| // Copyright 2020 The Pigweed Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| // use this file except in compliance with the License. You may obtain a copy of |
| // the License at |
| // |
| // https://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| // License for the specific language governing permissions and limitations under |
| // the License. |
| |
| // This is a simple example of how to write a fuzzer. The target function is |
| // crafted to demonstrates how the fuzzer can analyze conditional branches and |
| // incrementally cover more and more code until a defect is found. |
| // |
| // See build_and_run_toy_fuzzer.sh for examples of how you can build and run |
| // this example. |
| |
| #include <cstddef> |
| #include <cstdint> |
| #include <cstring> |
| |
| #include "pw_string/util.h" |
| |
| namespace { |
| |
| // The code to fuzz. This would normally be in separate library. |
| void toy_example(const char* word1, const char* word2) { |
| bool greeted = false; |
| if (word1[0] == 'h') { |
| if (word1[1] == 'e') { |
| if (word1[2] == 'l') { |
| if (word1[3] == 'l') { |
| if (word1[4] == 'o') { |
| greeted = true; |
| } |
| } |
| } |
| } |
| } |
| if (word2[0] == 'w') { |
| if (word2[1] == 'o') { |
| if (word2[2] == 'r') { |
| if (word2[3] == 'l') { |
| if (word2[4] == 'd') { |
| if (greeted) { |
| // Our "defect", simulating a crash. |
| __builtin_trap(); |
| } |
| } |
| } |
| } |
| } |
| } |
| } |
| |
| } // namespace |
| |
| // The fuzz target function |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| // We want to split our input into two strings. |
| const char* word1 = reinterpret_cast<const char*>(data); |
| |
| // If that's not feasible, toss this input. The fuzzer will quickly learn that |
| // inputs without null-terminators are uninteresting. |
| size_t offset = pw::string::Length(word1, size) + 1; |
| if (offset >= size) { |
| return 0; |
| } |
| |
| // Actually, inputs without TWO null terminators are uninteresting. |
| const char* word2 = reinterpret_cast<const char*>(&data[offset]); |
| size -= offset; |
| if (pw::string::Length(word2, size) == size) { |
| return 0; |
| } |
| |
| // Call the code we're targeting! |
| toy_example(word1, word2); |
| |
| // By convention, the fuzzer always returns zero. |
| return 0; |
| } |