kc3-lang/harfbuzz/test/fuzzing/hb-repacker-fuzzer.cc
Branch
-
Show log
Commit
-
Hash : bdb50f1c
Author :
Date : 2025-01-07T20:32:05
[repacker] Also rename api method from hb_subset_repack_or_fail -> hb_subset_serialize_or_fail.
-
test/fuzzing/hb-repacker-fuzzer.cc
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145
#include "hb-fuzzer.hh" #include <stdlib.h> #include <stdio.h> #include <string.h> #include <assert.h> #include "hb-subset-serialize.h" typedef struct { uint16_t parent; uint16_t child; uint16_t position; uint8_t width; } link_t; /* The fuzzer seed contains a serialized representation of a object graph which forms * the input graph to the repacker call. The binary format is: * * table tag: 4 bytes * number of objects: 2 bytes * objects[number of objects]: * blob size: 2 bytes * blob: blob size bytes * num of real links: 2 bytes * links[number of real links]: link_t struct * * TODO(garretrieger): add optional virtual links */ template <typename T> bool read(const uint8_t** data, size_t* size, T* out) { if (*size < sizeof (T)) return false; memcpy(out, *data, sizeof (T)); *data += sizeof (T); *size -= sizeof (T); return true; } void cleanup (hb_subset_serialize_object_t* objects, uint16_t num_objects) { for (uint32_t i = 0; i < num_objects; i++) { free (objects[i].head); free (objects[i].real_links); } } void add_links_to_objects (hb_subset_serialize_object_t* objects, uint16_t num_objects, link_t* links, uint16_t num_links) { unsigned* link_count = (unsigned*) calloc (num_objects, sizeof (unsigned)); for (uint32_t i = 0; i < num_links; i++) { uint16_t parent_idx = links[i].parent; link_count[parent_idx]++; } for (uint32_t i = 0; i < num_objects; i++) { objects[i].num_real_links = link_count[i]; objects[i].real_links = (hb_subset_serialize_link_t*) calloc (link_count[i], sizeof (hb_subset_serialize_link_t)); objects[i].num_virtual_links = 0; objects[i].virtual_links = nullptr; } for (uint32_t i = 0; i < num_links; i++) { uint16_t parent_idx = links[i].parent; uint16_t child_idx = links[i].child + 1; // All indices are shifted by 1 by the null object. hb_subset_serialize_link_t* link = &(objects[parent_idx].real_links[link_count[parent_idx] - 1]); link->width = links[i].width; link->position = links[i].position; link->objidx = child_idx; link_count[parent_idx]--; } free (link_count); } extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size) { // TODO(garretrieger): move graph validity checks into repacker graph creation. alloc_state = _fuzzing_alloc_state (data, size); uint16_t num_objects = 0; hb_subset_serialize_object_t* objects = nullptr; uint16_t num_real_links = 0; link_t* links = nullptr; hb_tag_t table_tag; if (!read<hb_tag_t> (&data, &size, &table_tag)) goto end; if (!read<uint16_t> (&data, &size, &num_objects)) goto end; objects = (hb_subset_serialize_object_t*) calloc (num_objects, sizeof (hb_subset_serialize_object_t)); for (uint32_t i = 0; i < num_objects; i++) { uint16_t blob_size; if (!read<uint16_t> (&data, &size, &blob_size)) goto end; if (size < blob_size) goto end; char* copy = (char*) calloc (1, blob_size); memcpy (copy, data, blob_size); objects[i].head = (char*) copy; objects[i].tail = (char*) (copy + blob_size); size -= blob_size; data += blob_size; } if (!read<uint16_t> (&data, &size, &num_real_links)) goto end; links = (link_t*) calloc (num_real_links, sizeof (link_t)); for (uint32_t i = 0; i < num_real_links; i++) { if (!read<link_t> (&data, &size, &links[i])) goto end; if (links[i].parent >= num_objects) goto end; } add_links_to_objects (objects, num_objects, links, num_real_links); hb_blob_destroy (hb_subset_serialize_or_fail (table_tag, objects, num_objects)); end: if (objects) { cleanup (objects, num_objects); free (objects); } free (links); return 0; }