Fuzz

src/database.c

@@ -175,12 +175,14 @@ hs_error_t db_decode_header(const char **bytes, const size_t length,
 // Check the CRC on a database
 static
 hs_error_t db_check_crc(const hs_database_t *db) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     const char *bytecode = hs_get_bytecode(db);
     u32 crc = Crc32c_ComputeBuf(0, bytecode, db->length);
     if (crc != db->crc32) {
         DEBUG_PRINTF("crc mismatch! 0x%x != 0x%x\n", crc, db->crc32);
         return HS_INVALID;
     }
+#endif
     return HS_SUCCESS;
 }
 

tools/fuzz/CMakeLists.txt

@@ -0,0 +1,14 @@
+if(NOT DEFINED ENV{LIB_FUZZING_ENGINE})
+  set(FUZZ_DRIVER_SRC onefile.c)
+endif()
+
+add_executable(fuzz_simplegrep fuzz_simplegrep.c ${FUZZ_DRIVER_SRC})
+target_link_libraries(fuzz_simplegrep hs)
+
+add_executable(fuzz_deserialize_database fuzz_deserialize_database.c ${FUZZ_DRIVER_SRC})
+target_link_libraries(fuzz_deserialize_database hs)
+
+if(DEFINED ENV{LIB_FUZZING_ENGINE})
+  target_link_libraries(fuzz_simplegrep $ENV{LIB_FUZZING_ENGINE})
+  target_link_libraries(fuzz_deserialize_database $ENV{LIB_FUZZING_ENGINE})
+endif()

tools/fuzz/fuzz_deserialize_database.c

@@ -0,0 +1,23 @@
+#include "hs.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+FILE * logfile = NULL;
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (logfile == NULL) {
+        logfile = fopen("/dev/null", "wb");
+    }
+
+    hs_database_t *database;
+    hs_error_t err = hs_deserialize_database(Data, Size, &database);
+    if (err != HS_SUCCESS) {
+        fprintf(logfile, "ERROR\n");
+        return 0;
+    }
+    hs_free_database(database);
+    return 0;
+}

tools/fuzz/fuzz_simplegrep.c

@@ -0,0 +1,71 @@
+#include "hs.h"
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+FILE * logfile = NULL;
+hs_scratch_t *scratch = NULL;
+void * scrachAllocArea = NULL;
+size_t scrachAllocSize = 0;
+
+static int eventHandler(unsigned int id, unsigned long long from,
+                        unsigned long long to, unsigned int flags, void *ctx) {
+    fprintf(logfile, "Match for pattern \"%s\" at offset %llu\n", (char *)ctx, to);
+    return 0;
+}
+
+static void * fuzz_scratch_alloc(size_t size) {
+    if (size > scrachAllocSize) {
+        scrachAllocArea = realloc(scrachAllocArea, size);
+        scrachAllocSize = size;
+    }
+    return scrachAllocArea;
+}
+
+static void fuzz_nofree(void * area) {
+    fprintf(logfile, "free\n");
+    return;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+    if (logfile == NULL) {
+        //use custom allocator to avoir reallocating at each run
+        //hs_set_scratch_allocator(fuzz_scratch_alloc, fuzz_nofree);
+        logfile = fopen("/dev/null", "wb");
+    }
+    //decompose into needle and haystack
+    const uint8_t * haystack = memchr(Data, 0, Size);
+    if (haystack == NULL) {
+        return 0;
+    }
+    haystack++;
+    Size -= (haystack - Data);
+
+    hs_database_t *database;
+    hs_compile_error_t *compile_err;
+    if (hs_compile(Data, HS_FLAG_DOTALL, HS_MODE_BLOCK, NULL, &database,
+                   &compile_err) != HS_SUCCESS) {
+        fprintf(logfile, "ERROR: Unable to compile pattern \"%s\": %s\n",
+                Data, compile_err->message);
+        hs_free_compile_error(compile_err);
+        return 0;
+    }
+
+    if (hs_alloc_scratch(database, &scratch) != HS_SUCCESS) {
+        fprintf(logfile, "ERROR: Unable to allocate scratch space. Exiting.\n");
+        hs_free_database(database);
+        return 0;
+    }
+
+    if (hs_scan(database, haystack, Size, 0, scratch, eventHandler,
+                Data) != HS_SUCCESS) {
+        fprintf(logfile, "ERROR: Unable to scan input buffer. Exiting.\n");
+        hs_free_database(database);
+        return 0;
+    }
+
+    hs_free_database(database);
+    return 0;
+}

tools/fuzz/onefile.c

@@ -0,0 +1,52 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+//simple fuzz driver running one file
+int main(int argc, char** argv)
+{
+    FILE * fp;
+    uint8_t *Data;
+    size_t Size;
+
+    if (argc != 2) {
+        return 1;
+    }
+    //opens the file, get its size, and reads it into a buffer
+    fp = fopen(argv[1], "rb");
+    if (fp == NULL) {
+        return 2;
+    }
+    if (fseek(fp, 0L, SEEK_END) != 0) {
+        fclose(fp);
+        return 2;
+    }
+    Size = ftell(fp);
+    if (Size == (size_t) -1) {
+        fclose(fp);
+        return 2;
+    }
+    if (fseek(fp, 0L, SEEK_SET) != 0) {
+        fclose(fp);
+        return 2;
+    }
+    Data = malloc(Size);
+    if (Data == NULL) {
+        fclose(fp);
+        return 2;
+    }
+    if (fread(Data, Size, 1, fp) != 1) {
+        fclose(fp);
+        free(Data);
+        return 2;
+    }
+
+    //lauch fuzzer
+    LLVMFuzzerTestOneInput(Data, Size);
+    free(Data);
+    fclose(fp);
+    return 0;
+}
+