Unverified Commit e239eda3 authored by Max Dymond's avatar Max Dymond Committed by Daniel Stenberg
Browse files

ossfuzz: don't write out to stdout 

Don't make the fuzzer write out to stdout - instead write some of the
contents to a memory block so we exercise the data output code but
quietly.

Closes #1885
parent 2bc230de

tests/fuzz/curl_fuzzer.cc

+30 −0
Original line number Diff line number Diff line
@@ -136,6 +136,12 @@ int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz, 
                        fuzz_read_callback));

  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_READDATA, fuzz));



  /* Set the standard write function callback. */

  FTRY(curl_easy_setopt(fuzz->easy,

                        CURLOPT_WRITEFUNCTION,

                        fuzz_write_callback));

  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_WRITEDATA, fuzz));



  /* Can enable verbose mode by changing 0L to 1L */

  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 0L));
@@ -269,6 +275,30 @@ static size_t fuzz_read_callback(char *buffer, 
  return fuzz->upload1_data_len;

}



/**

 * Callback function for handling data output quietly.

 */

static size_t fuzz_write_callback(void *contents,

                                  size_t size,

                                  size_t nmemb,

                                  void *ptr)

{

  size_t total = size * nmemb;

  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;

  size_t copy_len = total;



  /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */

  if(copy_len > TEMP_WRITE_ARRAY_SIZE) {

    copy_len = TEMP_WRITE_ARRAY_SIZE;

  }



  /* Copy bytes to the temp store just to ensure the parameters are

     exercised. */

  memcpy(fuzz->write_array, contents, copy_len);



  return total;

}



/**

 * TLV access function - gets the first TLV from a data stream.

 */

tests/fuzz/curl_fuzzer.h

+10 −0
Original line number Diff line number Diff line
@@ -46,6 +46,9 @@ 
#define TLV_RC_NO_MORE_TLVS             1

#define TLV_RC_SIZE_ERROR               2



/* Temporary write array size */

#define TEMP_WRITE_ARRAY_SIZE           10



/**

 * Byte stream representation of the TLV header. Casting the byte stream

 * to a TLV_RAW allows us to examine the type and length.
@@ -98,6 +101,9 @@ typedef struct fuzz_data 
  /* Parser state */

  FUZZ_PARSE_STATE state;



  /* Temporary writefunction state */

  char write_array[TEMP_WRITE_ARRAY_SIZE];



  /* Response data and length */

  const uint8_t *rsp1_data;

  size_t rsp1_data_len;
@@ -142,6 +148,10 @@ static size_t fuzz_read_callback(char *buffer, 
                                 size_t size,

                                 size_t nitems,

                                 void *ptr);

static size_t fuzz_write_callback(void *contents,

                                  size_t size,

                                  size_t nmemb,

                                  void *ptr);

int fuzz_get_first_tlv(FUZZ_DATA *fuzz, TLV *tlv);

int fuzz_get_next_tlv(FUZZ_DATA *fuzz, TLV *tlv);

int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, TLV *tlv);