// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stdint.h>
#include <stdlib.h>

#include <iostream>
#include <vector>

#include "base/environment.h"
#include "base/logging.h"
#include "components/zucchini/buffer_view.h"
#include "components/zucchini/fuzzers/file_pair.pb.h"
#include "components/zucchini/patch_reader.h"
#include "components/zucchini/zucchini.h"
#include "testing/libfuzzer/proto/lpm_interface.h"

namespace {

// Upper bound on the "new file" size a fuzzed patch header may request.
// Anything larger is rejected before allocation so the harness does not
// spend its memory budget on attacker-chosen sizes.
constexpr size_t kMaxNewSize = 64 * 1024;

}  // namespace

// Process-wide setup run once, before the first fuzz iteration.
struct Environment {
  Environment() {
    // Only fatal messages are printed: anything noisier floods the fuzzer
    // console on every iteration.
    logging::SetMinLogLevel(logging::LOG_FATAL);
  }
};

// Never freed on purpose: the object must outlive every fuzz iteration and
// the harness never reaches a point where tearing it down matters.
Environment* env = new Environment();

// Fuzz entry point: interprets |file_pair| as an (old image, patch) pair and
// runs zucchini::ApplyBuffer on it. The output is deliberately not validated;
// the goal is to surface crashes and memory errors in the patch reader and
// the apply path, not to check patch correctness.
DEFINE_BINARY_PROTO_FUZZER(const zucchini::fuzzers::FilePair& file_pair) {
  // Dump the native input when LPM_DUMP_NATIVE_INPUT is set; std::endl is
  // kept so the dump is flushed even if the target crashes right after.
  if (base::Environment::Create()->HasVar("LPM_DUMP_NATIVE_INPUT")) {
    std::cout << "Old File: " << file_pair.old_file() << std::endl
              << "Patch File: " << file_pair.new_or_patch_file() << std::endl;
  }

  // Views into the proto's byte fields; they borrow |file_pair|'s storage and
  // stay valid for the duration of this call.
  const auto as_view = [](const auto& bytes) {
    return zucchini::ConstBufferView(
        reinterpret_cast<const uint8_t*>(bytes.data()), bytes.size());
  };
  const zucchini::ConstBufferView old_view = as_view(file_pair.old_file());
  const zucchini::ConstBufferView patch_view =
      as_view(file_pair.new_or_patch_file());

  // A patch that fails header/structure parsing is simply dropped.
  auto patch_reader = zucchini::EnsemblePatchReader::Create(patch_view);
  if (!patch_reader)
    return;

  // The requested output size comes straight from fuzzer-controlled patch
  // data, hence the cap before allocating.
  const size_t requested_size = patch_reader->header().new_size;
  if (requested_size > kMaxNewSize)
    return;
  std::vector<uint8_t> output(requested_size);
  zucchini::MutableBufferView output_view(output.data(), requested_size);

  // Fuzz target; result intentionally ignored (see comment above).
  zucchini::ApplyBuffer(old_view, *patch_reader, output_view);
}