/src/FreeRDP/winpr/libwinpr/utils/test/TestFuzzCredSSP_Asn1.c

Source
/**
 * WinPR: Windows Portable Runtime
 * libFuzzer harness for the WinPrAsn1 decoder
 */

#include <stddef.h>
#include <stdint.h>

#include <winpr/asn1.h>
#include <winpr/crt.h>
#include <winpr/wlog.h>

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);

static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
{
  WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
  WinPrAsn1_tag tag = 0;
  size_t len = 0;

  if (depth > 6)
    return;

  if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
    return;

  switch (tag & ER_TAG_MASK)
  {
    case ER_TAG_BOOLEAN:
    {
      WinPrAsn1_BOOL value = 0;
      (void)WinPrAsn1DecReadBoolean(&inner, &value);
      break;
    }
    case ER_TAG_INTEGER:
    {
      WinPrAsn1_INTEGER value = 0;
      (void)WinPrAsn1DecReadInteger(&inner, &value);
      break;
    }
    case ER_TAG_OCTET_STRING:
    {
      WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
        WinPrAsn1FreeOctetString(&value);
      break;
    }
    case ER_TAG_OBJECT_IDENTIFIER:
    {
      WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
        WinPrAsn1FreeOID(&value);
      break;
    }
    case ER_TAG_ENUMERATED:
    {
      WinPrAsn1_ENUMERATED value = 0;
      (void)WinPrAsn1DecReadEnumerated(&inner, &value);
      break;
    }
    case ER_TAG_UTCTIME:
    {
      WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
      (void)WinPrAsn1DecReadUtcTime(&inner, &value);
      break;
    }
    case ER_TAG_IA5STRING:
    {
      WinPrAsn1_IA5STRING value = nullptr;
      (void)WinPrAsn1DecReadIA5String(&inner, &value);
      free(value);
      break;
    }
    case ER_TAG_NULL:
      (void)WinPrAsn1DecReadNull(&inner);
      break;
    default:
      break;
  }

  if ((tag == ER_TAG_SEQUENCE) || (tag == ER_TAG_SET))
    fuzz_walk_sequence(&inner, depth + 1);
  else if ((tag & 0xC0) == 0x80)
    fuzz_walk_sequence(&inner, depth + 1);
}

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
{
  if (depth > 6)
    return;

  for (size_t index = 0; index < 64; index++)
  {
    WinPrAsn1_tag tag = 0;

    if (!WinPrAsn1DecPeekTag(outer, &tag))
      return;

    fuzz_consume_one(outer, depth);
  }
}

int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  static BOOL loggingInitialized = FALSE;

  if (!loggingInitialized)
  {
    (void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
    loggingInitialized = TRUE;
  }

  if ((size == 0) || (size > (1u << 20)))
    return 0;

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();

    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    if (WinPrAsn1DecReadSequence(&decoder, &sequence))
      fuzz_walk_sequence(&sequence, 1);
  }

  return 0;
}

Line	Count	Source
1		/**
2		* WinPR: Windows Portable Runtime
3		* libFuzzer harness for the WinPrAsn1 decoder
4		*/
5
6		#include <stddef.h>
7		#include <stdint.h>
8
9		#include <winpr/asn1.h>
10		#include <winpr/crt.h>
11		#include <winpr/wlog.h>
12
13		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);
14
15		static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
16	154k	{
17	154k	WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
18	154k	WinPrAsn1_tag tag = 0;
19	154k	size_t len = 0;
20
21	154k	if (depth > 6)
22	0	return;
23
24	154k	if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
25	120k	return;
26
27	34.3k	switch (tag & ER_TAG_MASK)
28	34.3k	{
29	5.77k	case ER_TAG_BOOLEAN:
30	5.77k	{
31	5.77k	WinPrAsn1_BOOL value = 0;
32	5.77k	(void)WinPrAsn1DecReadBoolean(&inner, &value);
33	5.77k	break;
34	0	}
35	2.60k	case ER_TAG_INTEGER:
36	2.60k	{
37	2.60k	WinPrAsn1_INTEGER value = 0;
38	2.60k	(void)WinPrAsn1DecReadInteger(&inner, &value);
39	2.60k	break;
40	0	}
41	2.06k	case ER_TAG_OCTET_STRING:
42	2.06k	{
43	2.06k	WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
44	2.06k	if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
45	301	WinPrAsn1FreeOctetString(&value);
46	2.06k	break;
47	0	}
48	1.24k	case ER_TAG_OBJECT_IDENTIFIER:
49	1.24k	{
50	1.24k	WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
51	1.24k	if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
52	410	WinPrAsn1FreeOID(&value);
53	1.24k	break;
54	0	}
55	984	case ER_TAG_ENUMERATED:
56	984	{
57	984	WinPrAsn1_ENUMERATED value = 0;
58	984	(void)WinPrAsn1DecReadEnumerated(&inner, &value);
59	984	break;
60	0	}
61	3.35k	case ER_TAG_UTCTIME:
62	3.35k	{
63	3.35k	WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
64	3.35k	(void)WinPrAsn1DecReadUtcTime(&inner, &value);
65	3.35k	break;
66	0	}
67	1.31k	case ER_TAG_IA5STRING:
68	1.31k	{
69	1.31k	WinPrAsn1_IA5STRING value = nullptr;
70	1.31k	(void)WinPrAsn1DecReadIA5String(&inner, &value);
71	1.31k	free(value);
72	1.31k	break;
73	0	}
74	1.43k	case ER_TAG_NULL:
75	1.43k	(void)WinPrAsn1DecReadNull(&inner);
76	1.43k	break;
77	15.5k	default:
78	15.5k	break;
79	34.3k	}
80
81	34.3k	if ((tag == ER_TAG_SEQUENCE) \|\| (tag == ER_TAG_SET))
82	1.72k	fuzz_walk_sequence(&inner, depth + 1);
83	32.6k	else if ((tag & 0xC0) == 0x80)
84	10.0k	fuzz_walk_sequence(&inner, depth + 1);
85	34.3k	}
86
87		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
88	14.8k	{
89	14.8k	if (depth > 6)
90	249	return;
91
92	169k	for (size_t index = 0; index < 64; index++)
93	168k	{
94	168k	WinPrAsn1_tag tag = 0;
95
96	168k	if (!WinPrAsn1DecPeekTag(outer, &tag))
97	14.3k	return;
98
99	154k	fuzz_consume_one(outer, depth);
100	154k	}
101	14.6k	}
102
103		int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
104	1.46k	{
105	1.46k	static BOOL loggingInitialized = FALSE;
106
107	1.46k	if (!loggingInitialized)
108	1	{
109	1	(void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
110	1	loggingInitialized = TRUE;
111	1	}
112
113	1.46k	if ((size == 0) \|\| (size > (1u << 20)))
114	0	return 0;
115
116	1.46k	{
117	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
118	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
119	1.46k	fuzz_walk_sequence(&decoder, 0);
120	1.46k	}
121
122	1.46k	{
123	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
124	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
125	1.46k	fuzz_walk_sequence(&decoder, 0);
126	1.46k	}
127
128	1.46k	{
129	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
130	1.46k	WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();
131
132	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
133	1.46k	if (WinPrAsn1DecReadSequence(&decoder, &sequence))
134	219	fuzz_walk_sequence(&sequence, 1);
135	1.46k	}
136
137	1.46k	return 0;
138	1.46k	}

Coverage Report

Created: 2026-06-09 06:17