/src/FreeRDP/winpr/libwinpr/utils/test/TestFuzzCredSSP_Asn1.c

Source
/**
 * WinPR: Windows Portable Runtime
 * libFuzzer harness for the WinPrAsn1 decoder
 */

#include <stddef.h>
#include <stdint.h>

#include <winpr/asn1.h>
#include <winpr/crt.h>
#include <winpr/wlog.h>

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);

static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
{
  WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
  WinPrAsn1_tag tag = 0;
  size_t len = 0;

  if (depth > 6)
    return;

  if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
    return;

  switch (tag & ER_TAG_MASK)
  {
    case ER_TAG_BOOLEAN:
    {
      WinPrAsn1_BOOL value = 0;
      (void)WinPrAsn1DecReadBoolean(&inner, &value);
      break;
    }
    case ER_TAG_INTEGER:
    {
      WinPrAsn1_INTEGER value = 0;
      (void)WinPrAsn1DecReadInteger(&inner, &value);
      break;
    }
    case ER_TAG_OCTET_STRING:
    {
      WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
        WinPrAsn1FreeOctetString(&value);
      break;
    }
    case ER_TAG_OBJECT_IDENTIFIER:
    {
      WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
        WinPrAsn1FreeOID(&value);
      break;
    }
    case ER_TAG_ENUMERATED:
    {
      WinPrAsn1_ENUMERATED value = 0;
      (void)WinPrAsn1DecReadEnumerated(&inner, &value);
      break;
    }
    case ER_TAG_UTCTIME:
    {
      WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
      (void)WinPrAsn1DecReadUtcTime(&inner, &value);
      break;
    }
    case ER_TAG_IA5STRING:
    {
      WinPrAsn1_IA5STRING value = nullptr;
      (void)WinPrAsn1DecReadIA5String(&inner, &value);
      free(value);
      break;
    }
    case ER_TAG_NULL:
      (void)WinPrAsn1DecReadNull(&inner);
      break;
    default:
      break;
  }

  if ((tag == ER_TAG_SEQUENCE) || (tag == ER_TAG_SET))
    fuzz_walk_sequence(&inner, depth + 1);
  else if ((tag & 0xC0) == 0x80)
    fuzz_walk_sequence(&inner, depth + 1);
}

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
{
  if (depth > 6)
    return;

  for (size_t index = 0; index < 64; index++)
  {
    WinPrAsn1_tag tag = 0;

    if (!WinPrAsn1DecPeekTag(outer, &tag))
      return;

    fuzz_consume_one(outer, depth);
  }
}

int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  static BOOL loggingInitialized = FALSE;

  if (!loggingInitialized)
  {
    (void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
    loggingInitialized = TRUE;
  }

  if ((size == 0) || (size > (1u << 20)))
    return 0;

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();

    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    if (WinPrAsn1DecReadSequence(&decoder, &sequence))
      fuzz_walk_sequence(&sequence, 1);
  }

  return 0;
}

Line	Count	Source
1		/**
2		* WinPR: Windows Portable Runtime
3		* libFuzzer harness for the WinPrAsn1 decoder
4		*/
5
6		#include <stddef.h>
7		#include <stdint.h>
8
9		#include <winpr/asn1.h>
10		#include <winpr/crt.h>
11		#include <winpr/wlog.h>
12
13		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);
14
15		static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
16	128k	{
17	128k	WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
18	128k	WinPrAsn1_tag tag = 0;
19	128k	size_t len = 0;
20
21	128k	if (depth > 6)
22	0	return;
23
24	128k	if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
25	94.4k	return;
26
27	34.1k	switch (tag & ER_TAG_MASK)
28	34.1k	{
29	4.93k	case ER_TAG_BOOLEAN:
30	4.93k	{
31	4.93k	WinPrAsn1_BOOL value = 0;
32	4.93k	(void)WinPrAsn1DecReadBoolean(&inner, &value);
33	4.93k	break;
34	0	}
35	2.62k	case ER_TAG_INTEGER:
36	2.62k	{
37	2.62k	WinPrAsn1_INTEGER value = 0;
38	2.62k	(void)WinPrAsn1DecReadInteger(&inner, &value);
39	2.62k	break;
40	0	}
41	1.91k	case ER_TAG_OCTET_STRING:
42	1.91k	{
43	1.91k	WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
44	1.91k	if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
45	255	WinPrAsn1FreeOctetString(&value);
46	1.91k	break;
47	0	}
48	1.23k	case ER_TAG_OBJECT_IDENTIFIER:
49	1.23k	{
50	1.23k	WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
51	1.23k	if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
52	442	WinPrAsn1FreeOID(&value);
53	1.23k	break;
54	0	}
55	1.04k	case ER_TAG_ENUMERATED:
56	1.04k	{
57	1.04k	WinPrAsn1_ENUMERATED value = 0;
58	1.04k	(void)WinPrAsn1DecReadEnumerated(&inner, &value);
59	1.04k	break;
60	0	}
61	3.62k	case ER_TAG_UTCTIME:
62	3.62k	{
63	3.62k	WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
64	3.62k	(void)WinPrAsn1DecReadUtcTime(&inner, &value);
65	3.62k	break;
66	0	}
67	1.29k	case ER_TAG_IA5STRING:
68	1.29k	{
69	1.29k	WinPrAsn1_IA5STRING value = nullptr;
70	1.29k	(void)WinPrAsn1DecReadIA5String(&inner, &value);
71	1.29k	free(value);
72	1.29k	break;
73	0	}
74	1.65k	case ER_TAG_NULL:
75	1.65k	(void)WinPrAsn1DecReadNull(&inner);
76	1.65k	break;
77	15.8k	default:
78	15.8k	break;
79	34.1k	}
80
81	34.1k	if ((tag == ER_TAG_SEQUENCE) \|\| (tag == ER_TAG_SET))
82	1.91k	fuzz_walk_sequence(&inner, depth + 1);
83	32.2k	else if ((tag & 0xC0) == 0x80)
84	9.77k	fuzz_walk_sequence(&inner, depth + 1);
85	34.1k	}
86
87		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
88	14.9k	{
89	14.9k	if (depth > 6)
90	203	return;
91
92	143k	for (size_t index = 0; index < 64; index++)
93	143k	{
94	143k	WinPrAsn1_tag tag = 0;
95
96	143k	if (!WinPrAsn1DecPeekTag(outer, &tag))
97	14.4k	return;
98
99	128k	fuzz_consume_one(outer, depth);
100	128k	}
101	14.7k	}
102
103		int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
104	1.51k	{
105	1.51k	static BOOL loggingInitialized = FALSE;
106
107	1.51k	if (!loggingInitialized)
108	1	{
109	1	(void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
110	1	loggingInitialized = TRUE;
111	1	}
112
113	1.51k	if ((size == 0) \|\| (size > (1u << 20)))
114	0	return 0;
115
116	1.51k	{
117	1.51k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
118	1.51k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
119	1.51k	fuzz_walk_sequence(&decoder, 0);
120	1.51k	}
121
122	1.51k	{
123	1.51k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
124	1.51k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
125	1.51k	fuzz_walk_sequence(&decoder, 0);
126	1.51k	}
127
128	1.51k	{
129	1.51k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
130	1.51k	WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();
131
132	1.51k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
133	1.51k	if (WinPrAsn1DecReadSequence(&decoder, &sequence))
134	234	fuzz_walk_sequence(&sequence, 1);
135	1.51k	}
136
137	1.51k	return 0;
138	1.51k	}

Coverage Report

Created: 2026-05-30 06:46