[llvm] r280098 - [libFuzzer] fix a bug when running a single unit of N bytes with -max_len=M, M<N, caused a buffer overflow

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 30 07:52:05 PDT 2016


Author: kcc
Date: Tue Aug 30 09:52:05 2016
New Revision: 280098

URL: http://llvm.org/viewvc/llvm-project?rev=280098&view=rev
Log:
[libFuzzer] fix a bug: running a single unit of N bytes with -max_len=M, M<N, caused a buffer overflow

Modified:
    llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
    llvm/trunk/lib/Fuzzer/test/fuzzer-singleinputs.test

Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=280098&r1=280097&r2=280098&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Tue Aug 30 09:52:05 2016
@@ -250,11 +250,11 @@ static void StartRssThread(Fuzzer *F, si
   T.detach();
 }
 
-int RunOneTest(Fuzzer *F, const char *InputFilePath) {
+int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
   Unit U = FileToVector(InputFilePath);
-  Unit PreciseSizedU(U);
-  assert(PreciseSizedU.size() == PreciseSizedU.capacity());
-  F->RunOne(PreciseSizedU.data(), PreciseSizedU.size());
+  if (MaxLen && MaxLen < U.size())
+    U.resize(MaxLen);
+  F->RunOne(U.data(), U.size());
   return 0;
 }
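Review bot: The truncation on L34–L35 shrinks the vector's size but not its capacity, and the precise-sized copy the old code made (L31–L33) is dropped, so the bytes between the new Size and the original file length stay in allocated storage. Unless F->RunOne (not visible here) already copies the data into an exactly Size-byte heap buffer before calling the target, an over-read past the truncated length lands in live memory and ASan will no longer report it, which weakens the fuzzer's own bug-finding on this path. Keeping the fix and restoring the guard is two lines after the resize: `Unit PreciseSizedU(U.begin(), U.end());` followed by `F->RunOne(PreciseSizedU.data(), PreciseSizedU.size());`, ideally with the old `assert(PreciseSizedU.size() == PreciseSizedU.capacity());` kept between them. A comment on the condition would also document the sentinel: `// MaxLen == 0 means "no limit"; otherwise hand the target at most MaxLen bytes.`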
 
@@ -380,7 +380,7 @@ int FuzzerDriver(int *argc, char ***argv
       auto StartTime = system_clock::now();
       Printf("Running: %s\n", Path.c_str());
       for (int Iter = 0; Iter < Runs; Iter++)
-        RunOneTest(&F, Path.c_str());
+        RunOneTest(&F, Path.c_str(), Options.MaxLen);
       auto StopTime = system_clock::now();
       auto MS = duration_cast<milliseconds>(StopTime - StartTime).count();
       Printf("Executed %s in %zd ms\n", Path.c_str(), (long)MS);

Modified: llvm/trunk/lib/Fuzzer/test/fuzzer-singleinputs.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-singleinputs.test?rev=280098&r1=280097&r2=280098&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-singleinputs.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-singleinputs.test Tue Aug 30 09:52:05 2016
@@ -5,7 +5,8 @@ RUN: rm -rf  %tmp/SINGLE_INPUTS
 RUN: mkdir -p  %tmp/SINGLE_INPUTS
 RUN: echo aaa > %tmp/SINGLE_INPUTS/aaa
 RUN: echo bbb > %tmp/SINGLE_INPUTS/bbb
-RUN: LLVMFuzzer-SimpleTest %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
+RUN: LLVMFuzzer-SimpleTest            %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
+RUN: LLVMFuzzer-SimpleTest -max_len=2 %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
 RUN: rm -rf  %tmp/SINGLE_INPUTS
 SINGLE_INPUTS: LLVMFuzzer-SimpleTest: Running 2 inputs 1 time(s) each.
 SINGLE_INPUTS: aaa in
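Review bot: The new RUN line on L61 is checked against the same SINGLE_INPUTS prefix as the untruncated run, and neither expected line depends on how many bytes reached the target, so the test only shows that the run completes; it would still pass if the truncation were lost again, and the original overflow would only surface when the binary is built with ASan. A short comment on the RUN line would at least record the intent for the next reader, e.g. `# -max_len smaller than the input must truncate, not overflow (regression test for this fix).`. If the harness can print the unit size at higher verbosity, a CHECK on that would make the 2-byte truncation observable, but I cannot confirm such output from this hunk.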



