Coverage Report

Created: 2026-06-15 06:57

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/FreeRDP/channels/drdynvc/client/test/TestFuzzDrdynvc.c
Line
Count
Source
1
/**
2
 * FreeRDP: A Remote Desktop Protocol Implementation
3
 * libFuzzer harness for DVC wire framing
4
 */
5
6
#include <stddef.h>
7
#include <stdint.h>
8
9
#include <winpr/stream.h>
10
#include <winpr/wtypes.h>
11
12
static UINT32 fuzz_var_uint_bytes(UINT8 cbLen)
13
8.93k
{
14
8.93k
  switch (cbLen)
15
8.93k
  {
16
5.31k
    case 0:
17
5.31k
      return 1;
18
1.40k
    case 1:
19
1.40k
      return 2;
20
2.21k
    default:
21
2.21k
      return 4;
22
8.93k
  }
23
8.93k
}
24
25
static UINT32 fuzz_read_variable_uint(wStream* s, UINT8 cbLen)
26
5.55k
{
27
5.55k
  UINT32 value = 0;
28
29
5.55k
  switch (cbLen)
30
5.55k
  {
31
2.43k
    case 0:
32
2.43k
      value = Stream_Get_UINT8(s);
33
2.43k
      break;
34
1.28k
    case 1:
35
1.28k
      value = Stream_Get_UINT16(s);
36
1.28k
      break;
37
1.83k
    default:
38
1.83k
      value = Stream_Get_UINT32(s);
39
1.83k
      break;
40
5.55k
  }
41
42
5.55k
  return value;
43
5.55k
}
44
45
enum
46
{
47
  CREATE_REQUEST_PDU = 0x01,
48
  DATA_FIRST_PDU = 0x02,
49
  DATA_PDU = 0x03,
50
  CLOSE_REQUEST_PDU = 0x04,
51
  CAPABILITY_REQUEST_PDU = 0x05,
52
  DATA_FIRST_COMPRESSED_PDU = 0x06,
53
  DATA_COMPRESSED_PDU = 0x07
54
};
55
56
static int fuzz_process_one_pdu(wStream* s)
57
7.29k
{
58
7.29k
  const size_t required = 1;
59
60
7.29k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, required))
61
0
    return -1;
62
63
7.29k
  UINT8 header = Stream_Get_UINT8(s);
64
7.29k
  UINT8 command = (header & 0xf0) >> 4;
65
7.29k
  UINT8 spacing = (header & 0x0c) >> 2;
66
7.29k
  UINT8 cbChId = (header & 0x03);
67
7.29k
  size_t needed = fuzz_var_uint_bytes(cbChId);
68
69
7.29k
  switch (command)
70
7.29k
  {
71
776
    case DATA_FIRST_PDU:
72
1.64k
    case DATA_FIRST_COMPRESSED_PDU:
73
1.64k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed + fuzz_var_uint_bytes(spacing)))
74
32
        return -1;
75
1.60k
      (void)fuzz_read_variable_uint(s, cbChId);
76
1.60k
      (void)fuzz_read_variable_uint(s, spacing);
77
1.60k
      break;
78
551
    case DATA_PDU:
79
1.33k
    case DATA_COMPRESSED_PDU:
80
1.90k
    case CLOSE_REQUEST_PDU:
81
2.38k
    case CREATE_REQUEST_PDU:
82
2.38k
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, needed))
83
50
        return -1;
84
2.33k
      (void)fuzz_read_variable_uint(s, cbChId);
85
2.33k
      break;
86
194
    case CAPABILITY_REQUEST_PDU:
87
194
      if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
88
2
        return -1;
89
192
      Stream_Seek(s, 2);
90
192
      break;
91
3.07k
    default:
92
3.07k
      break;
93
7.29k
  }
94
95
7.21k
  if (!Stream_CheckAndLogRequiredLength("fuzz", s, 2))
96
111
    return -1;
97
98
7.10k
  {
99
7.10k
    size_t bodyLen = Stream_Get_UINT16(s);
100
7.10k
    const size_t remaining = Stream_GetRemainingLength(s);
101
7.10k
    if (bodyLen > remaining)
102
182
      bodyLen = remaining;
103
7.10k
    Stream_Seek(s, bodyLen);
104
7.10k
  }
105
106
7.10k
  return 0;
107
7.21k
}
108
109
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
110
422
{
111
422
  if ((size == 0) || (size > (1u << 20)))
112
0
    return 0;
113
114
422
  wStream* s = Stream_New((BYTE*)data, size);
115
422
  if (!s)
116
0
    return 0;
117
118
7.52k
  for (size_t index = 0; index < 64; index++)
119
7.48k
  {
120
7.48k
    if (Stream_GetRemainingLength(s) == 0)
121
190
      break;
122
7.29k
    if (fuzz_process_one_pdu(s) != 0)
123
195
      break;
124
7.29k
  }
125
126
422
  Stream_Free(s, FALSE);
127
422
  return 0;
128
422
}