[llvm] [llvm-special-case-list-fuzzer] fix off-by-one read (PR #73888)

via llvm-commits llvm-commits at lists.llvm.org
Wed Nov 29 18:01:57 PST 2023


https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/73888

The current fuzzer relies on MemoryBuffer to hold the fuzz data. However, the fuzzer runs into an OOB instantly because the MemoryBuffer interface guarantees that "In addition to basic access to the characters in the file, this interface guarantees you can read one character past the end of the file, and that this character will read as '\0'.", which the fuzzer fails to satisfy. As such, it runs into an OOB on [this line](https://github.com/llvm/llvm-project/blob/c57ef2c69846a3f69c9d1db61055ea3b7b5100c3/llvm/lib/Support/LineIterator.cpp#L48).

Consequently, the OSS-Fuzz setup is not running, since the build is declared failing as the fuzzer fails on the first run. See here for links to build logs https://introspector.oss-fuzz.com/project-profile?project=llvm and specifically the bottom of [this build log](https://oss-fuzz-build-logs.storage.googleapis.com/log-aecaad16-9581-48fe-af4a-a7be4dd947db.txt).

This change fixes the fuzzer and should solve the OSS-Fuzz build as well.

CC @mmdriley

From dd6fd48e5ce06374bc66a5c9efececbdd69d3e81 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Thu, 30 Nov 2023 01:47:10 +0000
Subject: [PATCH] [llvm-special-case-list-fuzzer] fix off-by-one read

The current fuzzer relies on MemoryBuffer to hold the fuzz data.
However, the fuzzer currently runs into an OOB instantly because
the MemoryBuffer interface guarantees that "In addition to basic access
to the characters in the file, this interface guarantees you can read
one character past the end of the file, and that this character will
read as '\0'."
The fuzzer as written at the moment does not support this, and,
consequently, the current OSS-Fuzz setup is not running since the build
is declared failing as the fuzzer fails on the first run. See here for
links to build logs
https://introspector.oss-fuzz.com/project-profile?project=llvm

This change fixes the fuzzer and should solve the OSS-Fuzz build as
well.

Signed-off-by: David Korczynski <david at adalogics.com>
---
 .../special-case-list-fuzzer.cpp                             | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp b/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp
index aaab5f8470c9d07..0691f294fa0ea6d 100644
--- a/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp
+++ b/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp
@@ -12,8 +12,9 @@
 #include <cstdlib>
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  std::unique_ptr<llvm::MemoryBuffer> Buf = llvm::MemoryBuffer::getMemBuffer(
-      llvm::StringRef(reinterpret_cast<const char *>(Data), Size), "", false);
+  std::string Payload(reinterpret_cast<const char *>(Data), Size);
+  std::unique_ptr<llvm::MemoryBuffer> Buf =
+      llvm::MemoryBuffer::getMemBuffer(Payload);
 
   if (!Buf)
     return 0;
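Review bot: the intermediate `std::string Payload` ties the buffer's backing storage to a local whose lifetime is separate from `Buf`; `llvm::MemoryBuffer::getMemBufferCopy(llvm::StringRef(reinterpret_cast<const char *>(Data), Size))` would allocate the null-terminated copy inside the MemoryBuffer itself and drop the extra variable. As written the hunk is still correct: `std::string` guarantees `data()[size()] == '\0'`, which is exactly what the default `RequiresNullTerminator = true` now asserts in `getMemBuffer` (the removed call passed `false`, which only silenced that assertion and did nothing to stop `LineIterator` from reading the byte past the end), and `Buf` is declared after `Payload`, so it is destroyed first and never outlives the storage it points into. The `if (!Buf) return 0;` that follows is dead for either call, since neither `getMemBuffer` nor `getMemBufferCopy` returns null; consider dropping it or leaving a comment that it is purely defensive.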



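The off-by-one described above comes from a contract, not from a bug in MemoryBuffer: code built on it may read the byte just past the end and expects '\0' there, so a fuzz harness must hand it storage that honours that. The following is an added, self-contained illustration of that contract and of the std::string wrapping the patch uses; it is not LLVM code, and `SatisfiesNullTerminatorContract`, `SplitLines` and `SplitFuzzInput` are this example's own stand-ins for `getMemBuffer`'s assertion, `LineIterator`, and the fuzzer entry point respectively.

```cpp
// Added example (not LLVM's code): models MemoryBuffer's "one byte past the
// end reads as '\0'" contract with a tiny line splitter, and shows why raw
// fuzz bytes must be copied into null-terminated storage before they reach
// code that relies on that contract.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Stand-in for the check llvm::MemoryBuffer::getMemBuffer asserts when
// RequiresNullTerminator is true (the default): the byte just past the end
// of the data must be '\0'. Name and signature are this example's own.
bool SatisfiesNullTerminatorContract(const char *Data, size_t Size) {
  return Data[Size] == '\0';
}

// A minimal line splitter written the way LineIterator-style code is: it
// scans for '\n' or the terminating '\0' instead of comparing against Size
// on every byte, so it deliberately reads exactly one byte past the end.
// Handed an exactly-sized buffer with no terminator after it, that read is
// the out-of-bounds access the fuzzer tripped over.
std::vector<std::string> SplitLines(const char *Data, size_t Size) {
  std::vector<std::string> Lines;
  const char *Cur = Data;
  const char *End = Data + Size;
  while (Cur < End) {
    const char *LineEnd = Cur;
    // Relies on *End == '\0' to stop without a bounds check.
    while (*LineEnd != '\n' && *LineEnd != '\0')
      ++LineEnd;
    Lines.emplace_back(Cur, static_cast<size_t>(LineEnd - Cur));
    Cur = LineEnd + 1; // step over the '\n' (or move past End and stop)
  }
  return Lines;
}

// What the fixed fuzzer does: copy the raw bytes into a std::string, which
// guarantees data()[size()] == '\0' (C++11 onwards), so the contract holds
// no matter how the fuzzing engine allocated Data. Returns no lines if the
// contract check fails, which it cannot for a std::string.
std::vector<std::string> SplitFuzzInput(const uint8_t *Data, size_t Size) {
  std::string Payload(reinterpret_cast<const char *>(Data), Size);
  if (!SatisfiesNullTerminatorContract(Payload.data(), Payload.size()))
    return {};
  return SplitLines(Payload.data(), Payload.size());
}

int main() {
  // Constructed sample input shaped like a special-case list and with no
  // trailing newline, so the splitter must rely on the terminator byte.
  const uint8_t Sample[] = {'s', 'r', 'c', ':', '*', '\n',
                            'f', 'u', 'n', ':', 'f', 'o', 'o'};
  std::vector<std::string> Lines = SplitFuzzInput(Sample, sizeof(Sample));
  return Lines.size() == 2 ? 0 : 1;
}
```

The important detail is the order of the two locals in `SplitFuzzInput`: the std::string owns the bytes the splitter reads, so anything that keeps a pointer into it (as `Buf` does in the patched fuzzer) must be declared after it and go out of scope before it.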