From b8c7c0a0e6ceb133f8c2e8f4ab15ca1633123fd2 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Fri, 1 Jul 2022 12:11:15 -0600 Subject: [PATCH] [fuzzer] In 50% of runs don't fail the allocator --- test/fuzzing/hb-draw-fuzzer.cc | 2 +- test/fuzzing/hb-fuzzer.hh | 16 ++++++++++++++++ test/fuzzing/hb-set-fuzzer.cc | 2 +- test/fuzzing/hb-shape-fuzzer.cc | 2 +- test/fuzzing/hb-subset-fuzzer.cc | 2 +- 5 files changed, 20 insertions(+), 4 deletions(-) diff --git a/test/fuzzing/hb-draw-fuzzer.cc b/test/fuzzing/hb-draw-fuzzer.cc index b552739ca..3c1e68c4e 100644 --- a/test/fuzzing/hb-draw-fuzzer.cc +++ b/test/fuzzing/hb-draw-fuzzer.cc @@ -118,7 +118,7 @@ static void misc_calls_for_gid (hb_face_t *face, hb_font_t *font, hb_set_t *set, extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) { - alloc_state = size; /* see src/failing-alloc.c */ + alloc_state = _fuzzing_alloc_state (data, size); hb_blob_t *blob = hb_blob_create ((const char *) data, size, HB_MEMORY_MODE_READONLY, nullptr, nullptr); diff --git a/test/fuzzing/hb-fuzzer.hh b/test/fuzzing/hb-fuzzer.hh index 52e00dd0e..b7090a94a 100644 --- a/test/fuzzing/hb-fuzzer.hh +++ b/test/fuzzing/hb-fuzzer.hh @@ -10,9 +10,25 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size); #endif #ifdef HB_IS_IN_FUZZER + /* See src/failing-alloc.c */ extern "C" int alloc_state; + #else + /* Just a dummy global variable */ static int HB_UNUSED alloc_state = 0; + #endif + +static inline int +_fuzzing_alloc_state (const uint8_t *data, size_t size) +{ + /* https://github.com/harfbuzz/harfbuzz/pull/2764#issuecomment-1172589849 */ + + /* In 50% of the runs, don't fail the allocator. */ + if (size && data[size - 1] < 0x80) + return 0; + + return size; +} diff --git a/test/fuzzing/hb-set-fuzzer.cc b/test/fuzzing/hb-set-fuzzer.cc index 613699f5d..065e54902 100644 --- a/test/fuzzing/hb-set-fuzzer.cc +++ b/test/fuzzing/hb-set-fuzzer.cc 
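Review bot: `_fuzzing_alloc_state` in the hb-fuzzer.hh hunk carries no comment stating its contract, and its `return size;` silently narrows `size_t` into the `int` that `alloc_state` is declared as; I would write `return (int) size;` and put a header comment on the function. Something like: `/* Seed for the failing allocator (see src/failing-alloc.c): 0 means no injected allocation failures, any other value enables them. The selector is the last input byte so a one-byte mutation flips modes; that byte stays part of the input the target parses. */` The narrowing is harmless for fuzzer-sized inputs, but the explicit cast keeps -Wconversion/-Wshorten-64-to-32 builds quiet and records that the truncation is intended. The "50% of the runs" in the comment holds only if the last byte is roughly uniform over the corpus; seed files that all end in the same byte (e.g. zero padding) will mostly land in one mode, which is acceptable but worth knowing when reading coverage for the OOM paths.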
@@ -38,7 +38,7 @@ static hb_set_t *create_set (const uint32_t *value_array, int count) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) { - alloc_state = size; /* see src/failing-alloc.c */ + alloc_state = _fuzzing_alloc_state (data, size); if (size < sizeof (instructions_t)) return 0; diff --git a/test/fuzzing/hb-shape-fuzzer.cc b/test/fuzzing/hb-shape-fuzzer.cc index ce6e356e0..f14f6518e 100644 --- a/test/fuzzing/hb-shape-fuzzer.cc +++ b/test/fuzzing/hb-shape-fuzzer.cc @@ -11,7 +11,7 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) { - alloc_state = size; /* see src/failing-alloc.c */ + alloc_state = _fuzzing_alloc_state (data, size); hb_blob_t *blob = hb_blob_create ((const char *)data, size, HB_MEMORY_MODE_READONLY, nullptr, nullptr); diff --git a/test/fuzzing/hb-subset-fuzzer.cc b/test/fuzzing/hb-subset-fuzzer.cc index fa95c8735..f883a3d3c 100644 --- a/test/fuzzing/hb-subset-fuzzer.cc +++ b/test/fuzzing/hb-subset-fuzzer.cc @@ -45,7 +45,7 @@ trySubset (hb_face_t *face, extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) { - alloc_state = size; /* see src/failing-alloc.c */ + alloc_state = _fuzzing_alloc_state (data, size); hb_blob_t *blob = hb_blob_create ((const char *) data, size, HB_MEMORY_MODE_READONLY, nullptr, nullptr);