lib/fuzzing/fuzz_stable_sort_r_unstable.c

   1 /*
   2    Fuzzing for stable_sort
   3    Copyright © Catalyst IT 2024
   4
   5    This program is free software; you can redistribute it and/or modify
   6    it under the terms of the GNU General Public License as published by
   7    the Free Software Foundation; either version 3 of the License, or
   8    (at your option) any later version.
   9
  10    This program is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13    GNU General Public License for more details.
  14
  15    You should have received a copy of the GNU General Public License
  16    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 #include "includes.h"
  20 #include "fuzzing/fuzzing.h"
  21 #include "util/stable_sort.h"
  22
  23
  24 int LLVMFuzzerInitialize(int *argc, char ***argv)
  25 {
  26         return 0;
  27 }
  28
  29 /*
  30  * This function tries to never be a proper comparison function,
  31  * whatever the value of ctx.
  32  *
  33  * If ctx is an odd number, it will change on every comparison,
  34  * otherwise it will consistently use the same bad comparison
  35  * technique.
  36  */
  37 static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
  38 {
  39         int8_t a = *_a;
  40         int8_t b = *_b;
  41         int8_t c = *ctx;
  42
  43         if (c & 1) {
  44                 /* aim for sustained chaos. */
  45                 c += a;
  46                 c ^= b;
  47                 c ^= (c >> 5) + ((uint8_t)c << 3);
  48                 *ctx = (c + 99) | 1;
  49         }
  50         switch((c >> 1) & 7) {
  51         case 0:
  52                 return -1;
  53         case 1:
  54                 return 1;
  55         case 2:
  56                 return a + b;
  57         case 3:
  58                 return c - b;
  59         case 4:
  60                 return (a ^ b) > c;
  61         case 5:
  62                 return -(a > c);
  63         case 6:
  64                 return 2 * a - b;
  65         case 7:
  66                 break;
  67         }
  68         return a - c;
  69 }
  70
  71
  72 #define MAX_SIZE (1024 * 1024)
  73
  74 int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
  75 {
  76         const int8_t *buf = (const int8_t *)input;
  77         int8_t buf2[MAX_SIZE];
  78         int8_t aux[MAX_SIZE];
  79         int8_t context;
  80
  81         if (len < 3 || len > MAX_SIZE) {
  82                 return 0;
  83         }
  84         context = (int8_t)buf[0];
  85         buf++;
  86         len--;
  87
  88         memcpy(buf2, buf, len);
  89         stable_sort_r(buf2, aux, len - 1, 1,
  90                       (samba_compare_with_context_fn_t)cmp_int8,
  91                       &context);
  92
  93         /*
  94          * We sorted all but the last element, which should remain unchanged.
  95          * buf2[-1] should also be unchanged, but the sanitizers will catch
  96          * that one.
  97          */
  98         if (buf2[len - 1] != buf[len - 1]) {
  99                 abort();
 100         }
 101
 102         return 0;
 103 }