[libc-commits] [libc] 62e7bdd - [libc] use vars in string to num fuzz targets

Michael Jones via libc-commits libc-commits at lists.llvm.org
Mon Feb 27 13:21:41 PST 2023


Author: Michael Jones
Date: 2023-02-27T13:21:35-08:00
New Revision: 62e7bdd22a95b92d04e61f93b6aea4d95a5030fd

URL: https://github.com/llvm/llvm-project/commit/62e7bdd22a95b92d04e61f93b6aea4d95a5030fd
DIFF: https://github.com/llvm/llvm-project/commit/62e7bdd22a95b92d04e61f93b6aea4d95a5030fd.diff

LOG: [libc] use vars in string to num fuzz targets

The string to integer and string to float standalone fuzz targets just
ran the functions and didn't do anything with the output. This was
intentional, since they are intended to be used with sanitizers to
detect buffer overflow bugs. Not using the variables was causing compile
warnings, so this patch adds trivial checks to use the variables.

Reviewed By: sivachandra, lntue

Differential Revision: https://reviews.llvm.org/D144208

Added: 
    

Modified: 
    libc/fuzzing/stdlib/strtofloat_fuzz.cpp
    libc/fuzzing/stdlib/strtointeger_fuzz.cpp

Removed: 
    


################################################################################
diff  --git a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
index 209d3ee9b3e78..3366c5c64dda6 100644
--- a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
+++ b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
@@ -13,6 +13,7 @@
 #include "src/stdlib/strtod.h"
 #include "src/stdlib/strtof.h"
 #include "src/stdlib/strtold.h"
+#include <math.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ -30,10 +31,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   char *out_ptr = nullptr;
 
-  // This fuzzer only checks that the alrogithms didn't read beyond the end of
+  // This fuzzer only checks that the algorithms didn't read beyond the end of
   // the string in container. Combined with sanitizers, this will check that the
-  // code is not reading memory beyond what's expected. This test does not make
-  // any attempt to check correctness of the result.
+  // code is not reading memory beyond what's expected. This test does not
+  // effectively check the correctness of the result.
   auto volatile atof_output = __llvm_libc::atof(str_ptr);
   auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr);
   if (str_ptr + size < out_ptr)
@@ -45,6 +46,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (str_ptr + size < out_ptr)
     __builtin_trap();
 
+  // If any of the outputs are NaN
+  if (isnan(atof_output) || isnan(strtof_output) || isnan(strtod_output) ||
+      isnan(strtold_output)) {
+    // Then all the outputs should be NaN.
+    // This is a trivial check meant to silence the "unused variable" warnings.
+    if (!isnan(atof_output) || !isnan(strtof_output) || !isnan(strtod_output) ||
+        !isnan(strtold_output)) {
+      __builtin_trap();
+    }
+  }
+
   delete[] container;
   return 0;
 }
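Review bot: The NaN cross-check on the added lines is weaker than the relationship it could pin: `atof(s)` is specified as `strtod(s, nullptr)`, so the two values should be equal outright, not merely agree on NaN-ness, and the nested `isnan` test never verifies that. One extra line covers it, with the NaN exclusion needed because NaN compares unequal to itself: `if (!(isnan(atof_output) && isnan(strtod_output)) && atof_output != strtod_output) __builtin_trap();`. The any-NaN/all-NaN pair can also be written as the invariant it enforces, `bool any_nan = isnan(atof_output) || isnan(strtof_output) || isnan(strtod_output) || isnan(strtold_output);`, `bool all_nan = isnan(atof_output) && isnan(strtof_output) && isnan(strtod_output) && isnan(strtold_output);`, `if (any_nan != all_nan) __builtin_trap();`. Since the file's stated purpose is out-of-bounds detection under sanitizers, a comment distinguishing this trap from that one would help triage: `// A trap here means the parsers disagree on the result, not an out-of-bounds read.`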

diff  --git a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
index 3880d7b5f9c76..197bee01d3a3a 100644
--- a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
+++ b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
@@ -65,6 +65,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (str_ptr + container_size - 1 < out_ptr)
     __builtin_trap();
 
+  // If atoi is non-zero and the base is at least 10
+  if (atoi_output != 0 && base >= 10) {
+    // Then all of the other functions should output non-zero values as well.
+    // This is a trivial check meant to silence the "unused variable" warnings.
+    if (atol_output == 0 || atoll_output == 0 || strtol_output == 0 ||
+        strtoll_output == 0 || strtoul_output == 0 || strtoull_output == 0) {
+      __builtin_trap();
+    }
+  }
+
   delete[] container;
   return 0;
 }
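Review bot: The non-zero cross-check on the added lines is only sound if `base` is always a value the `strto*` family accepts; `base` is derived outside this hunk, and for any value the library rejects (above 36, presumably) every `strto*` call returns 0 while `atoi` still parses decimal digits, so the trap would fire on a rejected base rather than on a real bug — worth confirming the derivation clamps it, or tightening the condition to `base >= 10 && base <= 36`. A stronger check is available at the same cost: `atol(s)` is specified as `strtol(s, nullptr, 10)` and `atoll(s)` as `strtoll(s, nullptr, 10)`, so for `base == 10` the pairs must match exactly: `if (base == 10 && (atol_output != strtol_output || atoll_output != strtoll_output)) __builtin_trap();`. The comment should also state why overflowing inputs do not break the invariant, since that is the non-obvious part; if the library saturates rather than returning 0 on overflow (not visible in this hunk), say so in a `// On overflow the results saturate, so non-zero stays non-zero.` note, and otherwise the check needs an `ERANGE` carve-out.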


        

