/*
 *  zzuf - general purpose fuzzer
 *  Copyright (c) 2006 Sam Hocevar <sam@zoy.org>
 *                All Rights Reserved
 *
 *  $Id$
 *
 *  This program is free software. It comes without any warranty, to
 *  the extent permitted by applicable law. You can redistribute it
 *  and/or modify it under the terms of the Do What The Fuck You Want
 *  To Public License, Version 2, as published by Sam Hocevar. See
 *  http://sam.zoy.org/wtfpl/COPYING for more details.
 */

/*
 *  fuzz.c: fuzz functions
 */

#include "config.h"

#if defined HAVE_STDINT_H
# include <stdint.h>
#elif defined HAVE_INTTYPES_H
# include <inttypes.h>
#endif
#include <stdio.h>
#include <string.h>

#include "libzzuf.h"
#include "debug.h"
#include "random.h"
#include "fuzz.h"

/* Arbitrary odd constants mixed into the per-chunk PRNG seed in _zz_fuzz():
 * MAGIC1 is multiplied by the chunk index and MAGIC2 by the number of bits
 * to flip, so that neighbouring chunks, and chunks with different flip
 * counts, draw their bit positions from different random streams. */
#define MAGIC1 0x33ea84f7
#define MAGIC2 0x783bc31f

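/**
 * Flip random bits, in place, in a buffer read from a fuzzed descriptor.
 *
 * @param fd   Descriptor the data came from. Used to look up the current
 *             stream position (_zz_getpos) and the per-descriptor fuzz
 *             state (_zz_getfuzz).
 * @param buf  Bytes to fuzz. buf[0] corresponds to stream offset
 *             _zz_getpos(fd).
 * @param len  Number of bytes in buf. A length of zero touches no byte.
 *
 * The stream is cut into chunks of CHUNKBYTES bytes. For each chunk a
 * CHUNKBYTES-byte XOR bitmask is derived deterministically from _zz_seed,
 * the chunk index and _zz_ratio, so a given stream offset is always fuzzed
 * the same way no matter how the reads are split up. The mask is cached in
 * fuzz->data, with fuzz->cur recording the chunk index it was built for,
 * and is only rebuilt when a different chunk is touched.
 *
 * Bytes whose original value is flagged in _zz_protect are left alone; a
 * fuzzed byte whose new value is flagged in _zz_refuse is discarded and the
 * original kept.
 *
 * Side effects: buf is modified in place, the cache in *fuzz is updated,
 * and the _zz_rand generator is reseeded whenever a mask is rebuilt.
 */
void _zz_fuzz(int fd, uint8_t *buf, uint64_t len)
{
    struct fuzz *fuzz = _zz_getfuzz(fd);
    /* Keep every offset and chunk index 64-bit: with 32-bit indices the
     * i * CHUNKBYTES arithmetic and the byte loop counter wrapped once the
     * stream position passed 4 GiB, silently fuzzing the wrong bytes. */
    uint64_t pos = _zz_getpos(fd);
    uint64_t end = pos + len;
    uint64_t first_chunk = pos / CHUNKBYTES;
    uint64_t last_chunk = (end + CHUNKBYTES - 1) / CHUNKBYTES; /* exclusive */
    uint64_t i, j;

    for (i = first_chunk; i < last_chunk; i++)
    {
        uint64_t start, stop;

        /* Rebuild the cached bitmask only when we move to another chunk */
        if (fuzz->cur != (int)i)
        {
            /* Truncating to 32 bits keeps the seed identical to the one the
             * old unsigned-int arithmetic produced for the same chunk. */
            uint32_t chunkseed = (uint32_t)i * MAGIC1;
            unsigned int todo;

            memset(fuzz->data, 0, CHUNKBYTES);

            /* The expected number of bit flips in a chunk is
             * _zz_ratio * 8 * CHUNKBYTES. Adding random thousandths before
             * truncating dithers the rounding, so a ratio below
             * 1.0/CHUNKBYTES still flips a bit now and then instead of
             * never. */
            _zz_srand(_zz_seed ^ chunkseed);
            todo = (int)((_zz_ratio * (8 * CHUNKBYTES * 1000)
                              + _zz_rand(1000)) / 1000.0);
            /* Fold the flip count into the seed so the bit positions also
             * depend on how many bits are being flipped. */
            _zz_srand(_zz_seed ^ chunkseed ^ (todo * MAGIC2));

            while (todo--)
            {
                unsigned int idx = _zz_rand(CHUNKBYTES);
                uint8_t bit = (uint8_t)(1 << _zz_rand(8));

                fuzz->data[idx] ^= bit;
            }

            fuzz->cur = (int)i;
        }

        /* Apply the mask to the part of this chunk that lies inside buf */
        start = (i * CHUNKBYTES > pos) ? i * CHUNKBYTES : pos;
        stop = ((i + 1) * CHUNKBYTES < end) ? (i + 1) * CHUNKBYTES : end;

        /* j is a stream offset; buf[j - pos] is the matching byte. Indexing
         * this way replaces the former "buf - pos" base pointer, which
         * pointed before the start of buf and is undefined behaviour. */
        for (j = start; j < stop; j++)
        {
            uint8_t byte = buf[j - pos];

            if (_zz_protect[byte])
                continue;

            byte ^= fuzz->data[j % CHUNKBYTES];

            if (_zz_refuse[byte])
                continue;

            buf[j - pos] = byte;
        }
    }
}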