libusb_alloc_transfer: 1291| 263|{ 1292| 263| assert(iso_packets >= 0); ------------------ | Branch (1292:2): [True: 0, False: 263] | Branch (1292:2): [True: 263, False: 0] ------------------ 1293| 263| if (iso_packets < 0) ------------------ | Branch (1293:6): [True: 0, False: 263] ------------------ 1294| 0| return NULL; 1295| | 1296| 263| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1297| 263| size_t usbi_transfer_size = PTR_ALIGN(sizeof(struct usbi_transfer)); ------------------ | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1298| 263| size_t libusb_transfer_size = PTR_ALIGN(sizeof(struct libusb_transfer)); ------------------ | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1299| 263| size_t iso_packets_size = sizeof(struct libusb_iso_packet_descriptor) * (size_t)iso_packets; 1300| 263| size_t alloc_size = priv_size + usbi_transfer_size + libusb_transfer_size + iso_packets_size; 1301| 263| unsigned char *ptr = calloc(1, alloc_size); 1302| 263| if (!ptr) ------------------ | Branch (1302:6): [True: 0, False: 263] ------------------ 1303| 0| return NULL; 1304| | 1305| 263| struct usbi_transfer *itransfer = (struct usbi_transfer *)(ptr + priv_size); 1306| 263| itransfer->priv = ptr; 1307| 263| usbi_mutex_init(&itransfer->lock); 1308| 263| struct libusb_transfer *transfer = USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer); ------------------ | | 647| 263| ((struct libusb_transfer *) \ | | 648| 263| ((unsigned char *)(itransfer) \ | | 649| 263| + PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 1309| | 1310| 263| return transfer; 1311| 263|} libusb_fuzzer.cc:_ZL25libusb_fill_control_setupPhhhttt: 1924| 263|{ 1925| 263| struct libusb_control_setup *setup = (struct libusb_control_setup *)(void *)buffer; 1926| 263| setup->bmRequestType = bmRequestType; 1927| 263| setup->bRequest = bRequest; 1928| 263| setup->wValue = libusb_cpu_to_le16(wValue); 1929| 263| setup->wIndex = libusb_cpu_to_le16(wIndex); 1930| 263| setup->wLength = libusb_cpu_to_le16(wLength); 1931| 263|} libusb_fuzzer.cc:_ZL18libusb_cpu_to_le16t: 194| 789|{ 195| 789| union { 196| 789| uint8_t b8[2]; 197| 789| uint16_t b16; 198| 789| } _tmp; 199| 789| _tmp.b8[1] = (uint8_t) (x >> 8); 200| 789| _tmp.b8[0] = (uint8_t) (x & 0xff); 201| 789| return _tmp.b16; 202| 789|} libusb_fuzzer.cc:_ZL18usbi_mutex_destroyP15pthread_mutex_t: 58| 263|{ 59| | PTHREAD_CHECK(pthread_mutex_destroy(mutex)); ------------------ | | 26| 263|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 51| 263|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (59:2): [True: 263, False: 0] ------------------ 60| 263|} io.c:usbi_mutex_init: 41| 263|{ 42| | PTHREAD_CHECK(pthread_mutex_init(mutex, NULL)); ------------------ | | 26| 263|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 51| 263|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (42:2): [True: 0, False: 263] | Branch (42:2): [True: 263, False: 0] ------------------ 43| 263|} LLVMFuzzerTestOneInput: 23| 263|extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 24| 263| struct libusb_transfer *transfer = NULL; 25| 263| FuzzedDataProvider stream(data, size); 26| 263| uint8_t bmRequestType = stream.ConsumeIntegral(); 27| 263| uint8_t bRequest = stream.ConsumeIntegral(); 28| 263| uint16_t wValue = stream.ConsumeIntegral(); 29| 263| uint16_t wIndex = stream.ConsumeIntegral(); 30| 263| uint16_t wLength = stream.ConsumeIntegral(); 31| 263| std::string input = stream.ConsumeRandomLengthString(); 32| 263| const char *d = input.c_str(); 33| | 34| 263| transfer = libusb_alloc_transfer(0); 35| 263| if (!transfer) { ------------------ | Branch (35:7): [True: 0, False: 263] ------------------ 36| 0| return LIBUSB_ERROR_NO_MEM; 37| 0| } 38| | 39| 263| libusb_fill_control_setup((unsigned char *)d, bmRequestType, bRequest, wValue, wIndex, wLength); 40| | 41| | // Cleanup. 42| | // We cannot call libusb_free_transfer as no callbacks has occurred. Calling 43| | // libusb_free_transfer without this will trigger false positive errors. 44| 263| struct usbi_transfer *itransfer = LIBUSB_TRANSFER_TO_USBI_TRANSFER(transfer); ------------------ | | 652| 263| ((struct usbi_transfer *) \ | | 653| 263| ((unsigned char *)(transfer) \ | | 654| 263| - PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 45| 263| usbi_mutex_destroy(&itransfer->lock); 46| 263| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 84| 263| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 47| 263| unsigned char *ptr = (unsigned char *)itransfer - priv_size; 48| 263| free(ptr); 49| | 50| 263| return 0; 51| 263|}