libusb_alloc_transfer: 1293| 260|{ 1294| 260| assert(iso_packets >= 0); ------------------ | Branch (1294:2): [True: 0, False: 260] | Branch (1294:2): [True: 260, False: 0] ------------------ 1295| 260| if (iso_packets < 0) ------------------ | Branch (1295:6): [True: 0, False: 260] ------------------ 1296| 0| return NULL; 1297| | 1298| 260| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1299| 260| size_t usbi_transfer_size = PTR_ALIGN(sizeof(struct usbi_transfer)); ------------------ | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1300| 260| size_t libusb_transfer_size = PTR_ALIGN(sizeof(struct libusb_transfer)); ------------------ | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 1301| 260| size_t iso_packets_size = sizeof(struct libusb_iso_packet_descriptor) * (size_t)iso_packets; 1302| 260| size_t alloc_size = priv_size + usbi_transfer_size + libusb_transfer_size + iso_packets_size; 1303| 260| unsigned char *ptr = (unsigned char *)calloc(1, alloc_size); 1304| 260| if (!ptr) ------------------ | Branch (1304:6): [True: 0, False: 260] ------------------ 1305| 0| return NULL; 1306| | 1307| 260| struct usbi_transfer *itransfer = (struct usbi_transfer *)(ptr + priv_size); 1308| 260| itransfer->priv = ptr; 1309| 260| usbi_mutex_init(&itransfer->lock); 1310| 260| struct libusb_transfer *transfer = USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer); ------------------ | | 650| 260| ((struct libusb_transfer *) \ | | 651| 260| ((unsigned char *)(itransfer) \ | | 652| 260| + PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 1311| | 1312| 260| return transfer; 1313| 260|} libusb_fuzzer.cc:_ZL25libusb_fill_control_setupPhhhttt: 1943| 260|{ 1944| 260| struct libusb_control_setup *setup = (struct libusb_control_setup *)(void *)buffer; 1945| 260| setup->bmRequestType = bmRequestType; 1946| 260| setup->bRequest = bRequest; 1947| 260| setup->wValue = libusb_cpu_to_le16(wValue); 1948| 260| setup->wIndex = libusb_cpu_to_le16(wIndex); 1949| 260| setup->wLength = libusb_cpu_to_le16(wLength); 1950| 260|} libusb_fuzzer.cc:_ZL18libusb_cpu_to_le16t: 198| 780|{ 199| 780| union { 200| 780| uint8_t b8[2]; 201| 780| uint16_t b16; 202| 780| } _tmp; 203| 780| _tmp.b8[1] = (uint8_t) (x >> 8); 204| 780| _tmp.b8[0] = (uint8_t) (x & 0xff); 205| 780| return _tmp.b16; 206| 780|} libusb_fuzzer.cc:_ZL18usbi_mutex_destroyP15pthread_mutex_t: 61| 260|{ 62| | PTHREAD_CHECK(pthread_mutex_destroy(mutex)); ------------------ | | 29| 260|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 54| 260|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (62:2): [True: 260, False: 0] ------------------ 63| 260|} io.c:usbi_mutex_init: 44| 260|{ 45| | PTHREAD_CHECK(pthread_mutex_init(mutex, NULL)); ------------------ | | 29| 260|#define PTHREAD_CHECK(expression) ASSERT_EQ(expression, 0) | | ------------------ | | | | 54| 260|#define ASSERT_EQ(expression, value) assert(expression == value) | | ------------------ ------------------ | Branch (45:2): [True: 0, False: 260] | Branch (45:2): [True: 260, False: 0] ------------------ 46| 260|} LLVMFuzzerTestOneInput: 23| 260|extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 24| 260| struct libusb_transfer *transfer = NULL; 25| 260| FuzzedDataProvider stream(data, size); 26| 260| uint8_t bmRequestType = stream.ConsumeIntegral(); 27| 260| uint8_t bRequest = stream.ConsumeIntegral(); 28| 260| uint16_t wValue = stream.ConsumeIntegral(); 29| 260| uint16_t wIndex = stream.ConsumeIntegral(); 30| 260| uint16_t wLength = stream.ConsumeIntegral(); 31| 260| std::string input = stream.ConsumeRandomLengthString(); 32| 260| const char *d = input.c_str(); 33| | 34| 260| transfer = libusb_alloc_transfer(0); 35| 260| if (!transfer) { ------------------ | Branch (35:7): [True: 0, False: 260] ------------------ 36| 0| return LIBUSB_ERROR_NO_MEM; 37| 0| } 38| | 39| 260| libusb_fill_control_setup((unsigned char *)d, bmRequestType, bRequest, wValue, wIndex, wLength); 40| | 41| | // Cleanup. 42| | // We cannot call libusb_free_transfer as no callbacks has occurred. Calling 43| | // libusb_free_transfer without this will trigger false positive errors. 44| 260| struct usbi_transfer *itransfer = LIBUSB_TRANSFER_TO_USBI_TRANSFER(transfer); ------------------ | | 655| 260| ((struct usbi_transfer *) \ | | 656| 260| ((unsigned char *)(transfer) \ | | 657| 260| - PTR_ALIGN(sizeof(struct usbi_transfer)))) | | ------------------ | | | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) | | ------------------ ------------------ 45| 260| usbi_mutex_destroy(&itransfer->lock); 46| 260| size_t priv_size = PTR_ALIGN(usbi_backend.transfer_priv_size); ------------------ | | 87| 260| (((v) + (sizeof(void *) - 1)) & ~(sizeof(void *) - 1)) ------------------ 47| 260| unsigned char *ptr = (unsigned char *)itransfer - priv_size; 48| 260| free(ptr); 49| | 50| 260| return 0; 51| 260|}