diff options
| -rw-r--r-- | BUILD.gn | 1 | ||||
| -rw-r--r-- | fuzzers/BUILD.gn | 14 | ||||
| -rw-r--r-- | fuzzers/disassembler_dex_fuzzer.cc | 53 |
3 files changed, 68 insertions, 0 deletions
@@ -212,6 +212,7 @@ test("zucchini_integration_test") { group("zucchini_fuzzers") { testonly = true deps = [ + "//components/zucchini/fuzzers:zucchini_disassembler_dex_fuzzer", "//components/zucchini/fuzzers:zucchini_disassembler_win32_fuzzer", "//components/zucchini/fuzzers:zucchini_patch_fuzzer", ] diff --git a/fuzzers/BUILD.gn b/fuzzers/BUILD.gn index 10a8bba..12964f3 100644 --- a/fuzzers/BUILD.gn +++ b/fuzzers/BUILD.gn @@ -7,6 +7,20 @@ import("//third_party/protobuf/proto_library.gni") # To download the corpus for local fuzzing use: # gsutil -m rsync \ +# gs://clusterfuzz-corpus/libfuzzer/zucchini_disassembler_dex_fuzzer \ +# components/zucchini/fuzzing/testdata/disassembler_dex_fuzzer +fuzzer_test("zucchini_disassembler_dex_fuzzer") { + sources = [ + "disassembler_dex_fuzzer.cc", + ] + deps = [ + "//base", + "//components/zucchini:zucchini_lib", + ] +} + +# To download the corpus for local fuzzing use: +# gsutil -m rsync \ # gs://clusterfuzz-corpus/libfuzzer/zucchini_disassembler_win32_fuzzer \ # components/zucchini/fuzzing/testdata/disassembler_win32_fuzzer fuzzer_test("zucchini_disassembler_win32_fuzzer") { diff --git a/fuzzers/disassembler_dex_fuzzer.cc b/fuzzers/disassembler_dex_fuzzer.cc new file mode 100644 index 0000000..5968c98 --- /dev/null +++ b/fuzzers/disassembler_dex_fuzzer.cc @@ -0,0 +1,53 @@ +// Copyright 2018 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <stddef.h> +#include <stdint.h> + +#include "base/logging.h" +#include "components/zucchini/buffer_view.h" +#include "components/zucchini/disassembler.h" +#include "components/zucchini/disassembler_dex.h" + +namespace { + +struct Environment { + Environment() { logging::SetMinLogLevel(logging::LOG_FATAL); } +}; + +} // namespace + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static Environment env; + if (!size) + return 0; + // Prepare data. + std::vector<uint8_t> mutable_data(data, data + size); + zucchini::MutableBufferView mutable_image(mutable_data.data(), + mutable_data.size()); + + // Create disassembler. Early exit on failure. + auto disassembler_dex = + zucchini::Disassembler::Make<zucchini::DisassemblerDex>( + zucchini::ConstBufferView(mutable_image)); + if (!disassembler_dex) + return 0; + + std::vector<zucchini::Reference> references; + // Read all references in the file. + auto groups = disassembler_dex->MakeReferenceGroups(); + for (const auto& group : groups) { + auto reader = group.GetReader(disassembler_dex.get()); + for (auto ref = reader->GetNext(); ref.has_value(); + ref = reader->GetNext()) { + references.push_back(ref.value()); + } + reader.reset(); + auto writer = group.GetWriter(mutable_image, disassembler_dex.get()); + for (const auto& ref : references) + writer->PutNext(ref); + references.clear(); + } + return 0; +} |