lib/Fuzzer/test/UserSuppliedFuzzerTest.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

// Simple test for a fuzzer.
// The fuzzer must find the string "Hi!" preceded by a magic value.
// Uses UserSuppliedFuzzer which ensures that the magic is present.
#include <cstdint>
#include <cassert>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>

#include "FuzzerInterface.h"

static const uint64_t kMagic = 8860221463604ULL;

class MyFuzzer : public fuzzer::UserSuppliedFuzzer {
 public:
  MyFuzzer(fuzzer::FuzzerRandomBase *Rand)
      : fuzzer::UserSuppliedFuzzer(Rand) {}
  int TargetFunction(const uint8_t *Data, size_t Size) {
    if (Size <= 10) return 0;
    if (memcmp(Data, &kMagic, sizeof(kMagic))) return 0;
    // It's hard to get here w/o advanced fuzzing techniques (e.g. cmp tracing).
    // So, we simply 'fix' the data in the custom mutator.
    if (Data[8] == 'H') {
      if (Data[9] == 'i') {
        if (Data[10] == '!') {
          std::cout << "BINGO; Found the target, exiting\n";
          exit(1);
        }
      }
    }
    return 0;
  }
  // Custom mutator.
  virtual size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
    assert(MaxSize > sizeof(kMagic));
    if (Size < sizeof(kMagic))
      Size = sizeof(kMagic);
    // "Fix" the data, then mutate.
    memcpy(Data, &kMagic, std::min(MaxSize, sizeof(kMagic)));
    return fuzzer::UserSuppliedFuzzer::Mutate(
        Data + sizeof(kMagic), Size - sizeof(kMagic), MaxSize - sizeof(kMagic));
  }
  // No need to redefine CrossOver() here.
};

int main(int argc, char **argv) {
  fuzzer::FuzzerRandomLibc Rand(0);
  MyFuzzer F(&Rand);
  fuzzer::FuzzerDriver(argc, argv, F);
}