1/* 2 * Copyright (c) 2014-2019 Pavel Kalvoda <me@pavelkalvoda.com> 3 * 4 * libcbor is free software; you can redistribute it and/or modify 5 * it under the terms of the MIT license. See LICENSE for details. 6 */ 7 8#include <setjmp.h> 9#include <stdarg.h> 10#include <stddef.h> 11 12#include <cmocka.h> 13 14#include <time.h> 15#include "cbor.h" 16 17#ifdef HUGE_FUZZ 18#define ROUNDS 65536ULL 19#define MAXLEN 131072ULL 20#else 21#define ROUNDS 256ULL 22#define MAXLEN 2048ULL 23#endif 24 25#ifdef PRINT_FUZZ 26static void printmem(const unsigned char *ptr, size_t length) { 27 for (size_t i = 0; i < length; i++) printf("%02X", ptr[i]); 28 printf("\n"); 29} 30#endif 31 32unsigned seed; 33 34#if CBOR_CUSTOM_ALLOC 35void *mock_malloc(size_t size) { 36 if (size > (1 << 19)) 37 return NULL; 38 else 39 return malloc(size); 40} 41#endif 42 43static void run_round() { 44 cbor_item_t *item; 45 struct cbor_load_result res; 46 47 size_t length = rand() % MAXLEN + 1; 48 unsigned char *data = malloc(length); 49 for (size_t i = 0; i < length; i++) { 50 data[i] = rand() % 0xFF; 51 } 52 53#ifdef PRINT_FUZZ 54 printmem(data, length); 55#endif 56 57 item = cbor_load(data, length, &res); 58 59 if (res.error.code == CBOR_ERR_NONE) cbor_decref(&item); 60 /* Otherwise there should be nothing left behind by the decoder */ 61 62 free(data); 63} 64 65static void fuzz(void **state) { 66#if CBOR_CUSTOM_ALLOC 67 cbor_set_allocs(mock_malloc, realloc, free); 68#endif 69 printf("Fuzzing %llu rounds of up to %llu bytes with seed %u\n", ROUNDS, 70 MAXLEN, seed); 71 srand(seed); 72 73 for (size_t i = 0; i < ROUNDS; i++) run_round(); 74 75 printf("Successfully fuzzed through %llu kB of data\n", 76 (ROUNDS * MAXLEN) / 1024); 77} 78 79int main(int argc, char *argv[]) { 80 if (argc > 1) 81 seed = (unsigned)strtoul(argv[1], NULL, 10); 82 else 83 seed = (unsigned)time(NULL); 84 85 const struct CMUnitTest tests[] = {cmocka_unit_test(fuzz)}; 86 return cmocka_run_group_tests(tests, NULL, NULL); 87} 88