Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / honggfuzz / 623f4eb6ae6ea1791b0bac4207ba815a7eba2df0 / . / mangle.c
blob: 6399c8829f620be826ddb14f09923d07e16b4b1e [file] [log] [blame]
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]1/*
2 *
3 * honggfuzz - buffer mangling routines
4 * -----------------------------------------
5 *
6 * Author:
7 * Robert Swiecki <swiecki@google.com>
8 *
9 * Copyright 2010-2015 by Google Inc. All Rights Reserved.
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License. You may obtain
13 * a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS,
19 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
20 * implied. See the License for the specific language governing
21 * permissions and limitations under the License.
22 *
23 */
24
25#include "common.h"
26#include "mangle.h"
27
28#include <inttypes.h>
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]29#include <math.h>
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]30#include <stdlib.h>
31#include <string.h>
robert.swiecki@gmail.come7680522015-02-22 22:22:37 +0000[diff] [blame]32#include <sys/mman.h>
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]33#include <unistd.h>
34
35#include "log.h"
36#include "util.h"
37
Robert Swieckie6389e22015-11-25 15:13:38 +0100[diff] [blame]38static inline void mangle_Overwrite(uint8_t * dst, const uint8_t * src, size_t dstSz, size_t off,
39 size_t sz)
robert.swiecki@gmail.com1c555c72015-02-22 16:25:54 +0000[diff] [blame]40{
41 size_t maxToCopy = dstSz - off;
42 if (sz > maxToCopy) {
43 sz = maxToCopy;
44 }
45
robert.swiecki@gmail.com50e1f3b2015-02-23 17:32:11 +0000[diff] [blame]46 memcpy(&dst[off], src, sz);
robert.swiecki@gmail.com1c555c72015-02-22 16:25:54 +0000[diff] [blame]47}
48
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]49static void mangle_Byte(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz UNUSED, size_t off)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]50{
51 buf[off] = (uint8_t) util_rndGet(0, UINT8_MAX);
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]52}
53
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]54static void mangle_Bytes(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.com457ca142015-02-22 14:59:34 +0000[diff] [blame]55{
56 uint32_t val = (uint32_t) util_rndGet(0, UINT32_MAX);
57
robert.swiecki@gmail.com12e75062015-02-22 15:01:21 +0000[diff] [blame]58 /* Overwrite with random 2,3,4-byte values */
59 size_t toCopy = util_rndGet(2, 4);
robert.swiecki@gmail.combcdeaea2015-02-23 17:36:54 +0000[diff] [blame]60 mangle_Overwrite(buf, (uint8_t *) & val, bufSz, off, toCopy);
robert.swiecki@gmail.com457ca142015-02-22 14:59:34 +0000[diff] [blame]61}
62
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]63static void mangle_Bit(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz UNUSED, size_t off)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]64{
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]65 buf[off] ^= (uint8_t) (1U << util_rndGet(0, 7));
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]66}
67
Robert Swiecki531438a2016-09-13 19:05:11 +0200[diff] [blame]68static void mangle_Dictionary(honggfuzz_t * hfuzz, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.com4f1124f2015-04-21 17:12:22 +0000[diff] [blame]69{
70 if (hfuzz->dictionaryCnt == 0) {
tlogic@gmail.com7b6d7ee2015-04-23 21:30:12 +0000[diff] [blame]71 mangle_Bit(hfuzz, buf, bufSz, off);
72 return;
robert.swiecki@gmail.com4f1124f2015-04-21 17:12:22 +0000[diff] [blame]73 }
74
75 uint64_t choice = util_rndGet(0, hfuzz->dictionaryCnt - 1);
Robert Swiecki531438a2016-09-13 19:05:11 +0200[diff] [blame]76
Robert Swiecki3a572262016-10-04 01:48:34 +0200[diff] [blame]77 struct strings_t *str = TAILQ_FIRST(&hfuzz->dictq);
Robert Swiecki531438a2016-09-13 19:05:11 +0200[diff] [blame]78 for (uint64_t i = 0; i < choice; i++) {
79 str = TAILQ_NEXT(str, pointers);
80 }
81
Jaggerc64c9eb2016-09-22 04:04:34 +0200[diff] [blame]82 mangle_Overwrite(buf, (uint8_t *) str->s, bufSz, off, str->len);
robert.swiecki@gmail.com4f1124f2015-04-21 17:12:22 +0000[diff] [blame]83}
84
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]85static void mangle_Magic(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]86{
robert.swiecki@gmail.com4be26672015-03-05 03:36:50 +0000[diff] [blame]87 /* *INDENT-OFF* */
robert.swiecki@gmail.com3d928f12015-04-15 14:43:21 +0000[diff] [blame]88 static const struct {
Anestis Bechtsoudis4799a9d2015-12-20 15:44:26 +0200[diff] [blame]89 const uint8_t val[8];
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]90 const size_t size;
Anestis Bechtsoudis4799a9d2015-12-20 15:44:26 +0200[diff] [blame]91 } mangleMagicVals[] = {
Anestis Bechtsoudis51c9bb12015-08-26 14:46:21 +0300[diff] [blame]92 /* 1B - No endianness */
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]93 { "\x00\x00\x00\x00\x00\x00\x00\x00", 1},
94 { "\x01\x00\x00\x00\x00\x00\x00\x00", 1},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]95 { "\x02\x00\x00\x00\x00\x00\x00\x00", 1},
96 { "\x03\x00\x00\x00\x00\x00\x00\x00", 1},
97 { "\x04\x00\x00\x00\x00\x00\x00\x00", 1},
Robert Swiecki4cdf5d02016-07-26 16:09:02 +0200[diff] [blame]98 { "\x08\x00\x00\x00\x00\x00\x00\x00", 1},
99 { "\x0C\x00\x00\x00\x00\x00\x00\x00", 1},
100 { "\x10\x00\x00\x00\x00\x00\x00\x00", 1},
101 { "\x20\x00\x00\x00\x00\x00\x00\x00", 1},
102 { "\x40\x00\x00\x00\x00\x00\x00\x00", 1},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]103 { "\x7E\x00\x00\x00\x00\x00\x00\x00", 1},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]104 { "\x7F\x00\x00\x00\x00\x00\x00\x00", 1},
105 { "\x80\x00\x00\x00\x00\x00\x00\x00", 1},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]106 { "\x81\x00\x00\x00\x00\x00\x00\x00", 1},
Robert Swiecki4cdf5d02016-07-26 16:09:02 +0200[diff] [blame]107 { "\xC0\x00\x00\x00\x00\x00\x00\x00", 1},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]108 { "\xFE\x00\x00\x00\x00\x00\x00\x00", 1},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]109 { "\xFF\x00\x00\x00\x00\x00\x00\x00", 1},
110 /* 2B - NE */
111 { "\x00\x00\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.com1ba76192015-02-22 15:45:49 +0000[diff] [blame]112 { "\x01\x01\x00\x00\x00\x00\x00\x00", 2},
113 { "\x80\x80\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]114 { "\xFF\xFF\x00\x00\x00\x00\x00\x00", 2},
115 /* 2B - BE */
116 { "\x00\x01\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]117 { "\x00\x02\x00\x00\x00\x00\x00\x00", 2},
118 { "\x00\x03\x00\x00\x00\x00\x00\x00", 2},
119 { "\x00\x04\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]120 { "\x7E\xFF\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]121 { "\x7F\xFF\x00\x00\x00\x00\x00\x00", 2},
122 { "\x80\x00\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]123 { "\x80\x01\x00\x00\x00\x00\x00\x00", 2},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]124 { "\xFF\xFE\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]125 /* 2B - LE */
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]126 { "\x01\x00\x00\x00\x00\x00\x00\x00", 2},
127 { "\x02\x00\x00\x00\x00\x00\x00\x00", 2},
128 { "\x03\x00\x00\x00\x00\x00\x00\x00", 2},
129 { "\x04\x00\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]130 { "\xFF\x7E\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]131 { "\xFF\x7F\x00\x00\x00\x00\x00\x00", 2},
132 { "\x00\x80\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]133 { "\x01\x80\x00\x00\x00\x00\x00\x00", 2},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]134 { "\xFE\xFF\x00\x00\x00\x00\x00\x00", 2},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]135 /* 4B - NE */
136 { "\x00\x00\x00\x00\x00\x00\x00\x00", 4},
robert.swiecki@gmail.com1ba76192015-02-22 15:45:49 +0000[diff] [blame]137 { "\x01\x01\x01\x01\x00\x00\x00\x00", 4},
138 { "\x80\x80\x80\x80\x00\x00\x00\x00", 4},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]139 { "\xFF\xFF\xFF\xFF\x00\x00\x00\x00", 4},
140 /* 4B - BE */
141 { "\x00\x00\x00\x01\x00\x00\x00\x00", 4},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]142 { "\x00\x00\x00\x02\x00\x00\x00\x00", 4},
143 { "\x00\x00\x00\x03\x00\x00\x00\x00", 4},
144 { "\x00\x00\x00\x04\x00\x00\x00\x00", 4},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]145 { "\x7E\xFF\xFF\xFF\x00\x00\x00\x00", 4},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]146 { "\x7F\xFF\xFF\xFF\x00\x00\x00\x00", 4},
147 { "\x80\x00\x00\x00\x00\x00\x00\x00", 4},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]148 { "\x80\x00\x00\x01\x00\x00\x00\x00", 4},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]149 { "\xFF\xFF\xFF\xFE\x00\x00\x00\x00", 4},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]150 /* 4B - LE */
151 { "\x01\x00\x00\x00\x00\x00\x00\x00", 4},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]152 { "\x02\x00\x00\x00\x00\x00\x00\x00", 4},
153 { "\x03\x00\x00\x00\x00\x00\x00\x00", 4},
154 { "\x04\x00\x00\x00\x00\x00\x00\x00", 4},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]155 { "\xFF\xFF\xFF\x7E\x00\x00\x00\x00", 4},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]156 { "\xFF\xFF\xFF\x7F\x00\x00\x00\x00", 4},
157 { "\x00\x00\x00\x80\x00\x00\x00\x00", 4},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]158 { "\x01\x00\x00\x80\x00\x00\x00\x00", 4},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]159 { "\xFE\xFF\xFF\xFF\x00\x00\x00\x00", 4},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]160 /* 8B - NE */
161 { "\x00\x00\x00\x00\x00\x00\x00\x00", 8},
robert.swiecki@gmail.com1ba76192015-02-22 15:45:49 +0000[diff] [blame]162 { "\x01\x01\x01\x01\x01\x01\x01\x01", 8},
163 { "\x80\x80\x80\x80\x80\x80\x80\x80", 8},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]164 { "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
165 /* 8B - BE */
166 { "\x00\x00\x00\x00\x00\x00\x00\x01", 8},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]167 { "\x00\x00\x00\x00\x00\x00\x00\x02", 8},
168 { "\x00\x00\x00\x00\x00\x00\x00\x03", 8},
169 { "\x00\x00\x00\x00\x00\x00\x00\x04", 8},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]170 { "\x7E\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]171 { "\x7F\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
172 { "\x80\x00\x00\x00\x00\x00\x00\x00", 8},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]173 { "\x80\x00\x00\x00\x00\x00\x00\x01", 8},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]174 { "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE", 8},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]175 /* 8B - LE */
176 { "\x01\x00\x00\x00\x00\x00\x00\x00", 8},
robert.swiecki@gmail.combe554fb2015-02-23 00:31:53 +0000[diff] [blame]177 { "\x02\x00\x00\x00\x00\x00\x00\x00", 8},
178 { "\x03\x00\x00\x00\x00\x00\x00\x00", 8},
179 { "\x04\x00\x00\x00\x00\x00\x00\x00", 8},
robert.swiecki@gmail.com03e70392015-03-01 03:53:11 +0000[diff] [blame]180 { "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7E", 8},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]181 { "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7F", 8},
182 { "\x00\x00\x00\x00\x00\x00\x00\x80", 8},
robert.swiecki@gmail.com395278b2015-02-28 22:48:53 +0000[diff] [blame]183 { "\x01\x00\x00\x00\x00\x00\x00\x80", 8},
Robert Swiecki61cbed82016-03-10 15:32:07 +0100[diff] [blame]184 { "\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]185 };
robert.swiecki@gmail.com4be26672015-03-05 03:36:50 +0000[diff] [blame]186 /* *INDENT-ON* */
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]187
188 uint64_t choice = util_rndGet(0, ARRAYSIZE(mangleMagicVals) - 1);
robert.swiecki@gmail.combcdeaea2015-02-23 17:36:54 +0000[diff] [blame]189 mangle_Overwrite(buf, mangleMagicVals[choice].val, bufSz, off, mangleMagicVals[choice].size);
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]190}
191
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]192static void mangle_MemSet(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.com89cc38c2015-02-23 02:52:08 +0000[diff] [blame]193{
194 uint64_t sz = util_rndGet(1, bufSz - off);
195 int val = (int)util_rndGet(0, UINT8_MAX);
196
197 memset(&buf[off], val, sz);
198}
199
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]200static void mangle_MemMove(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]201{
robert.swiecki@gmail.comb7779612015-02-22 14:51:17 +0000[diff] [blame]202 uint64_t mangleTo = util_rndGet(0, bufSz - 1);
robert.swiecki@gmail.com8c3e0f22015-02-22 16:32:16 +0000[diff] [blame]203 uint64_t mangleSzTo = bufSz - mangleTo;
robert.swiecki@gmail.com0a7eabe2015-02-22 14:47:45 +0000[diff] [blame]204
robert.swiecki@gmail.come8555c22015-02-22 14:49:22 +0000[diff] [blame]205 uint64_t mangleSzFrom = util_rndGet(1, bufSz - off);
robert.swiecki@gmail.com0a7eabe2015-02-22 14:47:45 +0000[diff] [blame]206 uint64_t mangleSz = mangleSzFrom < mangleSzTo ? mangleSzFrom : mangleSzTo;
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]207
208 memmove(&buf[mangleTo], &buf[off], mangleSz);
209}
210
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]211static void mangle_Random(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.com89cc38c2015-02-23 02:52:08 +0000[diff] [blame]212{
213 uint64_t sz = util_rndGet(1, bufSz - off);
214 util_rndBuf(&buf[off], sz);
215}
216
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]217static void mangle_AddSub(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz, size_t off)
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]218{
219 /* 1,2,4 */
220 uint64_t varLen = 1ULL << util_rndGet(0, 2);
221 if ((bufSz - off) < varLen) {
robert.swiecki@gmail.com57197642015-03-01 15:39:30 +0000[diff] [blame]222 varLen = 1;
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]223 }
224
225 int delta = (int)util_rndGet(0, 64);
226 delta -= 32;
227
228 switch (varLen) {
229 case 1:
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]230 {
231 buf[off] += delta;
232 return;
233 break;
234 }
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]235 case 2:
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]236 {
237 uint16_t val = *((uint16_t *) & buf[off]);
238 if (util_rndGet(0, 1) == 0) {
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]239 val += delta;
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]240 } else {
Jaggerd0b147f2016-04-04 22:49:24 +0200[diff] [blame]241 /* Foreign endianess */
242 val = __builtin_bswap16(val);
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]243 val += delta;
Jaggerd0b147f2016-04-04 22:49:24 +0200[diff] [blame]244 val = __builtin_bswap16(val);
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]245 }
246 mangle_Overwrite(buf, (uint8_t *) & val, bufSz, off, varLen);
247 return;
248 break;
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]249 }
250 case 4:
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]251 {
252 uint32_t val = *((uint32_t *) & buf[off]);
253 if (util_rndGet(0, 1) == 0) {
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]254 val += delta;
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]255 } else {
Jaggerd0b147f2016-04-04 22:49:24 +0200[diff] [blame]256 /* Foreign endianess */
257 val = __builtin_bswap32(val);
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]258 val += delta;
Jaggerd0b147f2016-04-04 22:49:24 +0200[diff] [blame]259 val = __builtin_bswap32(val);
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]260 }
261 mangle_Overwrite(buf, (uint8_t *) & val, bufSz, off, varLen);
262 return;
263 break;
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]264 }
265 default:
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]266 {
Anestis Bechtsoudis07e14ce2015-12-30 14:15:42 +0200[diff] [blame]267 LOG_F("Unknown variable length size: %" PRIu64, varLen);
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame]268 break;
269 }
robert.swiecki@gmail.com549ff182015-02-28 22:38:00 +0000[diff] [blame]270 }
271}
272
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]273static void mangle_IncByte(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz UNUSED,
274 size_t off)
robert.swiecki@gmail.com78973ed2015-03-01 03:57:18 +0000[diff] [blame]275{
276 buf[off] += (uint8_t) 1UL;
robert.swiecki@gmail.com78973ed2015-03-01 03:57:18 +0000[diff] [blame]277}
278
Anestis Bechtsoudis2ff92d12015-12-20 15:33:20 +0200[diff] [blame]279static void mangle_DecByte(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz UNUSED,
280 size_t off)
robert.swiecki@gmail.com78973ed2015-03-01 03:57:18 +0000[diff] [blame]281{
282 buf[off] -= (uint8_t) 1UL;
robert.swiecki@gmail.com78973ed2015-03-01 03:57:18 +0000[diff] [blame]283}
284
Jagger28a59772016-09-26 01:50:09 +0200[diff] [blame]285static void mangle_RepeatByte(honggfuzz_t * hfuzz UNUSED, uint8_t * buf, size_t bufSz UNUSED,
286 size_t off)
287{
288 if ((off + 1) < bufSz) {
289 buf[off + 1] = buf[off];
290 }
291}
292
Robert Swieckia96d78d2016-03-14 16:50:50 +0100[diff] [blame]293void mangle_mangleContent(honggfuzz_t * hfuzz, fuzzer_t * fuzzer)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]294{
robert.swiecki@gmail.com4be26672015-03-05 03:36:50 +0000[diff] [blame]295 /* *INDENT-OFF* */
Robert Swieckie6389e22015-11-25 15:13:38 +0100[diff] [blame]296 static void (*const mangleFuncs[]) (honggfuzz_t * hfuzz, uint8_t * buf, size_t bufSz, size_t off) = {
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]297 mangle_Byte,
robert.swiecki@gmail.com17ee6762015-02-22 15:19:31 +0000[diff] [blame]298 mangle_Byte,
299 mangle_Byte,
300 mangle_Byte,
robert.swiecki@gmail.com17ee6762015-02-22 15:19:31 +0000[diff] [blame]301 mangle_Bit,
302 mangle_Bit,
Jagger68d4c362016-09-07 03:16:37 +0200[diff] [blame]303 mangle_Bit,
304 mangle_Bit,
robert.swiecki@gmail.com17ee6762015-02-22 15:19:31 +0000[diff] [blame]305 mangle_Bytes,
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]306 mangle_Magic,
robert.swiecki@gmail.com87e72752015-03-03 16:15:59 +0000[diff] [blame]307 mangle_IncByte,
robert.swiecki@gmail.com87e72752015-03-03 16:15:59 +0000[diff] [blame]308 mangle_DecByte,
309 mangle_AddSub,
robert.swiecki@gmail.com4f1124f2015-04-21 17:12:22 +0000[diff] [blame]310 mangle_Dictionary,
robert.swiecki@gmail.com89cc38c2015-02-23 02:52:08 +0000[diff] [blame]311 mangle_MemMove,
312 mangle_MemSet,
robert.swiecki@gmail.com50e1f3b2015-02-23 17:32:11 +0000[diff] [blame]313 mangle_Random,
Jagger28a59772016-09-26 01:50:09 +0200[diff] [blame]314 mangle_RepeatByte,
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]315 };
robert.swiecki@gmail.com4be26672015-03-05 03:36:50 +0000[diff] [blame]316 /* *INDENT-ON* */
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]317
318 /*
319 * Minimal number of changes is 1
320 */
Robert Swieckia96d78d2016-03-14 16:50:50 +0100[diff] [blame]321 uint64_t changesCnt = fuzzer->dynamicFileSz * fuzzer->flipRate;
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]322 if (changesCnt == 0ULL) {
323 changesCnt = 1;
324 }
325 changesCnt = util_rndGet(1, changesCnt);
326
327 for (uint64_t x = 0; x < changesCnt; x++) {
Robert Swieckia96d78d2016-03-14 16:50:50 +0100[diff] [blame]328 size_t offset = util_rndGet(0, fuzzer->dynamicFileSz - 1);
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]329 uint64_t choice = util_rndGet(0, ARRAYSIZE(mangleFuncs) - 1);
Robert Swieckia96d78d2016-03-14 16:50:50 +0100[diff] [blame]330 mangleFuncs[choice] (hfuzz, fuzzer->dynamicFile, fuzzer->dynamicFileSz, offset);
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]331 }
332}
333
robert.swiecki@gmail.comf891cad2015-02-25 12:21:04 +0000[diff] [blame]334static double mangle_ExpDist(void)
robert.swiecki@gmail.com61b02a52015-02-23 01:14:18 +0000[diff] [blame]335{
robert.swiecki@gmail.comf891cad2015-02-25 12:21:04 +0000[diff] [blame]336 double rnd = (double)util_rndGet(1, UINT32_MAX) / (double)(UINT32_MAX);
robert.swiecki@gmail.comedbca382015-02-26 14:21:19 +0000[diff] [blame]337 return pow(rnd, 4.0L);
robert.swiecki@gmail.com61b02a52015-02-23 01:14:18 +0000[diff] [blame]338}
339
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]340/* Gauss-like distribution */
robert.swiecki@gmail.comace40862015-03-08 07:09:56 +0000[diff] [blame]341bool mangle_Resize(honggfuzz_t * hfuzz, uint8_t * buf, size_t * bufSz)
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]342{
Jaggerf08d14c2016-03-15 22:36:55 +0100[diff] [blame]343 static const uint64_t chance_one_in_x = 5;
robert.swiecki@gmail.come7680522015-02-22 22:22:37 +0000[diff] [blame]344 if (util_rndGet(1, chance_one_in_x) != 1) {
345 return true;
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]346 }
robert.swiecki@gmail.comf891cad2015-02-25 12:21:04 +0000[diff] [blame]347 ssize_t newSz = *bufSz;
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]348 int delta = 0;
robert.swiecki@gmail.coma56173d2015-02-26 00:46:24 +0000[diff] [blame]349 unsigned int val = (unsigned int)util_rndGet(1, 64);
Anestis Bechtsoudisccdf28c2016-01-10 15:04:22 +0200[diff] [blame]350
351 /* *INDENT-OFF* */
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]352 switch (val) {
robert.swiecki@gmail.coma56173d2015-02-26 00:46:24 +0000[diff] [blame]353 case 1 ... 16:
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]354 delta = -val;
355 break;
robert.swiecki@gmail.coma56173d2015-02-26 00:46:24 +0000[diff] [blame]356 case 17 ... 32:
357 delta = val - 16;
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]358 break;
robert.swiecki@gmail.coma56173d2015-02-26 00:46:24 +0000[diff] [blame]359 case 33 ... 48:
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]360 delta += (int)(mangle_ExpDist() * (double)((hfuzz->maxFileSz - *bufSz)));
361 break;
robert.swiecki@gmail.coma56173d2015-02-26 00:46:24 +0000[diff] [blame]362 case 49 ... 64:
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]363 delta -= (int)(mangle_ExpDist() * (double)(*bufSz));
364 break;
365 default:
Robert Swieckic8c32db2015-10-09 18:06:22 +0200[diff] [blame]366 LOG_F("Random value out of scope %u", val);
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]367 break;
368 }
Anestis Bechtsoudisccdf28c2016-01-10 15:04:22 +0200[diff] [blame]369 /* *INDENT-ON* */
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]370
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]371 newSz += delta;
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]372
robert.swiecki@gmail.com59526032015-02-23 17:10:29 +0000[diff] [blame]373 if (newSz < 1) {
374 newSz = 1;
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]375 }
robert.swiecki@gmail.com1c246502015-02-25 13:47:27 +0000[diff] [blame]376 if (newSz > (ssize_t) hfuzz->maxFileSz) {
377 newSz = (ssize_t) hfuzz->maxFileSz;
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]378 }
379
robert.swiecki@gmail.comace40862015-03-08 07:09:56 +0000[diff] [blame]380 if ((size_t) newSz > *bufSz) {
381 util_rndBuf(&buf[*bufSz], newSz - *bufSz);
382 }
383
Robert Swieckic8c32db2015-10-09 18:06:22 +0200[diff] [blame]384 LOG_D("Current size: %zu, Maximal size: %zu, New Size: %zu, Delta: %d", *bufSz,
385 hfuzz->maxFileSz, newSz, delta);
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]386
robert.swiecki@gmail.com173f5192015-02-23 00:06:47 +0000[diff] [blame]387 *bufSz = (size_t) newSz;
robert.swiecki@gmail.come7680522015-02-22 22:22:37 +0000[diff] [blame]388 return true;
robert.swiecki@gmail.coma3e014e2015-02-22 14:33:46 +0000[diff] [blame]389}