expects T to be
// trivially copyable — confirm at call sites.
template <typename T>
inline void Fuzz::next(T* n) {
    const size_t total = fBytes->size();
    const size_t remaining = total - fNextByte;
    const uint8_t* src = fBytes->bytes() + fNextByte;

    if (remaining >= sizeof(T)) {
        memcpy(n, src, sizeof(T));
        fNextByte += sizeof(T);
        return;
    }

    // Short read: zero-fill, copy what is left, and exhaust the buffer.
    sk_bzero(n, sizeof(T));
    memcpy(n, src, remaining);
    fNextByte = total;
}
// Multi-argument read. The recursion fixes the consumption order: `first`
// is filled before any element of `rest`, and `rest` is filled left to right,
// regardless of the compiler's argument-evaluation order.
template <typename Arg, typename... Args>
inline void Fuzz::next(Arg* first, Args... rest) {
    this->next(first);      // head
    this->next(rest...);    // tail, recursively (ends at the single-pointer overload)
}
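// float specialization of nextRange. Non-finite and subnormal draws are
// replaced by max before folding; the fold itself is std::fmod over the span
// of the range.
// Result: a value in [min, max]. The fold yields [min, max) and a final clamp
// absorbs any rounding overshoot; min == max yields min. An inverted range
// (min > max) is reported via signalBug(), mirroring the integral overload.
// Fix: the divisor used to be (max - min + 1), which let the result reach up
// to max + 1 for float ranges although the documented contract is [min, max].
// NOTE(review): this changes the byte-to-value mapping, so stored fuzz inputs
// that exercised float ranges will replay differently.
template <>
inline void Fuzz::nextRange(float* f, float min, float max) {
    this->next(f);
    if (!std::isnormal(*f) && *f != 0.0f) {
        // Don't deal with infinity, NaN or other strange floats.
        *f = max;
    }
    if (min > max) {
        // Avoid misuse of nextRange (same policy as the integral overload).
        this->signalBug();
    }
    if (!(min < max)) {
        // Degenerate (or, if signalBug() returned, inverted) range: the only
        // admissible value is min. This also avoids std::fmod(x, 0) == NaN.
        *f = min;
        return;
    }
    // |*f| mod span lies in [0, span), so min + it lies in [min, max).
    *f = min + std::fmod(std::abs(*f), max - min);
    if (*f > max) {
        *f = max;  // min + r may round one ulp past max; keep the contract
    }
}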
// Generic (integral) nextRange. Min and Max are deduced independently of T,
// presumably so that literal bounds can be passed without casts. The drawn
// value is made non-negative and then folded into [min, max] with a modulo.
// NOTE(review): std::numeric_limits is used without an explicit <limits>
// include; it currently arrives transitively.
template <typename T, typename Min, typename Max>
inline void Fuzz::nextRange(T* n, Min min, Max max) {
    this->next<T>(n);
    if (min == max) {
        *n = min;
        return;
    }
    if (min > max) {
        // Avoid misuse of nextRange
        // Note that execution continues after signalBug() returns.
        this->signalBug();
    }
    if (*n < 0) { // Handle negatives
        // Flip to the non-negative value of the same magnitude. lowest() has
        // no representable negation for two's-complement signed T, so it is
        // mapped to max() instead of overflowing.
        if (*n != std::numeric_limits<T>::lowest()) {
            *n *= -1;
        }
        else {
            *n = std::numeric_limits<T>::max();
        }
    }
    // The size_t cast makes the span arithmetic unsigned and therefore
    // well-defined (mod 2^N) even when min is negative; for min <= max the
    // wrapped result equals max - min + 1, so the modulo lands in [0, max-min].
    // NOTE(review): a span of exactly 2^N (e.g. the full range of size_t)
    // wraps to 0 and would divide by zero here — confirm no caller does that.
    *n = min + (*n % ((size_t)max - min + 1));
}
// Fills ptr[0..n) element by element through next(T*), so each element gets
// that overload's short-read (zero-fill) handling. n <= 0 reads nothing.
template <typename T>
inline void Fuzz::nextN(T* ptr, int n) {
    for (int idx = 0; idx < n; ++idx) {
        this->next(&ptr[idx]);
    }
}
// A registered fuzz target: its name and the function invoked with the fuzz
// input. Instances are created and registered by DEF_FUZZ below.
struct Fuzzable {
    const char* name;
    void (*fn)(Fuzz*);
};
// DEF_FUZZ(name, f) forward-declares a file-local fuzz target fuzz_<name>,
// registers it in the sk_tools::Registry of Fuzzables under the string
// "<name>" via a namespace-scope object (i.e. during static initialization),
// and ends with the function header so the body follows the invocation:
//     DEF_FUZZ(Foo, fuzz) { /* reads from fuzz */ }
#define DEF_FUZZ(name, f) \
    static void fuzz_##name(Fuzz*); \
    sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
    static void fuzz_##name(Fuzz* f)
#endif//Fuzz_DEFINED