From 59be24be32bf3eeec12ce19ecff6227267fc9d84 Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Thu, 4 Aug 2022 15:24:27 +0100
Subject: [PATCH 1/2] fuzz: add frames fuzzer
---
 fuzz/fuzz_frames.cc | 161 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 161 insertions(+)
 create mode 100644 fuzz/fuzz_frames.cc
diff --git a/fuzz/fuzz_frames.cc b/fuzz/fuzz_frames.cc
new file mode 100644
index 00000000..e6d6e650
--- /dev/null
+++ b/fuzz/fuzz_frames.cc
@@ -0,0 +1,161 @@ +#include +#include + +extern "C" { +#include +#include "nghttp2_hd.h" +#include "nghttp2_frame.h" + +#include "nghttp2_test_helper.h" + +#define HEADERS_LENGTH 7 + +static nghttp2_nv fuzz_make_nv(std::string s1, std::string s2) { + nghttp2_nv nv; + uint8_t *n = (uint8_t*) malloc(s1.size()); + memcpy(n, s1.c_str(), s1.size()); + + uint8_t *v = (uint8_t*) malloc(s2.size()); + memcpy(v, s2.c_str(), s2.size()); + + nv.name = n; + nv.value = v; + nv.namelen = s1.size(); + nv.valuelen = s2.size(); + nv.flags = NGHTTP2_NV_FLAG_NONE; + + return nv; +} + +static void fuzz_free_nv(nghttp2_nv *nv) { + free(nv->name); + free(nv->value); +} + +static nghttp2_nv *fuzz_headers(nghttp2_mem *mem, + FuzzedDataProvider* data_provider) { + nghttp2_nv *nva = (nghttp2_nv *)mem->malloc( + sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL); + return nva; +} + +void check_frame_pack_headers(FuzzedDataProvider* data_provider) { + nghttp2_hd_deflater deflater; + nghttp2_hd_inflater inflater; + nghttp2_headers frame, oframe; + nghttp2_bufs bufs; + nghttp2_nv *nva; + nghttp2_priority_spec pri_spec; + size_t nvlen; + nva_out out; + size_t hdblocklen; + int rv; + nghttp2_mem *mem; + + mem = nghttp2_mem_default(); + frame_pack_bufs_init(&bufs); + + nva_out_init(&out); + nghttp2_hd_deflate_init(&deflater, mem); + nghttp2_hd_inflate_init(&inflater, mem); + + /* Create a set of headers seeded with data from the fuzzer */ + nva = (nghttp2_nv *)mem->malloc(sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL); + for (int i = 0; i < HEADERS_LENGTH; i++) { + nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30), + data_provider->ConsumeRandomLengthString(300)); + } + + nvlen = HEADERS_LENGTH; + nghttp2_priority_spec_default_init(&pri_spec); + nghttp2_frame_headers_init( + &frame, NGHTTP2_FLAG_END_STREAM | NGHTTP2_FLAG_END_HEADERS, 1000000007, + NGHTTP2_HCAT_REQUEST, &pri_spec, nva, nvlen); + + /* Perform a set of operations with the fuzz data */ + rv = nghttp2_frame_pack_headers(&bufs, 
&frame, &deflater); + unpack_framebuf((nghttp2_frame *)&oframe, &bufs); + + inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN, mem); + nva_out_reset(&out, mem); + + nghttp2_nv *nva2 = NULL; + rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem); + nghttp2_nv_array_del(nva2, mem); + + /* Cleanup */ + for (int i = 0; i < HEADERS_LENGTH; i++) { + fuzz_free_nv(&nva[i]); + } + + nghttp2_bufs_reset(&bufs); + nghttp2_bufs_free(&bufs); + + nghttp2_frame_headers_free(&frame, mem); + nghttp2_hd_inflate_free(&inflater); + nghttp2_hd_deflate_free(&deflater); +} + +void check_frame_push_promise(FuzzedDataProvider* data_provider) { + nghttp2_hd_deflater deflater; + nghttp2_hd_inflater inflater; + nghttp2_push_promise frame, oframe; + nghttp2_bufs bufs; + nghttp2_nv *nva; + nghttp2_priority_spec pri_spec; + size_t nvlen; + nva_out out; + size_t hdblocklen; + int rv; + nghttp2_mem *mem; + + mem = nghttp2_mem_default(); + frame_pack_bufs_init(&bufs); + + nva_out_init(&out); + nghttp2_hd_deflate_init(&deflater, mem); + nghttp2_hd_inflate_init(&inflater, mem); + + /* Create a set of headers seeded with data from the fuzzer */ + nva = (nghttp2_nv *)mem->malloc(sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL); + for (int i = 0; i < HEADERS_LENGTH; i++) { + nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30), + data_provider->ConsumeRandomLengthString(300)); + } + nvlen = HEADERS_LENGTH; + nghttp2_priority_spec_default_init(&pri_spec); + + /* Perform a set of operations with the fuzz data */ + nghttp2_frame_push_promise_init(&frame, NGHTTP2_FLAG_END_HEADERS, 1000000007, + (1U << 31) - 1, nva, nvlen); + + rv = nghttp2_frame_pack_push_promise(&bufs, &frame, &deflater); + unpack_framebuf((nghttp2_frame *)&oframe, &bufs); + + nghttp2_nv *nva2 = NULL; + rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem); + nghttp2_nv_array_del(nva2, mem); + + /* Cleanup */ + for (int i = 0; i < HEADERS_LENGTH; i++) { + fuzz_free_nv(&nva[i]); + } + + nghttp2_bufs_reset(&bufs); + 
nghttp2_bufs_free(&bufs); + + nghttp2_frame_push_promise_free(&frame, mem); + nghttp2_hd_inflate_free(&inflater); + nghttp2_hd_deflate_free(&deflater); +} + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider data_provider(data, size); + + check_frame_pack_headers(&data_provider); + check_frame_push_promise(&data_provider); + return 0; +} + +} // extern C + From 651f3bfce2df19c355b14ecdd6bc47be1bafbbb3 Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Tue, 9 Aug 2022 15:34:04 +0100 Subject: [PATCH 2/2] cleanup --- fuzz/fuzz_frames.cc | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/fuzz/fuzz_frames.cc b/fuzz/fuzz_frames.cc index e6d6e650..511625ff 100644 --- a/fuzz/fuzz_frames.cc +++ b/fuzz/fuzz_frames.cc @@ -32,13 +32,6 @@ static void fuzz_free_nv(nghttp2_nv *nv) { free(nv->value); } -static nghttp2_nv *fuzz_headers(nghttp2_mem *mem, - FuzzedDataProvider* data_provider) { - nghttp2_nv *nva = (nghttp2_nv *)mem->malloc( - sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL); - return nva; -} - void check_frame_pack_headers(FuzzedDataProvider* data_provider) { nghttp2_hd_deflater deflater; nghttp2_hd_inflater inflater; 
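Review bot: fuzz_make_nv never checks the two malloc() results and, because ConsumeRandomLengthString can return an empty string, it passes a malloc(0) pointer — which may be NULL on some allocators — to memcpy(), something UBSan reports as a null argument and that would show up as a spurious crash in this harness rather than a library bug. Allocating one extra byte and aborting on failure keeps the request non-zero and makes an out-of-memory explicit: `uint8_t *n = (uint8_t *)malloc(s1.size() + 1);` / `uint8_t *v = (uint8_t *)malloc(s2.size() + 1);` / `if (n == NULL || v == NULL) abort();`. Separately, LLVMFuzzerTestOneInput feeds one provider to check_frame_pack_headers first, whose seven ConsumeRandomLengthString(30)/(300) calls can consume on the order of 2.3 KB, so for typical inputs check_frame_push_promise presumably runs on an exhausted provider with all-empty headers; consuming a selector byte up front, or splitting the input between the two checkers, would keep both paths fed. The hdblocklen local declared in both checkers is never used.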
@@ -74,23 +67,26 @@ void check_frame_pack_headers(FuzzedDataProvider* data_provider) {
 /* Perform a set of operations with the fuzz data */
 rv = nghttp2_frame_pack_headers(&bufs,
 &frame, &deflater);
- unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
+ if (rv == 0) {
+ unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
 
- inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN, mem);
- nva_out_reset(&out, mem);
+ inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN, mem);
+ nva_out_reset(&out, mem);
+ nghttp2_bufs_reset(&bufs);
+ }
 
 nghttp2_nv *nva2 = NULL;
 rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
- nghttp2_nv_array_del(nva2, mem);
+ if (rv == 0) {
+ nghttp2_nv_array_del(nva2, mem);
+ }
 
 /* Cleanup */
 for (int i = 0; i < HEADERS_LENGTH; i++) {
 fuzz_free_nv(&nva[i]);
 }
 
- nghttp2_bufs_reset(&bufs);
 nghttp2_bufs_free(&bufs);
-
 nghttp2_frame_headers_free(&frame, mem);
 nghttp2_hd_inflate_free(&inflater);
 nghttp2_hd_deflate_free(&deflater);
@@ -130,11 +126,15 @@ void check_frame_push_promise(FuzzedDataProvider* data_provider) {
 (1U << 31) - 1, nva, nvlen);
 
 rv = nghttp2_frame_pack_push_promise(&bufs, &frame, &deflater);
- unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
+ if (rv == 0) {
+ unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
+ }
 
 nghttp2_nv *nva2 = NULL;
 rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
- nghttp2_nv_array_del(nva2, mem);
+ if (rv == 0) {
+ nghttp2_nv_array_del(nva2, mem);
+ }
 
 /* Cleanup */
 for (int i = 0; i < HEADERS_LENGTH; i++) {
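Review bot: Inside the new rv == 0 block the results of unpack_framebuf and inflate_hd are still discarded, so the harness only detects sanitizer-visible crashes and cannot tell when pack→unpack→inflate stops round-tripping the seven headers it built. Checking the unpack result and the inflated entry count turns the block into an oracle: `if (unpack_framebuf((nghttp2_frame *)&oframe, &bufs) != 0) abort();` and, after inflate_hd, `if (out.nvlen != nvlen) abort();` (assuming nva_out exposes the inflated count as nghttp2's test helpers do — confirm against nghttp2_test_helper.h). A non-zero rv from nghttp2_frame_pack_headers now silently skips the whole block; for seven headers bounded at 30/300 bytes a failure is presumably not expected either and may deserve the same abort rather than being swallowed. check_frame_pack_headers starts outside the hunk.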
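Review bot: The PUSH_PROMISE path still never decodes the header block it just packed: inside the new rv == 0 guard nothing reads bufs after unpack_framebuf, and the inflater and out that the function initialises earlier (visible in the first patch) go unused, so HPACK inflation is only exercised on the HEADERS path. Mirroring check_frame_pack_headers would cover it: after the unpack call add `inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN + 4, mem);` and `nva_out_reset(&out, mem);`, where the extra 4 bytes skip the promised-stream-id field that precedes the header block in a PUSH_PROMISE payload (confirm the offset against nghttp2's own push_promise unit test). The unpack_framebuf result is discarded here as well. The enclosing function starts and ends outside the hunk.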