/src/FreeRDP/winpr/libwinpr/utils/test/TestFuzzCredSSP_Asn1.c

Source
/**
 * WinPR: Windows Portable Runtime
 * libFuzzer harness for the WinPrAsn1 decoder
 */

#include <stddef.h>
#include <stdint.h>

#include <winpr/asn1.h>
#include <winpr/crt.h>
#include <winpr/wlog.h>

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);

static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
{
  WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
  WinPrAsn1_tag tag = 0;
  size_t len = 0;

  if (depth > 6)
    return;

  if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
    return;

  switch (tag & ER_TAG_MASK)
  {
    case ER_TAG_BOOLEAN:
    {
      WinPrAsn1_BOOL value = 0;
      (void)WinPrAsn1DecReadBoolean(&inner, &value);
      break;
    }
    case ER_TAG_INTEGER:
    {
      WinPrAsn1_INTEGER value = 0;
      (void)WinPrAsn1DecReadInteger(&inner, &value);
      break;
    }
    case ER_TAG_OCTET_STRING:
    {
      WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
        WinPrAsn1FreeOctetString(&value);
      break;
    }
    case ER_TAG_OBJECT_IDENTIFIER:
    {
      WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
      if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
        WinPrAsn1FreeOID(&value);
      break;
    }
    case ER_TAG_ENUMERATED:
    {
      WinPrAsn1_ENUMERATED value = 0;
      (void)WinPrAsn1DecReadEnumerated(&inner, &value);
      break;
    }
    case ER_TAG_UTCTIME:
    {
      WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
      (void)WinPrAsn1DecReadUtcTime(&inner, &value);
      break;
    }
    case ER_TAG_IA5STRING:
    {
      WinPrAsn1_IA5STRING value = nullptr;
      (void)WinPrAsn1DecReadIA5String(&inner, &value);
      free(value);
      break;
    }
    case ER_TAG_NULL:
      (void)WinPrAsn1DecReadNull(&inner);
      break;
    default:
      break;
  }

  if ((tag == ER_TAG_SEQUENCE) || (tag == ER_TAG_SET))
    fuzz_walk_sequence(&inner, depth + 1);
  else if ((tag & 0xC0) == 0x80)
    fuzz_walk_sequence(&inner, depth + 1);
}

static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
{
  if (depth > 6)
    return;

  for (size_t index = 0; index < 64; index++)
  {
    WinPrAsn1_tag tag = 0;

    if (!WinPrAsn1DecPeekTag(outer, &tag))
      return;

    fuzz_consume_one(outer, depth);
  }
}

int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  static BOOL loggingInitialized = FALSE;

  if (!loggingInitialized)
  {
    (void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
    loggingInitialized = TRUE;
  }

  if ((size == 0) || (size > (1u << 20)))
    return 0;

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
    fuzz_walk_sequence(&decoder, 0);
  }

  {
    WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
    WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();

    WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
    if (WinPrAsn1DecReadSequence(&decoder, &sequence))
      fuzz_walk_sequence(&sequence, 1);
  }

  return 0;
}

Line	Count	Source
1		/**
2		* WinPR: Windows Portable Runtime
3		* libFuzzer harness for the WinPrAsn1 decoder
4		*/
5
6		#include <stddef.h>
7		#include <stdint.h>
8
9		#include <winpr/asn1.h>
10		#include <winpr/crt.h>
11		#include <winpr/wlog.h>
12
13		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth);
14
15		static void fuzz_consume_one(WinPrAsn1Decoder* decoder, int depth)
16	150k	{
17	150k	WinPrAsn1Decoder inner = WinPrAsn1Decoder_init();
18	150k	WinPrAsn1_tag tag = 0;
19	150k	size_t len = 0;
20
21	150k	if (depth > 6)
22	0	return;
23
24	150k	if (WinPrAsn1DecReadTagLenValue(decoder, &tag, &len, &inner) == 0)
25	112k	return;
26
27	37.6k	switch (tag & ER_TAG_MASK)
28	37.6k	{
29	5.21k	case ER_TAG_BOOLEAN:
30	5.21k	{
31	5.21k	WinPrAsn1_BOOL value = 0;
32	5.21k	(void)WinPrAsn1DecReadBoolean(&inner, &value);
33	5.21k	break;
34	0	}
35	2.44k	case ER_TAG_INTEGER:
36	2.44k	{
37	2.44k	WinPrAsn1_INTEGER value = 0;
38	2.44k	(void)WinPrAsn1DecReadInteger(&inner, &value);
39	2.44k	break;
40	0	}
41	1.41k	case ER_TAG_OCTET_STRING:
42	1.41k	{
43	1.41k	WinPrAsn1_OctetString value = WINPR_C_ARRAY_INIT;
44	1.41k	if (WinPrAsn1DecReadOctetString(&inner, &value, TRUE))
45	119	WinPrAsn1FreeOctetString(&value);
46	1.41k	break;
47	0	}
48	1.20k	case ER_TAG_OBJECT_IDENTIFIER:
49	1.20k	{
50	1.20k	WinPrAsn1_OID value = WINPR_C_ARRAY_INIT;
51	1.20k	if (WinPrAsn1DecReadOID(&inner, &value, TRUE))
52	446	WinPrAsn1FreeOID(&value);
53	1.20k	break;
54	0	}
55	868	case ER_TAG_ENUMERATED:
56	868	{
57	868	WinPrAsn1_ENUMERATED value = 0;
58	868	(void)WinPrAsn1DecReadEnumerated(&inner, &value);
59	868	break;
60	0	}
61	3.41k	case ER_TAG_UTCTIME:
62	3.41k	{
63	3.41k	WinPrAsn1_UTCTIME value = WINPR_C_ARRAY_INIT;
64	3.41k	(void)WinPrAsn1DecReadUtcTime(&inner, &value);
65	3.41k	break;
66	0	}
67	1.44k	case ER_TAG_IA5STRING:
68	1.44k	{
69	1.44k	WinPrAsn1_IA5STRING value = nullptr;
70	1.44k	(void)WinPrAsn1DecReadIA5String(&inner, &value);
71	1.44k	free(value);
72	1.44k	break;
73	0	}
74	1.36k	case ER_TAG_NULL:
75	1.36k	(void)WinPrAsn1DecReadNull(&inner);
76	1.36k	break;
77	20.3k	default:
78	20.3k	break;
79	37.6k	}
80
81	37.6k	if ((tag == ER_TAG_SEQUENCE) \|\| (tag == ER_TAG_SET))
82	1.71k	fuzz_walk_sequence(&inner, depth + 1);
83	35.9k	else if ((tag & 0xC0) == 0x80)
84	12.2k	fuzz_walk_sequence(&inner, depth + 1);
85	37.6k	}
86
87		static void fuzz_walk_sequence(WinPrAsn1Decoder* outer, int depth)
88	17.1k	{
89	17.1k	if (depth > 6)
90	241	return;
91
92	167k	for (size_t index = 0; index < 64; index++)
93	166k	{
94	166k	WinPrAsn1_tag tag = 0;
95
96	166k	if (!WinPrAsn1DecPeekTag(outer, &tag))
97	16.4k	return;
98
99	150k	fuzz_consume_one(outer, depth);
100	150k	}
101	16.8k	}
102
103		int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
104	1.46k	{
105	1.46k	static BOOL loggingInitialized = FALSE;
106
107	1.46k	if (!loggingInitialized)
108	1	{
109	1	(void)WLog_SetLogLevel(WLog_GetRoot(), WLOG_TRACE);
110	1	loggingInitialized = TRUE;
111	1	}
112
113	1.46k	if ((size == 0) \|\| (size > (1u << 20)))
114	0	return 0;
115
116	1.46k	{
117	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
118	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
119	1.46k	fuzz_walk_sequence(&decoder, 0);
120	1.46k	}
121
122	1.46k	{
123	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
124	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_BER, data, size);
125	1.46k	fuzz_walk_sequence(&decoder, 0);
126	1.46k	}
127
128	1.46k	{
129	1.46k	WinPrAsn1Decoder decoder = WinPrAsn1Decoder_init();
130	1.46k	WinPrAsn1Decoder sequence = WinPrAsn1Decoder_init();
131
132	1.46k	WinPrAsn1Decoder_InitMem(&decoder, WINPR_ASN1_DER, data, size);
133	1.46k	if (WinPrAsn1DecReadSequence(&decoder, &sequence))
134	217	fuzz_walk_sequence(&sequence, 1);
135	1.46k	}
136
137	1.46k	return 0;
138	1.46k	}

Coverage Report

Created: 2026-06-15 06:57