source: zzuf/trunk/src/fuzz.c @ 1719

Last change on this file since 1719 was 1719, checked in by Sam Hocevar, 13 years ago
  • Better ungetc() implementation. Now we don't need to care about the fuzzing method.
  • Property svn:keywords set to Id
File size: 6.1 KB
Line 
1/*
2 *  zzuf - general purpose fuzzer
3 *  Copyright (c) 2006 Sam Hocevar <sam@zoy.org>
4 *                All Rights Reserved
5 *
6 *  $Id: fuzz.c 1719 2007-01-27 15:13:34Z sam $
7 *
8 *  This program is free software. It comes without any warranty, to
9 *  the extent permitted by applicable law. You can redistribute it
10 *  and/or modify it under the terms of the Do What The Fuck You Want
11 *  To Public License, Version 2, as published by Sam Hocevar. See
12 *  http://sam.zoy.org/wtfpl/COPYING for more details.
13 */
14
15/*
16 *  fuzz.c: fuzz functions
17 */
18
19#include "config.h"
20
21#if defined HAVE_STDINT_H
22#   include <stdint.h>
23#elif defined HAVE_INTTYPES_H
24#   include <inttypes.h>
25#endif
26#include <stdio.h>
27#include <stdlib.h>
28#include <string.h>
29
30#include "libzzuf.h"
31#include "debug.h"
32#include "random.h"
33#include "fuzz.h"
34#include "fd.h"
35
36#define MAGIC1 0x33ea84f7
37#define MAGIC2 0x783bc31f
38
39/* Per-offset byte protection */
40static unsigned int *ranges = NULL;
41static unsigned int ranges_static[512];
42
43/* Per-value byte protection */
44static int protect[256];
45static int refuse[256];
46
47/* Local prototypes */
48static void readchars(int *, char const *);
49
50void _zz_bytes(char const *list)
51{
52    char const *parser;
53    unsigned int i, chunks;
54
55    /* Count commas */
56    for(parser = list, chunks = 1; *parser; parser++)
57        if(*parser == ',')
58            chunks++;
59
60    /* TODO: free(ranges) if ranges != ranges_static */
61    if(chunks >= 256)
62        ranges = malloc((chunks + 1) * 2 * sizeof(unsigned int));
63    else
64        ranges = ranges_static;
65
66    /* Fill ranges list */
67    for(parser = list, i = 0; i < chunks; i++)
68    {
69        char const *comma = strchr(parser, ',');
70        char const *dash = strchr(parser, '-');
71
72        ranges[i * 2] = (dash == parser) ? 0 : atoi(parser);
73        if(dash && (dash + 1 == comma || dash[1] == '\0'))
74            ranges[i * 2 + 1] = ranges[i * 2]; /* special case */
75        else if(dash && (!comma || dash < comma))
76            ranges[i * 2 + 1] = atoi(dash + 1) + 1;
77        else
78            ranges[i * 2 + 1] = ranges[i * 2] + 1;
79        parser = comma + 1;
80    }
81
82    ranges[i * 2] = ranges[i * 2 + 1] = 0;
83}
84
85void _zz_protect(char const *list)
86{
87    readchars(protect, list);
88}
89
90void _zz_refuse(char const *list)
91{
92    readchars(refuse, list);
93}
94
95void _zz_fuzz(int fd, volatile uint8_t *buf, uint64_t len)
96{
97    uint64_t start, stop;
98    struct fuzz *fuzz;
99    volatile uint8_t *aligned_buf;
100    unsigned long int pos = _zz_getpos(fd);
101    unsigned int i, j, todo;
102
103#if 0
104    debug("fuzz(%i, %lli@%li)", fd, (unsigned long long int)len,
105          (unsigned long int)pos);
106#endif
107
108    aligned_buf = buf - pos;
109    fuzz = _zz_getfuzz(fd);
110
111    for(i = pos / CHUNKBYTES;
112        i < (pos + len + CHUNKBYTES - 1) / CHUNKBYTES;
113        i++)
114    {
115        /* Cache bitmask array */
116        if(fuzz->cur != (int)i)
117        {
118            uint32_t chunkseed = (i + (int)(fuzz->ratio * MAGIC1)) ^ MAGIC2;
119            _zz_srand(fuzz->seed ^ chunkseed);
120
121            memset(fuzz->data, 0, CHUNKBYTES);
122
123            /* Add some random dithering to handle ratio < 1.0/CHUNKBYTES */
124            todo = (int)((fuzz->ratio * (8 * CHUNKBYTES * 1000)
125                                             + _zz_rand(1000)) / 1000.0);
126            while(todo--)
127            {
128                unsigned int idx = _zz_rand(CHUNKBYTES);
129                uint8_t bit = (1 << _zz_rand(8));
130
131                fuzz->data[idx] ^= bit;
132            }
133
134            fuzz->cur = i;
135        }
136
137        /* Apply our bitmask array to the buffer */
138        start = (i * CHUNKBYTES > pos) ? i * CHUNKBYTES : pos;
139
140        stop = ((i + 1) * CHUNKBYTES < pos + len)
141              ? (i + 1) * CHUNKBYTES : pos + len;
142
143        for(j = start; j < stop; j++)
144        {
145            unsigned int *r;
146            uint8_t byte;
147
148            if(!ranges)
149                goto range_ok;
150
151            for(r = ranges; r[1]; r += 2)
152                if(j >= r[0] && (r[0] == r[1] || j < r[1]))
153                    goto range_ok;
154
155            continue; /* Not in one of the ranges, skip byte */
156
157        range_ok:
158            byte = aligned_buf[j];
159
160            if(protect[byte])
161                continue;
162
163            byte ^= fuzz->data[j % CHUNKBYTES];
164
165            if(refuse[byte])
166                continue;
167
168            aligned_buf[j] = byte;
169        }
170    }
171
172    /* Handle ungetc() */
173    if(fuzz->uflag)
174    {
175        fuzz->uflag = 0;
176        if(fuzz->upos == pos)
177            buf[0] = fuzz->uchar;
178    }
179}
180
181static void readchars(int *table, char const *list)
182{
183    static char const hex[] = "0123456789abcdef0123456789ABCDEF";
184    char const *tmp;
185    int a, b;
186
187    memset(table, 0, 256 * sizeof(int));
188
189    for(tmp = list, a = b = -1; *tmp; tmp++)
190    {
191        int new;
192
193        if(*tmp == '\\' && tmp[1] == '\0')
194            new = '\\';
195        else if(*tmp == '\\')
196        {
197            tmp++;
198            if(*tmp == 'n')
199                new = '\n';
200            else if(*tmp == 'r')
201                new = '\r';
202            else if(*tmp == 't')
203                new = '\t';
204            else if(tmp[0] >= '0' && tmp[0] <= '7' && tmp[1] >= '0'
205                     && tmp[1] <= '7' && tmp[2] >= '0' && tmp[2] <= '7')
206            {
207                new = tmp[2] - '0';
208                new |= (int)(tmp[1] - '0') << 3;
209                new |= (int)(tmp[0] - '0') << 6;
210                tmp += 2;
211            }
212            else if((*tmp == 'x' || *tmp == 'X')
213                     && tmp[1] && strchr(hex, tmp[1])
214                     && tmp[2] && strchr(hex, tmp[2]))
215            {
216                new = ((strchr(hex, tmp[1]) - hex) & 0xf) << 4;
217                new |= (strchr(hex, tmp[2]) - hex) & 0xf;
218                tmp += 2;
219            }
220            else
221                new = (unsigned char)*tmp; /* XXX: OK for \\, but what else? */
222        }
223        else
224            new = (unsigned char)*tmp;
225
226        if(a != -1 && b == '-' && a <= new)
227        {
228            while(a <= new)
229                table[a++] = 1;
230            a = b = -1;
231        }
232        else
233        {
234            if(a != -1)
235                table[a] = 1;
236            a = b;
237            b = new;
238        }
239    }
240
241    if(a != -1)
242        table[a] = 1;
243    if(b != -1)
244        table[b] = 1;
245}
246
Note: See TracBrowser for help on using the repository browser.