Line | Count | Source |
1 | | /* Copyright 2023 Google LLC |
2 | | Licensed under the Apache License, Version 2.0 (the "License"); |
3 | | you may not use this file except in compliance with the License. |
4 | | You may obtain a copy of the License at |
5 | | http://www.apache.org/licenses/LICENSE-2.0 |
6 | | Unless required by applicable law or agreed to in writing, software |
7 | | distributed under the License is distributed on an "AS IS" BASIS, |
8 | | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
9 | | See the License for the specific language governing permissions and |
10 | | limitations under the License. |
11 | | */ |
12 | | |
13 | | #include <stddef.h> |
14 | | #include <stdint.h> |
15 | | #include <stdlib.h> |
16 | | #include <string> |
17 | | #include <sys/socket.h> |
18 | | #include <sys/stat.h> |
19 | | #include <unistd.h> |
20 | | |
21 | | #include <fuzzer/FuzzedDataProvider.h> |
22 | | |
23 | | extern "C" { |
24 | | #include "libevent/include/event2/event.h" |
25 | | #include "libevent/include/event2/buffer.h" |
26 | | #include "libevent/include/event2/buffer_compat.h" |
27 | | #include "libevent/include/event2/util.h" |
28 | | #include "util-internal.h" |
29 | | } |
30 | | |
31 | 984 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
32 | 984 | FuzzedDataProvider data_provider(data, size); |
33 | | |
34 | 984 | std::string s1 = data_provider.ConsumeRandomLengthString(); |
35 | 984 | std::string s2 = data_provider.ConsumeRandomLengthString(); |
36 | 984 | std::string s3 = data_provider.ConsumeRandomLengthString(); |
37 | 984 | std::string s4 = data_provider.ConsumeRandomLengthString(); |
38 | | |
39 | 984 | struct evbuffer *buf = evbuffer_new(); |
40 | 984 | size_t sz; |
41 | 984 | evbuffer_add(buf, s1.c_str(), s1.size()); |
42 | 984 | char *cp = NULL; |
43 | 984 | cp = evbuffer_readln(buf, &sz, EVBUFFER_EOL_ANY); |
44 | 984 | if (cp != NULL) { |
45 | 438 | free(cp); |
46 | 438 | cp = NULL; |
47 | 438 | } |
48 | 984 | struct evbuffer *buf2 = evbuffer_new(); |
49 | 984 | struct evbuffer *buf3 = evbuffer_new(); |
50 | 984 | struct evbuffer_iovec vec[1]; |
51 | | |
52 | 984 | evbuffer_add(buf2, s1.c_str(), s1.size()); |
53 | 984 | evbuffer_add_reference(buf2, s2.c_str(), s2.size(), NULL, NULL); |
54 | 984 | evbuffer_add_buffer(buf, buf2); |
55 | 984 | evbuffer_expand(buf, 2000); |
56 | 984 | evbuffer_pullup(buf, 2); |
57 | 984 | evbuffer_prepend(buf, s3.c_str(), s3.size()); |
58 | 984 | evbuffer_prepend_buffer(buf, buf2); |
59 | 984 | evbuffer_find(buf2, (const unsigned char *)s4.c_str(), s4.size()); |
60 | 984 | evbuffer_commit_space(buf, vec, 1); |
61 | 984 | evbuffer_add_buffer_reference(buf, buf2); |
62 | 984 | evbuffer_remove_buffer(buf, buf3, 10); |
63 | | |
64 | | /* Logic from buffer_add_file_fuzzer.cc */ |
65 | 984 | if (data_provider.remaining_bytes() > 0) { |
66 | 31 | std::string file_content = data_provider.ConsumeRandomLengthString(); |
67 | 31 | uint32_t flags = data_provider.ConsumeIntegral<uint32_t>(); |
68 | 31 | char bufferFile[50]; |
69 | 31 | sprintf(bufferFile, "/tmp/buffer.%d", getpid()); |
70 | 31 | FILE *fp = fopen(bufferFile, "wb"); |
71 | 31 | if (fp) { |
72 | 31 | fwrite(file_content.c_str(), file_content.size(), 1, fp); |
73 | 31 | fclose(fp); |
74 | | |
75 | 31 | fp = fopen(bufferFile, "rb"); |
76 | 31 | if (fp) { |
77 | 31 | int fd = fileno(fp); |
78 | 31 | struct stat st; |
79 | 31 | fstat(fd, &st); |
80 | 31 | evbuffer_set_flags(buf, flags); |
81 | 31 | evbuffer_add_file(buf, fd, 0, st.st_size); |
82 | 31 | fclose(fp); |
83 | 31 | } |
84 | 31 | unlink(bufferFile); |
85 | 31 | } |
86 | 31 | } |
87 | | |
88 | 984 | evbuffer_free(buf); |
89 | 984 | evbuffer_free(buf2); |
90 | 984 | evbuffer_free(buf3); |
91 | | |
92 | 984 | return 0; |
93 | 984 | } |