diff options
author | Michael Jones <michaelrj@google.com> | 2023-02-16 11:23:44 -0800 |
---|---|---|
committer | Michael Jones <michaelrj@google.com> | 2023-02-27 13:21:35 -0800 |
commit | 62e7bdd22a95b92d04e61f93b6aea4d95a5030fd (patch) | |
tree | fb76bf4a35acf6ee0c3adb85585fcc8b681c28fa /libc/fuzzing | |
parent | 387452ec591c81def6d8869b23c2ab2f1c56f999 (diff) | |
download | llvm-62e7bdd22a95b92d04e61f93b6aea4d95a5030fd.tar.gz |
[libc] use vars in string to num fuzz targets
The string to integer and string to float standalone fuzz targets just
ran the functions and didn't do anything with the output. This was
intentional, since they are intended to be used with sanitizers to
detect buffer overflow bugs. Not using the variables was causing compile
warnings, so this patch adds trivial checks to use the variables.
Reviewed By: sivachandra, lntue
Differential Revision: https://reviews.llvm.org/D144208
Diffstat (limited to 'libc/fuzzing')
-rw-r--r-- | libc/fuzzing/stdlib/strtofloat_fuzz.cpp | 18 | ||||
-rw-r--r-- | libc/fuzzing/stdlib/strtointeger_fuzz.cpp | 10 |
2 files changed, 25 insertions, 3 deletions
diff --git a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp index 209d3ee9b3e7..3366c5c64dda 100644 --- a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp +++ b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp @@ -13,6 +13,7 @@ #include "src/stdlib/strtod.h" #include "src/stdlib/strtof.h" #include "src/stdlib/strtold.h" +#include <math.h> #include <stddef.h> #include <stdint.h> @@ -30,10 +31,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { char *out_ptr = nullptr; - // This fuzzer only checks that the alrogithms didn't read beyond the end of + // This fuzzer only checks that the algorithms didn't read beyond the end of // the string in container. Combined with sanitizers, this will check that the - // code is not reading memory beyond what's expected. This test does not make - // any attempt to check correctness of the result. + // code is not reading memory beyond what's expected. This test does not + // effectively check the correctness of the result. auto volatile atof_output = __llvm_libc::atof(str_ptr); auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr); if (str_ptr + size < out_ptr) @@ -45,6 +46,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (str_ptr + size < out_ptr) __builtin_trap(); + // If any of the outputs are NaN + if (isnan(atof_output) || isnan(strtof_output) || isnan(strtod_output) || + isnan(strtold_output)) { + // Then all the outputs should be NaN. + // This is a trivial check meant to silence the "unused variable" warnings. + if (!isnan(atof_output) || !isnan(strtof_output) || !isnan(strtod_output) || + !isnan(strtold_output)) { + __builtin_trap(); + } + } + delete[] container; return 0; } diff --git a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp index 3880d7b5f9c7..197bee01d3a3 100644 --- a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp +++ b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp @@ -65,6 +65,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (str_ptr + container_size - 1 < out_ptr) __builtin_trap(); + // If atoi is non-zero and the base is at least 10 + if (atoi_output != 0 && base >= 10) { + // Then all of the other functions should output non-zero values as well. + // This is a trivial check meant to silence the "unused variable" warnings. + if (atol_output == 0 || atoll_output == 0 || strtol_output == 0 || + strtoll_output == 0 || strtoul_output == 0 || strtoull_output == 0) { + __builtin_trap(); + } + } + delete[] container; return 0; } |