/proc/self/cwd/pw_protobuf/decoder_fuzzer.cc

Source
// Copyright 2022 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.

#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

#include "fuzz.h"
#include "pw_fuzzer/fuzzed_data_provider.h"
#include "pw_protobuf/stream_decoder.h"
#include "pw_span/span.h"
#include "pw_status/status.h"
#include "pw_status/status_with_size.h"
#include "pw_stream/memory_stream.h"
#include "pw_stream/stream.h"

namespace pw::protobuf::fuzz {
namespace {

void RecursiveFuzzedDecode(FuzzedDataProvider& provider,
                           StreamDecoder& decoder,
                           uint32_t depth = 0) {
  constexpr size_t kMaxRepeatedRead = 256;
  constexpr size_t kMaxDepth = 3;

  if (depth > kMaxDepth) {
    return;
  }
  while (provider.remaining_bytes() != 0 && decoder.Next().ok()) {
    FieldType field_type = provider.ConsumeEnum<FieldType>();
    switch (field_type) {
      case kUint32:
        if (!decoder.ReadUint32().status().ok()) {
          return;
        }
        break;
      case kPackedUint32: {
        uint32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedUint32(packed).status().ok()) {
          return;
        }
      } break;
      case kUint64:
        if (!decoder.ReadUint64().status().ok()) {
          return;
        }
        break;
      case kPackedUint64: {
        uint64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedUint64(packed).status().ok()) {
          return;
        }
      } break;
      case kInt32:
        if (!decoder.ReadInt32().status().ok()) {
          return;
        }
        break;
      case kPackedInt32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedInt32(packed).status().ok()) {
          return;
        }
      } break;
      case kInt64:
        if (!decoder.ReadInt64().status().ok()) {
          return;
        }
        break;
      case kPackedInt64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedInt64(packed).status().ok()) {
          return;
        }
      } break;
      case kSint32:
        if (!decoder.ReadSint32().status().ok()) {
          return;
        }
        break;
      case kPackedSint32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSint32(packed).status().ok()) {
          return;
        }
      } break;
      case kSint64:
        if (!decoder.ReadSint64().status().ok()) {
          return;
        }
        break;
      case kPackedSint64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSint64(packed).status().ok()) {
          return;
        }
      } break;
      case kBool:
        if (!decoder.ReadBool().status().ok()) {
          return;
        }
        break;
      case kFixed32:
        if (!decoder.ReadFixed32().status().ok()) {
          return;
        }
        break;
      case kPackedFixed32: {
        uint32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFixed32(packed).status().ok()) {
          return;
        }
      } break;
      case kFixed64:
        if (!decoder.ReadFixed64().status().ok()) {
          return;
        }
        break;
      case kPackedFixed64: {
        uint64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFixed64(packed).status().ok()) {
          return;
        }
      } break;
      case kSfixed32:
        if (!decoder.ReadSfixed32().status().ok()) {
          return;
        }
        break;
      case kPackedSfixed32: {
        int32_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSfixed32(packed).status().ok()) {
          return;
        }
      } break;
      case kSfixed64:
        if (!decoder.ReadSfixed64().status().ok()) {
          return;
        }
        break;
      case kPackedSfixed64: {
        int64_t packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedSfixed64(packed).status().ok()) {
          return;
        }
      } break;
      case kFloat:
        if (!decoder.ReadFloat().status().ok()) {
          return;
        }
        break;
      case kPackedFloat: {
        float packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedFloat(packed).status().ok()) {
          return;
        }
      } break;
      case kDouble:
        if (!decoder.ReadDouble().status().ok()) {
          return;
        }
        break;
      case kPackedDouble: {
        double packed[kMaxRepeatedRead] = {0};
        if (!decoder.ReadPackedDouble(packed).status().ok()) {
          return;
        }
      } break;
      case kBytes: {
        std::byte bytes[kMaxRepeatedRead] = {std::byte{0}};
        if (!decoder.ReadBytes(bytes).status().ok()) {
          return;
        }
      } break;
      case kString: {
        char str[kMaxRepeatedRead] = {0};
        if (!decoder.ReadString(str).status().ok()) {
          return;
        }
      } break;
      case kPush: {
        StreamDecoder nested_decoder = decoder.GetNestedDecoder();
        RecursiveFuzzedDecode(provider, nested_decoder, depth + 1);
      } break;
      case kPop:
        if (depth > 0) {
          // Special "field". The marks the end of a nested message.
          return;
        }
    }
  }
}

void TestOneInput(FuzzedDataProvider& provider) {
  constexpr size_t kMaxFuzzedProtoSize = 4096;
  std::vector<std::byte> proto_message_data = provider.ConsumeBytes<std::byte>(
      provider.ConsumeIntegralInRange<size_t>(0, kMaxFuzzedProtoSize));
  stream::MemoryReader memory_reader(proto_message_data);
  StreamDecoder decoder(memory_reader);
  RecursiveFuzzedDecode(provider, decoder);
}

}  // namespace
}  // namespace pw::protobuf::fuzz

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider provider(data, size);
  pw::protobuf::fuzz::TestOneInput(provider);
  return 0;
}

Coverage Report

Created: 2026-02-04 06:32

Line	Count	Source
1		// Copyright 2022 The Pigweed Authors
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License"); you may not
4		// use this file except in compliance with the License. You may obtain a copy of
5		// the License at
6		//
7		// https://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11		// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12		// License for the specific language governing permissions and limitations under
13		// the License.
14
15		#include <algorithm>
16		#include <cstddef>
17		#include <cstdint>
18		#include <cstring>
19		#include <vector>
20
21		#include "fuzz.h"
22		#include "pw_fuzzer/fuzzed_data_provider.h"
23		#include "pw_protobuf/stream_decoder.h"
24		#include "pw_span/span.h"
25		#include "pw_status/status.h"
26		#include "pw_status/status_with_size.h"
27		#include "pw_stream/memory_stream.h"
28		#include "pw_stream/stream.h"
29
30		namespace pw::protobuf::fuzz {
31		namespace {
32
33		void RecursiveFuzzedDecode(FuzzedDataProvider& provider,
34		StreamDecoder& decoder,
35	5.59k	uint32_t depth = 0) {
36	5.59k	constexpr size_t kMaxRepeatedRead = 256;
37	5.59k	constexpr size_t kMaxDepth = 3;
38
39	5.59k	if (depth > kMaxDepth) {
40	778	return;
41	778	}
42	15.9k	while (provider.remaining_bytes() != 0 && decoder.Next().ok()) {
43	12.7k	FieldType field_type = provider.ConsumeEnum<FieldType>();
44	12.7k	switch (field_type) {
45	408	case kUint32:
46	408	if (!decoder.ReadUint32().status().ok()) {
47	142	return;
48	142	}
49	266	break;
50	423	case kPackedUint32: {
51	423	uint32_t packed[kMaxRepeatedRead] = {0};
52	423	if (!decoder.ReadPackedUint32(packed).status().ok()) {
53	122	return;
54	122	}
55	423	} break;
56	301	case kUint64:
57	223	if (!decoder.ReadUint64().status().ok()) {
58	24	return;
59	24	}
60	199	break;
61	373	case kPackedUint64: {
62	373	uint64_t packed[kMaxRepeatedRead] = {0};
63	373	if (!decoder.ReadPackedUint64(packed).status().ok()) {
64	67	return;
65	67	}
66	373	} break;
67	486	case kInt32:
68	486	if (!decoder.ReadInt32().status().ok()) {
69	221	return;
70	221	}
71	265	break;
72	314	case kPackedInt32: {
73	314	int32_t packed[kMaxRepeatedRead] = {0};
74	314	if (!decoder.ReadPackedInt32(packed).status().ok()) {
75	45	return;
76	45	}
77	314	} break;
78	269	case kInt64:
79	216	if (!decoder.ReadInt64().status().ok()) {
80	22	return;
81	22	}
82	194	break;
83	335	case kPackedInt64: {
84	335	int64_t packed[kMaxRepeatedRead] = {0};
85	335	if (!decoder.ReadPackedInt64(packed).status().ok()) {
86	55	return;
87	55	}
88	335	} break;
89	419	case kSint32:
90	419	if (!decoder.ReadSint32().status().ok()) {
91	133	return;
92	133	}
93	286	break;
94	517	case kPackedSint32: {
95	517	int32_t packed[kMaxRepeatedRead] = {0};
96	517	if (!decoder.ReadPackedSint32(packed).status().ok()) {
97	112	return;
98	112	}
99	517	} break;
100	405	case kSint64:
101	270	if (!decoder.ReadSint64().status().ok()) {
102	73	return;
103	73	}
104	197	break;
105	325	case kPackedSint64: {
106	325	int64_t packed[kMaxRepeatedRead] = {0};
107	325	if (!decoder.ReadPackedSint64(packed).status().ok()) {
108	35	return;
109	35	}
110	325	} break;
111	365	case kBool:
112	365	if (!decoder.ReadBool().status().ok()) {
113	168	return;
114	168	}
115	197	break;
116	462	case kFixed32:
117	462	if (!decoder.ReadFixed32().status().ok()) {
118	7	return;
119	7	}
120	455	break;
121	455	case kPackedFixed32: {
122	299	uint32_t packed[kMaxRepeatedRead] = {0};
123	299	if (!decoder.ReadPackedFixed32(packed).status().ok()) {
124	41	return;
125	41	}
126	299	} break;
127	258	case kFixed64:
128	207	if (!decoder.ReadFixed64().status().ok()) {
129	8	return;
130	8	}
131	199	break;
132	583	case kPackedFixed64: {
133	583	uint64_t packed[kMaxRepeatedRead] = {0};
134	583	if (!decoder.ReadPackedFixed64(packed).status().ok()) {
135	43	return;
136	43	}
137	583	} break;
138	540	case kSfixed32:
139	226	if (!decoder.ReadSfixed32().status().ok()) {
140	12	return;
141	12	}
142	214	break;
143	303	case kPackedSfixed32: {
144	303	int32_t packed[kMaxRepeatedRead] = {0};
145	303	if (!decoder.ReadPackedSfixed32(packed).status().ok()) {
146	36	return;
147	36	}
148	303	} break;
149	267	case kSfixed64:
150	207	if (!decoder.ReadSfixed64().status().ok()) {
151	10	return;
152	10	}
153	197	break;
154	325	case kPackedSfixed64: {
155	325	int64_t packed[kMaxRepeatedRead] = {0};
156	325	if (!decoder.ReadPackedSfixed64(packed).status().ok()) {
157	48	return;
158	48	}
159	325	} break;
160	331	case kFloat:
161	331	if (!decoder.ReadFloat().status().ok()) {
162	8	return;
163	8	}
164	323	break;
165	323	case kPackedFloat: {
166	314	float packed[kMaxRepeatedRead] = {0};
167	314	if (!decoder.ReadPackedFloat(packed).status().ok()) {
168	38	return;
169	38	}
170	314	} break;
171	276	case kDouble:
172	212	if (!decoder.ReadDouble().status().ok()) {
173	6	return;
174	6	}
175	206	break;
176	335	case kPackedDouble: {
177	335	double packed[kMaxRepeatedRead] = {0};
178	335	if (!decoder.ReadPackedDouble(packed).status().ok()) {
179	58	return;
180	58	}
181	335	} break;
182	607	case kBytes: {
183	607	std::byte bytes[kMaxRepeatedRead] = {std::byte{0}};
184	607	if (!decoder.ReadBytes(bytes).status().ok()) {
185	56	return;
186	56	}
187	607	} break;
188	551	case kString: {
189	414	char str[kMaxRepeatedRead] = {0};
190	414	if (!decoder.ReadString(str).status().ok()) {
191	61	return;
192	61	}
193	414	} break;
194	3.26k	case kPush: {
195	3.26k	StreamDecoder nested_decoder = decoder.GetNestedDecoder();
196	3.26k	RecursiveFuzzedDecode(provider, nested_decoder, depth + 1);
197	3.26k	} break;
198	0	case kPop:
199	0	if (depth > 0) {
200		// Special "field". The marks the end of a nested message.
201	0	return;
202	0	}
203	12.7k	}
204	12.7k	}
205	4.81k	}
206
207	2.33k	void TestOneInput(FuzzedDataProvider& provider) {
208	2.33k	constexpr size_t kMaxFuzzedProtoSize = 4096;
209	2.33k	std::vector<std::byte> proto_message_data = provider.ConsumeBytes<std::byte>(
210	2.33k	provider.ConsumeIntegralInRange<size_t>(0, kMaxFuzzedProtoSize));
211	2.33k	stream::MemoryReader memory_reader(proto_message_data);
212	2.33k	StreamDecoder decoder(memory_reader);
213	2.33k	RecursiveFuzzedDecode(provider, decoder);
214	2.33k	}
215
216		} // namespace
217		} // namespace pw::protobuf::fuzz
218
219	16.6k	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
220	16.6k	FuzzedDataProvider provider(data, size);
221	16.6k	pw::protobuf::fuzz::TestOneInput(provider);
222	16.6k	return 0;
223	16.6k	}