fuzz.h File Reference
#include <stddef.h>
#include <stdint.h>


Macros

#define FUZZ_RNG_SEED_SIZE   4
 

Functions

int LLVMFuzzerTestOneInput (const uint8_t *src, size_t size)
 

Macro Definition Documentation

◆ FUZZ_RNG_SEED_SIZE

#define FUZZ_RNG_SEED_SIZE   4

Fuzz target interface. Fuzz targets have some common parameters passed as macros during compilation. Check the documentation for each individual fuzzer for more parameters.

Parameters
FUZZ_RNG_SEED_SIZE — The number of bytes of the source to look at when constructing a seed for the deterministic RNG. These bytes are discarded before passing the data to lz4 functions. Every fuzzer initializes the RNG exactly once before doing anything else, even if it is unused. Default: 4.
LZ4_DEBUG — This is a parameter for the lz4 library. Defining LZ4_DEBUG=1 enables assert() statements in the lz4 library. Higher levels enable logging, so they aren't recommended. Defining LZ4_DEBUG=1 is recommended.
LZ4_FORCE_MEMORY_ACCESS — This flag controls how the zstd library accesses unaligned memory. It can be undefined, or 0 through 2. If it is undefined, the method to use is selected based on the compiler. If testing with UBSAN, set MEM_FORCE_MEMORY_ACCESS=0 to use the standard-compliant method.
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION — This is the canonical flag to enable deterministic builds for fuzzing. Changes to zstd for fuzzing are gated behind this define. It is recommended to define this when building zstd for fuzzing.

Definition at line 32 of file fuzz.h.

Function Documentation

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)

This fuzz target attempts to compress the fuzzed data with the simple compression function, using an output buffer that may be too small, to ensure that the compressor never crashes.

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

This fuzz target performs a lz4 round-trip test (compress & decompress), compares the result with the original, and calls abort() on corruption.

This fuzz target attempts to compress the fuzzed data with the simple compression function, using an output buffer that may be too small, to ensure that the compressor never crashes.

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

This fuzz target performs a lz4 round-trip test (compress & decompress), compares the result with the original, and calls abort() on corruption.

Definition at line 180 of file fuzz_diff.c.

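/*
 * Differential fuzz target: disassemble one instruction with both LLVM and
 * capstone and abort() if the two disassemblers disagree.
 *
 * Input layout: Data[0] selects an entry of platforms[] (arch + mode); the
 * remaining bytes are the instruction stream. Inputs longer than 0x1000
 * bytes are truncated. Always returns 0 (libFuzzer ignores the value);
 * mismatches and capstone decode failures are reported via abort().
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
	csh handle;
	cs_insn *insn;
	cs_err err;
	uint64_t address = 0x1000;
	char LLVMAssemblyText[80];
	char CapstoneAssemblyText[80];

	if (Size < 1) {
		// 1 byte for arch choice
		return 0;
	} else if (Size > 0x1000) {
		// limit input to 4kb
		Size = 0x1000;
	}
	if (outfile == NULL) {
		// we compute the output; the sink is opened once per process,
		// and the LLVM side is initialised on the same first call
		outfile = fopen("/dev/null", "w");
		if (outfile == NULL) {
			return 0;
		}
		LLVMFuzzerInit();
	}

	// The arch selector must index platforms[]; reject anything out of range.
	if (Data[0] >= sizeof(platforms) / sizeof(platforms[0])) {
		return 0;
	}

	// LLVM goes first; a return of 1 ends the case with nothing to compare
	// (presumably an input LLVM cannot decode — confirm against fuzz_llvm.cpp).
	if (LLVMFuzzerReturnOneInput(Data, Size, LLVMAssemblyText) == 1) {
		return 0;
	}

	err = cs_open(platforms[Data[0]].arch, platforms[Data[0]].mode, &handle);
	if (err) {
		return 0;
	}

	insn = cs_malloc(handle);
	// Fuzz builds keep assert() live; the explicit check also covers NDEBUG
	// builds, where a NULL insn would otherwise reach cs_disasm_iter().
	assert(insn);
	if (insn == NULL) {
		cs_close(&handle);
		return 0;
	}

	// Skip the arch selector byte; cs_disasm_iter() advances Data/Size in place.
	Data++;
	Size--;
	if (cs_disasm_iter(handle, &Data, &Size, &address, insn)) {
		snprintf(CapstoneAssemblyText, sizeof CapstoneAssemblyText, "\t%s\t%s",
			insn->mnemonic, insn->op_str);
		if (strcmp(CapstoneAssemblyText, LLVMAssemblyText) != 0) {
			printf("capstone %s != llvm %s", CapstoneAssemblyText, LLVMAssemblyText);
			// abort() does not flush stdio buffers; flush so the
			// diagnostic is not lost when stdout is a pipe or file.
			fflush(stdout);
			abort();
		}
	} else {
		printf("capstone failed with llvm %s", LLVMAssemblyText);
		fflush(stdout);
		abort();
	}
	cs_free(insn, 1);
	cs_close(&handle);

	return 0;
}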

References compressBound(), compressedSize, DEBUGLOG, decompress(), dst, error(), f, free(), FUZZ_ASSERT, FUZZ_ASSERT_MSG, FUZZ_dataProducer_create(), FUZZ_dataProducer_free(), FUZZ_dataProducer_preferences(), FUZZ_dataProducer_range32(), FUZZ_dataProducer_remainingBytes(), FUZZ_dataProducer_retrieve32(), FUZZ_decompressFrame(), FUZZ_getRange_from_uint32(), FUZZ_seed(), i, level, LZ4_compress_default(), LZ4_compress_destSize(), LZ4_compress_HC(), LZ4_compress_HC_destSize(), LZ4_compressBound(), LZ4_decompress_safe(), LZ4_decompress_safe_partial(), LZ4_decompress_safe_usingDict(), LZ4_sizeofStateHC(), LZ4F_compressFrame(), LZ4F_compressFrameBound(), LZ4F_createDecompressionContext(), LZ4F_freeDecompressionContext(), LZ4F_isError(), LZ4F_VERSION, LZ4HC_CLEVEL_MAX, LZ4HC_CLEVEL_MIN, malloc(), MAX, memcpy(), memset(), n, NULL, roundTrips, src, LZ4F_decompressOptions_t::stableDst, state_checkRoundTrip(), state_create(), state_free(), state_reset(), za, zip_close(), zip_error_fini(), zip_error_init(), zip_fclose(), zip_fopen_index(), zip_fread(), zip_get_num_entries(), zip_open_from_source(), zip_source_buffer_create(), and zip_source_free().