blob: bcbaef1c43119c931b54b87012035e6306a10cc2 [file] [log] [blame]
// Copyright 2020 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
// This is a simple example of how to write a fuzzer. The target function is
// crafted to demonstrates how the fuzzer can analyze conditional branches and
// incrementally cover more and more code until a defect is found.
//
// See build_and_run_toy_fuzzer.sh for examples of how you can build and run
// this example.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include "pw_string/util.h"
namespace {
// The code to fuzz. This would normally be in separate library.
void toy_example(const char* word1, const char* word2) {
bool greeted = false;
if (word1[0] == 'h') {
if (word1[1] == 'e') {
if (word1[2] == 'l') {
if (word1[3] == 'l') {
if (word1[4] == 'o') {
greeted = true;
}
}
}
}
}
if (word2[0] == 'w') {
if (word2[1] == 'o') {
if (word2[2] == 'r') {
if (word2[3] == 'l') {
if (word2[4] == 'd') {
if (greeted) {
// Our "defect", simulating a crash.
__builtin_trap();
}
}
}
}
}
}
}
} // namespace
// The fuzz target function
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// We want to split our input into two strings.
const char* word1 = reinterpret_cast<const char*>(data);
// If that's not feasible, toss this input. The fuzzer will quickly learn that
// inputs without null-terminators are uninteresting.
size_t offset = pw::string::Length(word1, size) + 1;
if (offset >= size) {
return 0;
}
// Actually, inputs without TWO null terminators are uninteresting.
const char* word2 = reinterpret_cast<const char*>(&data[offset]);
size -= offset;
if (pw::string::Length(word2, size) == size) {
return 0;
}
// Call the code we're targeting!
toy_example(word1, word2);
// By convention, the fuzzer always returns zero.
return 0;
}