| 1 | //===-- printf_parser_fuzz.cpp --------------------------------------------===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | /// |
| 9 | /// Fuzzing test for llvm-libc qsort implementation. |
| 10 | /// |
| 11 | //===----------------------------------------------------------------------===// |
| 12 | |
| 13 | #include "src/__support/arg_list.h" |
| 14 | #include "src/stdio/printf_core/parser.h" |
| 15 | |
| 16 | #include <stdarg.h> |
| 17 | #include <stdint.h> |
| 18 | |
| 19 | using namespace LIBC_NAMESPACE; |
| 20 | |
| 21 | // The design for the printf parser fuzzer is fairly simple. The parser uses a |
| 22 | // mock arg list that will never fail, and is passed a randomized string. The |
| 23 | // format sections it outputs are checked against a count of the number of '%' |
| 24 | // signs are in the original string. This is a fairly basic test, and the main |
| 25 | // intent is to run this under sanitizers, which will check for buffer overruns. |
| 26 | extern "C"int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
| 27 | char *in_str = new char[size + 1]; |
| 28 | |
| 29 | for (size_t i = 0; i < size; ++i) |
| 30 | in_str[i] = data[i]; |
| 31 | |
| 32 | in_str[size] = '\0'; |
| 33 | |
| 34 | auto mock_arg_list = internal::MockArgList(); |
| 35 | |
| 36 | auto parser = |
| 37 | printf_core::Parser<internal::MockArgList>(in_str, mock_arg_list); |
| 38 | |
| 39 | int str_percent_count = 0; |
| 40 | |
| 41 | for (size_t i = 0; i < size && in_str[i] != '\0'; ++i) { |
| 42 | if (in_str[i] == '%') { |
| 43 | ++str_percent_count; |
| 44 | } |
| 45 | } |
| 46 | |
| 47 | int section_percent_count = 0; |
| 48 | |
| 49 | for (printf_core::FormatSection cur_section = parser.get_next_section(); |
| 50 | !cur_section.raw_string.empty(); |
| 51 | cur_section = parser.get_next_section()) { |
| 52 | if (cur_section.has_conv) { |
| 53 | ++section_percent_count; |
| 54 | if (cur_section.conv_name == '%') { |
| 55 | ++section_percent_count; |
| 56 | } |
| 57 | } else if (cur_section.raw_string[0] == '%') { |
| 58 | // If the conversion would be undefined, it's instead raw, but it still |
| 59 | // starts with a %. |
| 60 | ++section_percent_count; |
| 61 | } |
| 62 | } |
| 63 | |
| 64 | if (str_percent_count != section_percent_count) { |
| 65 | __builtin_trap(); |
| 66 | } |
| 67 | |
| 68 | delete[] in_str; |
| 69 | return 0; |
| 70 | } |
| 71 |