/src/FreeRDP/channels/cliprdr/client/test/TestFuzzChannelCliprdr.c

Source
/**
 * FreeRDP: A Remote Desktop Protocol Implementation
 * libFuzzer harness for cliprdr PDU parsing
 */

#include <stddef.h>
#include <stdint.h>

#include <winpr/crt.h>
#include <winpr/stream.h>
#include <winpr/wlog.h>

#include <freerdp/channels/cliprdr.h>

#include "../../cliprdr_common.h"

static wLog* g_Log = nullptr;

static UINT32 fuzz_stream_len_u32(wStream* s)
{
  const size_t remaining = Stream_GetRemainingLength(s);
  return (remaining > UINT32_MAX) ? UINT32_MAX : (UINT32)remaining;
}

static void fuzz_format_list(wStream* s, BOOL longNames)
{
  CLIPRDR_FORMAT_LIST list = WINPR_C_ARRAY_INIT;
  list.common.dataLen = fuzz_stream_len_u32(s);

  if (cliprdr_read_format_list(g_Log, s, &list, longNames) == CHANNEL_RC_OK)
    cliprdr_free_format_list(&list);
}

static void fuzz_format_data_request(wStream* s)
{
  CLIPRDR_FORMAT_DATA_REQUEST request = WINPR_C_ARRAY_INIT;
  request.common.dataLen = fuzz_stream_len_u32(s);
  (void)cliprdr_read_format_data_request(s, &request);
}

static void fuzz_format_data_response(wStream* s)
{
  CLIPRDR_FORMAT_DATA_RESPONSE response = WINPR_C_ARRAY_INIT;
  response.common.dataLen = fuzz_stream_len_u32(s);
  (void)cliprdr_read_format_data_response(s, &response);
}

static void fuzz_file_contents_request(wStream* s)
{
  CLIPRDR_FILE_CONTENTS_REQUEST request = WINPR_C_ARRAY_INIT;
  request.common.dataLen = fuzz_stream_len_u32(s);
  (void)cliprdr_read_file_contents_request(s, &request);
}

static void fuzz_file_contents_response(wStream* s)
{
  CLIPRDR_FILE_CONTENTS_RESPONSE response = WINPR_C_ARRAY_INIT;
  const UINT32 dataLen = fuzz_stream_len_u32(s);

  response.common.dataLen = (dataLen >= 4) ? dataLen : 4;
  (void)cliprdr_read_file_contents_response(s, &response);
}

static void fuzz_unlock(wStream* s)
{
  CLIPRDR_UNLOCK_CLIPBOARD_DATA data = WINPR_C_ARRAY_INIT;
  data.common.dataLen = fuzz_stream_len_u32(s);
  (void)cliprdr_read_unlock_clipdata(s, &data);
}

int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  if (size < 2)
    return 0;
  if (size > (1u << 20))
    return 0;

  if (!g_Log)
    g_Log = WLog_Get("fuzz.cliprdr");

  BOOL longNames = (data[1] & 0x1) != 0;
  const uint8_t* body = data + 2;
  wStream* s = Stream_New((BYTE*)body, size - 2);
  if (!s)
    return 0;

  switch (data[0] % 6)
  {
    case 0:
      fuzz_format_list(s, longNames);
      break;
    case 1:
      fuzz_format_data_request(s);
      break;
    case 2:
      fuzz_format_data_response(s);
      break;
    case 3:
      fuzz_file_contents_request(s);
      break;
    case 4:
      fuzz_file_contents_response(s);
      break;
    case 5:
      fuzz_unlock(s);
      break;
    default:
      break;
  }

  Stream_Free(s, FALSE);
  return 0;
}

Line	Count	Source
1		/**
2		* FreeRDP: A Remote Desktop Protocol Implementation
3		* libFuzzer harness for cliprdr PDU parsing
4		*/
5
6		#include <stddef.h>
7		#include <stdint.h>
8
9		#include <winpr/crt.h>
10		#include <winpr/stream.h>
11		#include <winpr/wlog.h>
12
13		#include <freerdp/channels/cliprdr.h>
14
15		#include "../../cliprdr_common.h"
16
17		static wLog* g_Log = nullptr;
18
19		static UINT32 fuzz_stream_len_u32(wStream* s)
20	0	{
21	0	const size_t remaining = Stream_GetRemainingLength(s);
22	0	return (remaining > UINT32_MAX) ? UINT32_MAX : (UINT32)remaining;
23	0	}
24
25		static void fuzz_format_list(wStream* s, BOOL longNames)
26	0	{
27	0	CLIPRDR_FORMAT_LIST list = WINPR_C_ARRAY_INIT;
28	0	list.common.dataLen = fuzz_stream_len_u32(s);
29
30	0	if (cliprdr_read_format_list(g_Log, s, &list, longNames) == CHANNEL_RC_OK)
31	0	cliprdr_free_format_list(&list);
32	0	}
33
34		static void fuzz_format_data_request(wStream* s)
35	0	{
36	0	CLIPRDR_FORMAT_DATA_REQUEST request = WINPR_C_ARRAY_INIT;
37	0	request.common.dataLen = fuzz_stream_len_u32(s);
38	0	(void)cliprdr_read_format_data_request(s, &request);
39	0	}
40
41		static void fuzz_format_data_response(wStream* s)
42	0	{
43	0	CLIPRDR_FORMAT_DATA_RESPONSE response = WINPR_C_ARRAY_INIT;
44	0	response.common.dataLen = fuzz_stream_len_u32(s);
45	0	(void)cliprdr_read_format_data_response(s, &response);
46	0	}
47
48		static void fuzz_file_contents_request(wStream* s)
49	0	{
50	0	CLIPRDR_FILE_CONTENTS_REQUEST request = WINPR_C_ARRAY_INIT;
51	0	request.common.dataLen = fuzz_stream_len_u32(s);
52	0	(void)cliprdr_read_file_contents_request(s, &request);
53	0	}
54
55		static void fuzz_file_contents_response(wStream* s)
56	0	{
57	0	CLIPRDR_FILE_CONTENTS_RESPONSE response = WINPR_C_ARRAY_INIT;
58	0	const UINT32 dataLen = fuzz_stream_len_u32(s);
59
60	0	response.common.dataLen = (dataLen >= 4) ? dataLen : 4;
61	0	(void)cliprdr_read_file_contents_response(s, &response);
62	0	}
63
64		static void fuzz_unlock(wStream* s)
65	0	{
66	0	CLIPRDR_UNLOCK_CLIPBOARD_DATA data = WINPR_C_ARRAY_INIT;
67	0	data.common.dataLen = fuzz_stream_len_u32(s);
68	0	(void)cliprdr_read_unlock_clipdata(s, &data);
69	0	}
70
71		int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
72	0	{
73	0	if (size < 2)
74	0	return 0;
75	0	if (size > (1u << 20))
76	0	return 0;
77
78	0	if (!g_Log)
79	0	g_Log = WLog_Get("fuzz.cliprdr");
80
81	0	BOOL longNames = (data[1] & 0x1) != 0;
82	0	const uint8_t* body = data + 2;
83	0	wStream* s = Stream_New((BYTE*)body, size - 2);
84	0	if (!s)
85	0	return 0;
86
87	0	switch (data[0] % 6)
88	0	{
89	0	case 0:
90	0	fuzz_format_list(s, longNames);
91	0	break;
92	0	case 1:
93	0	fuzz_format_data_request(s);
94	0	break;
95	0	case 2:
96	0	fuzz_format_data_response(s);
97	0	break;
98	0	case 3:
99	0	fuzz_file_contents_request(s);
100	0	break;
101	0	case 4:
102	0	fuzz_file_contents_response(s);
103	0	break;
104	0	case 5:
105	0	fuzz_unlock(s);
106	0	break;
107	0	default:
108	0	break;
109	0	}
110
111	0	Stream_Free(s, FALSE);
112	0	return 0;
113	0	}

Coverage Report

Created: 2026-05-11 06:55