[fuzzer] Don't crash if LLVMFuzzerMutate was called by CustomCrossOver

Reviewers: kcc Subscribers: llvm-commits, mgorny Differential Revision: https://reviews.llvm.org/D30682 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@297202 91177308-0d34-0410-b5e6-96231b3b80d8
2025-02-01 18:12:49 +00:00 · 2017-03-07 20:37:38 +00:00 · 2017-03-07 20:37:38 +00:00 · c3e4809203
commit c3e4809203
parent 80a7dbae8f
5 changed files with 40 additions and 2 deletions
--- a/lib/Fuzzer/FuzzerMutate.cpp
+++ b/lib/Fuzzer/FuzzerMutate.cpp
@ -81,8 +81,8 @@ size_t MutationDispatcher::Mutate_CustomCrossOver(uint8_t *Data, size_t Size,
  const Unit &Other = (*Corpus)[Idx];
  if (Other.empty())
    return 0;
-  MutateInPlaceHere.resize(MaxSize);
-  auto &U = MutateInPlaceHere;
+  CustomCrossOverInPlaceHere.resize(MaxSize);
+  auto &U = CustomCrossOverInPlaceHere;
  size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
      Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
  if (!NewSize)
--- a/lib/Fuzzer/FuzzerMutate.h
+++ b/lib/Fuzzer/FuzzerMutate.h
@ -143,6 +143,9 @@ private:

  const InputCorpus *Corpus = nullptr;
  std::vector<uint8_t> MutateInPlaceHere;
+  // CustomCrossOver needs its own buffer as a custom implementation may call
+  // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
+  std::vector<uint8_t> CustomCrossOverInPlaceHere;

  std::vector<Mutator> Mutators;
  std::vector<Mutator> DefaultMutators;
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@ -80,6 +80,7 @@ set(Tests
  BufferOverflowOnInput
  CallerCalleeTest
  CounterTest
+  CustomCrossOverAndMutateTest
  CustomCrossOverTest
  CustomMutatorTest
  CxxStringEqTest
--- a/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp
+++ b/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp
@ -0,0 +1,33 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that libFuzzer does not crash when LLVMFuzzerMutate called from
+// LLVMFuzzerCustomCrossOver.
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <string.h>
+#include <vector>
+
+#include "FuzzerInterface.h"
+
+static volatile int sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  std::string Str(reinterpret_cast<const char *>(Data), Size);
+  if (Size && Data[0] == '0')
+    sink++;
+  return 0;
+}
+
+extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
+                                            const uint8_t *Data2, size_t Size2,
+                                            uint8_t *Out, size_t MaxOutSize,
+                                            unsigned int Seed) {
+  std::vector<uint8_t> Buffer(MaxOutSize * 10);
+  LLVMFuzzerMutate(Buffer.data(), Buffer.size(), Buffer.size());
+  size_t Size = std::min<size_t>(Size1, MaxOutSize);
+  memcpy(Out, Data1, Size);
+  return Size;
+}
--- a/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test
+++ b/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test
@ -0,0 +1 @@
+RUN: LLVMFuzzer-CustomCrossOverAndMutateTest -seed=1 -use_memcmp=0 -runs=100000
				`@ -0,0 +1 @@`
				`RUN: LLVMFuzzer-CustomCrossOverAndMutateTest -seed=1 -use_memcmp=0 -runs=100000`