RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-10-20 11:33:24 +02:00
Code Issues Projects Releases Wiki Activity

[fuzzer] Don't crash if LLVMFuzzerMutate was called by CustomCrossOver

Browse Source 
Reviewers: kcc

Subscribers: llvm-commits, mgorny

Differential Revision: https://reviews.llvm.org/D30682

llvm-svn: 297202
This commit is contained in:
Vitaly Buka 2017-03-07 20:37:38 +00:00
parent bd9c78a9e8
commit 81f371398b
5 changed files with 40 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/Fuzzer/FuzzerMutate.cpp
View File

@ -81,8 +81,8 @@ size_t MutationDispatcher::Mutate_CustomCrossOver(uint8_t *Data, size_t Size,
const Unit &Other = (*Corpus)[Idx]; const Unit &Other = (*Corpus)[Idx];
if (Other.empty()) if (Other.empty())
return 0; return 0;
MutateInPlaceHere.resize(MaxSize); CustomCrossOverInPlaceHere.resize(MaxSize);
auto &U = MutateInPlaceHere; auto &U = CustomCrossOverInPlaceHere;
size_t NewSize = EF->LLVMFuzzerCustomCrossOver( size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand()); Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
if (!NewSize) if (!NewSize)

3
lib/Fuzzer/FuzzerMutate.h
View File

@ -143,6 +143,9 @@ private:
const InputCorpus *Corpus = nullptr; const InputCorpus *Corpus = nullptr;
std::vector<uint8_t> MutateInPlaceHere; std::vector<uint8_t> MutateInPlaceHere;
// CustomCrossOver needs its own buffer as a custom implementation may call
// LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
std::vector<uint8_t> CustomCrossOverInPlaceHere;
std::vector<Mutator> Mutators; std::vector<Mutator> Mutators;
std::vector<Mutator> DefaultMutators; std::vector<Mutator> DefaultMutators;

1
lib/Fuzzer/test/CMakeLists.txt
View File

@ -80,6 +80,7 @@ set(Tests
BufferOverflowOnInput BufferOverflowOnInput
CallerCalleeTest CallerCalleeTest
CounterTest CounterTest
CustomCrossOverAndMutateTest
CustomCrossOverTest CustomCrossOverTest
CustomMutatorTest CustomMutatorTest
CxxStringEqTest CxxStringEqTest

33
lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp Normal file
View File

@ -0,0 +1,33 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test that libFuzzer does not crash when LLVMFuzzerMutate called from
// LLVMFuzzerCustomCrossOver.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <string.h>
#include <vector>
#include "FuzzerInterface.h"
static volatile int sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
std::string Str(reinterpret_cast<const char *>(Data), Size);
if (Size && Data[0] == '0')
sink++;
return 0;
}
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
const uint8_t *Data2, size_t Size2,
uint8_t *Out, size_t MaxOutSize,
unsigned int Seed) {
std::vector<uint8_t> Buffer(MaxOutSize * 10);
LLVMFuzzerMutate(Buffer.data(), Buffer.size(), Buffer.size());
size_t Size = std::min<size_t>(Size1, MaxOutSize);
memcpy(Out, Data1, Size);
return Size;
}

1
lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test Normal file
View File

@ -0,0 +1 @@
RUN: LLVMFuzzer-CustomCrossOverAndMutateTest -seed=1 -use_memcmp=0 -runs=100000