| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 1 | /* A fuzz test for CPython. |
| 2 | |
| 3 | The only exposed function is LLVMFuzzerTestOneInput, which is called by |
| 4 | fuzzers and by the _fuzz module for smoke tests. |
| 5 | |
| 6 | To build exactly one fuzz test, as when running in oss-fuzz etc., |
| 7 | build with -D _Py_FUZZ_ONE and -D _Py_FUZZ_<test_name>. e.g. to build |
| 8 | LLVMFuzzerTestOneInput to only run "fuzz_builtin_float", build this file with |
| 9 | -D _Py_FUZZ_ONE -D _Py_FUZZ_fuzz_builtin_float. |
| 10 | |
| 11 | See the source code for LLVMFuzzerTestOneInput for details. */ |
| 12 | |
| 13 | #include <Python.h> |
| 14 | #include <stdlib.h> |
| 15 | #include <inttypes.h> |
| 16 | |
| 17 | /* Fuzz PyFloat_FromString as a proxy for float(str). */ |
| 18 | static int fuzz_builtin_float(const char* data, size_t size) { |
| 19 | PyObject* s = PyBytes_FromStringAndSize(data, size); |
| 20 | if (s == NULL) return 0; |
| 21 | PyObject* f = PyFloat_FromString(s); |
| 22 | if (PyErr_Occurred() && PyErr_ExceptionMatches(PyExc_ValueError)) { |
| 23 | PyErr_Clear(); |
| 24 | } |
| 25 | |
| 26 | Py_XDECREF(f); |
| 27 | Py_DECREF(s); |
| 28 | return 0; |
| 29 | } |
| 30 | |
| 31 | /* Fuzz PyLong_FromUnicodeObject as a proxy for int(str). */ |
| 32 | static int fuzz_builtin_int(const char* data, size_t size) { |
| 33 | /* Pick a random valid base. (When the fuzzed function takes extra |
| 34 | parameters, it's somewhat normal to hash the input to generate those |
| 35 | parameters. We want to exercise all code paths, so we do so here.) */ |
| 36 | int base = _Py_HashBytes(data, size) % 37; |
| 37 | if (base == 1) { |
| 38 | // 1 is the only number between 0 and 36 that is not a valid base. |
| 39 | base = 0; |
| 40 | } |
| 41 | if (base == -1) { |
| 42 | return 0; // An error occurred, bail early. |
| 43 | } |
| 44 | if (base < 0) { |
| 45 | base = -base; |
| 46 | } |
| 47 | |
| 48 | PyObject* s = PyUnicode_FromStringAndSize(data, size); |
| 49 | if (s == NULL) { |
| 50 | if (PyErr_ExceptionMatches(PyExc_UnicodeDecodeError)) { |
| 51 | PyErr_Clear(); |
| 52 | } |
| 53 | return 0; |
| 54 | } |
| 55 | PyObject* l = PyLong_FromUnicodeObject(s, base); |
| 56 | if (l == NULL && PyErr_ExceptionMatches(PyExc_ValueError)) { |
| 57 | PyErr_Clear(); |
| 58 | } |
| 59 | PyErr_Clear(); |
| 60 | Py_XDECREF(l); |
| 61 | Py_DECREF(s); |
| 62 | return 0; |
| 63 | } |
| 64 | |
| 65 | /* Fuzz PyUnicode_FromStringAndSize as a proxy for unicode(str). */ |
| 66 | static int fuzz_builtin_unicode(const char* data, size_t size) { |
| 67 | PyObject* s = PyUnicode_FromStringAndSize(data, size); |
| 68 | if (s == NULL && PyErr_ExceptionMatches(PyExc_UnicodeDecodeError)) { |
| 69 | PyErr_Clear(); |
| 70 | } |
| 71 | Py_XDECREF(s); |
| 72 | return 0; |
| 73 | } |
| 74 | |
| 75 | /* Run fuzzer and abort on failure. */ |
| 76 | static int _run_fuzz(const uint8_t *data, size_t size, int(*fuzzer)(const char* , size_t)) { |
| 77 | int rv = fuzzer((const char*) data, size); |
| 78 | if (PyErr_Occurred()) { |
| 79 | /* Fuzz tests should handle expected errors for themselves. |
| 80 | This is last-ditch check in case they didn't. */ |
| 81 | PyErr_Print(); |
| 82 | abort(); |
| 83 | } |
| 84 | /* Someday the return value might mean something, propagate it. */ |
| 85 | return rv; |
| 86 | } |
| 87 | |
| 88 | /* CPython generates a lot of leak warnings for whatever reason. */ |
| 89 | int __lsan_is_turned_off(void) { return 1; } |
| 90 | |
| Ammar Askar | a15a7bc | 2019-06-08 07:43:16 -0700 | [diff] [blame] | 91 | wchar_t wide_program_name[NAME_MAX]; |
| 92 | |
| 93 | int LLVMFuzzerInitialize(int *argc, char ***argv) { |
| 94 | wchar_t* wide_program_name = Py_DecodeLocale(*argv[0], NULL); |
| 95 | Py_SetProgramName(wide_program_name); |
| 96 | return 0; |
| 97 | } |
| 98 | |
| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 99 | /* Fuzz test interface. |
| 100 | This returns the bitwise or of all fuzz test's return values. |
| 101 | |
| 102 | All fuzz tests must return 0, as all nonzero return codes are reserved for |
| 103 | future use -- we propagate the return values for that future case. |
| 104 | (And we bitwise or when running multiple tests to verify that normally we |
| 105 | only return 0.) */ |
| 106 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
| 107 | if (!Py_IsInitialized()) { |
| 108 | /* LLVMFuzzerTestOneInput is called repeatedly from the same process, |
| 109 | with no separate initialization phase, sadly, so we need to |
| 110 | initialize CPython ourselves on the first run. */ |
| 111 | Py_InitializeEx(0); |
| 112 | } |
| 113 | |
| 114 | int rv = 0; |
| 115 | |
| Devin Jeanpierre | 78ebc73 | 2017-09-06 18:00:47 -0700 | [diff] [blame] | 116 | #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_fuzz_builtin_float) |
| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 117 | rv |= _run_fuzz(data, size, fuzz_builtin_float); |
| 118 | #endif |
| Devin Jeanpierre | 78ebc73 | 2017-09-06 18:00:47 -0700 | [diff] [blame] | 119 | #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_fuzz_builtin_int) |
| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 120 | rv |= _run_fuzz(data, size, fuzz_builtin_int); |
| 121 | #endif |
| Devin Jeanpierre | 78ebc73 | 2017-09-06 18:00:47 -0700 | [diff] [blame] | 122 | #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_fuzz_builtin_unicode) |
| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 123 | rv |= _run_fuzz(data, size, fuzz_builtin_unicode); |
| 124 | #endif |
| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 125 | return rv; |
| 126 | } |