tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

snappy_uncompress_fuzzer.cc (2475B)

      1 // Copyright 2019 Google Inc. All Rights Reserved.
      2 //
      3 // Redistribution and use in source and binary forms, with or without
      4 // modification, are permitted provided that the following conditions are
      5 // met:
      6 //
      7 //     * Redistributions of source code must retain the above copyright
      8 // notice, this list of conditions and the following disclaimer.
      9 //     * Redistributions in binary form must reproduce the above
     10 // copyright notice, this list of conditions and the following disclaimer
     11 // in the documentation and/or other materials provided with the
     12 // distribution.
     13 //     * Neither the name of Google Inc. nor the names of its
     14 // contributors may be used to endorse or promote products derived from
     15 // this software without specific prior written permission.
     16 //
     17 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     18 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     19 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     20 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     21 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     22 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     23 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     24 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     25 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     26 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     27 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     28 //
     29 // libFuzzer harness for fuzzing snappy's decompression code.
     30 
     31 #include <stddef.h>
     32 #include <stdint.h>
     33 
     34 #include <cassert>
     35 #include <string>
     36 
     37 #include "snappy.h"
     38 
     39 // Entry point for LibFuzzer.
     40 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     41  std::string input(reinterpret_cast<const char*>(data), size);
     42 
     43  // Avoid self-crafted decompression bombs.
     44  size_t uncompressed_size;
     45  constexpr size_t kMaxUncompressedSize = 1 << 20;
     46  bool get_uncompressed_length_succeeded = snappy::GetUncompressedLength(
     47      input.data(), input.size(), &uncompressed_size);
     48  if (!get_uncompressed_length_succeeded ||
     49      (uncompressed_size > kMaxUncompressedSize)) {
     50    return 0;
     51  }
     52 
     53  std::string uncompressed;
     54  // The return value of snappy::Uncompress() is ignored because decompression
     55  // will fail on invalid inputs.
     56  snappy::Uncompress(input.data(), input.size(), &uncompressed);
     57  return 0;
     58 }