fuzzed binary annotator (#7188)

2026-06-10 15:16:28 +00:00 · 2022-03-25 22:58:15 -07:00
parent e2be0c0b06
commit ae4ce72651
20 changed files with 2241 additions and 2094 deletions
--- a/tests/fuzzer/.gitignore
+++ b/tests/fuzzer/.gitignore
@@ -0,0 +1,18 @@
+# The generated fuzzers
+*_fuzzer
+
+# Findings from the fuzzers
+oom-*
+slow-unit-*
+crash-*
+
+# Individual fuzzer logs if job=N
+fuzz-*.log
+
+.clangd/
+
+# These are copied from tests/annotated_binary/ and should use the latest ones.
+annotated_binary.bfbs
+annotated_binary.bin
+
+monster_test.bfbs
--- a/tests/fuzzer/CMakeLists.txt
+++ b/tests/fuzzer/CMakeLists.txt
@@ -112,12 +112,15 @@ set(FlatBuffers_Library_SRCS
    ${FLATBUFFERS_DIR}/src/idl_parser.cpp
    ${FLATBUFFERS_DIR}/src/idl_gen_text.cpp
    ${FLATBUFFERS_DIR}/src/reflection.cpp
+    ${FLATBUFFERS_DIR}/src/binary_annotator.h
+    ${FLATBUFFERS_DIR}/src/binary_annotator.cpp
    ${FLATBUFFERS_DIR}/src/util.cpp
    ${FLATBUFFERS_DIR}/tests/test_assert.cpp
 )

 include_directories(${FLATBUFFERS_DIR}/include)
 include_directories(${FLATBUFFERS_DIR}/tests)
+include_directories(${FLATBUFFERS_DIR}/src)

 add_library(flatbuffers_fuzzed STATIC ${FlatBuffers_Library_SRCS})
 # Use PUBLIC to force 'fuzzer_config' for all dependent targets
@@ -156,7 +159,20 @@ add_custom_command(
  COMMAND ${CMAKE_COMMAND} -E copy
  ${CMAKE_SOURCE_DIR}/../monster_test.bfbs
  ${CMAKE_CURRENT_BINARY_DIR}/monster_test.bfbs)
-  
+
+add_executable(annotator_fuzzer flatbuffers_annotator_fuzzer.cc)
+target_link_libraries(annotator_fuzzer PRIVATE flatbuffers_fuzzed)
+add_custom_command(
+  TARGET annotator_fuzzer PRE_BUILD
+
+  COMMAND ${CMAKE_COMMAND} -E copy
+  ${CMAKE_SOURCE_DIR}/../annotated_binary/annotated_binary.bfbs
+  ${CMAKE_CURRENT_BINARY_DIR}/annotated_binary.bfbs
+
+  COMMAND ${CMAKE_COMMAND} -E copy
+  ${CMAKE_SOURCE_DIR}/../annotated_binary/annotated_binary.bin
+  ${CMAKE_CURRENT_BINARY_DIR}/seed_annotator/annotated_binary.bin
+)

 # Build debugger for weird cases found with fuzzer.
 if(BUILD_DEBUGGER)
--- a/tests/fuzzer/flatbuffers_annotator_fuzzer.cc
+++ b/tests/fuzzer/flatbuffers_annotator_fuzzer.cc
@@ -0,0 +1,53 @@
+
+#include <filesystem>
+#include <string>
+
+#include "binary_annotator.h"
+#include "test_init.h"
+
+static std::filesystem::path exe_path_;
+static const uint8_t *schema_bfbs_;
+static size_t schema_bfbs_length_;
+
+bool TestFileExists(std::filesystem::path file_path) {
+  if (file_path.has_filename() && std::filesystem::exists(file_path))
+    return true;
+
+  TEST_OUTPUT_LINE("@DEBUG: file '%s' not found", file_path.string().c_str());
+  for (const auto &entry :
+       std::filesystem::directory_iterator(file_path.parent_path())) {
+    TEST_OUTPUT_LINE("@DEBUG: parent path entry: '%s'",
+                     entry.path().string().c_str());
+  }
+  return false;
+}
+
+std::string LoadBinarySchema(const char *file_name) {
+  const auto file_path = exe_path_.parent_path() / file_name;
+  TEST_EQ(true, TestFileExists(file_path));
+  std::string schemafile;
+  TEST_EQ(true,
+          flatbuffers::LoadFile(file_path.string().c_str(), true, &schemafile));
+
+  flatbuffers::Verifier verifier(
+      reinterpret_cast<const uint8_t *>(schemafile.c_str()), schemafile.size());
+  TEST_EQ(true, reflection::VerifySchemaBuffer(verifier));
+  return schemafile;
+}
+
+extern "C" int LLVMFuzzerInitialize(int *, char ***argv) {
+  exe_path_ = (*argv)[0];
+  static const std::string schema_file =
+      LoadBinarySchema("annotated_binary.bfbs");
+  schema_bfbs_ = reinterpret_cast<const uint8_t *>(schema_file.c_str());
+  schema_bfbs_length_ = schema_file.size();
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  flatbuffers::BinaryAnnotator annotator(schema_bfbs_, schema_bfbs_length_,
+                                         data, size);
+
+  annotator.Annotate();
+  return 0;
+}