// Simple test for a fuzzer.
// The fuzzer must find the string "Hi!" preceded by a magic value.
// Uses UserSuppliedFuzzer, whose custom mutator ensures that the magic is present.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>

#include "FuzzerInterface.h"
// 8-byte marker every valid input must start with. TargetFunction() memcmp's
// the first sizeof(kMagic) input bytes against this object's in-memory
// representation, and Mutate() re-writes those bytes into each unit before
// mutating the rest.
static constexpr uint64_t kMagic = 8860221463604ULL;
// Fuzzer with a custom mutator that keeps a fixed magic prefix in place.
//
// TargetFunction() only looks for the "Hi!" suffix once the first
// sizeof(kMagic) bytes equal kMagic; Mutate() re-stamps that prefix before
// every mutation, so the base mutator only has to discover the three-byte
// suffix that follows it.
class MyFuzzer : public fuzzer::UserSuppliedFuzzer {
public:
  // Forwards the random source to the base fuzzer; this class adds no state.
  MyFuzzer(fuzzer::FuzzerRandomBase *Rand)
      : fuzzer::UserSuppliedFuzzer(Rand) {}

  // Target under test. An input is the target when it starts with kMagic and
  // carries 'H','i','!' at offsets 8, 9 and 10; in that case the find is
  // reported on stdout and the process exits with status 1. Every other
  // input returns 0.
  int TargetFunction(const uint8_t *Data, size_t Size) {
    // Data[10] is the last byte inspected, so anything shorter is rejected
    // before any read; a Size of at least 11 also covers the 8-byte memcmp.
    if (Size <= 10)
      return 0;
    const bool HasMagic = memcmp(Data, &kMagic, sizeof(kMagic)) == 0;
    if (!HasMagic)
      return 0;
    // Getting past the prefix check by blind mutation is hard (it would need
    // cmp tracing or similar); Mutate() keeps the prefix fixed instead.
    const bool IsTarget = Data[8] == 'H' && Data[9] == 'i' && Data[10] == '!';
    if (IsTarget) {
      std::cout << "BINGO; Found the target, exiting\n";
      exit(1);
    }
    return 0;
  }

  // Custom mutator: writes kMagic over the first sizeof(kMagic) bytes, then
  // delegates mutation of the remainder of the buffer to the base class.
  virtual size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
    constexpr size_t PrefixLen = sizeof(kMagic);
    // The prefix must fit with room left over for a mutable tail.
    assert(MaxSize > PrefixLen);
    // A unit shorter than the prefix is treated as exactly the prefix, so
    // the tail length computed below cannot underflow.
    const size_t FullSize = Size < PrefixLen ? PrefixLen : Size;
    // "Fix" the prefix first, then mutate what follows it.
    memcpy(Data, &kMagic, std::min(MaxSize, PrefixLen));
    const size_t TailSize = FullSize - PrefixLen;
    const size_t TailMax = MaxSize - PrefixLen;
    // NOTE(review): the value returned is the base mutator's size for the
    // tail only, not PrefixLen plus that value; confirm against the Mutate()
    // contract in FuzzerInterface.h whether the new total unit size is
    // expected here.
    return fuzzer::UserSuppliedFuzzer::Mutate(Data + PrefixLen, TailSize, TailMax);
  }

  // CrossOver() is inherited unchanged from the base class.
};
// Entry point: wires a libc-backed random source (seed 0) into MyFuzzer and
// hands control to the fuzzing driver, which consumes argv and runs the loop.
int main(int argc, char **argv) {
  fuzzer::FuzzerRandomLibc Rng(0);
  MyFuzzer Fuzzer(&Rng);
  fuzzer::FuzzerDriver(argc, argv, Fuzzer);
}