libusb_alloc_transfer: 1291| 261|{ 1292| 261| assert(iso_packets >= 0); ------------------ | Branch (1292:2): [True: 0, False: 261] | Branch (1292:2): [True: 261, False: 0] ------------------ 1293| 261| if (iso_packets < 0) ------------------ | Branch (1293:6): [True: 0, False: 261] ------------------ 1294| 0| return NULL; 1295| | 1296| 261| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1297| 261| size_t usbi_transfer_size = PTR_ALIGN(sizeof(struct usbi_transfer)); ------------------ | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1298| 261| size_t libusb_transfer_size = PTR_ALIGN(sizeof(struct libusb_transfer)); ------------------ | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1299| 261| size_t iso_packets_size = sizeof(struct libusb_iso_packet_descriptor) * (size_t)iso_packets; 1300| 261| size_t alloc_size = priv_size + usbi_transfer_size + libusb_transfer_size + iso_packets_size; 1301| 261| unsigned char *ptr = calloc(1, alloc_size); 1302| 261| if (!ptr) ------------------ | Branch (1302:6): [True: 0, False: 261] ------------------ 1303| 0| return NULL; 1304| | 1305| 261| struct usbi_transfer *itransfer = (struct usbi_transfer *)(ptr + priv_size); 1306| 261| itransfer->priv = ptr; 1307| 261| usbi_mutex_init(&itransfer->lock); 1308| 261| struct libusb_transfer *transfer = USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer); ------------------ | | 647| 261| ((struct libusb_transfer *) \ | | 648| 261| ((unsigned char *)(itransfer) \ | | 649| 261| + PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 1309| | 1310| 261| return transfer; 1311| 261|} libusb_fuzzer.cc:_ZL25libusb_fill_control_setupPhhhttt: 1924| 261|{ 1925| 261| struct libusb_control_setup *setup = (struct libusb_control_setup *)(void *)buffer; 1926| 261| setup->bmRequestType = bmRequestType; 1927| 261| setup->bRequest = bRequest; 1928| 261| setup->wValue = libusb_cpu_to_le16(wValue); 1929| 261| setup->wIndex = libusb_cpu_to_le16(wIndex); 1930| 261| setup->wLength = libusb_cpu_to_le16(wLength); 1931| 261|} libusb_fuzzer.cc:_ZL18libusb_cpu_to_le16t: 194| 783|{ 195| 783| union { 196| 783| uint8_t b8[2]; 197| 783| uint16_t b16; 198| 783| } _tmp; 199| 783| _tmp.b8[1] = (uint8_t) (x >> 8); 200| 783| _tmp.b8[0] = (uint8_t) (x & 0xff); 201| 783| return _tmp.b16; 202| 783|} libusb_fuzzer.cc:_ZL18usbi_mutex_destroyP15pthread_mutex_t: 58| 261|{ 59| | PTHREAD_CHECK(pthread_mutex_destroy(mutex)); ------------------ | | 26| 261|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 51| 261|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (59:2): [True: 261, False: 0] ------------------ 60| 261|} io.c:usbi_mutex_init: 41| 261|{ 42| | PTHREAD_CHECK(pthread_mutex_init(mutex, NULL)); ------------------ | | 26| 261|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 51| 261|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (42:2): [True: 0, False: 261] | Branch (42:2): [True: 261, False: 0] ------------------ 43| 261|} LLVMFuzzerTestOneInput: 23| 261|extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 24| 261| struct libusb_transfer *transfer = NULL; 25| 261| FuzzedDataProvider stream(data, size); 26| 261| uint8_t bmRequestType = stream.ConsumeIntegral(); 27| 261| uint8_t bRequest = stream.ConsumeIntegral(); 28| 261| uint16_t wValue = stream.ConsumeIntegral(); 29| 261| uint16_t wIndex = stream.ConsumeIntegral(); 30| 261| uint16_t wLength = stream.ConsumeIntegral(); 31| 261| std::string input = stream.ConsumeRandomLengthString(); 32| 261| const char *d = input.c_str(); 33| | 34| 261| transfer = libusb_alloc_transfer(0); 35| 261| if (!transfer) { ------------------ | Branch (35:7): [True: 0, False: 261] ------------------ 36| 0| return LIBUSB_ERROR_NO_MEM; 37| 0| } 38| | 39| 261| libusb_fill_control_setup((unsigned char *)d, bmRequestType, bRequest, wValue, wIndex, wLength); 40| | 41| | // Cleanup. 42| | // We cannot call libusb_free_transfer as no callbacks has occurred. Calling 43| | // libusb_free_transfer without this will trigger false positive errors. 44| 261| struct usbi_transfer *itransfer = LIBUSB_TRANSFER_TO_USBI_TRANSFER(transfer); ------------------ | | 652| 261| ((struct usbi_transfer *) \ | | 653| 261| ((unsigned char *)(transfer) \ | | 654| 261| - PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 45| 261| usbi_mutex_destroy(&itransfer->lock); 46| 261| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 84| 261| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 47| 261| unsigned char *ptr = (unsigned char *)itransfer - priv_size; 48| 261| free(ptr); 49| | 50| 261| return 0; 51| 261|}