/proc/self/cwd/pw_protobuf/decoder_fuzzer.cc

Source (jump to first uncovered line)
// Copyright 2022 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

#include "fuzz.h"
#include "pw_fuzzer/fuzzed_data_provider.h"
#include "pw_protobuf/stream_decoder.h"
#include "pw_span/span.h"
#include "pw_status/status.h"
#include "pw_status/status_with_size.h"
#include "pw_stream/memory_stream.h"
#include "pw_stream/stream.h"

namespace pw::protobuf::fuzz {
namespace {

void RecursiveFuzzedDecode(FuzzedDataProvider& provider,
                           StreamDecoder& decoder,
                           uint32_t depth = 0) {
  constexpr size_t kMaxRepeatedRead = 256;
  constexpr size_t kMaxDepth = 3;

  if (depth > kMaxDepth) {
    return;
  }
  while (provider.remaining_bytes() != 0 && decoder.Next().ok()) {
    FieldType field_type = provider.ConsumeEnum<FieldType>();
    switch (field_type) {
      case kUint32:
        if (!decoder.ReadUint32().status().ok()) {
          return;
        }
        break;
      case kPackedUint32: {
        uint32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedUint32(packed).status().ok()) {
          return;
        }
      } break;
      case kUint64:
        if (!decoder.ReadUint64().status().ok()) {
          return;
        }
        break;
      case kPackedUint64: {
        uint64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedUint64(packed).status().ok()) {
          return;
        }
      } break;
      case kInt32:
        if (!decoder.ReadInt32().status().ok()) {
          return;
        }
        break;
      case kPackedInt32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedInt32(packed).status().ok()) {
          return;
        }
      } break;
      case kInt64:
        if (!decoder.ReadInt64().status().ok()) {
          return;
        }
        break;
      case kPackedInt64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedInt64(packed).status().ok()) {
          return;
        }
      } break;
      case kSint32:
        if (!decoder.ReadSint32().status().ok()) {
          return;
        }
        break;
      case kPackedSint32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSint32(packed).status().ok()) {
          return;
        }
      } break;
      case kSint64:
        if (!decoder.ReadSint64().status().ok()) {
          return;
        }
        break;
      case kPackedSint64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSint64(packed).status().ok()) {
          return;
        }
      } break;
      case kBool:
        if (!decoder.ReadBool().status().ok()) {
          return;
        }
        break;
      case kFixed32:
        if (!decoder.ReadFixed32().status().ok()) {
          return;
        }
        break;
      case kPackedFixed32: {
        uint32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFixed32(packed).status().ok()) {
          return;
        }
      } break;
      case kFixed64:
        if (!decoder.ReadFixed64().status().ok()) {
          return;
        }
        break;
      case kPackedFixed64: {
        uint64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFixed64(packed).status().ok()) {
          return;
        }
      } break;
      case kSfixed32:
        if (!decoder.ReadSfixed32().status().ok()) {
          return;
        }
        break;
      case kPackedSfixed32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSfixed32(packed).status().ok()) {
          return;
        }
      } break;
      case kSfixed64:
        if (!decoder.ReadSfixed64().status().ok()) {
          return;
        }
        break;
      case kPackedSfixed64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSfixed64(packed).status().ok()) {
          return;
        }
      } break;
      case kFloat:
        if (!decoder.ReadFloat().status().ok()) {
          return;
        }
        break;
      case kPackedFloat: {
        float packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFloat(packed).status().ok()) {
          return;
        }
      } break;
      case kDouble:
        if (!decoder.ReadDouble().status().ok()) {
          return;
        }
        break;
      case kPackedDouble: {
        double packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedDouble(packed).status().ok()) {
          return;
        }
      } break;
      case kBytes: {
        std::byte bytes[kMaxRepeatedRead] = {std::byte{0}};
        if (!decoder.ReadBytes(bytes).status().ok()) {
          return;
        }
      } break;
      case kString: {
        char str[kMaxRepeatedRead] = {0};
        if (!decoder.ReadString(str).status().ok()) {
          return;
        }
      } break;
      case kPush: {
        StreamDecoder nested_decoder = decoder.GetNestedDecoder();
        RecursiveFuzzedDecode(provider, nested_decoder, depth + 1);
      } break;
      case kPop:
        if (depth > 0) {
          // Special "field". The marks the end of a nested message.
          return;
        }
    }
  }
}

void TestOneInput(FuzzedDataProvider& provider) {
  constexpr size_t kMaxFuzzedProtoSize = 4096;
  std::vector<std::byte> proto_message_data = provider.ConsumeBytes<std::byte>(
      provider.ConsumeIntegralInRange<size_t>(0, kMaxFuzzedProtoSize));
  stream::MemoryReader memory_reader(proto_message_data);
  StreamDecoder decoder(memory_reader);
  RecursiveFuzzedDecode(provider, decoder);
}

}  // namespace
}  // namespace pw::protobuf::fuzz

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider provider(data, size);
  pw::protobuf::fuzz::TestOneInput(provider);
  return 0;
}

Coverage Report

Created: 2025-08-28 06:26

Line	Count	Source (jump to first uncovered line)
1		// Copyright 2022 The Pigweed Authors
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License"); you may not
4		// use this file except in compliance with the License. You may obtain a copy of
5		// the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11		// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12		// License for the specific language governing permissions and limitations under
13		// the License.
14
15		#include <algorithm>
16		#include <cstddef>
17		#include <cstdint>
18		#include <cstring>
19		#include <vector>
20
21		#include "fuzz.h"
22		#include "pw_fuzzer/fuzzed_data_provider.h"
23		#include "pw_protobuf/stream_decoder.h"
24		#include "pw_span/span.h"
25		#include "pw_status/status.h"
26		#include "pw_status/status_with_size.h"
27		#include "pw_stream/memory_stream.h"
28		#include "pw_stream/stream.h"
29
30		namespace pw::protobuf::fuzz {
31		namespace {
32
33		void RecursiveFuzzedDecode(FuzzedDataProvider& provider,
34		StreamDecoder& decoder,
35	5.56k	uint32_t depth = 0) {
36	5.56k	constexpr size_t kMaxRepeatedRead = 256;
37	5.56k	constexpr size_t kMaxDepth = 3;
38
39	5.56k	if (depth > kMaxDepth) {
40	780	return;
41	780	}
42	15.8k	while (provider.remaining_bytes() != 0 && decoder.Next().ok()) {
43	12.7k	FieldType field_type = provider.ConsumeEnum<FieldType>();
44	12.7k	switch (field_type) {
45	418	case kUint32:
46	418	if (!decoder.ReadUint32().status().ok()) {
47	148	return;
48	148	}
49	270	break;
50	412	case kPackedUint32: {
51	412	uint32_t packed[kMaxRepeatedRead] = {0};
52	412	if (!decoder.ReadPackedUint32(packed).status().ok()) {
53	122	return;
54	122	}
55	412	} break;
56	290	case kUint64:
57	225	if (!decoder.ReadUint64().status().ok()) {
58	26	return;
59	26	}
60	199	break;
61	385	case kPackedUint64: {
62	385	uint64_t packed[kMaxRepeatedRead] = {0};
63	385	if (!decoder.ReadPackedUint64(packed).status().ok()) {
64	73	return;
65	73	}
66	385	} break;
67	474	case kInt32:
68	474	if (!decoder.ReadInt32().status().ok()) {
69	216	return;
70	216	}
71	258	break;
72	306	case kPackedInt32: {
73	306	int32_t packed[kMaxRepeatedRead] = {0};
74	306	if (!decoder.ReadPackedInt32(packed).status().ok()) {
75	41	return;
76	41	}
77	306	} break;
78	265	case kInt64:
79	217	if (!decoder.ReadInt64().status().ok()) {
80	22	return;
81	22	}
82	195	break;
83	339	case kPackedInt64: {
84	339	int64_t packed[kMaxRepeatedRead] = {0};
85	339	if (!decoder.ReadPackedInt64(packed).status().ok()) {
86	57	return;
87	57	}
88	339	} break;
89	421	case kSint32:
90	421	if (!decoder.ReadSint32().status().ok()) {
91	133	return;
92	133	}
93	288	break;
94	492	case kPackedSint32: {
95	492	int32_t packed[kMaxRepeatedRead] = {0};
96	492	if (!decoder.ReadPackedSint32(packed).status().ok()) {
97	131	return;
98	131	}
99	492	} break;
100	361	case kSint64:
101	277	if (!decoder.ReadSint64().status().ok()) {
102	81	return;
103	81	}
104	196	break;
105	328	case kPackedSint64: {
106	328	int64_t packed[kMaxRepeatedRead] = {0};
107	328	if (!decoder.ReadPackedSint64(packed).status().ok()) {
108	42	return;
109	42	}
110	328	} break;
111	368	case kBool:
112	368	if (!decoder.ReadBool().status().ok()) {
113	172	return;
114	172	}
115	196	break;
116	461	case kFixed32:
117	461	if (!decoder.ReadFixed32().status().ok()) {
118	10	return;
119	10	}
120	451	break;
121	451	case kPackedFixed32: {
122	297	uint32_t packed[kMaxRepeatedRead] = {0};
123	297	if (!decoder.ReadPackedFixed32(packed).status().ok()) {
124	47	return;
125	47	}
126	297	} break;
127	250	case kFixed64:
128	209	if (!decoder.ReadFixed64().status().ok()) {
129	10	return;
130	10	}
131	199	break;
132	571	case kPackedFixed64: {
133	571	uint64_t packed[kMaxRepeatedRead] = {0};
134	571	if (!decoder.ReadPackedFixed64(packed).status().ok()) {
135	44	return;
136	44	}
137	571	} break;
138	527	case kSfixed32:
139	242	if (!decoder.ReadSfixed32().status().ok()) {
140	6	return;
141	6	}
142	236	break;
143	311	case kPackedSfixed32: {
144	311	int32_t packed[kMaxRepeatedRead] = {0};
145	311	if (!decoder.ReadPackedSfixed32(packed).status().ok()) {
146	35	return;
147	35	}
148	311	} break;
149	276	case kSfixed64:
150	209	if (!decoder.ReadSfixed64().status().ok()) {
151	11	return;
152	11	}
153	198	break;
154	315	case kPackedSfixed64: {
155	315	int64_t packed[kMaxRepeatedRead] = {0};
156	315	if (!decoder.ReadPackedSfixed64(packed).status().ok()) {
157	50	return;
158	50	}
159	315	} break;
160	316	case kFloat:
161	316	if (!decoder.ReadFloat().status().ok()) {
162	9	return;
163	9	}
164	307	break;
165	318	case kPackedFloat: {
166	318	float packed[kMaxRepeatedRead] = {0};
167	318	if (!decoder.ReadPackedFloat(packed).status().ok()) {
168	42	return;
169	42	}
170	318	} break;
171	276	case kDouble:
172	213	if (!decoder.ReadDouble().status().ok()) {
173	6	return;
174	6	}
175	207	break;
176	386	case kPackedDouble: {
177	386	double packed[kMaxRepeatedRead] = {0};
178	386	if (!decoder.ReadPackedDouble(packed).status().ok()) {
179	53	return;
180	53	}
181	386	} break;
182	640	case kBytes: {
183	640	std::byte bytes[kMaxRepeatedRead] = {std::byte{0}};
184	640	if (!decoder.ReadBytes(bytes).status().ok()) {
185	72	return;
186	72	}
187	640	} break;
188	568	case kString: {
189	379	char str[kMaxRepeatedRead] = {0};
190	379	if (!decoder.ReadString(str).status().ok()) {
191	59	return;
192	59	}
193	379	} break;
194	3.23k	case kPush: {
195	3.23k	StreamDecoder nested_decoder = decoder.GetNestedDecoder();
196	3.23k	RecursiveFuzzedDecode(provider, nested_decoder, depth + 1);
197	3.23k	} break;
198	0	case kPop:
199	0	if (depth > 0) {
200		// Special "field". The marks the end of a nested message.
201	0	return;
202	0	}
203	12.7k	}
204	12.7k	}
205	4.78k	}
206
207	2.32k	void TestOneInput(FuzzedDataProvider& provider) {
208	2.32k	constexpr size_t kMaxFuzzedProtoSize = 4096;
209	2.32k	std::vector<std::byte> proto_message_data = provider.ConsumeBytes<std::byte>(
210	2.32k	provider.ConsumeIntegralInRange<size_t>(0, kMaxFuzzedProtoSize));
211	2.32k	stream::MemoryReader memory_reader(proto_message_data);
212	2.32k	StreamDecoder decoder(memory_reader);
213	2.32k	RecursiveFuzzedDecode(provider, decoder);
214	2.32k	}
215
216		} // namespace
217		} // namespace pw::protobuf::fuzz
218
219	17.5k	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
220	17.5k	FuzzedDataProvider provider(data, size);
221	17.5k	pw::protobuf::fuzz::TestOneInput(provider);
222	17.5k	return 0;
223	17.5k	}