mirror of https://github.com/simonask/libyaml-safer synced 2025-02-21 06:48:30 +00:00

Add fuzz targets for scan and load

David Tolnay 2022-07-08 16:20:32 -07:00
parent 824b0966a8
commit 8bc7d69374
No known key found for this signature in database
GPG key ID: F9BA143B95FF6D82
4 changed files with 111 additions and 4 deletions


@ -12,8 +12,20 @@ libfuzzer-sys = "0.4"
unsafe-libyaml = { path = ".." }
[[bin]]
name = "parser"
path = "fuzz_targets/parser.rs"
name = "scan"
path = "fuzz_targets/scan.rs"
test = false
doc = false
[[bin]]
name = "parse"
path = "fuzz_targets/parse.rs"
test = false
doc = false
[[bin]]
name = "load"
path = "fuzz_targets/load.rs"
test = false
doc = false

47
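--- /dev/null
+++ b/fuzz/fuzz_targets/load.rs
@@ -0,0 +1,47 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use std::cmp;
+use std::ffi::c_void;
+use std::mem::MaybeUninit;
+use std::ptr;
+use std::ptr::addr_of_mut;
+use unsafe_libyaml::{
+yaml_document_delete, yaml_document_get_root_node, yaml_document_t, yaml_parser_delete,
+yaml_parser_initialize, yaml_parser_load, yaml_parser_set_input, yaml_parser_t,
+};
+fuzz_target!(|data: &[u8]| { unsafe { fuzz_target(data) } });
+unsafe fn fuzz_target(mut data: &[u8]) {
+let mut parser = MaybeUninit::<yaml_parser_t>::uninit();
+let parser = parser.as_mut_ptr();
+assert_ne!(yaml_parser_initialize(parser), 0);
+yaml_parser_set_input(parser, Some(read_from_slice), addr_of_mut!(data).cast());
+let mut document = MaybeUninit::<yaml_document_t>::uninit();
+let document = document.as_mut_ptr();
+while yaml_parser_load(parser, document) != 0 {
+let done = yaml_document_get_root_node(document).is_null();
+yaml_document_delete(document);
+if done {
+break;
+}
+}
+yaml_parser_delete(parser);
+}
+unsafe fn read_from_slice(
+data: *mut c_void,
+buffer: *mut u8,
+size: u64,
+size_read: *mut u64,
+) -> i32 {
+let data = data.cast::<&[u8]>();
+let input = data.read();
+let n = cmp::min(input.len(), size as usize);
+ptr::copy_nonoverlapping(input.as_ptr(), buffer, n);
+data.write(&input[n..]);
+*size_read = n as u64;
+1
+}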
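Review bot: `read_from_slice` is an `unsafe fn` with no written contract, yet its `ptr::copy_nonoverlapping` and `data.read()` lines are sound only while `data` points at the live `&[u8]` local that `fuzz_target` registered through `addr_of_mut!(data).cast()`, `buffer` is writable for `size` bytes, and `size_read` is a valid `u64` slot. I would add a `/// # Safety` doc comment on the function listing those three requirements, plus a `// SAFETY:` line above the `yaml_parser_set_input` call noting that `data` outlives the parser because `yaml_parser_delete` runs before the function returns. With that written down, a sanitizer report that points into the harness can be told apart from one in the library under test. The `size as usize` cast would also truncate on a 32-bit target; `usize::try_from(size).unwrap_or(usize::MAX)` keeps the `cmp::min` exact there. The byte-identical handler in fuzz/fuzz_targets/scan.rs needs the same comments.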


@ -16,10 +16,11 @@ fuzz_target!(|data: &[u8]| { unsafe { fuzz_target(data) } });
unsafe fn fuzz_target(mut data: &[u8]) {
let mut parser = MaybeUninit::<yaml_parser_t>::uninit();
let parser = parser.as_mut_ptr();
let mut event = MaybeUninit::<yaml_event_t>::uninit();
let event = event.as_mut_ptr();
assert_ne!(yaml_parser_initialize(parser), 0);
yaml_parser_set_input(parser, Some(read_from_slice), addr_of_mut!(data).cast());
let mut event = MaybeUninit::<yaml_event_t>::uninit();
let event = event.as_mut_ptr();
while yaml_parser_parse(parser, event) != 0 {
let type_ = (*event).type_;
yaml_event_delete(event);

47
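--- /dev/null
+++ b/fuzz/fuzz_targets/scan.rs
@@ -0,0 +1,47 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use std::cmp;
+use std::ffi::c_void;
+use std::mem::MaybeUninit;
+use std::ptr;
+use std::ptr::addr_of_mut;
+use unsafe_libyaml::{
+yaml_parser_delete, yaml_parser_initialize, yaml_parser_scan, yaml_parser_set_input,
+yaml_parser_t, yaml_token_delete, yaml_token_t, YAML_STREAM_END_TOKEN,
+};
+fuzz_target!(|data: &[u8]| { unsafe { fuzz_target(data) } });
+unsafe fn fuzz_target(mut data: &[u8]) {
+let mut parser = MaybeUninit::<yaml_parser_t>::uninit();
+let parser = parser.as_mut_ptr();
+assert_ne!(yaml_parser_initialize(parser), 0);
+yaml_parser_set_input(parser, Some(read_from_slice), addr_of_mut!(data).cast());
+let mut token = MaybeUninit::<yaml_token_t>::uninit();
+let token = token.as_mut_ptr();
+while yaml_parser_scan(parser, token) != 0 {
+let type_ = (*token).type_;
+yaml_token_delete(token);
+if type_ == YAML_STREAM_END_TOKEN {
+break;
+}
+}
+yaml_parser_delete(parser);
+}
+unsafe fn read_from_slice(
+data: *mut c_void,
+buffer: *mut u8,
+size: u64,
+size_read: *mut u64,
+) -> i32 {
+let data = data.cast::<&[u8]>();
+let input = data.read();
+let n = cmp::min(input.len(), size as usize);
+ptr::copy_nonoverlapping(input.as_ptr(), buffer, n);
+data.write(&input[n..]);
+*size_read = n as u64;
+1
+}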
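Review bot: `read_from_slice` always hands over `cmp::min(input.len(), size as usize)` bytes and always returns `1`, so this target only ever drives the scanner with full reads and never with a short or failing one. Any input smaller than the size the library asks for therefore arrives in a single call, which presumably leaves the reader's refill path, including a multi-byte character split across two reads, without coverage. A sibling target that caps the chunk would reach it, for example `let n = cmp::min(input.len(), cmp::min(size as usize, 3));`. The same handler is copied in fuzz/fuzz_targets/load.rs, so the gap applies to that target as well.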