walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[fuzzer] In 50% of runs don't fail the allocator

This commit is contained in:
Behdad Esfahbod 2022-07-01 12:11:15 -06:00
parent 14b018124c
commit b8c7c0a0e6
5 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
test/fuzzing/hb-draw-fuzzer.cc
View File

@ -118,7 +118,7 @@ static void misc_calls_for_gid (hb_face_t *face, hb_font_t *font, hb_set_t *set,
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{ {
alloc_state = size; /* see src/failing-alloc.c */ alloc_state = _fuzzing_alloc_state (data, size);
hb_blob_t *blob = hb_blob_create ((const char *) data, size, hb_blob_t *blob = hb_blob_create ((const char *) data, size,
HB_MEMORY_MODE_READONLY, nullptr, nullptr); HB_MEMORY_MODE_READONLY, nullptr, nullptr);

16
test/fuzzing/hb-fuzzer.hh
View File

@ -10,9 +10,25 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size);
#endif #endif
#ifdef HB_IS_IN_FUZZER #ifdef HB_IS_IN_FUZZER
/* See src/failing-alloc.c */ /* See src/failing-alloc.c */
extern "C" int alloc_state; extern "C" int alloc_state;
#else #else
/* Just a dummy global variable */ /* Just a dummy global variable */
static int HB_UNUSED alloc_state = 0; static int HB_UNUSED alloc_state = 0;
#endif #endif
static inline int
_fuzzing_alloc_state (const uint8_t *data, size_t size)
{
/* https://github.com/harfbuzz/harfbuzz/pull/2764#issuecomment-1172589849 */
/* In 50% of the runs, don't fail the allocator. */
if (size && data[size - 1] < 0x80)
return 0;
return size;
}

2
test/fuzzing/hb-set-fuzzer.cc
View File

@ -38,7 +38,7 @@ static hb_set_t *create_set (const uint32_t *value_array, int count)
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{ {
alloc_state = size; /* see src/failing-alloc.c */ alloc_state = _fuzzing_alloc_state (data, size);
if (size < sizeof (instructions_t)) if (size < sizeof (instructions_t))
return 0; return 0;

2
test/fuzzing/hb-shape-fuzzer.cc
View File

@ -11,7 +11,7 @@
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{ {
alloc_state = size; /* see src/failing-alloc.c */ alloc_state = _fuzzing_alloc_state (data, size);
hb_blob_t *blob = hb_blob_create ((const char *)data, size, hb_blob_t *blob = hb_blob_create ((const char *)data, size,
HB_MEMORY_MODE_READONLY, nullptr, nullptr); HB_MEMORY_MODE_READONLY, nullptr, nullptr);

2
test/fuzzing/hb-subset-fuzzer.cc
View File

@ -45,7 +45,7 @@ trySubset (hb_face_t *face,
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
{ {
alloc_state = size; /* see src/failing-alloc.c */ alloc_state = _fuzzing_alloc_state (data, size);
hb_blob_t *blob = hb_blob_create ((const char *) data, size, hb_blob_t *blob = hb_blob_create ((const char *) data, size,
HB_MEMORY_MODE_READONLY, nullptr, nullptr); HB_MEMORY_MODE_READONLY, nullptr, nullptr);