[fuzz] Implement failing allocator
This commit is contained in:
parent
44a3136ae6
commit
c33e8006fd
|
@ -0,0 +1,57 @@
|
|||
/*
|
||||
* Copyright © 2020 Ebrahim Byagowi
|
||||
*
|
||||
* This is part of HarfBuzz, a text shaping library.
|
||||
*
|
||||
* Permission is hereby granted, without written agreement and without
|
||||
* license or royalty fees, to use, copy, modify, and distribute this
|
||||
* software and its documentation for any purpose, provided that the
|
||||
* above copyright notice and the following two paragraphs appear in
|
||||
* all copies of this software.
|
||||
*
|
||||
* IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
|
||||
* DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
|
||||
* ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
|
||||
* IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
|
||||
* DAMAGE.
|
||||
*
|
||||
* THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
|
||||
* BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
|
||||
* ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
|
||||
* PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
int alloc_state = 0;
|
||||
|
||||
__attribute__((no_sanitize("integer")))
|
||||
static int fastrand ()
|
||||
{
|
||||
if (!alloc_state) return 1;
|
||||
/* Based on https://software.intel.com/content/www/us/en/develop/articles/fast-random-number-generator-on-the-intel-pentiumr-4-processor.html */
|
||||
alloc_state = (214013 * alloc_state + 2531011);
|
||||
return (alloc_state >> 16) & 0x7FFF;
|
||||
}
|
||||
|
||||
void* hb_malloc_impl (size_t size)
|
||||
{
|
||||
return (fastrand () % 16) ? malloc (size) : NULL;
|
||||
}
|
||||
|
||||
void* hb_calloc_impl (size_t nmemb, size_t size)
|
||||
{
|
||||
return (fastrand () % 16) ? calloc (nmemb, size) : NULL;
|
||||
}
|
||||
|
||||
void* hb_realloc_impl (void *ptr, size_t size)
|
||||
{
|
||||
return (fastrand () % 16) ? realloc (ptr, size) : NULL;
|
||||
}
|
||||
|
||||
void hb_free_impl (void *ptr)
|
||||
{
|
||||
return free (ptr);
|
||||
}
|
|
@ -397,6 +397,14 @@ else
|
|||
hb_so_version = '0'
|
||||
endif
|
||||
|
||||
if get_option('fuzzer_ldflags') != ''
|
||||
extra_hb_cpp_args += ['-DHB_CUSTOM_MALLOC']
|
||||
hb_sources += 'failing-alloc.c'
|
||||
hb_subset_sources += 'failing-alloc.c'
|
||||
hb_icu_sources += 'failing-alloc.c'
|
||||
hb_gobject_sources += 'failing-alloc.c'
|
||||
endif
|
||||
|
||||
libharfbuzz = library('harfbuzz', hb_sources,
|
||||
include_directories: incconfig,
|
||||
dependencies: harfbuzz_deps,
|
||||
|
|
|
@ -115,6 +115,8 @@ static void misc_calls_for_gid (hb_face_t *face, hb_font_t *font, hb_set_t *set,
|
|||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||
{
|
||||
alloc_state = size; /* see src/failing-alloc.c */
|
||||
|
||||
hb_blob_t *blob = hb_blob_create ((const char *) data, size,
|
||||
HB_MEMORY_MODE_READONLY, nullptr, nullptr);
|
||||
hb_face_t *face = hb_face_create (blob, 0);
|
||||
|
|
|
@ -2,3 +2,11 @@
|
|||
#include <stddef.h>
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
|
||||
|
||||
#ifdef HB_IS_IN_FUZZER
|
||||
/* See src/failing-alloc.c */
|
||||
extern "C" int alloc_state;
|
||||
#else
|
||||
/* Just a dummy global variable */
|
||||
static int alloc_state = 0;
|
||||
#endif
|
||||
|
|
|
@ -32,6 +32,8 @@ static hb_set_t *create_set (const uint32_t *value_array, int count)
|
|||
|
||||
extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
|
||||
{
|
||||
alloc_state = size; /* see src/failing-alloc.c */
|
||||
|
||||
if (size < sizeof (instructions_t))
|
||||
return 0;
|
||||
|
||||
|
|
|
@ -33,7 +33,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
|||
hb_buffer_t *buffer = hb_buffer_create ();
|
||||
hb_buffer_add_utf8 (buffer, text, -1, 0, -1);
|
||||
hb_buffer_guess_segment_properties (buffer);
|
||||
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
|
||||
hb_shape (font, buffer, nullptr, 0);
|
||||
alloc_state = 0; /* no failing alloc, TODO: remove */
|
||||
hb_buffer_destroy (buffer);
|
||||
}
|
||||
|
||||
|
@ -45,12 +47,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
|||
memcpy (text32, data + size - len, len);
|
||||
|
||||
/* Misc calls on font. */
|
||||
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
|
||||
text32[10] = test_font (font, text32[15]) % 256;
|
||||
alloc_state = 0; /* no failing alloc, TODO: remove */
|
||||
|
||||
hb_buffer_t *buffer = hb_buffer_create ();
|
||||
hb_buffer_add_utf32 (buffer, text32, sizeof (text32) / sizeof (text32[0]), 0, -1);
|
||||
hb_buffer_guess_segment_properties (buffer);
|
||||
alloc_state = size; /* see src/failing-alloc.c TODO: move to top */
|
||||
hb_shape (font, buffer, nullptr, 0);
|
||||
alloc_state = 0; /* no failing alloc, TODO: remove */
|
||||
hb_buffer_destroy (buffer);
|
||||
|
||||
hb_font_destroy (font);
|
||||
|
|
|
@ -67,6 +67,8 @@ trySubset (hb_face_t *face,
|
|||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||
{
|
||||
alloc_state = size; /* see src/failing-alloc.c */
|
||||
|
||||
hb_blob_t *blob = hb_blob_create ((const char *)data, size,
|
||||
HB_MEMORY_MODE_READONLY, nullptr, nullptr);
|
||||
hb_face_t *face = hb_face_create (blob, 0);
|
||||
|
|
|
@ -10,15 +10,17 @@ foreach file_name : tests
|
|||
|
||||
sources = [file_name]
|
||||
fuzzer_ldflags = []
|
||||
extra_cpp_args = []
|
||||
|
||||
if get_option('fuzzer_ldflags') == ''
|
||||
sources += 'main.cc'
|
||||
else
|
||||
fuzzer_ldflags += get_option('fuzzer_ldflags').split()
|
||||
extra_cpp_args += '-DHB_IS_IN_FUZZER'
|
||||
endif
|
||||
|
||||
exe = executable(test_name, sources,
|
||||
cpp_args: cpp_args,
|
||||
cpp_args: cpp_args + extra_cpp_args,
|
||||
include_directories: [incconfig, incsrc],
|
||||
link_args: fuzzer_ldflags,
|
||||
link_with: [libharfbuzz, libharfbuzz_subset],
|
||||
|
|
Loading…
Reference in New Issue