ossfuzz: don't write out to stdout

Don't make the fuzzer write out to stdout - instead write some of the contents to a memory block so we exercise the data output code but quietly. Closes #1885
2024-08-13 17:03:50 -04:00 · 2017-09-11 20:00:27 +01:00 · 2017-09-11 20:00:27 +01:00 · e239eda39e
commit e239eda39e
parent 2bc230de63
2 changed files with 40 additions and 0 deletions
--- a/tests/fuzz/curl_fuzzer.cc
+++ b/tests/fuzz/curl_fuzzer.cc
@ -136,6 +136,12 @@ int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
                        fuzz_read_callback));
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_READDATA, fuzz));

+  /* Set the standard write function callback. */
+  FTRY(curl_easy_setopt(fuzz->easy,
+                        CURLOPT_WRITEFUNCTION,
+                        fuzz_write_callback));
+  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_WRITEDATA, fuzz));
+
  /* Can enable verbose mode by changing 0L to 1L */
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 0L));

@ -269,6 +275,30 @@ static size_t fuzz_read_callback(char *buffer,
  return fuzz->upload1_data_len;
 }

+/**
+ * Callback function for handling data output quietly.
+ */
+static size_t fuzz_write_callback(void *contents,
+                                  size_t size,
+                                  size_t nmemb,
+                                  void *ptr)
+{
+  size_t total = size * nmemb;
+  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
+  size_t copy_len = total;
+
+  /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
+  if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
+    copy_len = TEMP_WRITE_ARRAY_SIZE;
+  }
+
+  /* Copy bytes to the temp store just to ensure the parameters are
+     exercised. */
+  memcpy(fuzz->write_array, contents, copy_len);
+
+  return total;
+}
+
 /**
 * TLV access function - gets the first TLV from a data stream.
 */
--- a/tests/fuzz/curl_fuzzer.h
+++ b/tests/fuzz/curl_fuzzer.h
@ -46,6 +46,9 @@
 #define TLV_RC_NO_MORE_TLVS             1
 #define TLV_RC_SIZE_ERROR               2

+/* Temporary write array size */
+#define TEMP_WRITE_ARRAY_SIZE           10
+
 /**
 * Byte stream representation of the TLV header. Casting the byte stream
 * to a TLV_RAW allows us to examine the type and length.
@ -98,6 +101,9 @@ typedef struct fuzz_data
  /* Parser state */
  FUZZ_PARSE_STATE state;

+  /* Temporary writefunction state */
+  char write_array[TEMP_WRITE_ARRAY_SIZE];
+
  /* Response data and length */
  const uint8_t *rsp1_data;
  size_t rsp1_data_len;
@ -142,6 +148,10 @@ static size_t fuzz_read_callback(char *buffer,
                                 size_t size,
                                 size_t nitems,
                                 void *ptr);
+static size_t fuzz_write_callback(void *contents,
+                                  size_t size,
+                                  size_t nmemb,
+                                  void *ptr);
 int fuzz_get_first_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_next_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, TLV *tlv);