Improve libcppbor parser fuzzing
The parser should be fuzzed with arbitrary inputs including valid and
invaild examples. The corpus contains valid examples of encoded CBOR so
only use that for fuzzing the parser and directly pass the fuzz input
data to the parser.
libcppbor has a number of slightly different APIs for the parser so use
a number of them to parse the same input to get wider coverage.
Test: SANITIZE_HOST=address SANITIZE_TARGET=hwaddress make cppbor_parser_fuzzer
&& cppbor_parser_fuzzer corpus/
Change-Id: I9fc9b979fa21295ead9f6ae363e9f380009ac819
diff --git a/fuzzing/orphans/libcppbor/Android.bp b/fuzzing/orphans/libcppbor/Android.bp
index 8bc0436..3bb20f9 100644
--- a/fuzzing/orphans/libcppbor/Android.bp
+++ b/fuzzing/orphans/libcppbor/Android.bp
@@ -24,6 +24,17 @@
shared_libs: [
"libcppbor_external",
],
+ host_supported: true,
+}
+
+cc_fuzz {
+ name: "cppbor_parse_fuzzer",
+ srcs: [
+ "cppbor_parse_fuzzer.cpp",
+ ],
+ shared_libs: [
+ "libcppbor_external",
+ ],
corpus: ["corpus/*.cbor"],
host_supported: true,
}
diff --git a/fuzzing/orphans/libcppbor/cppbor_parse_fuzzer.cpp b/fuzzing/orphans/libcppbor/cppbor_parse_fuzzer.cpp
new file mode 100644
index 0000000..52ed8ad
--- /dev/null
+++ b/fuzzing/orphans/libcppbor/cppbor_parse_fuzzer.cpp
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <cppbor_parse.h>
+
+using namespace cppbor;
+
+class FuzzParseClient : public ParseClient {
+ public:
+ virtual ParseClient* item(std::unique_ptr<Item>&, const uint8_t*, const uint8_t*,
+ const uint8_t*) override {
+ return this;
+ }
+ virtual ParseClient* itemEnd(std::unique_ptr<Item>&, const uint8_t*, const uint8_t*,
+ const uint8_t*) override {
+ return this;
+ }
+ virtual void error(const uint8_t*, const std::string&) override {}
+};
+
+void FuzzParse(const uint8_t* data, size_t size) {
+ const uint8_t* cursor = data;
+ const uint8_t* end = data + size;
+ while (cursor < end) {
+ auto [item, newPos, errMsg] = parse(cursor, end);
+ if (!item || !errMsg.empty()) {
+ return;
+ }
+ cursor = newPos;
+ }
+}
+
+void FuzzParseWithViews(const uint8_t* data, size_t size) {
+ const uint8_t* cursor = data;
+ const uint8_t* end = data + size;
+ while (cursor < end) {
+ auto [item, newPos, errMsg] = parseWithViews(cursor, end);
+ if (!item || !errMsg.empty()) {
+ return;
+ }
+ cursor = newPos;
+ }
+}
+
+void FuzzParseWithClient(const uint8_t* data, size_t size) {
+ const uint8_t* end = data + size;
+ FuzzParseClient parseClient;
+ parse(data, end, &parseClient);
+}
+
+void FuzzParseWithClientAndViews(const uint8_t* data, size_t size) {
+ const uint8_t* end = data + size;
+ FuzzParseClient parseClient;
+ parseWithViews(data, end, &parseClient);
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ FuzzParse(data, size);
+ FuzzParseWithViews(data, size);
+ FuzzParseWithClient(data, size);
+ FuzzParseWithClientAndViews(data, size);
+ return 0;
+}
