mirror of
https://github.com/fmtlib/fmt.git
synced 2024-09-15 15:13:22 +00:00
Cleanup fuzzing
This commit is contained in:
Victor Zverovich
parent
63e40c9614
commit
82c4e2236a
@ -6,9 +6,9 @@
|
||||
|
||||
#include "fuzzer-common.h"
|
||||
|
||||
template <typename Item, typename Ratio>
|
||||
void invoke_inner(fmt::string_view format_str, Item item) {
|
||||
auto value = std::chrono::duration<Item, Ratio>(item);
|
||||
template <typename Period, typename Rep>
|
||||
void invoke_inner(fmt::string_view format_str, Rep rep) {
|
||||
auto value = std::chrono::duration<Rep, Period>(rep);
|
||||
try {
|
||||
#if FMT_FUZZ_FORMAT_TO_STRING
|
||||
std::string message = fmt::format(format_str, value);
|
||||
@ -20,71 +20,67 @@ void invoke_inner(fmt::string_view format_str, Item item) {
|
||||
}
|
||||
}
|
||||
|
||||
// Item is the underlying type for duration (int, long, etc.)
|
||||
template <typename Item>
|
||||
void invoke_outer(const uint8_t* data, size_t size, int scaling) {
|
||||
// Rep is a duration's representation type.
|
||||
template <typename Rep>
|
||||
void invoke_outer(const uint8_t* data, size_t size, int period) {
|
||||
// Always use a fixed location of the data.
|
||||
using fmt_fuzzer::nfixed;
|
||||
static_assert(sizeof(Rep) <= fixed_size, "fixed size is too small");
|
||||
if (size <= fixed_size + 1) return;
|
||||
|
||||
static_assert(sizeof(Item) <= nfixed, "fixed size is too small");
|
||||
if (size <= nfixed + 1) return;
|
||||
|
||||
const Item item = fmt_fuzzer::assignFromBuf<Item>(data);
|
||||
|
||||
// Fast forward.
|
||||
data += nfixed;
|
||||
size -= nfixed;
|
||||
const Rep rep = assign_from_buf<Rep>(data);
|
||||
data += fixed_size;
|
||||
size -= fixed_size;
|
||||
|
||||
// data is already allocated separately in libFuzzer so reading past the end
|
||||
// will most likely be detected anyway.
|
||||
const auto format_str = fmt::string_view(fmt_fuzzer::as_chars(data), size);
|
||||
const auto format_str = fmt::string_view(as_chars(data), size);
|
||||
|
||||
// yocto, zepto, zetta and yotta are not handled.
|
||||
switch (scaling) {
|
||||
switch (period) {
|
||||
case 1:
|
||||
invoke_inner<Item, std::atto>(format_str, item);
|
||||
invoke_inner<std::atto>(format_str, rep);
|
||||
break;
|
||||
case 2:
|
||||
invoke_inner<Item, std::femto>(format_str, item);
|
||||
invoke_inner<std::femto>(format_str, rep);
|
||||
break;
|
||||
case 3:
|
||||
invoke_inner<Item, std::pico>(format_str, item);
|
||||
invoke_inner<std::pico>(format_str, rep);
|
||||
break;
|
||||
case 4:
|
||||
invoke_inner<Item, std::nano>(format_str, item);
|
||||
invoke_inner<std::nano>(format_str, rep);
|
||||
break;
|
||||
case 5:
|
||||
invoke_inner<Item, std::micro>(format_str, item);
|
||||
invoke_inner<std::micro>(format_str, rep);
|
||||
break;
|
||||
case 6:
|
||||
invoke_inner<Item, std::milli>(format_str, item);
|
||||
invoke_inner<std::milli>(format_str, rep);
|
||||
break;
|
||||
case 7:
|
||||
invoke_inner<Item, std::centi>(format_str, item);
|
||||
invoke_inner<std::centi>(format_str, rep);
|
||||
break;
|
||||
case 8:
|
||||
invoke_inner<Item, std::deci>(format_str, item);
|
||||
invoke_inner<std::deci>(format_str, rep);
|
||||
break;
|
||||
case 9:
|
||||
invoke_inner<Item, std::deca>(format_str, item);
|
||||
invoke_inner<std::deca>(format_str, rep);
|
||||
break;
|
||||
case 10:
|
||||
invoke_inner<Item, std::kilo>(format_str, item);
|
||||
invoke_inner<std::kilo>(format_str, rep);
|
||||
break;
|
||||
case 11:
|
||||
invoke_inner<Item, std::mega>(format_str, item);
|
||||
invoke_inner<std::mega>(format_str, rep);
|
||||
break;
|
||||
case 12:
|
||||
invoke_inner<Item, std::giga>(format_str, item);
|
||||
invoke_inner<std::giga>(format_str, rep);
|
||||
break;
|
||||
case 13:
|
||||
invoke_inner<Item, std::tera>(format_str, item);
|
||||
invoke_inner<std::tera>(format_str, rep);
|
||||
break;
|
||||
case 14:
|
||||
invoke_inner<Item, std::peta>(format_str, item);
|
||||
invoke_inner<std::peta>(format_str, rep);
|
||||
break;
|
||||
case 15:
|
||||
invoke_inner<Item, std::exa>(format_str, item);
|
||||
invoke_inner<std::exa>(format_str, rep);
|
||||
}
|
||||
}
|
||||
|
||||
@ -92,46 +88,46 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
if (size <= 4) return 0;
|
||||
|
||||
const auto representation = data[0];
|
||||
const auto scaling = data[1];
|
||||
const auto period = data[1];
|
||||
data += 2;
|
||||
size -= 2;
|
||||
|
||||
switch (representation) {
|
||||
case 1:
|
||||
invoke_outer<char>(data, size, scaling);
|
||||
invoke_outer<char>(data, size, period);
|
||||
break;
|
||||
case 2:
|
||||
invoke_outer<signed char>(data, size, scaling);
|
||||
invoke_outer<signed char>(data, size, period);
|
||||
break;
|
||||
case 3:
|
||||
invoke_outer<unsigned char>(data, size, scaling);
|
||||
invoke_outer<unsigned char>(data, size, period);
|
||||
break;
|
||||
case 4:
|
||||
invoke_outer<short>(data, size, scaling);
|
||||
invoke_outer<short>(data, size, period);
|
||||
break;
|
||||
case 5:
|
||||
invoke_outer<unsigned short>(data, size, scaling);
|
||||
invoke_outer<unsigned short>(data, size, period);
|
||||
break;
|
||||
case 6:
|
||||
invoke_outer<int>(data, size, scaling);
|
||||
invoke_outer<int>(data, size, period);
|
||||
break;
|
||||
case 7:
|
||||
invoke_outer<unsigned int>(data, size, scaling);
|
||||
invoke_outer<unsigned int>(data, size, period);
|
||||
break;
|
||||
case 8:
|
||||
invoke_outer<long>(data, size, scaling);
|
||||
invoke_outer<long>(data, size, period);
|
||||
break;
|
||||
case 9:
|
||||
invoke_outer<unsigned long>(data, size, scaling);
|
||||
invoke_outer<unsigned long>(data, size, period);
|
||||
break;
|
||||
case 10:
|
||||
invoke_outer<float>(data, size, scaling);
|
||||
invoke_outer<float>(data, size, period);
|
||||
break;
|
||||
case 11:
|
||||
invoke_outer<double>(data, size, scaling);
|
||||
invoke_outer<double>(data, size, period);
|
||||
break;
|
||||
case 12:
|
||||
invoke_outer<long double>(data, size, scaling);
|
||||
invoke_outer<long double>(data, size, period);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
||||
@ -6,6 +6,9 @@
|
||||
|
||||
#include <cstdint> // std::uint8_t
|
||||
#include <cstring> // memcpy
|
||||
#include <vector>
|
||||
|
||||
#include <fmt/core.h>
|
||||
|
||||
// One can format to either a string, or a buffer. The latter is faster, but
|
||||
// one may be interested in formatting to a string instead to verify it works
|
||||
@ -18,13 +21,11 @@
|
||||
// the fuzzing.
|
||||
#define FMT_FUZZ_SEPARATE_ALLOCATION 1
|
||||
|
||||
namespace fmt_fuzzer {
|
||||
|
||||
// The size of the largest possible type in use.
|
||||
// To let the the fuzzer mutation be efficient at cross pollinating between
|
||||
// different types, use a fixed size format. The same bit pattern, interpreted
|
||||
// as another type, is likely interesting.
|
||||
constexpr auto nfixed = 16;
|
||||
constexpr auto fixed_size = 16;
|
||||
|
||||
// Casts data to a char pointer.
|
||||
template <typename T> inline const char* as_chars(const T* data) {
|
||||
@ -38,17 +39,37 @@ template <typename T> inline const std::uint8_t* as_bytes(const T* data) {
|
||||
|
||||
// Blits bytes from data to form an (assumed trivially constructible) object
|
||||
// of type Item.
|
||||
template <class Item> inline Item assignFromBuf(const std::uint8_t* data) {
|
||||
template <class Item> inline Item assign_from_buf(const std::uint8_t* data) {
|
||||
auto item = Item();
|
||||
std::memcpy(&item, data, sizeof(Item));
|
||||
return item;
|
||||
}
|
||||
|
||||
// Reads a boolean value by looking at the first byte from data.
|
||||
template <> inline bool assignFromBuf<bool>(const std::uint8_t* data) {
|
||||
template <> inline bool assign_from_buf<bool>(const std::uint8_t* data) {
|
||||
return *data != 0;
|
||||
}
|
||||
|
||||
} // namespace fmt_fuzzer
|
||||
struct data_to_string {
|
||||
#if FMT_FUZZ_SEPARATE_ALLOCATION
|
||||
std::vector<char> buffer;
|
||||
|
||||
data_to_string(const uint8_t* data, size_t size, bool add_terminator = false)
|
||||
: buffer(size + (add_terminator ? 1 : 0)) {
|
||||
std::memcpy(buffer.data(), data, size);
|
||||
}
|
||||
|
||||
fmt::string_view get() const { return {buffer.data(), buffer.size()}; }
|
||||
#else
|
||||
fmt::string_view sv;
|
||||
|
||||
data_to_string(const uint8_t* data, size_t size, bool = false)
|
||||
: str(as_chars(data), size) {}
|
||||
|
||||
fmt::string_view get() const { return sv; }
|
||||
#endif
|
||||
|
||||
const char* data() const { return get().data(); }
|
||||
};
|
||||
|
||||
#endif // FUZZER_COMMON_H
|
||||
|
||||
@ -17,6 +17,6 @@ int main(int argc, char** argv) {
|
||||
std::vector<char> buf(static_cast<size_t>(size));
|
||||
in.read(buf.data(), size);
|
||||
assert(in.gcount() == size);
|
||||
LLVMFuzzerTestOneInput(fmt_fuzzer::as_bytes(buf.data()), buf.size());
|
||||
LLVMFuzzerTestOneInput(as_bytes(buf.data()), buf.size());
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,54 +1,40 @@
|
||||
// Copyright (c) 2019, Paul Dreik
|
||||
// For the license information refer to format.h.
|
||||
|
||||
#include <fmt/chrono.h>
|
||||
|
||||
#include <cstdint>
|
||||
#include <type_traits>
|
||||
#include <vector>
|
||||
#include <fmt/chrono.h>
|
||||
|
||||
#include "fuzzer-common.h"
|
||||
|
||||
template <typename Item1>
|
||||
void invoke_fmt(const uint8_t* data, size_t size, unsigned int argsize) {
|
||||
static_assert(sizeof(Item1) <= fmt_fuzzer::nfixed, "nfixed too small");
|
||||
if (size <= fmt_fuzzer::nfixed) return;
|
||||
const Item1 item1 = fmt_fuzzer::assignFromBuf<Item1>(data);
|
||||
template <typename T>
|
||||
void invoke_fmt(const uint8_t* data, size_t size, unsigned arg_name_size) {
|
||||
static_assert(sizeof(T) <= fixed_size, "fixed_size too small");
|
||||
if (size <= fixed_size) return;
|
||||
const T value = assign_from_buf<T>(data);
|
||||
data += fixed_size;
|
||||
size -= fixed_size;
|
||||
|
||||
data += fmt_fuzzer::nfixed;
|
||||
size -= fmt_fuzzer::nfixed;
|
||||
|
||||
// How many chars should be used for the argument name?
|
||||
if (argsize <= 0 || argsize >= size) return;
|
||||
|
||||
#if FMT_FUZZ_SEPARATE_ALLOCATION
|
||||
std::vector<char> argnamebuffer(argsize + 1);
|
||||
std::memcpy(argnamebuffer.data(), data, argsize);
|
||||
auto argname = argnamebuffer.data();
|
||||
#else
|
||||
auto argname = fmt_fuzzer::as_chars(data);
|
||||
#endif
|
||||
data += argsize;
|
||||
size -= argsize;
|
||||
|
||||
#if FMT_FUZZ_SEPARATE_ALLOCATION
|
||||
std::vector<char> fmtstringbuffer(size);
|
||||
std::memcpy(fmtstringbuffer.data(), data, size);
|
||||
auto format_str = fmt::string_view(fmtstringbuffer.data(), size);
|
||||
#else
|
||||
auto format_str = fmt::string_view(fmt_fuzzer::as_chars(data), size);
|
||||
#endif
|
||||
if (arg_name_size <= 0 || arg_name_size >= size) return;
|
||||
data_to_string arg_name(data, arg_name_size, true);
|
||||
data += arg_name_size;
|
||||
size -= arg_name_size;
|
||||
|
||||
data_to_string format_str(data, size);
|
||||
#if FMT_FUZZ_FORMAT_TO_STRING
|
||||
std::string message = fmt::format(format_str, fmt::arg(argname, item1));
|
||||
std::string message =
|
||||
fmt::format(format_str.get(), fmt::arg(arg_name.data(), value));
|
||||
#else
|
||||
fmt::memory_buffer out;
|
||||
fmt::format_to(out, format_str, fmt::arg(argname, item1));
|
||||
fmt::format_to(out, format_str.get(), fmt::arg(arg_name.data(), value));
|
||||
#endif
|
||||
}
|
||||
|
||||
// For dynamic dispatching to an explicit instantiation.
|
||||
template <typename Callback> void invoke(int index, Callback callback) {
|
||||
switch (index) {
|
||||
template <typename Callback> void invoke(int type, Callback callback) {
|
||||
switch (type) {
|
||||
case 0:
|
||||
callback(bool());
|
||||
break;
|
||||
@ -100,14 +86,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
if (size <= 3) return 0;
|
||||
|
||||
// Switch types depending on the first byte of the input.
|
||||
const auto first = data[0] & 0x0F;
|
||||
const unsigned second = (data[0] & 0xF0) >> 4;
|
||||
const auto type = data[0] & 0x0F;
|
||||
const unsigned arg_name_size = (data[0] & 0xF0) >> 4;
|
||||
data++;
|
||||
size--;
|
||||
|
||||
try {
|
||||
invoke(first, [=](auto param1) {
|
||||
invoke_fmt<decltype(param1)>(data, size, second);
|
||||
invoke(type, [=](auto arg) {
|
||||
invoke_fmt<decltype(arg)>(data, size, arg_name_size);
|
||||
});
|
||||
} catch (std::exception&) {
|
||||
}
|
||||
|
||||
@ -2,63 +2,35 @@
|
||||
// For the license information refer to format.h.
|
||||
|
||||
#include <cstdint>
|
||||
#include <stdexcept>
|
||||
#include <type_traits>
|
||||
#include <vector>
|
||||
#include <exception>
|
||||
#include <fmt/chrono.h>
|
||||
|
||||
#include "fuzzer-common.h"
|
||||
|
||||
using fmt_fuzzer::nfixed;
|
||||
template <typename T, typename Repr>
|
||||
const T* from_repr(const Repr& r) { return &r; }
|
||||
|
||||
template <typename Item>
|
||||
void invoke_fmt(const uint8_t* data, size_t size) {
|
||||
constexpr auto N = sizeof(Item);
|
||||
static_assert(N <= nfixed, "Nfixed is too small");
|
||||
if (size <= nfixed) return;
|
||||
const Item item = fmt_fuzzer::assignFromBuf<Item>(data);
|
||||
data += nfixed;
|
||||
size -= nfixed;
|
||||
|
||||
#if FMT_FUZZ_SEPARATE_ALLOCATION
|
||||
std::vector<char> fmtstringbuffer(size);
|
||||
std::memcpy(fmtstringbuffer.data(), data, size);
|
||||
auto format_str = fmt::string_view(fmtstringbuffer.data(), size);
|
||||
#else
|
||||
auto format_str = fmt::string_view(fmt_fuzzer::as_chars(data), size);
|
||||
#endif
|
||||
|
||||
#if FMT_FUZZ_FORMAT_TO_STRING
|
||||
std::string message = fmt::format(format_str, item);
|
||||
#else
|
||||
fmt::memory_buffer message;
|
||||
fmt::format_to(message, format_str, item);
|
||||
#endif
|
||||
template <>
|
||||
const std::tm* from_repr<std::tm>(const std::time_t& t) {
|
||||
return std::localtime(&t);
|
||||
}
|
||||
|
||||
void invoke_fmt_time(const uint8_t* data, size_t size) {
|
||||
using Item = std::time_t;
|
||||
static_assert(sizeof(Item) <= nfixed, "Nfixed too small");
|
||||
if (size <= nfixed) return;
|
||||
const Item item = fmt_fuzzer::assignFromBuf<Item>(data);
|
||||
data += nfixed;
|
||||
size -= nfixed;
|
||||
#if FMT_FUZZ_SEPARATE_ALLOCATION
|
||||
std::vector<char> fmtstringbuffer(size);
|
||||
std::memcpy(fmtstringbuffer.data(), data, size);
|
||||
auto format_str = fmt::string_view(fmtstringbuffer.data(), size);
|
||||
#else
|
||||
auto format_str = fmt::string_view(fmt_fuzzer::as_chars(data), size);
|
||||
#endif
|
||||
auto* b = std::localtime(&item);
|
||||
if (b) {
|
||||
template <typename T, typename Repr = T>
|
||||
void invoke_fmt(const uint8_t* data, size_t size) {
|
||||
static_assert(sizeof(Repr) <= fixed_size, "Nfixed is too small");
|
||||
if (size <= fixed_size) return;
|
||||
auto repr = assign_from_buf<Repr>(data);
|
||||
const T* value = from_repr<T>(repr);
|
||||
if (!value) return;
|
||||
data += fixed_size;
|
||||
size -= fixed_size;
|
||||
data_to_string format_str(data, size);
|
||||
#if FMT_FUZZ_FORMAT_TO_STRING
|
||||
std::string message = fmt::format(format_str, *b);
|
||||
std::string message = fmt::format(format_str.get(), *value);
|
||||
#else
|
||||
fmt::memory_buffer message;
|
||||
fmt::format_to(message, format_str, *b);
|
||||
fmt::memory_buffer message;
|
||||
fmt::format_to(message, format_str.get(), *value);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
@ -110,7 +82,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
invoke_fmt<long double>(data, size);
|
||||
break;
|
||||
case 13:
|
||||
invoke_fmt_time(data, size);
|
||||
invoke_fmt<std::tm, std::time_t>(data, size);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
||||
@ -10,21 +10,19 @@
|
||||
|
||||
template <typename Item1, typename Item2>
|
||||
void invoke_fmt(const uint8_t* data, size_t size) {
|
||||
using fmt_fuzzer::nfixed;
|
||||
static_assert(sizeof(Item1) <= nfixed, "size1 exceeded");
|
||||
static_assert(sizeof(Item2) <= nfixed, "size2 exceeded");
|
||||
if (size <= nfixed + nfixed) return;
|
||||
static_assert(sizeof(Item1) <= fixed_size, "size1 exceeded");
|
||||
static_assert(sizeof(Item2) <= fixed_size, "size2 exceeded");
|
||||
if (size <= fixed_size + fixed_size) return;
|
||||
|
||||
const Item1 item1 = fmt_fuzzer::assignFromBuf<Item1>(data);
|
||||
data += nfixed;
|
||||
size -= nfixed;
|
||||
const Item1 item1 = assign_from_buf<Item1>(data);
|
||||
data += fixed_size;
|
||||
size -= fixed_size;
|
||||
|
||||
const Item2 item2 = fmt_fuzzer::assignFromBuf<Item2>(data);
|
||||
data += nfixed;
|
||||
size -= nfixed;
|
||||
|
||||
auto format_str = fmt::string_view(fmt_fuzzer::as_chars(data), size);
|
||||
const Item2 item2 = assign_from_buf<Item2>(data);
|
||||
data += fixed_size;
|
||||
size -= fixed_size;
|
||||
|
||||
auto format_str = fmt::string_view(as_chars(data), size);
|
||||
#if FMT_FUZZ_FORMAT_TO_STRING
|
||||
std::string message = fmt::format(format_str, item1, item2);
|
||||
#else
|
||||
@ -91,13 +89,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
if (size <= 3) return 0;
|
||||
|
||||
// Switch types depending on the first byte of the input.
|
||||
const auto first = data[0] & 0x0F;
|
||||
const auto second = (data[0] & 0xF0) >> 4;
|
||||
const auto type1 = data[0] & 0x0F;
|
||||
const auto type2 = (data[0] & 0xF0) >> 4;
|
||||
data++;
|
||||
size--;
|
||||
try {
|
||||
invoke(first, [=](auto param1) {
|
||||
invoke(second, [=](auto param2) {
|
||||
invoke(type1, [=](auto param1) {
|
||||
invoke(type2, [=](auto param2) {
|
||||
invoke_fmt<decltype(param1), decltype(param2)>(data, size);
|
||||
});
|
||||
});
|
||||
|
||||
Loading…
Reference in New Issue
Block a user