Coverage Report

Created: 2026-05-11 06:55

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/channels/drdynvc/client/test/TestFuzzDrdynvc.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * libFuzzer harness for DVC wire framing
4
 */
5
6
#include <stddef.h>
7
#include <stdint.h>
8
9
#include <winpr/stream.h>
10
#include <winpr/wtypes.h>
11
12
static UINT32 fuzz_var_uint_bytes(UINT8 cbLen)
13
9.80k
{
14
9.80k
  switch (cbLen)
15
9.80k
  {
16
5.90k
    case 0:
17
5.90k
      return 1;
18
1.40k
    case 1:
19
1.40k
      return 2;
20
2.49k
    default:
21
2.49k
      return 4;
22
9.80k
  }
23
9.80k
}
24
25
static UINT32 fuzz_read_variable_uint(wStream* s, UINT8 cbLen)
26
6.51k
{
27
6.51k
  UINT32 value = 0;
28
29
6.51k
  switch (cbLen)
30
6.51k
  {
31
3.05k
    case 0:
32
3.05k
      value = Stream_Get_UINT8(s);
33
3.05k
      break;
34
1.30k
    case 1:
35
1.30k
      value = Stream_Get_UINT16(s);
36
1.30k
      break;
37
2.16k
    default:
38
2.16k
      value = Stream_Get_UINT32(s);
39
2.16k
      break;
40
6.51k
  }
41
42
6.51k
  return value;
43
6.51k
}
44
45
enum
46
{
47
  CREATE_REQUEST_PDU = 0x01,
48
  DATA_FIRST_PDU = 0x02,
49
  DATA_PDU = 0x03,
50
  CLOSE_REQUEST_PDU = 0x04,
51
  CAPABILITY_REQUEST_PDU = 0x05,
52
  DATA_FIRST_COMPRESSED_PDU = 0x06,
53
  DATA_COMPRESSED_PDU = 0x07
54
};
55
56
static int fuzz_process_one_pdu(wStream* s)
57
7.96k
{
58
7.96k
  const size_t required = 1;
59
60
7.96k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, required))
61
0
    return -1;
62
63
7.96k
  UINT8 header = Stream_Get_UINT8(s);
64
7.96k
  UINT8 command = (header & 0xf0) >> 4;
65
7.96k
  UINT8 spacing = (header & 0x0c) >> 2;
66
7.96k
  UINT8 cbChId = (header & 0x03);
67
7.96k
  size_t needed = fuzz_var_uint_bytes(cbChId);
68
69
7.96k
  switch (command)
70
7.96k
  {
71
1.02k
    case DATA_FIRST_PDU:
72
1.83k
    case DATA_FIRST_COMPRESSED_PDU:
73
1.83k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed + fuzz_var_uint_bytes(spacing)))
74
31
        return -1;
75
1.80k
      (void)fuzz_read_variable_uint(s, cbChId);
76
1.80k
      (void)fuzz_read_variable_uint(s, spacing);
77
1.80k
      break;
78
521
    case DATA_PDU:
79
1.38k
    case DATA_COMPRESSED_PDU:
80
2.38k
    case CLOSE_REQUEST_PDU:
81
2.95k
    case CREATE_REQUEST_PDU:
82
2.95k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed))
83
49
        return -1;
84
2.90k
      (void)fuzz_read_variable_uint(s, cbChId);
85
2.90k
      break;
86
154
    case CAPABILITY_REQUEST_PDU:
87
154
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
88
4
        return -1;
89
150
      Stream_Seek(s, 2);
90
150
      break;
91
3.02k
    default:
92
3.02k
      break;
93
7.96k
  }
94
95
7.88k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
96
96
    return -1;
97
98
7.78k
  {
99
7.78k
    size_t bodyLen = Stream_Get_UINT16(s);
100
7.78k
    const size_t remaining = Stream_GetRemainingLength(s);
101
7.78k
    if (bodyLen > remaining)
102
177
      bodyLen = remaining;
103
7.78k
    Stream_Seek(s, bodyLen);
104
7.78k
  }
105
106
7.78k
  return 0;
107
7.88k
}
108
109
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
110
412
{
111
412
  if ((size == 0) || (size > (1u << 20)))
112
0
    return 0;
113
114
412
  wStream* s = Stream_New((BYTE*)data, size);
115
412
  if (!s)
116
0
    return 0;
117
118
8.19k
  for (size_t index = 0; index < 64; index++)
119
8.15k
  {
120
8.15k
    if (Stream_GetRemainingLength(s) == 0)
121
186
      break;
122
7.96k
    if (fuzz_process_one_pdu(s) != 0)
123
180
      break;
124
7.96k
  }
125
126
412
  Stream_Free(s, FALSE);
127
412
  return 0;
128
412
}