mirror of
https://gitlab.gnome.org/GNOME/glib.git
synced 2024-12-24 14:36:13 +01:00
fuzzing: Add fuzz tests for GDataInputStream’s complex read methods
While reading a single byte or uint16 from an input stream is fairly simple and uncontroversial, the code to read a line or read up to any of a set of stop characters is not so trivial. People may be using `GDataInputStream` to parse untrusted input like this, so we should probably test that it’s robust against a variety of input conditions. Signed-off-by: Philip Withnall <pwithnall@gnome.org>
This commit is contained in:
parent
26d8553af5
commit
2732650bfb
44
fuzzing/fuzz_data_input_stream_read_line.c
Normal file
44
fuzzing/fuzz_data_input_stream_read_line.c
Normal file
@ -0,0 +1,44 @@
|
||||
/*
|
||||
* Copyright 2024 GNOME Foundation, Inc.
|
||||
*
|
||||
* SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "fuzz.h"
|
||||
|
||||
int
|
||||
LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
|
||||
{
|
||||
GInputStream *base_stream = NULL;
|
||||
GDataInputStream *input_stream = NULL;
|
||||
char *line = NULL;
|
||||
size_t line_length = 0;
|
||||
|
||||
fuzz_set_logging_func ();
|
||||
|
||||
base_stream = g_memory_input_stream_new_from_data (data, size, NULL);
|
||||
input_stream = g_data_input_stream_new (base_stream);
|
||||
|
||||
line = g_data_input_stream_read_line (input_stream, &line_length, NULL, NULL);
|
||||
g_assert (line != NULL || line_length == 0);
|
||||
g_assert (line_length <= size);
|
||||
g_free (line);
|
||||
|
||||
g_clear_object (&input_stream);
|
||||
g_clear_object (&base_stream);
|
||||
|
||||
return 0;
|
||||
}
|
44
fuzzing/fuzz_data_input_stream_read_line_utf8.c
Normal file
44
fuzzing/fuzz_data_input_stream_read_line_utf8.c
Normal file
@ -0,0 +1,44 @@
|
||||
/*
|
||||
* Copyright 2024 GNOME Foundation, Inc.
|
||||
*
|
||||
* SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "fuzz.h"
|
||||
|
||||
int
|
||||
LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
|
||||
{
|
||||
GInputStream *base_stream = NULL;
|
||||
GDataInputStream *input_stream = NULL;
|
||||
char *line = NULL;
|
||||
size_t line_length = 0;
|
||||
|
||||
fuzz_set_logging_func ();
|
||||
|
||||
base_stream = g_memory_input_stream_new_from_data (data, size, NULL);
|
||||
input_stream = g_data_input_stream_new (base_stream);
|
||||
|
||||
line = g_data_input_stream_read_line_utf8 (input_stream, &line_length, NULL, NULL);
|
||||
g_assert (line != NULL || line_length == 0);
|
||||
g_assert (line_length <= size);
|
||||
g_free (line);
|
||||
|
||||
g_clear_object (&input_stream);
|
||||
g_clear_object (&base_stream);
|
||||
|
||||
return 0;
|
||||
}
|
76
fuzzing/fuzz_data_input_stream_read_upto.c
Normal file
76
fuzzing/fuzz_data_input_stream_read_upto.c
Normal file
@ -0,0 +1,76 @@
|
||||
/*
|
||||
* Copyright 2024 GNOME Foundation, Inc.
|
||||
*
|
||||
* SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "fuzz.h"
|
||||
|
||||
int
|
||||
LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
|
||||
{
|
||||
GInputStream *base_stream = NULL;
|
||||
GDataInputStream *input_stream = NULL;
|
||||
char *line = NULL;
|
||||
size_t line_length = 0;
|
||||
const unsigned char *separator, *first_nul;
|
||||
const unsigned char *stop_chars;
|
||||
size_t stop_chars_len;
|
||||
const unsigned char *stream_data;
|
||||
size_t stream_data_len;
|
||||
|
||||
fuzz_set_logging_func ();
|
||||
|
||||
/* Split the data into two arguments: the first for the array of stop
|
||||
* characters, and the second for the data in the stream. Both may contain
|
||||
* embedded nuls, so we have to be careful about lengths here. It’s also
|
||||
* possible for the fuzzer to not include any nuls and/or the pipe separator
|
||||
* (which has been chosen arbitrarily), so we need to handle that too.
|
||||
*
|
||||
* The fuzzer *will* manage to exploit all code paths here, as it uses
|
||||
* coverage guided fuzzing. */
|
||||
separator = memchr (data, '|', size);
|
||||
first_nul = memchr (data, '\0', size);
|
||||
|
||||
if (separator == NULL)
|
||||
{
|
||||
stop_chars = (const unsigned char *) "";
|
||||
stop_chars_len = 0;
|
||||
stream_data = data;
|
||||
stream_data_len = size;
|
||||
}
|
||||
else
|
||||
{
|
||||
stop_chars = data;
|
||||
stop_chars_len = (first_nul != NULL && first_nul < separator) ? separator - data : -1;
|
||||
stream_data = separator + 1;
|
||||
stream_data_len = size - (separator + 1 - data);
|
||||
}
|
||||
|
||||
/* Build the stream and test read_upto(). */
|
||||
base_stream = g_memory_input_stream_new_from_data (stream_data, stream_data_len, NULL);
|
||||
input_stream = g_data_input_stream_new (base_stream);
|
||||
|
||||
line = g_data_input_stream_read_upto (input_stream, (const char *) stop_chars, stop_chars_len, &line_length, NULL, NULL);
|
||||
g_assert (line != NULL || line_length == 0);
|
||||
g_assert (line_length <= size);
|
||||
g_free (line);
|
||||
|
||||
g_clear_object (&input_stream);
|
||||
g_clear_object (&base_stream);
|
||||
|
||||
return 0;
|
||||
}
|
@ -19,6 +19,9 @@
|
||||
fuzz_targets = [
|
||||
'fuzz_bookmark',
|
||||
'fuzz_canonicalize_filename',
|
||||
'fuzz_data_input_stream_read_line',
|
||||
'fuzz_data_input_stream_read_line_utf8',
|
||||
'fuzz_data_input_stream_read_upto',
|
||||
'fuzz_date_parse',
|
||||
'fuzz_date_time_new_from_iso8601',
|
||||
'fuzz_dbus_message',
|
||||
|
Loading…
Reference in New Issue
Block a user