diff --git a/.travis.yml b/.travis.yml index 37599a5a..27a83c19 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,8 +65,8 @@ matrix: - env: BUILD=Release STANDARD=14 compiler: clang os: osx - # clang 6.0 on Linux with C++14 - - env: COMPILER=clang++-6.0 BUILD=Debug STANDARD=14 + # clang 6.0 on Linux with C++14 (builds the fuzzers as well) + - env: COMPILER=clang++-6.0 BUILD=Debug STANDARD=14 ENABLE_FUZZING=1 compiler: clang addons: apt: diff --git a/CMakeLists.txt b/CMakeLists.txt index 6214d5a2..3bc16177 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -41,6 +41,7 @@ option(FMT_WERROR "Halt the compilation with an error on compiler warnings." option(FMT_DOC "Generate the doc target." ${MASTER_PROJECT}) option(FMT_INSTALL "Generate the install target." ${MASTER_PROJECT}) option(FMT_TEST "Generate the test target." ${MASTER_PROJECT}) +option(FMT_FUZZ "Generate the fuzz target." OFF) project(FMT CXX) @@ -151,7 +152,7 @@ endfunction() # Define the fmt library, its includes and the needed defines. add_headers(FMT_HEADERS chrono.h color.h core.h format.h format-inl.h locale.h - ostream.h prepare.h printf.h ranges.h) + ostream.h prepare.h printf.h ranges.h safe-duration-cast.h) set(FMT_SOURCES src/format.cc) if (HAVE_OPEN) add_headers(FMT_HEADERS posix.h) @@ -190,6 +191,9 @@ if (BUILD_SHARED_LIBS) endif () target_compile_definitions(fmt PRIVATE FMT_EXPORT INTERFACE FMT_SHARED) endif () +if (FMT_SAFE_DURATION_CAST) + target_compile_definitions(fmt PUBLIC FMT_SAFE_DURATION_CAST) +endif() add_library(fmt-header-only INTERFACE) add_library(fmt::fmt-header-only ALIAS fmt-header-only) @@ -271,6 +275,11 @@ if (FMT_TEST) add_subdirectory(test) endif () +# control fuzzing independent of the unit tests +if (FMT_FUZZ) + add_subdirectory(test/fuzzing) +endif () + set(gitignore ${PROJECT_SOURCE_DIR}/.gitignore) if (MASTER_PROJECT AND EXISTS ${gitignore}) # Get the list of ignored files from .gitignore. 
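Review bot: `if (FMT_SAFE_DURATION_CAST)` in the CMakeLists.txt hunk tests a cache variable that this diff never declares, so the new knob does not show up in `cmake -L`/ccmake and an explicit `-DFMT_SAFE_DURATION_CAST=Off` silently does nothing: the `if` is false, no definition is emitted, and the `#ifndef` default in chrono.h (later in this diff) turns the check back on. Declare it next to the new `FMT_FUZZ` option, `option(FMT_SAFE_DURATION_CAST "Overflow-checked chrono duration conversions (formatting throws format_error on overflow)." ON)`, and pass the value rather than just the name so both states reach the compiler: `target_compile_definitions(fmt PUBLIC FMT_SAFE_DURATION_CAST=$<BOOL:${FMT_SAFE_DURATION_CAST}>)`. As written, the CMake side can only switch the check on, never off, which defeats the "unless explicitly disabled" comment in the header.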
diff --git a/include/fmt/chrono.h b/include/fmt/chrono.h index aebf858e..cfbcb23d 100644 --- a/include/fmt/chrono.h +++ b/include/fmt/chrono.h @@ -16,6 +16,15 @@ #include #include +// enable safe chrono durations, unless explicitly disabled +#ifndef FMT_SAFE_DURATION_CAST +# define FMT_SAFE_DURATION_CAST 1 +#endif + +#if FMT_SAFE_DURATION_CAST +# include "safe-duration-cast.h" +#endif + FMT_BEGIN_NAMESPACE // Prevents expansion of a preceding token as a function-style macro. @@ -385,6 +394,15 @@ inline bool isnan(T value) { return std::isnan(value); } +template ::value)> +inline bool isfinite(T) { + return true; +} +template ::value)> +inline bool isfinite(T value) { + return std::isfinite(value); +} + // Convers value to int and checks that it's in the range [0, upper). template ::value)> inline int to_nonnegative_int(T value, int upper) { 
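Review bot: The comment on the new `#ifndef FMT_SAFE_DURATION_CAST` default does not tell callers what the option changes: with the macro set, a duration that does not fit the conversion makes formatting throw `format_error("cannot format duration")` (via `fmt_safe_duration_cast` in the next hunk), where the previous `duration_cast` path silently overflowed, which is undefined behaviour for signed reps. Since the default is on, existing code can start throwing, so say it where the macro is defined: `// Overflow-checked chrono conversions are on by default: formatting a duration that does not fit the target rep throws format_error instead of overflowing. Define FMT_SAFE_DURATION_CAST to 0 to restore the unchecked duration_cast path.` The `isfinite` pair in the second hunk mirrors the `isnan` overload just above it; a one-line comment noting that the integral overload is only there to make `handle_nan_inf` compile for integer reps would keep it from being taken for a general helper.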
@@ -421,12 +439,40 @@ template struct make_unsigned_or_unchanged { using type = typename std::make_unsigned::type; }; +#if FMT_SAFE_DURATION_CAST +// throwing version of safe_duration_cast +template +To fmt_safe_duration_cast(std::chrono::duration from) { + int ec; + To to= safe_duration_cast::safe_duration_cast(from,ec); + if (ec) { + FMT_THROW(format_error("cannot format duration")); + } + return to; +} +#endif + template ::value)> inline std::chrono::duration get_milliseconds( std::chrono::duration d) { + // this may overflow and/or the result may not fit in the + // target type. +#if FMT_SAFE_DURATION_CAST + using CommonSecondsType = + typename std::common_type::type; + const auto d_as_common = fmt_safe_duration_cast(d); + const auto d_as_whole_seconds = + fmt_safe_duration_cast(d_as_common); + // this conversion should be nonproblematic + const auto diff = d_as_common - d_as_whole_seconds; + const auto ms = + fmt_safe_duration_cast>(diff); + return ms; +#else auto s = std::chrono::duration_cast(d); return std::chrono::duration_cast(d - s); +#endif } template (val); + s = fmt_safe_duration_cast(tmpval); +#else s = std::chrono::duration_cast( std::chrono::duration(val)); +#endif + } + + // returns true if nan or inf, writes to out. + bool handle_nan_inf() { + if (isfinite(val)) { + return false; + } + if (isnan(val)) { + write_nan(); + return true; + } + // must be +-inf + if (val > 0) { + write_pinf(); + } else { + write_ninf(); + } + return true; } Rep hour() const { return static_cast(mod((s.count() / 3600), 24)); } @@ -517,6 +590,8 @@ struct chrono_formatter { } void write_nan() { std::copy_n("nan", 3, out); } + void write_pinf() { std::copy_n("inf", 3, out); } + void write_ninf() { std::copy_n("-inf", 4, out); } void format_localized(const tm& time, const char* format) { if (isnan(val)) return write_nan(); 
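Review bot: `fmt_safe_duration_cast` is the single point where the `ec` error code from `safe_duration_cast` becomes an exception, yet it has no comment and its spacing (`To to= ...(from,ec)`) does not match the clang-format style of the surrounding file. Document the contract above the template — it converts the duration with overflow checking and throws `format_error` through `FMT_THROW` when the value or the period ratio does not fit — and reformat the call as `To to = safe_duration_cast::safe_duration_cast<To>(from, ec);` (the template argument appears to have been stripped by the page rendering; verify against the file). Because `ec` is only tested for non-zero, the message cannot tell a user whether the narrowing or the multiplication by the ratio failed; if `safe_duration_cast` ever reports distinct codes, fold them into the message here. `handle_nan_inf` in the second hunk is a member of `chrono_formatter`, whose definition begins outside this hunk.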
@@ -549,6 +624,10 @@ struct chrono_formatter { void on_tz_name() {} void on_24_hour(numeric_system ns) { + if (handle_nan_inf()) { + return; + } + if (ns == numeric_system::standard) return write(hour(), 2); auto time = tm(); time.tm_hour = to_nonnegative_int(hour(), 24); @@ -556,6 +635,10 @@ struct chrono_formatter { } void on_12_hour(numeric_system ns) { + if (handle_nan_inf()) { + return; + } + if (ns == numeric_system::standard) return write(hour12(), 2); auto time = tm(); time.tm_hour = to_nonnegative_int(hour12(), 12); @@ -563,6 +646,10 @@ struct chrono_formatter { } void on_minute(numeric_system ns) { + if (handle_nan_inf()) { + return; + } + if (ns == numeric_system::standard) return write(minute(), 2); auto time = tm(); time.tm_min = to_nonnegative_int(minute(), 60); @@ -570,9 +657,21 @@ struct chrono_formatter { } void on_second(numeric_system ns) { + if (handle_nan_inf()) { + return; + } + if (ns == numeric_system::standard) { write(second(), 2); - auto ms = get_milliseconds(std::chrono::duration(val)); +#if FMT_SAFE_DURATION_CAST + // convert rep->Rep + using duration_rep = std::chrono::duration; + using duration_Rep = std::chrono::duration; + auto tmpval = fmt_safe_duration_cast(duration_rep{val}); +#else + auto tmpval = std::chrono::duration(val); +#endif + auto ms = get_milliseconds(tmpval); if (ms != std::chrono::milliseconds(0)) { *out++ = '.'; write(ms.count(), 3); @@ -584,9 +683,21 @@ struct chrono_formatter { format_localized(time, "%OS"); } - void on_12_hour_time() { format_localized(time(), "%r"); } + void on_12_hour_time() { + if (handle_nan_inf()) { + return; + } + + format_localized(time(), "%r"); + } void on_24_hour_time() { + if (handle_nan_inf()) { + *out++ = ':'; + handle_nan_inf(); + return; + } + write(hour(), 2); *out++ = ':'; write(minute(), 2); 
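Review bot: `on_24_hour_time` calls `handle_nan_inf()` twice to produce the `nan:nan` form that the updated chrono test in this diff expects, but the second call's result is dropped and nothing says the repetition is deliberate, so the next reader is likely to "fix" it. Add `// val is nan/inf: emit it for both fields ("nan:nan"); the second call takes the same branch as the first` above the `*out++ = ':'`. In `on_second`, the `#if FMT_SAFE_DURATION_CAST` block introduces the local aliases `duration_rep`/`duration_Rep` that differ only in case; names like `from_duration`/`to_duration` would make the rep-to-Rep direction readable. All of these are members of `chrono_formatter`, whose definition starts and ends outside this hunk.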
@@ -595,12 +706,24 @@ struct chrono_formatter { void on_iso_time() { on_24_hour_time(); *out++ = ':'; + if (handle_nan_inf()) { + return; + } write(second(), 2); } - void on_am_pm() { format_localized(time(), "%p"); } + void on_am_pm() { + if (handle_nan_inf()) { + return; + } + + format_localized(time(), "%p"); + } void on_duration_value() { + if (handle_nan_inf()) { + return; + } write_sign(); out = format_chrono_duration_value(out, val, precision); } diff --git a/include/fmt/format-inl.h b/include/fmt/format-inl.h index cce1a34a..0ce96b28 100644 --- a/include/fmt/format-inl.h +++ b/include/fmt/format-inl.h @@ -244,6 +244,11 @@ template <> FMT_FUNC int count_digits<4>(internal::fallback_uintptr n) { template int format_float(char* buf, std::size_t size, const char* format, int precision, T value) { +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + if (precision > 100000) { + throw std::runtime_error("fuzz mode - avoid large allocation inside snprintf"); + } +#endif // Suppress the warning about nonliteral format string. auto snprintf_ptr = FMT_SNPRINTF; return precision < 0 ? snprintf_ptr(buf, size, format, value) diff --git a/include/fmt/format.h b/include/fmt/format.h index a931bdcd..55033807 100644 --- a/include/fmt/format.h +++ b/include/fmt/format.h @@ -398,6 +398,11 @@ class basic_memory_buffer : private Allocator, public internal::buffer { template void basic_memory_buffer::grow(std::size_t size) { +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + if (size > 1000) { + throw std::runtime_error("fuzz mode - won't grow that much"); + } +#endif std::size_t old_capacity = this->capacity(); std::size_t new_capacity = old_capacity + old_capacity / 2; if (size > new_capacity) new_capacity = size; 
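Review bot: In the format-inl.h hunk, the fuzz-mode guard in `format_float` uses a bare `throw std::runtime_error(...)` while the chrono hunks of this same diff throw through `FMT_THROW`; in a build with exceptions disabled the bare `throw` does not compile, and `<stdexcept>` is presumably only reached transitively here — verify. Use `FMT_THROW(std::runtime_error("fuzz mode - avoid large allocation inside snprintf"))`. The limit `100000` is one of three unrelated magic budgets this diff adds (the others are `1000` in `grow` and in `grisu_prettify`); naming them once, e.g. `FMT_FUZZ_MAX_PRECISION`, makes it clear they are harness budgets and not format limits. `format_float` continues past the end of this hunk.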
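Review bot: The `size > 1000` guard added to `basic_memory_buffer::grow` in the format.h hunk is a fuzz-harness budget rather than a property of the buffer, and the comment does not say so; at 1000 bytes it fires for any output over roughly 1 KiB, and the harnesses in this diff swallow every `std::exception`, so the longer-output paths of the library are effectively never fuzzed. Say that explicitly and reconsider the size: `// fuzz-only budget, not a buffer limit: the harnesses catch std::exception, so any output larger than this is silently NOT exercised`. Throw through `FMT_THROW` as the chrono code does. `grow` continues past the end of this hunk.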
@@ -1065,6 +1070,11 @@ It grisu_prettify(const char* digits, int size, int exp, It it, int num_zeros = (std::max)(params.num_digits - full_exp, 1); if (params.trailing_zeros) { *it++ = static_cast('.'); +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + if (num_zeros > 1000) { + throw std::runtime_error("fuzz mode - avoiding excessive cpu use"); + } +#endif it = std::fill_n(it, num_zeros, static_cast('0')); } } else if (full_exp > 0) { diff --git a/include/fmt/safe-duration-cast.h b/include/fmt/safe-duration-cast.h new file mode 100644 index 00000000..e69450f4 --- /dev/null +++ b/include/fmt/safe-duration-cast.h 
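Review bot: The `num_zeros > 1000` guard in `grisu_prettify` sits after the `'.'` has already been written, so when it fires the output holds a dangling decimal point; moving the check above the `*it++ = ...('.')` keeps the partial buffer consistent for anyone who catches the exception and inspects it, and stops the guard from reading as part of the trailing-zero logic. Throw through `FMT_THROW` for consistency with the chrono hunks. `grisu_prettify` begins and ends outside this hunk.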
@@ -0,0 +1,279 @@ +/* + * For conversion between std::chrono::durations without undefined + * behaviour or erroneous results. + * This is a stripped down version of duration_cast, for inclusion in fmt. + * See https://github.com/pauldreik/safe_duration_cast + * + * Copyright Paul Dreik 2019 + * + * This file is licensed under the fmt license, see format.h + */ + +#include +#include +#include +#include + +#include "format.h" + +FMT_BEGIN_NAMESPACE + +namespace safe_duration_cast { + +/** + * converts From to To, without loss. If the dynamic value of from + * can't be converted to To without loss, ec is set. + */ +template ::value)> +FMT_CONSTEXPR To lossless_integral_conversion(const From from, int& ec) { + ec = 0; + using F = std::numeric_limits; + using T = std::numeric_limits; + static_assert(F::is_integer, "From must be integral"); + static_assert(T::is_integer, "To must be integral"); + + if (F::is_signed == T::is_signed) { + // A and B are both signed, or both unsigned. + if (F::digits <= T::digits) { + // From fits in To without any problem + } else { + // From does not always fit in To, resort to a dynamic check. + if (from < T::min() || from > T::max()) { + // outside range. + ec = 1; + return {}; + } + } + } + + if (F::is_signed && !T::is_signed) { + // From may be negative, not allowed! + if (from < 0) { + ec = 1; + return {}; + } + + // From is positive. Can it always fit in To? + if (F::digits <= T::digits) { + // yes, From always fits in To. + } else { + // from may not fit in To, we have to do a dynamic check + if (from > T::max()) { + ec = 1; + return {}; + } + } + } + + if (!F::is_signed && T::is_signed) { + // can from be held in To? + if (F::digits < T::digits) { + // yes, From always fits in To. + } else { + // from may not fit in To, we have to do a dynamic check + if (from > T::max()) { + // outside range. + ec = 1; + return {}; + } + } + } + + // reaching here means all is ok for lossless conversion. 
+ return static_cast(from); + +} // function + +template ::value)> +FMT_CONSTEXPR To lossless_integral_conversion(const From from, int& ec) { + ec = 0; + return from; +} // function + +// clang-format off +/** + * converts From to To if possible, otherwise ec is set. + * + * input | output + * ---------------------------------|--------------- + * NaN | NaN + * Inf | Inf + * normal, fits in output | converted (possibly lossy) + * normal, does not fit in output | ec is set + * subnormal | best effort + * -Inf | -Inf + */ +// clang-format on +template ::value)> +FMT_CONSTEXPR To safe_float_conversion(const From from, int& ec) { + ec = 0; + using T = std::numeric_limits; + static_assert(std::is_floating_point::value, "From must be floating"); + static_assert(std::is_floating_point::value, "To must be floating"); + + // catch the only happy case + if (std::isfinite(from)) { + if (from >= T::lowest() && from <= T::max()) { + return static_cast(from); + } + // not within range. + ec = 1; + return {}; + } + + // nan and inf will be preserved + return static_cast(from); +} // function + +template ::value)> +FMT_CONSTEXPR To safe_float_conversion(const From from, int& ec) { + ec = 0; + static_assert(std::is_floating_point::value, "From must be floating"); + return from; +} + +/** + * safe duration cast between integral durations + */ +template ::value), + FMT_ENABLE_IF(std::is_integral::value)> +To safe_duration_cast(std::chrono::duration from, + int& ec) { + using From = std::chrono::duration; + ec = 0; + // the basic idea is that we need to convert from count() in the from type + // to count() in the To type, by multiplying it with this: + using Factor = std::ratio_divide; + + static_assert(Factor::num > 0, "num must be positive"); + static_assert(Factor::den > 0, "den must be positive"); + + // the conversion is like this: multiply from.count() with Factor::num + // /Factor::den and convert it to To::rep, all this without + // overflow/underflow. 
let's start by finding a suitable type that can hold + // both To, From and Factor::num + using IntermediateRep = + typename std::common_type::type; + + // safe conversion to IntermediateRep + IntermediateRep count = + lossless_integral_conversion(from.count(), ec); + if (ec) { + return {}; + } + // multiply with Factor::num without overflow or underflow + if (Factor::num != 1) { + constexpr auto max1 = + std::numeric_limits::max() / Factor::num; + if (count > max1) { + ec = 1; + return {}; + } + constexpr auto min1 = + std::numeric_limits::min() / Factor::num; + if (count < min1) { + ec = 1; + return {}; + } + count *= Factor::num; + } + + // this can't go wrong, right? den>0 is checked earlier. + if (Factor::den != 1) { + count /= Factor::den; + } + // convert to the to type, safely + using ToRep = typename To::rep; + const ToRep tocount = lossless_integral_conversion(count, ec); + if (ec) { + return {}; + } + return To{tocount}; +} + +/** + * safe duration_cast between floating point durations + */ +template ::value), + FMT_ENABLE_IF(std::is_floating_point::value)> +To safe_duration_cast(std::chrono::duration from, + int& ec) { + using From = std::chrono::duration; + ec = 0; + if (std::isnan(from.count())) { + // nan in, gives nan out. easy. + return To{std::numeric_limits::quiet_NaN()}; + } + // maybe we should also check if from is denormal, and decide what to do about + // it. + + // +-inf should be preserved. + if (std::isinf(from.count())) { + return To{from.count()}; + } + + // the basic idea is that we need to convert from count() in the from type + // to count() in the To type, by multiplying it with this: + using Factor = std::ratio_divide; + + static_assert(Factor::num > 0, "num must be positive"); + static_assert(Factor::den > 0, "den must be positive"); + + // the conversion is like this: multiply from.count() with Factor::num + // /Factor::den and convert it to To::rep, all this without + // overflow/underflow. 
let's start by finding a suitable type that can hold + // both To, From and Factor::num + using IntermediateRep = + typename std::common_type::type; + + // force conversion of From::rep -> IntermediateRep to be safe, + // even if it will never happen be narrowing in this context. + IntermediateRep count = + safe_float_conversion(from.count(), ec); + if (ec) { + return {}; + } + + // multiply with Factor::num without overflow or underflow + if (Factor::num != 1) { + constexpr auto max1 = + std::numeric_limits::max() / Factor::num; + if (count > max1) { + ec = 1; + return {}; + } + constexpr auto min1 = + std::numeric_limits::lowest() / Factor::num; + if (count < min1) { + ec = 1; + return {}; + } + count *= Factor::num; + } + + // this can't go wrong, right? den>0 is checked earlier. + if (Factor::den != 1) { + count /= Factor::den; + } + + // convert to the to type, safely + using ToRep = typename To::rep; + + const ToRep tocount = safe_float_conversion(count, ec); + if (ec) { + return {}; + } + return To{tocount}; +} + +} // namespace safe_duration_cast + +FMT_END_NAMESPACE diff --git a/support/travis-build.py b/support/travis-build.py index d71a7ae6..669bb71d 100755 --- a/support/travis-build.py +++ b/support/travis-build.py 
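Review bot: `safe-duration-cast.h` has no include guard or `#pragma once`: the file opens with the license comment and goes straight to the `#include`s and `FMT_BEGIN_NAMESPACE`, so including it twice in one translation unit (chrono.h includes it, and the README tells users to enable it globally) redefines every function template in it. Wrap the file in `#ifndef FMT_SAFE_DURATION_CAST_H_` / `#define FMT_SAFE_DURATION_CAST_H_` ... `#endif  // FMT_SAFE_DURATION_CAST_H_`, presumably the same pattern the other fmt headers use. Two smaller points: the error channel is a bare `int& ec` always set to `1` with `return {}`, so callers cannot tell a range overflow from a negative-to-unsigned failure, and the comment `maybe we should also check if from is denormal` leaves an open question in shipped code — either decide it or make it a TODO stating the intended behaviour.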
@@ -83,19 +83,24 @@ install_dir = os.path.join(fmt_dir, "_install") build_dir = os.path.join(fmt_dir, "_build") test_build_dir = os.path.join(fmt_dir, "_build_test") -# Configure library. +# Configure the library. makedirs_if_not_exist(build_dir) cmake_flags = [ '-DCMAKE_INSTALL_PREFIX=' + install_dir, '-DCMAKE_BUILD_TYPE=' + build, '-DCMAKE_CXX_STANDARD=' + standard ] + +# make sure the fuzzers still compile +if 'ENABLE_FUZZING' in os.environ: + cmake_flags += ['-DFMT_FUZZ=ON', '-DFMT_FUZZ_LINKMAIN=On'] + check_call(['cmake', '-DFMT_DOC=OFF', '-DFMT_PEDANTIC=ON', '-DFMT_WERROR=ON', fmt_dir] + cmake_flags, cwd=build_dir) -# Build library. -check_call(['make', '-j4'], cwd=build_dir) +# Build the library. +check_call(['cmake', '--build','.'], cwd=build_dir) -# Test library. +# Test the library. env = os.environ.copy() env['CTEST_OUTPUT_ON_FAILURE'] = '1' if call(['make', 'test'], env=env, cwd=build_dir): @@ -103,7 +108,7 @@ if call(['make', 'test'], env=env, cwd=build_dir): print(f.read()) sys.exit(-1) -# Install library. +# Install the library. check_call(['make', 'install'], cwd=build_dir) # Test installation. diff --git a/test/chrono-test.cc b/test/chrono-test.cc index a9412c90..04b5f2fa 100644 --- a/test/chrono-test.cc +++ b/test/chrono-test.cc @@ -327,7 +327,7 @@ TEST(ChronoTest, SpecialDurations) { fmt::format("{:%S}", std::chrono::duration(1e20)).substr(0, 3)); auto nan = std::numeric_limits::quiet_NaN(); EXPECT_EQ( - "nan nan nan nan.nan nan:nan nan", + "nan nan nan nan nan:nan nan", fmt::format("{:%I %H %M %S %R %r}", std::chrono::duration(nan))); fmt::format("{:%S}", std::chrono::duration(1.79400457e+31f)); diff --git a/test/fuzzing/.gitignore b/test/fuzzing/.gitignore new file mode 100644 index 00000000..ea410402 --- /dev/null +++ b/test/fuzzing/.gitignore @@ -0,0 +1,3 @@ +# ignore artifacts from the build.sh script +build-*/ + diff --git a/test/fuzzing/CMakeLists.txt b/test/fuzzing/CMakeLists.txt new file mode 100644 index 00000000..3f386828 --- /dev/null 
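Review bot: The build step is switched to the generator-agnostic `cmake --build .`, but the test and install steps a few lines later still call `make test` and `make install`, so the script now half-assumes a Makefile generator; use `cmake --build . --target test` and `cmake --build . --target install` (or keep `make` throughout) so the three steps agree. The `ENABLE_FUZZING` branch only proves the fuzzers link (`FMT_FUZZ_LINKMAIN=On`); it does not define `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, so the guarded `throw` paths added elsewhere in this diff are never compiled by CI — and they cannot simply be enabled here, since the `grow` budget would likely make the unit tests throw. A comment next to the flags should say so: `# FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is deliberately not set: it would trip the unit tests`.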
+++ b/test/fuzzing/CMakeLists.txt @@ -0,0 +1,38 @@ +# Copyright (c) 2019, Paul Dreik +# License: see LICENSE.rst in the fmt root directory + +# settings this links in a main. useful for reproducing, +# kcov, gdb, afl, valgrind. +# (note that libFuzzer can also reproduce, just pass it the files) +option(FMT_FUZZ_LINKMAIN "enables the reproduce mode, instead of libFuzzer" On) + +#for oss-fuzz - insert $LIB_FUZZING_ENGINE into the link flags, but only for +#the fuzz targets, otherwise the cmake configuration step fails. +set(FMT_FUZZ_LDFLAGS "" CACHE STRING "LDFLAGS for the fuzz targets") + +#find all fuzzers. +set(SOURCES +chrono_duration.cpp +named_arg.cpp +one_arg.cpp +sprintf.cpp +two_args.cpp +) + +macro(implement_fuzzer sourcefile) + get_filename_component(basename ${sourcefile} NAME_WE) + set(name fuzzer_${basename}) + add_executable(${name} ${sourcefile} fuzzer_common.h) + if(FMT_FUZZ_LINKMAIN) + target_sources(${name} PRIVATE main.cpp) + endif() + target_link_libraries(${name} PRIVATE fmt) +if(FMT_FUZZ_LDFLAGS) + target_link_libraries(${name} PRIVATE ${FMT_FUZZ_LDFLAGS}) +endif() + target_compile_features(${name} PRIVATE cxx_generic_lambdas) +endmacro() + +foreach(X IN ITEMS ${SOURCES}) + implement_fuzzer(${X}) +endforeach() diff --git a/test/fuzzing/README.md b/test/fuzzing/README.md new file mode 100644 index 00000000..d3ea270b --- /dev/null +++ b/test/fuzzing/README.md 
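Review bot: Nothing in this CMakeLists says that `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` must come in through `CXXFLAGS` for the whole build: the guards it enables live partly in a header template (`basic_memory_buffer::grow`) and partly in `format-inl.h` compiled into `libfmt`, so defining it only for the fuzzer targets would make the two sides disagree, a likely ODR violation for the template. Add above `option(FMT_FUZZ_LINKMAIN ...)`: `# FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION must be set in CXXFLAGS for the whole tree (libfmt and the fuzzers), never per target; see build.sh`. Minor style: the `if(FMT_FUZZ_LDFLAGS)` block inside `implement_fuzzer` is unindented relative to its siblings.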
@@ -0,0 +1,34 @@ +# FMT Fuzzer +Fuzzing has revealed [several bugs](https://github.com/fmtlib/fmt/issues?&q=is%3Aissue+fuzz) in fmt. It is a part of the continous fuzzing at [oss-fuzz](https://github.com/google/oss-fuzz) + +The source code is modified to make the fuzzing possible without locking up on resource exhaustion: +```cpp +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +if(spec.precision>100000) { + throw std::runtime_error("fuzz mode - avoiding large precision"); +} +#endif +``` +This macro is the defacto standard for making fuzzing practically possible, see [the libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#fuzzer-friendly-build-mode). + +## Running the fuzzers locally +There is a [helper script](build.sh) to build the fuzzers, which has only been tested on Debian and Ubuntu linux so far. There should be no problems fuzzing on Windows (using clang>=8) or on Mac, but the script will probably not work out of the box. + +Something along +```sh +mkdir build +cd build +export CXX=clang++ +export CXXFLAGS="-fsanitize=fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION= -g" +cmake .. -DFMT_SAFE_DURATION_CAST=On -DFMT_FUZZ=On -DFMT_FUZZ_LINKMAIN=Off -DFMT_FUZZ_LDFLAGS="-fsanitize=fuzzer" +cmake --build . +``` +should work to build the fuzzers for all platforms which clang supports. + +Execute a fuzzer with for instance +```sh +cd build +export UBSAN_OPTIONS=halt_on_error=1 +mkdir out_chrono +bin/fuzzer_chrono_duration out_chrono +``` diff --git a/test/fuzzing/build.sh b/test/fuzzing/build.sh new file mode 100755 index 00000000..141a50d9 --- /dev/null +++ b/test/fuzzing/build.sh 
@@ -0,0 +1,110 @@ +#!/bin/sh +# +# Creates fuzzer builds of various kinds +# - reproduce mode (no fuzzing, just enables replaying data through the fuzzers) +# - oss-fuzz emulated mode (makes sure a simulated invocation by oss-fuzz works) +# - libFuzzer build (you will need clang) +# - afl build (you will need afl) +# +# +# Copyright (c) 2019 Paul Dreik +# +# License: see LICENSE.rst in the fmt root directory + +set -e +me=$(basename $0) +root=$(readlink -f "$(dirname "$0")/../..") + + +echo $me: root=$root + +here=$(pwd) + +CXXFLAGSALL="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION= -g" +CMAKEFLAGSALL="$root -GNinja -DCMAKE_BUILD_TYPE=Debug -DFMT_DOC=Off -DFMT_TEST=Off -DFMT_FUZZ=On -DCMAKE_CXX_STANDARD=17" + +#builds the fuzzers as one would do if using afl or just making +#binaries for reproducing. +builddir=$here/build-fuzzers-reproduce +mkdir -p $builddir +cd $builddir +CXX="ccache g++" CXXFLAGS="$CXXFLAGSALL" cmake \ +$CMAKEFLAGSALL +cmake --build $builddir + +#for performance analysis of the fuzzers +builddir=$here/build-fuzzers-perfanalysis +mkdir -p $builddir +cd $builddir +CXX="ccache g++" CXXFLAGS="$CXXFLAGSALL -g" cmake \ +$CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=On \ +-DCMAKE_BUILD_TYPE=Release + +cmake --build $builddir + +#builds the fuzzers as oss-fuzz does +builddir=$here/build-fuzzers-ossfuzz +mkdir -p $builddir +cd $builddir +CXX="clang++" \ +CXXFLAGS="$CXXFLAGSALL -fsanitize=fuzzer-no-link" cmake \ +cmake $CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=Off \ +-DFMT_FUZZ_LDFLAGS="-fsanitize=fuzzer" + +cmake --build $builddir + + +#builds fuzzers for local fuzzing with libfuzzer with asan+usan +builddir=$here/build-fuzzers-libfuzzer +mkdir -p $builddir +cd $builddir +CXX="clang++" \ +CXXFLAGS="$CXXFLAGSALL -fsanitize=fuzzer-no-link,address,undefined" cmake \ +cmake $CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=Off \ +-DFMT_FUZZ_LDFLAGS="-fsanitize=fuzzer" + +cmake --build $builddir + +#builds fuzzers for local fuzzing with libfuzzer with asan only 
+builddir=$here/build-fuzzers-libfuzzer-addr +mkdir -p $builddir +cd $builddir +CXX="clang++" \ +CXXFLAGS="$CXXFLAGSALL -fsanitize=fuzzer-no-link,undefined" cmake \ +cmake $CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=Off \ +-DFMT_FUZZ_LDFLAGS="-fsanitize=fuzzer" + +cmake --build $builddir + +#builds a fast fuzzer for making coverage fast +builddir=$here/build-fuzzers-fast +mkdir -p $builddir +cd $builddir +CXX="clang++" \ +CXXFLAGS="$CXXFLAGSALL -fsanitize=fuzzer-no-link -O3" cmake \ +cmake $CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=Off \ +-DFMT_FUZZ_LDFLAGS="-fsanitize=fuzzer" \ + -DCMAKE_BUILD_TYPE=Release + +cmake --build $builddir + + +#builds fuzzers for local fuzzing with afl +builddir=$here/build-fuzzers-afl +mkdir -p $builddir +cd $builddir +CXX="afl-g++" \ +CXXFLAGS="$CXXFLAGSALL -fsanitize=address,undefined" \ +cmake $CMAKEFLAGSALL \ +-DFMT_FUZZ_LINKMAIN=On + +cmake --build $builddir + + +echo $me: all good + diff --git a/test/fuzzing/chrono_duration.cpp b/test/fuzzing/chrono_duration.cpp new file mode 100644 index 00000000..d1de9ae6 --- /dev/null +++ b/test/fuzzing/chrono_duration.cpp 
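Review bot: Four build blocks (ossfuzz, libfuzzer, libfuzzer-addr, fast) end the `CXXFLAGS=... cmake \` line with a continuation and then begin the next line with `cmake $CMAKEFLAGSALL`, so the command actually run is `cmake cmake <root> -GNinja ...` with a stray positional argument; with `set -e` the script aborts at the first such block, or, if CMake accepts the extra path, configures the wrong tree — verify. Drop the duplicated word, e.g. `CXXFLAGS="$CXXFLAGSALL -fsanitize=fuzzer-no-link" cmake $CMAKEFLAGSALL \`. The `build-fuzzers-libfuzzer-addr` block is commented `asan only` but passes `-fsanitize=fuzzer-no-link,undefined`, i.e. UBSan and no ASan, so either the comment or the flag is wrong. `$0`, `$here` and `$builddir` are also unquoted under `#!/bin/sh`, and `readlink -f` is GNU-specific, which matters given the README says the script is Debian/Ubuntu-only.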
@@ -0,0 +1,152 @@ +// Copyright (c) 2019, Paul Dreik +// License: see LICENSE.rst in the fmt root directory + +#include +#include +#include +#include +#include +#include +#include "fuzzer_common.h" + +template +void invoke_inner(fmt::string_view formatstring, const Item item) { + const std::chrono::duration value(item); + try { +#if FMT_FUZZ_FORMAT_TO_STRING + std::string message = fmt::format(formatstring, value); +#else + fmt::memory_buffer buf; + fmt::format_to(buf, formatstring, value); +#endif + } catch (std::exception& /*e*/) { + } +} + +// Item is the underlying type for duration (int, long etc) +template +void invoke_outer(const uint8_t* Data, std::size_t Size, const int scaling) { + // always use a fixed location of the data + using fmt_fuzzer::Nfixed; + + constexpr auto N = sizeof(Item); + static_assert(N <= Nfixed, "fixed size is too small"); + if (Size <= Nfixed + 1) { + return; + } + + const Item item = fmt_fuzzer::assignFromBuf(Data); + + // fast forward + Data += Nfixed; + Size -= Nfixed; + + // Data is already allocated separately in libFuzzer so reading past + // the end will most likely be detected anyway + const auto formatstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size); + + // doit_impl(buf.data(),item); + // doit_impl(buf.data(),item); + switch (scaling) { + case 1: + invoke_inner(formatstring, item); + break; + case 2: + invoke_inner(formatstring, item); + break; + case 3: + invoke_inner(formatstring, item); + break; + case 4: + invoke_inner(formatstring, item); + break; + case 5: + invoke_inner(formatstring, item); + break; + case 6: + invoke_inner(formatstring, item); + break; + case 7: + invoke_inner(formatstring, item); + break; + case 8: + invoke_inner(formatstring, item); + break; + case 9: + invoke_inner(formatstring, item); + break; + case 10: + invoke_inner(formatstring, item); + break; + case 11: + invoke_inner(formatstring, item); + break; + case 12: + invoke_inner(formatstring, item); + break; + case 13: + 
invoke_inner(formatstring, item); + break; + case 14: + invoke_inner(formatstring, item); + break; + case 15: + invoke_inner(formatstring, item); + } + // doit_impl(buf.data(),item); + // doit_impl(buf.data(),item); +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size) { + if (Size <= 4) { + return 0; + } + + const auto representation = Data[0]; + const auto scaling = Data[1]; + Data += 2; + Size -= 2; + + switch (representation) { + case 1: + invoke_outer(Data, Size, scaling); + break; + case 2: + invoke_outer(Data, Size, scaling); + break; + case 3: + invoke_outer(Data, Size, scaling); + break; + case 4: + invoke_outer(Data, Size, scaling); + break; + case 5: + invoke_outer(Data, Size, scaling); + break; + case 6: + invoke_outer(Data, Size, scaling); + break; + case 7: + invoke_outer(Data, Size, scaling); + break; + case 8: + invoke_outer(Data, Size, scaling); + break; + case 9: + invoke_outer(Data, Size, scaling); + break; + case 10: + invoke_outer(Data, Size, scaling); + break; + case 11: + invoke_outer(Data, Size, scaling); + break; + case 12: + invoke_outer(Data, Size, scaling); + break; + default: + break; + } + + return 0; +} diff --git a/test/fuzzing/fuzzer_common.h b/test/fuzzing/fuzzer_common.h new file mode 100644 index 00000000..02b3910c --- /dev/null +++ b/test/fuzzing/fuzzer_common.h 
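Review bot: `invoke_outer` bails out on `Size <= Nfixed + 1` while the sibling harnesses in this diff (`named_arg.cpp`, `one_arg.cpp`) use `Size <= Nfixed`, so this one silently rejects one-byte format strings; if the extra byte is intentional, the comment `always use a fixed location of the data` should say why, otherwise align it with the others. The commented-out `doit_impl(buf.data(),item)` lines reference a `buf` that no longer exists in this file and should go. The exception handling is also placed differently here — inside `invoke_inner` rather than around the dispatch in `LLVMFuzzerTestOneInput` as the other two harnesses do; either is fine, but one convention makes it easier to see that every path is covered.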
@@ -0,0 +1,71 @@ +#ifndef FUZZER_COMMON_H +#define FUZZER_COMMON_H + +// Copyright (c) 2019, Paul Dreik +// License: see LICENSE.rst in the fmt root directory + +#include // memcpy +#include // trivially copyable +#include // std::uint8_t + +// one can format to either a string, or a buf. buf is faster, +// but one may be interested in formatting to a string instead to +// verify it works as intended. to avoid a combinatoric explosion, +// select this at compile time instead of dynamically from the fuzz data +#define FMT_FUZZ_FORMAT_TO_STRING 0 + +// if fmt is given a buffer that is separately allocated, +// chances that address sanitizer detects out of bound reads is +// much higher. However, it slows down the fuzzing. +#define FMT_FUZZ_SEPARATE_ALLOCATION 1 + +// To let the the fuzzer mutation be efficient at cross pollinating +// between different types, use a fixed size format. +// The same bit pattern, interpreted as another type, +// is likely interesting. +// For this, we must know the size of the largest possible type in use. + +// There are some problems on travis, claiming Nfixed is not a constant expression +// which seems to be an issue with older versions of libstdc++ +#if _GLIBCXX_RELEASE >= 7 +# include +namespace fmt_fuzzer { + constexpr auto Nfixed = std::max(sizeof(long double), sizeof(std::intmax_t)); +} +#else +namespace fmt_fuzzer { + constexpr auto Nfixed=16; +} +#endif + +namespace fmt_fuzzer { +// view data as a c char pointer. 
+template +inline const char* as_chars(const T* data) { + return static_cast(static_cast(data)); +} + +// view data as a byte pointer +template +inline const std::uint8_t* as_bytes(const T* data) { + return static_cast(static_cast(data)); +} + +// blits bytes from Data to form an (assumed trivially constructible) object +// of type Item +template +inline Item assignFromBuf(const std::uint8_t* Data) { + Item item{}; + std::memcpy(&item, Data, sizeof(Item)); + return item; +} + +// reads a boolean value by looking at the first byte from Data +template <> inline bool assignFromBuf(const std::uint8_t* Data) { + return !!Data[0]; +} + +} // namespace fmt_fuzzer + + +#endif // FUZZER_COMMON_H diff --git a/test/fuzzing/main.cpp b/test/fuzzing/main.cpp new file mode 100644 index 00000000..52f81f4b --- /dev/null +++ b/test/fuzzing/main.cpp @@ -0,0 +1,21 @@ +#include +#include +#include +#include +#include "fuzzer_common.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size); +int main(int argc, char* argv[]) { + for (int i = 1; i < argc; ++i) { + std::ifstream in(argv[i]); + assert(in); + in.seekg(0, std::ios_base::end); + const auto pos = in.tellg(); + assert(pos>=0); + in.seekg(0, std::ios_base::beg); + std::vector buf(static_cast(pos)); + in.read(buf.data(), static_cast(buf.size())); + assert(in.gcount() == pos); + LLVMFuzzerTestOneInput(fmt_fuzzer::as_bytes(buf.data()), buf.size()); + } +} diff --git a/test/fuzzing/named_arg.cpp b/test/fuzzing/named_arg.cpp new file mode 100644 index 00000000..af9890e2 --- /dev/null +++ b/test/fuzzing/named_arg.cpp 
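Review bot: `FMT_FUZZ_FORMAT_TO_STRING` and `FMT_FUZZ_SEPARATE_ALLOCATION` are defined unconditionally, so the comment's "select this at compile time" can only be done by editing the header; wrap each in `#ifndef FMT_FUZZ_FORMAT_TO_STRING` / `#endif` so `-D` on the command line (and build.sh) can flip them. The `_GLIBCXX_RELEASE >= 7` fallback hard-codes `Nfixed = 16` with nothing next to it asserting that this covers the platform's `long double` and `std::intmax_t`; each harness checks its own `Item`, but `static_assert(Nfixed >= sizeof(long double) && Nfixed >= sizeof(std::intmax_t), "Nfixed too small");` beside the constant states the invariant once. The `bool` specialisation of `assignFromBuf` is the right call (an arbitrary byte is not a valid `bool`); the generic `memcpy` path can presumably still hand `long double` a bit pattern that is not a valid value, which is acceptable for a fuzzer but deserves a comment.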
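Review bot: The reproducer in `main.cpp` handles every I/O failure with `assert`, and build.sh's `perfanalysis` configuration builds it with `-DCMAKE_BUILD_TYPE=Release`, where `NDEBUG` removes those checks: an unreadable path then leaves `in` failed, `tellg()` returns -1, and `std::vector<char>(static_cast<size_t>(-1))` throws `bad_alloc` instead of naming the file. The stream is also opened in text mode, so on Windows CRLF bytes in a crash file would be translated before they reach the harness. Open the file with `std::ios::binary`, check the stream and the byte count explicitly, and report the file name on failure; this needs `<cstdio>` and `<iterator>` in the include list (the hunk's include names are not legible here).
```cpp
int main(int argc, char* argv[]) {
  for (int i = 1; i < argc; ++i) {
    std::ifstream in(argv[i], std::ios::binary);
    if (!in) {
      std::fprintf(stderr, "%s: cannot open %s\n", argv[0], argv[i]);
      return 1;
    }
    // fuzz inputs are small; slurp the whole file in one go
    std::vector<char> buf((std::istreambuf_iterator<char>(in)),
                          std::istreambuf_iterator<char>());
    if (in.bad()) {
      std::fprintf(stderr, "%s: read error on %s\n", argv[0], argv[i]);
      return 1;
    }
    LLVMFuzzerTestOneInput(fmt_fuzzer::as_bytes(buf.data()), buf.size());
  }
  return 0;
}
```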
@@ -0,0 +1,129 @@ +// Copyright (c) 2019, Paul Dreik +// License: see LICENSE.rst in the fmt root directory + +#include +#include +#include +#include +#include +#include +#include "fuzzer_common.h" + +template +void invoke_fmt(const uint8_t* Data, std::size_t Size, unsigned int argsize) { + constexpr auto N1 = sizeof(Item1); + static_assert (N1<=fmt_fuzzer::Nfixed,"Nfixed too small"); + if (Size <= fmt_fuzzer::Nfixed) { + return; + } + const Item1 item1 = fmt_fuzzer::assignFromBuf(Data); + + Data += fmt_fuzzer::Nfixed; + Size -= fmt_fuzzer::Nfixed; + + // how many chars should be used for the argument name? + if (argsize <= 0 || argsize >= Size) { + return; + } + + // allocating buffers separately is slower, but increases chances + // of detecting memory errors +#if FMT_FUZZ_SEPARATE_ALLOCATION + std::vector argnamebuffer(argsize); + std::memcpy(argnamebuffer.data(), Data, argsize); + auto argname = fmt::string_view(argnamebuffer.data(), argsize); +#else + auto argname = fmt::string_view(fmt_fuzzer::as_chars(Data), argsize); +#endif + Data += argsize; + Size -= argsize; + +#if FMT_FUZZ_SEPARATE_ALLOCATION + // allocates as tight as possible, making it easier to catch buffer overruns. 
+ std::vector fmtstringbuffer(Size); + std::memcpy(fmtstringbuffer.data(), Data, Size); + auto fmtstring = fmt::string_view(fmtstringbuffer.data(), Size); +#else + auto fmtstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size); +#endif + +#if FMT_FUZZ_FORMAT_TO_STRING + std::string message = fmt::format(fmtstring, fmt::arg(argname, item1)); +#else + fmt::memory_buffer outbuf; + fmt::format_to(outbuf, fmtstring, fmt::arg(argname, item1)); +#endif +} + +// for dynamic dispatching to an explicit instantiation +template void invoke(int index, Callback callback) { + switch (index) { + case 0: + callback(bool{}); + break; + case 1: + callback(char{}); + break; + case 2: + using sc = signed char; + callback(sc{}); + break; + case 3: + using uc = unsigned char; + callback(uc{}); + break; + case 4: + callback(short{}); + break; + case 5: + using us = unsigned short; + callback(us{}); + break; + case 6: + callback(int{}); + break; + case 7: + callback(unsigned{}); + break; + case 8: + callback(long{}); + break; + case 9: + using ul = unsigned long; + callback(ul{}); + break; + case 10: + callback(float{}); + break; + case 11: + callback(double{}); + break; + case 12: + using LD = long double; + callback(LD{}); + break; + } +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size) { + if (Size <= 3) { + return 0; + } + + // switch types depending on the first byte of the input + const auto first = Data[0] & 0x0F; + const unsigned int second = (Data[0] & 0xF0) >> 4; + Data++; + Size--; + + auto outerfcn = [=](auto param1) { + invoke_fmt(Data, Size, second); + }; + + try { + invoke(first, outerfcn); + } catch (std::exception& /*e*/) { + } + return 0; +} + diff --git a/test/fuzzing/one_arg.cpp b/test/fuzzing/one_arg.cpp new file mode 100644 index 00000000..70b06b9b --- /dev/null +++ b/test/fuzzing/one_arg.cpp 
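Review bot: `argsize <= 0` compares an `unsigned int` against zero, which reduces to `== 0` and is the kind of construct that warning sets enabled by `FMT_PEDANTIC=ON`/`FMT_WERROR=ON` (travis-build.py) may reject — verify; write `if (argsize == 0 || argsize >= Size)`. The outer `try` swallows every `std::exception` silently, which the fuzz-mode guards rely on, but it also hides "fmt rejected the format string" and "fuzz budget exceeded" behind the same silence; a comment stating that both are expected and only crashes and sanitizer reports count as findings would help the next reader. `invoke`'s `switch` has no `default`, so `first` values 13 to 15 (the nibble is `Data[0] & 0x0F`) do nothing; that is fine, but `default: break;` makes it deliberate.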
@@ -0,0 +1,131 @@
+// Copyright (c) 2019, Paul Dreik
+// License: see LICENSE.rst in the fmt root directory
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include "fuzzer_common.h"
+
+using fmt_fuzzer::Nfixed;
+
+template
+void invoke_fmt(const uint8_t* Data, std::size_t Size) {
+ constexpr auto N = sizeof(Item);
+ static_assert (N<=Nfixed,"Nfixed is too small");
+ if (Size <= Nfixed) {
+ return;
+ }
+ const Item item = fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+
+#if FMT_FUZZ_SEPARATE_ALLOCATION
+ // allocates as tight as possible, making it easier to catch buffer overruns.
+ std::vector fmtstringbuffer(Size);
+ std::memcpy(fmtstringbuffer.data(), Data, Size);
+ auto fmtstring = fmt::string_view(fmtstringbuffer.data(), Size);
+#else
+ auto fmtstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size);
+#endif
+
+#if FMT_FUZZ_FORMAT_TO_STRING
+ std::string message = fmt::format(fmtstring, item);
+#else
+ fmt::memory_buffer message;
+ fmt::format_to(message, fmtstring, item);
+#endif
+}
+
+void invoke_fmt_time(const uint8_t* Data, std::size_t Size) {
+ using Item = std::time_t;
+ constexpr auto N = sizeof(Item);
+ static_assert (N<=Nfixed,"Nfixed too small");
+ if (Size <= Nfixed) {
+ return;
+ }
+ const Item item = fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+#if FMT_FUZZ_SEPARATE_ALLOCATION
+ // allocates as tight as possible, making it easier to catch buffer overruns.
+ std::vector fmtstringbuffer(Size);
+ std::memcpy(fmtstringbuffer.data(), Data, Size);
+ auto fmtstring = fmt::string_view(fmtstringbuffer.data(), Size);
+#else
+ auto fmtstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size);
+#endif
+ auto* b = std::localtime(&item);
+ if (b) {
+#if FMT_FUZZ_FORMAT_TO_STRING
+ std::string message = fmt::format(fmtstring, *b);
+#else
+ fmt::memory_buffer message;
+ fmt::format_to(message, fmtstring, *b);
+#endif
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size) {
+ if (Size <= 3) {
+ return 0;
+ }
+
+ const auto first = Data[0];
+ Data++;
+ Size--;
+
+ try {
+ switch (first) {
+ case 0:
+ invoke_fmt(Data, Size);
+ break;
+ case 1:
+ invoke_fmt(Data, Size);
+ break;
+ case 2:
+ invoke_fmt(Data, Size);
+ break;
+ case 3:
+ invoke_fmt(Data, Size);
+ break;
+ case 4:
+ invoke_fmt(Data, Size);
+ break;
+ case 5:
+ invoke_fmt(Data, Size);
+ break;
+ case 6:
+ invoke_fmt(Data, Size);
+ break;
+ case 7:
+ invoke_fmt(Data, Size);
+ break;
+ case 8:
+ invoke_fmt(Data, Size);
+ break;
+ case 9:
+ invoke_fmt(Data, Size);
+ break;
+ case 10:
+ invoke_fmt(Data, Size);
+ break;
+ case 11:
+ invoke_fmt(Data, Size);
+ break;
+ case 12:
+ invoke_fmt(Data, Size);
+ break;
+ case 13:
+ invoke_fmt_time(Data, Size);
+ break;
+ default:
+ break;
+ }
+ } catch (std::exception& /*e*/) {
+ }
+ return 0;
+}
diff --git a/test/fuzzing/sprintf.cpp b/test/fuzzing/sprintf.cpp
new file mode 100644
index 00000000..7dd02221
--- /dev/null
+++ b/test/fuzzing/sprintf.cpp
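Review bot: `const auto first = Data[0];` in `LLVMFuzzerTestOneInput` dispatches on the whole byte while only values 0–13 have a case, so 242 of the 256 selector values fall to `default` and discard the input; narrowing the selector to the used range (the other three harnesses mask with `Data[0] & 0x0F`) keeps more mutations productive. In `invoke_fmt_time`, `std::localtime(&item)` depends on the process time zone and returns a pointer to shared static storage, so a crash reproduced from the corpus can behave differently between machines unless TZ is pinned; `std::gmtime` would make the harness deterministic unless local-time conversion is itself something you want to cover, in which case a comment saying so would help. The null check on `b` is right, since an arbitrary `time_t` taken from the input can be unrepresentable. If fmt's `std::tm` formatter forwards the spec to the C library's `strftime`, it is also worth a comment that findings here may be libc rather than fmt bugs.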
@@ -0,0 +1,116 @@
+// Copyright (c) 2019, Paul Dreik
+// License: see LICENSE.rst in the fmt root directory
+#include
+#include
+#include
+#include
+
+#include "fuzzer_common.h"
+
+using fmt_fuzzer::Nfixed;
+
+template
+void invoke_fmt(const uint8_t* Data, std::size_t Size) {
+ constexpr auto N1 = sizeof(Item1);
+ constexpr auto N2 = sizeof(Item2);
+ static_assert(N1 <= Nfixed, "size1 exceeded");
+ static_assert(N2 <= Nfixed, "size2 exceeded");
+ if (Size <= Nfixed + Nfixed) {
+ return;
+ }
+ Item1 item1 = fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+
+ Item2 item2 = fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+
+ auto fmtstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size);
+
+#if FMT_FUZZ_FORMAT_TO_STRING
+ std::string message = fmt::format(fmtstring, item1, item2);
+#else
+ fmt::memory_buffer message;
+ fmt::format_to(message, fmtstring, item1, item2);
+#endif
+}
+
+// for dynamic dispatching to an explicit instantiation
+template void invoke(int index, Callback callback) {
+ switch (index) {
+ case 0:
+ callback(bool{});
+ break;
+ case 1:
+ callback(char{});
+ break;
+ case 2:
+ using sc = signed char;
+ callback(sc{});
+ break;
+ case 3:
+ using uc = unsigned char;
+ callback(uc{});
+ break;
+ case 4:
+ callback(short{});
+ break;
+ case 5:
+ using us = unsigned short;
+ callback(us{});
+ break;
+ case 6:
+ callback(int{});
+ break;
+ case 7:
+ callback(unsigned{});
+ break;
+ case 8:
+ callback(long{});
+ break;
+ case 9:
+ using ul = unsigned long;
+ callback(ul{});
+ break;
+ case 10:
+ callback(float{});
+ break;
+ case 11:
+ callback(double{});
+ break;
+ case 12:
+ using LD = long double;
+ callback(LD{});
+ break;
+ case 13:
+ using ptr = void*;
+ callback(ptr{});
+ break;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size) {
+ if (Size <= 3) {
+ return 0;
+ }
+
+ // switch types depending on the first byte of the input
+ const auto first = Data[0] & 0x0F;
+ const auto second = (Data[0] & 0xF0) >> 4;
+ Data++;
+ Size--;
+
+ auto outer = [=](auto param1) {
+ auto inner = [=](auto param2) {
+ invoke_fmt(Data, Size);
+ };
+ invoke(second, inner);
+ };
+
+ try {
+ invoke(first, outer);
+ } catch (std::exception& /*e*/) {
+ }
+ return 0;
+}
diff --git a/test/fuzzing/two_args.cpp b/test/fuzzing/two_args.cpp
new file mode 100644
index 00000000..8cfc4be8
--- /dev/null
+++ b/test/fuzzing/two_args.cpp
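Review bot: sprintf.cpp never calls `fmt::sprintf` — both branches of `invoke_fmt` use `fmt::format` / `fmt::format_to` exactly as two_args.cpp does, so the printf-style parser is not exercised and the only difference from two_args.cpp is the `void*` case 13 in `invoke`. If the intent is to fuzz printf formatting, the string branch should read `std::string message = fmt::sprintf(fmtstring, item1, item2);` with fmt's printf.h included, and the buffer branch needs the matching printf entry point rather than `fmt::format_to`. While the two files are being reconciled, two_args.cpp spells the same alias as `constexpr auto Nfixed=fmt_fuzzer::Nfixed;` where this file and one_arg.cpp use `using fmt_fuzzer::Nfixed;`, and writes `item1=fmt_fuzzer::assignFromBuf(Data)` without the spacing used here; picking one form keeps the four harnesses uniform.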
@@ -0,0 +1,112 @@
+// Copyright (c) 2019, Paul Dreik
+// License: see LICENSE.rst in the fmt root directory
+#include
+#include
+#include
+#include
+
+#include "fuzzer_common.h"
+
+constexpr auto Nfixed=fmt_fuzzer::Nfixed;
+
+template
+void invoke_fmt(const uint8_t* Data, std::size_t Size) {
+ constexpr auto N1 = sizeof(Item1);
+ constexpr auto N2 = sizeof(Item2);
+ static_assert(N1 <= Nfixed, "size1 exceeded");
+ static_assert(N2 <= Nfixed, "size2 exceeded");
+ if (Size <= Nfixed + Nfixed) {
+ return;
+ }
+ const Item1 item1=fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+
+ const Item2 item2=fmt_fuzzer::assignFromBuf(Data);
+ Data += Nfixed;
+ Size -= Nfixed;
+
+ auto fmtstring = fmt::string_view(fmt_fuzzer::as_chars(Data), Size);
+
+#if FMT_FUZZ_FORMAT_TO_STRING
+ std::string message = fmt::format(fmtstring, item1, item2);
+#else
+ fmt::memory_buffer message;
+ fmt::format_to(message, fmtstring, item1, item2);
+#endif
+}
+
+// for dynamic dispatching to an explicit instantiation
+template void invoke(int index, Callback callback) {
+ switch (index) {
+ case 0:
+ callback(bool{});
+ break;
+ case 1:
+ callback(char{});
+ break;
+ case 2:
+ using sc = signed char;
+ callback(sc{});
+ break;
+ case 3:
+ using uc = unsigned char;
+ callback(uc{});
+ break;
+ case 4:
+ callback(short{});
+ break;
+ case 5:
+ using us = unsigned short;
+ callback(us{});
+ break;
+ case 6:
+ callback(int{});
+ break;
+ case 7:
+ callback(unsigned{});
+ break;
+ case 8:
+ callback(long{});
+ break;
+ case 9:
+ using ul = unsigned long;
+ callback(ul{});
+ break;
+ case 10:
+ callback(float{});
+ break;
+ case 11:
+ callback(double{});
+ break;
+ case 12:
+ using LD = long double;
+ callback(LD{});
+ break;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, std::size_t Size) {
+ if (Size <= 3) {
+ return 0;
+ }
+
+ // switch types depending on the first byte of the input
+ const auto first = Data[0] & 0x0F;
+ const auto second = (Data[0] & 0xF0) >> 4;
+ Data++;
+ Size--;
+
+ auto outer = [=](auto param1) {
+ auto inner = [=](auto param2) {
+ invoke_fmt(Data, Size);
+ };
+ invoke(second, inner);
+ };
+
+ try {
+ invoke(first, outer);
+ } catch (std::exception& /*e*/) {
+ }
+ return 0;
+}