libc/fuzzing/stdio/printf_parser_fuzz.cpp

   1 //===-- printf_parser_fuzz.cpp --------------------------------------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 ///
   9 /// Fuzzing test for llvm-libc qsort implementation.
  10 ///
  11 //===----------------------------------------------------------------------===//
  12
  13 #include "src/__support/arg_list.h"
  14 #include "src/stdio/printf_core/parser.h"
  15
  16 #include <stdarg.h>
  17 #include <stdint.h>
  18
  19 using namespace LIBC_NAMESPACE;
  20
  21 // The design for the printf parser fuzzer is fairly simple. The parser uses a
  22 // mock arg list that will never fail, and is passed a randomized string. The
  23 // format sections it outputs are checked against a count of the number of '%'
  24 // signs are in the original string. This is a fairly basic test, and the main
  25 // intent is to run this under sanitizers, which will check for buffer overruns.
  26 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  27   char *in_str = new char[size + 1];
  28
  29   for (size_t i = 0; i < size; ++i)
  30     in_str[i] = data[i];
  31
  32   in_str[size] = '\0';
  33
  34   auto mock_arg_list = internal::MockArgList();
  35
  36   auto parser =
  37       printf_core::Parser<internal::MockArgList>(in_str, mock_arg_list);
  38
  39   int str_percent_count = 0;
  40
  41   for (size_t i = 0; i < size && in_str[i] != '\0'; ++i) {
  42     if (in_str[i] == '%') {
  43       ++str_percent_count;
  44     }
  45   }
  46
  47   int section_percent_count = 0;
  48
  49   for (printf_core::FormatSection cur_section = parser.get_next_section();
  50        !cur_section.raw_string.empty();
  51        cur_section = parser.get_next_section()) {
  52     if (cur_section.has_conv) {
  53       ++section_percent_count;
  54       if (cur_section.conv_name == '%') {
  55         ++section_percent_count;
  56       }
  57     } else if (cur_section.raw_string[0] == '%') {
  58       // If the conversion would be undefined, it's instead raw, but it still
  59       // starts with a %.
  60       ++section_percent_count;
  61     }
  62   }
  63
  64   if (str_percent_count != section_percent_count) {
  65     __builtin_trap();
  66   }
  67
  68   delete[] in_str;
  69   return 0;
  70 }