| /* |
| * Copyright 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <fuzzer/FuzzedDataProvider.h> |
| #include "osi/include/allocator.h" |
| #include "osi/test/fuzzers/include/libosiFuzzHelperFunctions.h" |
| |
| #define MAX_NUM_FUNCTIONS 512 |
| #define MAX_BUF_SIZE 256 |
| |
| void callArbitraryFunction(std::vector<void*>* alloc_vector, |
| FuzzedDataProvider* dataProvider) { |
| // Get our function identifier |
| char func_id = dataProvider->ConsumeIntegralInRange<char>(0, 6); |
| |
| switch (func_id) { |
| // Let 0 be a NO-OP, as ConsumeIntegral will return 0 on an empty buffer |
| // (This will likely bias whatever action is here to run more often) |
| case 0: |
| return; |
| // Let case 1 be osi_malloc, and 2 be osi_calloc |
| case 1: |
| case 2: { |
| size_t size = |
| dataProvider->ConsumeIntegralInRange<size_t>(0, MAX_BUF_SIZE); |
| void* ptr = nullptr; |
| if (size == 0) { |
| return; |
| } |
| if (func_id == 1) { |
| ptr = osi_malloc(size); |
| } else { |
| ptr = osi_calloc(size); |
| } |
| if (ptr) { |
| alloc_vector->push_back(ptr); |
| } |
| } |
| return; |
| // Let case 3 be osi_free, and 4 be osi_free_and_reset |
| case 3: |
| case 4: { |
| if (alloc_vector->size() == 0) { |
| return; |
| } |
| size_t index = dataProvider->ConsumeIntegralInRange<size_t>( |
| 0, alloc_vector->size() - 1); |
| void* ptr = alloc_vector->at(index); |
| if (ptr) { |
| if (func_id == 3) { |
| osi_free(ptr); |
| } else { |
| osi_free_and_reset(&ptr); |
| } |
| } |
| alloc_vector->erase(alloc_vector->begin() + index); |
| } |
| return; |
| // Let case 5 be osi_strdup, and 6 be osi_strdup |
| case 5: |
| case 6: { |
| // Make a src buffer |
| char* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, true); |
| char* str = nullptr; |
| if (buf == nullptr) { |
| return; |
| } |
| if (func_id == 5) { |
| str = osi_strdup(buf); |
| } else { |
| size_t size = |
| dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUF_SIZE); |
| str = osi_strndup(buf, size); |
| } |
| free(buf); |
| if (str) { |
| alloc_vector->push_back(str); |
| } |
| } |
| return; |
| default: |
| return; |
| } |
| } |
| |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) { |
| // Init our wrapper |
| FuzzedDataProvider dataProvider(Data, Size); |
| |
| // Keep a vector of our allocated objects for freeing later |
| std::vector<void*> alloc_vector; |
| // Call some functions, create some buffers |
| size_t num_functions = |
| dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_FUNCTIONS); |
| for (size_t i = 0; i < num_functions; i++) { |
| callArbitraryFunction(&alloc_vector, &dataProvider); |
| } |
| // Free anything we've allocated |
| for (const auto& alloc : alloc_vector) { |
| if (alloc != nullptr) { |
| osi_free(alloc); |
| } |
| } |
| alloc_vector.clear(); |
| return 0; |
| } |