1 /*
2  * Copyright 2016 Google Inc.
3  *
4  * Use of this source code is governed by a BSD-style license that can be
5  * found in the LICENSE file.
6  */
7 
8 #ifndef Fuzz_DEFINED
9 #define Fuzz_DEFINED
10 
11 #include "SkData.h"
12 #include "../tools/Registry.h"
13 #include "SkMalloc.h"
14 #include "SkTypes.h"
15 
16 #include <cmath>
17 
18 class Fuzz : SkNoncopyable {
19 public:
20     explicit Fuzz(sk_sp<SkData>);
21 
22     // Returns the total number of "random" bytes available.
23     size_t size();
24     // Returns if there are no bytes remaining for fuzzing.
25     bool exhausted();
26 
27     // next() loads fuzzed bytes into the variable passed in by pointer.
28     // We use this approach instead of T next() because different compilers
29     // evaluate function parameters in different orders. If fuzz->next()
30     // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
31     // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
32     // By requiring params to be passed in, we avoid the temptation to call
33     // next() in a way that does not consume fuzzed bytes in a single
34     // uplatform-independent order.
35     template <typename T>
36     void next(T* t);
37 
38     // This is a convenient way to initialize more than one argument at a time.
39     template <typename Arg, typename... Args>
40     void next(Arg* first, Args... rest);
41 
42     // nextRange returns values only in [min, max].
43     template <typename T, typename Min, typename Max>
44     void nextRange(T*, Min, Max);
45 
46     // nextN loads n * sizeof(T) bytes into ptr
47     template <typename T>
48     void nextN(T* ptr, int n);
49 
50     void signalBug();  // Tell afl-fuzz these inputs found a bug.
51 
52 private:
53     template <typename T>
54     T nextT();
55 
56     sk_sp<SkData> fBytes;
57     size_t fNextByte;
58 };
59 
60 // UBSAN reminds us that bool can only legally hold 0 or 1.
61 template <>
next(bool * b)62 inline void Fuzz::next(bool* b) {
63   uint8_t n;
64   this->next(&n);
65   *b = (n & 1) == 1;
66 }
67 
68 template <typename T>
next(T * n)69 inline void Fuzz::next(T* n) {
70     if ((fNextByte + sizeof(T)) > fBytes->size()) {
71         sk_bzero(n, sizeof(T));
72         memcpy(n, fBytes->bytes() + fNextByte, fBytes->size() - fNextByte);
73         fNextByte = fBytes->size();
74         return;
75     }
76     memcpy(n, fBytes->bytes() + fNextByte, sizeof(T));
77     fNextByte += sizeof(T);
78 }
79 
80 template <typename Arg, typename... Args>
next(Arg * first,Args...rest)81 inline void Fuzz::next(Arg* first, Args... rest) {
82    this->next(first);
83    this->next(rest...);
84 }
85 
86 template <>
nextRange(float * f,float min,float max)87 inline void Fuzz::nextRange(float* f, float min, float max) {
88     this->next(f);
89     if (!std::isnormal(*f) && *f != 0.0f) {
90         // Don't deal with infinity or other strange floats.
91         *f = max;
92     }
93     *f = min + std::fmod(std::abs(*f), (max - min + 1));
94 }
95 
96 template <typename T, typename Min, typename Max>
nextRange(T * n,Min min,Max max)97 inline void Fuzz::nextRange(T* n, Min min, Max max) {
98     this->next<T>(n);
99     if (min == max) {
100         *n = min;
101         return;
102     }
103     if (min > max) {
104         // Avoid misuse of nextRange
105         this->signalBug();
106     }
107     if (*n < 0) { // Handle negatives
108         if (*n != std::numeric_limits<T>::lowest()) {
109             *n *= -1;
110         }
111         else {
112             *n = std::numeric_limits<T>::max();
113         }
114     }
115     *n = min + (*n % ((size_t)max - min + 1));
116 }
117 
118 template <typename T>
nextN(T * ptr,int n)119 inline void Fuzz::nextN(T* ptr, int n) {
120    for (int i = 0; i < n; i++) {
121        this->next(ptr+i);
122    }
123 }
124 
125 struct Fuzzable {
126     const char* name;
127     void (*fn)(Fuzz*);
128 };
129 
130 #define DEF_FUZZ(name, f)                                               \
131     static void fuzz_##name(Fuzz*);                                     \
132     sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
133     static void fuzz_##name(Fuzz* f)
134 
135 #endif//Fuzz_DEFINED
136