diff options
| author | Max Dymond <cmeister2@gmail.com> | 2019-07-24 19:14:17 +0100 |
|---|---|---|
| committer | Max Dymond <cmeister2@gmail.com> | 2019-07-24 19:14:17 +0100 |
| commit | 3858607be03ba91bb212a306a5175cfe9662bc37 (patch) | |
| tree | a45aced8bb8b1da7770f6272ff60b8c303b8c1bd /test/ossfuzz | |
| parent | 66dec35c8c69449c1f85690b4ba58e2b6ce1f4ba (diff) | |
| download | jansson-3858607be03ba91bb212a306a5175cfe9662bc37.zip jansson-3858607be03ba91bb212a306a5175cfe9662bc37.tar.gz jansson-3858607be03ba91bb212a306a5175cfe9662bc37.tar.bz2 | |
Depending on the dump_mode byte, dump out as a string or as a callback.
Diffstat (limited to 'test/ossfuzz')
| -rw-r--r-- | test/ossfuzz/json_load_dump_fuzzer.cc | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/test/ossfuzz/json_load_dump_fuzzer.cc b/test/ossfuzz/json_load_dump_fuzzer.cc index 29f92f6..bc3844e 100644 --- a/test/ossfuzz/json_load_dump_fuzzer.cc +++ b/test/ossfuzz/json_load_dump_fuzzer.cc @@ -23,16 +23,22 @@ static int json_dump_counter(const char *buffer, size_t size, void *data) } +#define NUM_COMMAND_BYTES (sizeof(size_t) + sizeof(size_t) + 1) + +#define FUZZ_DUMP_CALLBACK 0x00 +#define FUZZ_DUMP_STRING 0x01 + extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { json_error_t error; + unsigned char dump_mode; // Enable or disable diagnostics based on the FUZZ_VERBOSE environment flag. enable_diags = (getenv("FUZZ_VERBOSE") != NULL); FUZZ_DEBUG("Input data length: %zd", size); - if (size < sizeof(size_t) + sizeof(size_t)) + if (size < NUM_COMMAND_BYTES) { return 0; } @@ -40,7 +46,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) // Use the first sizeof(size_t) bytes as load flags. size_t load_flags = *(const size_t*)data; data += sizeof(size_t); - size -= sizeof(size_t); FUZZ_DEBUG("load_flags: 0x%zx\n" "& JSON_REJECT_DUPLICATES = 0x%zx\n" @@ -58,7 +63,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) // Use the next sizeof(size_t) bytes as dump flags. size_t dump_flags = *(const size_t*)data; data += sizeof(size_t); - size -= sizeof(size_t); FUZZ_DEBUG("dump_flags: 0x%zx\n" "& JSON_MAX_INDENT = 0x%zx\n" @@ -81,6 +85,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) ((dump_flags >> 11) & 0x1F) << 11, dump_flags & JSON_EMBED); + // Use the next byte as the dump mode. + dump_mode = data[0]; + data++; + + FUZZ_DEBUG("dump_mode: 0x%x", (unsigned int)dump_mode); + + // Remove the command bytes from the size total. + size -= NUM_COMMAND_BYTES; + // Attempt to load the remainder of the data with the given load flags. const char* text = reinterpret_cast<const char *>(data); json_t* jobj = json_loadb(text, size, load_flags, &error); @@ -90,11 +103,25 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) return 0; } - // Attempt to dump the loaded json object with the given dump flags. - uint64_t counter = 0; + if (dump_mode & FUZZ_DUMP_STRING) + { + // Dump as a string. Remove indents so that we don't run out of memory. + char *out = json_dumps(jobj, dump_flags & ~JSON_MAX_INDENT); + if (out != NULL) + { + free(out); + } + } + else + { + // Default is callback mode. + // + // Attempt to dump the loaded json object with the given dump flags. + uint64_t counter = 0; - json_dump_callback(jobj, json_dump_counter, &counter, dump_flags); - FUZZ_DEBUG("Counter function counted %" PRIu64 " bytes.", counter); + json_dump_callback(jobj, json_dump_counter, &counter, dump_flags); + FUZZ_DEBUG("Counter function counted %" PRIu64 " bytes.", counter); + } if (jobj) { |