Coverage Report

Created: 2026-05-30 06:41

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/channels/drdynvc/client/test/TestFuzzDrdynvc.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * libFuzzer harness for DVC wire framing
4
 */
5
6
#include <stddef.h>
7
#include <stdint.h>
8
9
#include <winpr/stream.h>
10
#include <winpr/wtypes.h>
11
12
static UINT32 fuzz_var_uint_bytes(UINT8 cbLen)
13
9.30k
{
14
9.30k
  switch (cbLen)
15
9.30k
  {
16
5.42k
    case 0:
17
5.42k
      return 1;
18
1.57k
    case 1:
19
1.57k
      return 2;
20
2.30k
    default:
21
2.30k
      return 4;
22
9.30k
  }
23
9.30k
}
24
25
static UINT32 fuzz_read_variable_uint(wStream* s, UINT8 cbLen)
26
5.90k
{
27
5.90k
  UINT32 value = 0;
28
29
5.90k
  switch (cbLen)
30
5.90k
  {
31
2.50k
    case 0:
32
2.50k
      value = Stream_Get_UINT8(s);
33
2.50k
      break;
34
1.44k
    case 1:
35
1.44k
      value = Stream_Get_UINT16(s);
36
1.44k
      break;
37
1.95k
    default:
38
1.95k
      value = Stream_Get_UINT32(s);
39
1.95k
      break;
40
5.90k
  }
41
42
5.90k
  return value;
43
5.90k
}
44
45
enum
46
{
47
  CREATE_REQUEST_PDU = 0x01,
48
  DATA_FIRST_PDU = 0x02,
49
  DATA_PDU = 0x03,
50
  CLOSE_REQUEST_PDU = 0x04,
51
  CAPABILITY_REQUEST_PDU = 0x05,
52
  DATA_FIRST_COMPRESSED_PDU = 0x06,
53
  DATA_COMPRESSED_PDU = 0x07
54
};
55
56
static int fuzz_process_one_pdu(wStream* s)
57
7.59k
{
58
7.59k
  const size_t required = 1;
59
60
7.59k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, required))
61
0
    return -1;
62
63
7.59k
  UINT8 header = Stream_Get_UINT8(s);
64
7.59k
  UINT8 command = (header & 0xf0) >> 4;
65
7.59k
  UINT8 spacing = (header & 0x0c) >> 2;
66
7.59k
  UINT8 cbChId = (header & 0x03);
67
7.59k
  size_t needed = fuzz_var_uint_bytes(cbChId);
68
69
7.59k
  switch (command)
70
7.59k
  {
71
816
    case DATA_FIRST_PDU:
72
1.71k
    case DATA_FIRST_COMPRESSED_PDU:
73
1.71k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed + fuzz_var_uint_bytes(spacing)))
74
28
        return -1;
75
1.68k
      (void)fuzz_read_variable_uint(s, cbChId);
76
1.68k
      (void)fuzz_read_variable_uint(s, spacing);
77
1.68k
      break;
78
600
    case DATA_PDU:
79
1.36k
    case DATA_COMPRESSED_PDU:
80
2.02k
    case CLOSE_REQUEST_PDU:
81
2.58k
    case CREATE_REQUEST_PDU:
82
2.58k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed))
83
48
        return -1;
84
2.53k
      (void)fuzz_read_variable_uint(s, cbChId);
85
2.53k
      break;
86
196
    case CAPABILITY_REQUEST_PDU:
87
196
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
88
4
        return -1;
89
192
      Stream_Seek(s, 2);
90
192
      break;
91
3.10k
    default:
92
3.10k
      break;
93
7.59k
  }
94
95
7.51k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
96
107
    return -1;
97
98
7.40k
  {
99
7.40k
    size_t bodyLen = Stream_Get_UINT16(s);
100
7.40k
    const size_t remaining = Stream_GetRemainingLength(s);
101
7.40k
    if (bodyLen > remaining)
102
180
      bodyLen = remaining;
103
7.40k
    Stream_Seek(s, bodyLen);
104
7.40k
  }
105
106
7.40k
  return 0;
107
7.51k
}
108
109
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
110
419
{
111
419
  if ((size == 0) || (size > (1u << 20)))
112
0
    return 0;
113
114
419
  wStream* s = Stream_New((BYTE*)data, size);
115
419
  if (!s)
116
0
    return 0;
117
118
7.82k
  for (size_t index = 0; index < 64; index++)
119
7.78k
  {
120
7.78k
    if (Stream_GetRemainingLength(s) == 0)
121
193
      break;
122
7.59k
    if (fuzz_process_one_pdu(s) != 0)
123
187
      break;
124
7.59k
  }
125
126
419
  Stream_Free(s, FALSE);
127
419
  return 0;
128
419
}