[PATCH] D110920: [libFuzzer] Use octal instead of hex escape sequences in PrintASCII

Hans Wennborg via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Oct 1 04:53:36 PDT 2021 

hans created this revision.
hans added reviewers: kcc, morehouse.
hans requested review of this revision.
Herald added a project: Sanitizers.
Herald added a subscriber: Sanitizers.

Previously, PrintASCII would print the string "\ta" as "\x09a". However, in C/C++ those strings are not the same: the trailing 'a' is part of the escape sequence, which means it's equivalent to "\x9a". This is an annoying quirk of the standard. (See https://eel.is/c++draft/lex.ccon#nt:hexadecimal-escape-sequence)

To fix this, output three-digit octal escape sequences instead. Since octal escapes are limited to max three digits, this avoids the problem of subsequent characters unintentionally becoming part of the escape sequence.

Dictionary files still use the non-C-compatible hex escapes, but I believe we can't change the format since it comes from AFL, and libfuzzer never writes such files, it only has to read them, so they're not affected by this change.

(One alternative, which might be nice since hex sequences are more readable, would be to use hex sequences when the following character is not a valid hex digit. It would add some complexity though, and we'd still need the octals as a fallback, so not sure if it would be worth it.)


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D110920

Files:
  compiler-rt/lib/fuzzer/FuzzerIO.cpp
  compiler-rt/lib/fuzzer/FuzzerIO.h
  compiler-rt/lib/fuzzer/FuzzerUtil.cpp
  compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp


Index: compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp
===================================================================
--- compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp
+++ compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp
@@ -591,6 +591,42 @@
   EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));
 }
 
+#ifdef __GLIBC__
+class PrintfCapture {
+ public:
+  PrintfCapture() {
+    OldOutputFile = GetOutputFile();
+    SetOutputFile(open_memstream(&Buffer, &Size));
+  }
+  ~PrintfCapture() {
+    fclose(GetOutputFile());
+    SetOutputFile(OldOutputFile);
+    free(Buffer);
+  }
+  std::string str() { return std::string(Buffer, Size); }
+
+ private:
+  char *Buffer;
+  size_t Size;
+  FILE *OldOutputFile;
+};
+
+TEST(FuzzerUtil, PrintASCII) {
+  auto f = [](const char *Str, const char *PrintAfter = "") {
+    PrintfCapture Capture;
+    PrintASCII(reinterpret_cast<const uint8_t*>(Str), strlen(Str), PrintAfter);
+    return Capture.str();
+  };
+  EXPECT_EQ("hello", f("hello"));
+  EXPECT_EQ("c:\\\\", f("c:\\"));
+  EXPECT_EQ("\\\"hi\\\"", f("\"hi\""));
+  EXPECT_EQ("\\011a", f("\ta"));
+  EXPECT_EQ("\\0111", f("\t1"));
+  EXPECT_EQ("hello\\012", f("hello\n"));
+  EXPECT_EQ("hello\n", f("hello", "\n"));
+}
+#endif
+
 TEST(Corpus, Distribution) {
   DataFlowTrace DFT;
   Random Rand(0);
Index: compiler-rt/lib/fuzzer/FuzzerUtil.cpp
===================================================================
--- compiler-rt/lib/fuzzer/FuzzerUtil.cpp
+++ compiler-rt/lib/fuzzer/FuzzerUtil.cpp
@@ -43,7 +43,7 @@
   else if (Byte >= 32 && Byte < 127)
     Printf("%c", Byte);
   else
-    Printf("\\x%02x", Byte);
+    Printf("\\%03o", Byte);
 }
 
 void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter) {
Index: compiler-rt/lib/fuzzer/FuzzerIO.h
===================================================================
--- compiler-rt/lib/fuzzer/FuzzerIO.h
+++ compiler-rt/lib/fuzzer/FuzzerIO.h
@@ -54,6 +54,10 @@
 
 void CloseStdout();
 
+// For testing.
+FILE *GetOutputFile();
+void SetOutputFile(FILE *NewOutputFile);
+
 void Printf(const char *Fmt, ...);
 void VPrintf(bool Verbose, const char *Fmt, ...);
 
Index: compiler-rt/lib/fuzzer/FuzzerIO.cpp
===================================================================
--- compiler-rt/lib/fuzzer/FuzzerIO.cpp
+++ compiler-rt/lib/fuzzer/FuzzerIO.cpp
@@ -23,6 +23,14 @@
 
 static FILE *OutputFile = stderr;
 
+FILE *GetOutputFile() {
+  return OutputFile;
+}
+
+void SetOutputFile(FILE *NewOutputFile) {
+  OutputFile = NewOutputFile;
+}
+
 long GetEpoch(const std::string &Path) {
   struct stat St;
   if (stat(Path.c_str(), &St))


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D110920.376476.patch
Type: text/x-patch
Size: 2620 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20211001/a273ef3a/attachment.bin>

More information about the llvm-commits mailing list