From 62e7bdd22a95b92d04e61f93b6aea4d95a5030fd Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Thu, 16 Feb 2023 11:23:44 -0800 Subject: [PATCH] [libc] use vars in string to num fuzz targets The string to integer and string to float standalone fuzz targets just ran the functions and didn't do anything with the output. This was intentional, since they are intended to be used with sanitizers to detect buffer overflow bugs. Not using the variables was causing compile warnings, so this patch adds trivial checks to use the variables. Reviewed By: sivachandra, lntue Differential Revision: https://reviews.llvm.org/D144208 --- libc/fuzzing/stdlib/strtofloat_fuzz.cpp | 18 +++++++++++++++--- libc/fuzzing/stdlib/strtointeger_fuzz.cpp | 10 ++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp index 209d3ee9b3e7..3366c5c64dda 100644 --- a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp +++ b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp @@ -13,6 +13,7 @@ #include "src/stdlib/strtod.h" #include "src/stdlib/strtof.h" #include "src/stdlib/strtold.h" +#include #include #include @@ -30,10 +31,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { char *out_ptr = nullptr; - // This fuzzer only checks that the alrogithms didn't read beyond the end of + // This fuzzer only checks that the algorithms didn't read beyond the end of // the string in container. Combined with sanitizers, this will check that the - // code is not reading memory beyond what's expected. This test does not make - // any attempt to check correctness of the result. + // code is not reading memory beyond what's expected. This test does not + // effectively check the correctness of the result. auto volatile atof_output = __llvm_libc::atof(str_ptr); auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr); if (str_ptr + size < out_ptr) @@ -45,6 +46,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (str_ptr + size < out_ptr) __builtin_trap(); + // If any of the outputs are NaN + if (isnan(atof_output) || isnan(strtof_output) || isnan(strtod_output) || + isnan(strtold_output)) { + // Then all the outputs should be NaN. + // This is a trivial check meant to silence the "unused variable" warnings. + if (!isnan(atof_output) || !isnan(strtof_output) || !isnan(strtod_output) || + !isnan(strtold_output)) { + __builtin_trap(); + } + } + delete[] container; return 0; } diff --git a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp index 3880d7b5f9c7..197bee01d3a3 100644 --- a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp +++ b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp @@ -65,6 +65,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (str_ptr + container_size - 1 < out_ptr) __builtin_trap(); + // If atoi is non-zero and the base is at least 10 + if (atoi_output != 0 && base >= 10) { + // Then all of the other functions should output non-zero values as well. + // This is a trivial check meant to silence the "unused variable" warnings. + if (atol_output == 0 || atoll_output == 0 || strtol_output == 0 || + strtoll_output == 0 || strtoul_output == 0 || strtoull_output == 0) { + __builtin_trap(); + } + } + delete[] container; return 0; }