changed the custom mutator example to do something meaningful

Author: PBetzler

README.md

@@ -32,7 +32,7 @@ Execute with:
 cifuzz run structured_input_checks_fuzz_test
 ```
 * [Custom Mutator Example](src/advanced_examples/custom_mutator_example_checks_test.cpp#L37):
-An example that is build on top of the [Structure Aware Inputs Example](src/advanced_examples/explore_me.cpp#L8) and shows how to utilize custom mutators to change how the inputs are mutated.
+An example that shows how to utilize custom mutators to make sure the fuzzer only creates valid inputs.
 Execute with:
 ```sh
 cifuzz run custom_mutator_example_checks_fuzz_test

src/advanced_examples/CMakeLists.txt

@@ -14,6 +14,7 @@ target_include_directories(explore_me_advanced PRIVATE
 
 target_link_libraries(explore_me_advanced
     OpenSSL::Crypto
+    -lz
 )
 
 foreach(TestType IN ITEMS

src/advanced_examples/custom_mutator_example_checks_test.cpp

@@ -1,36 +1,46 @@
 #include <cifuzz/cifuzz.h>
+#include <cstdlib>
 #include <fuzzer/FuzzedDataProvider.h>
 #include <iostream>
+#include <zlib.h>
 
 #include "explore_me.h"
 
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 #include <gtest/gtest.h>
 
-TEST(ExploreStructuredInputChecks, DeveloperTest) {
-    InputStruct inputStruct = (InputStrut) {.a=0, .b= 10, .c="Developer"};
-    EXPECT_NO_THROW(ExploreStructuredInputChecks(inputStruct));
+TEST(ExploreCompressedInputChecks, HI) {
+    uint8_t uncompressed[3];
+    size_t uncompressedLen = sizeof(uncompressed);
+    uncompressed[0] = 'H';
+    uncompressed[1] = 'I';
+    uncompressed[2] = '\0';
+    uint8_t compressed[3];
+    size_t compressedLen = sizeof(compressed);
+    if (Z_OK != compress(compressed, &compressedLen, uncompressed, uncompressedLen)) {
+        abort();
+    }
+    EXPECT_NO_THROW(ExploreCompressedInputChecks(compressed, compressedLen));
 }
 
-TEST(ExploreStructuredInputChecks, MaintainerTest) {
-    InputStruct inputStruct = (InputStruct) {.a=20, .b= -10, .c="Maintainer"};
-    EXPECT_NO_THROW(ExploreStructuredInputChecks(inputStruct));
+TEST(ExploreCompressedInputChecks, HO) {
+    uint8_t uncompressed[3];
+    size_t uncompressedLen = sizeof(uncompressed);
+    uncompressed[0] = 'H';
+    uncompressed[1] = 'O';
+    uncompressed[2] = '\0';
+    uint8_t compressed[3];
+    size_t compressedLen = sizeof(compressed);
+    if (Z_OK != compress(compressed, &compressedLen, uncompressed, uncompressedLen)) {
+        abort();
+    }
+    EXPECT_NO_THROW(ExploreCompressedInputChecks(compressed, compressedLen));
 }
 
 #endif
 
 FUZZ_TEST(const uint8_t *data, size_t size) {
-    FuzzedDataProvider fdp(data, size);
-    long a = fdp.ConsumeIntegral<long>();
-    long b = fdp.ConsumeIntegral<long>();
-    std::string c = fdp.ConsumeRemainingBytesAsString();
-
-    InputStruct inputStruct = (InputStruct) {
-            .a = a,
-            .b = b,
-            .c = c,
-    };
-    ExploreStructuredInputChecks(inputStruct);
+    ExploreCompressedInputChecks(data, size);
 }
 
 extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
@@ -39,15 +49,36 @@ extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
 Custom mutator example. In this case we only print out once that we are in a custom mutator and then use te regular one,
 but you can also change the Data how you like. Make sure to return the new length.
 */
-extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
-                                          size_t MaxSize, unsigned int Seed) {
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
+                                          size_t maxSize, unsigned int seed) {
 
-    static bool Printed;
-    if (!Printed) {
+    static bool printed;
+    if (!printed) {
         std::cerr << "In custom mutator.\n";
-        Printed = true;
+        printed = true;
     }
 
+    uint8_t uncompressed[100];
+    size_t uncompressedLen = sizeof(uncompressed);
+    size_t compressedLen = maxSize;
+    if (Z_OK != uncompress(uncompressed, &uncompressedLen, data, size)) {
+        // The data didn't uncompress.
+        // So, it's either a broken input and we want to ignore it,
+        // or we've started fuzzing from an empty corpus and we need to supply
+        // out first properly compressed input.
+        uint8_t dummy[] = {'H', 'i'};
+        if (Z_OK != compress(data, &compressedLen, dummy, sizeof(dummy))) {
+            return 0;
+        } else {
+            // fprintf(stderr, "Dummy: max %zd res %zd\n", MaxSize, CompressedLen);
+            return compressedLen;
+        }
+    }
+
+    uncompressedLen = LLVMFuzzerMutate(uncompressed, uncompressedLen, sizeof(uncompressed));
+    if (Z_OK != compress(data, &compressedLen, uncompressed, uncompressedLen)) {
+        return 0;
+    }
     // make sure to return the new Size (that needs to be <= MaxSize) as return value!
-    return LLVMFuzzerMutate(Data, Size, MaxSize);
+    return compressedLen;
 }

src/advanced_examples/explore_me.cpp

@@ -1,5 +1,5 @@
 #include <cstring>
-
+#include <zlib.h>
 #include "explore_me.h"
 
 static long insecureEncrypt(long input);
@@ -17,6 +17,21 @@ void ExploreStructuredInputChecks(InputStruct inputStruct){
     return;
 }
 
+void ExploreCompressedInputChecks(const uint8_t *Data, size_t Size){
+    uint8_t Uncompressed[100];
+      size_t UncompressedLen = sizeof(Uncompressed);
+      // Check if uncompression was successful
+      if (Z_OK != uncompress(Uncompressed, &UncompressedLen, Data, Size)) {
+          // Uncompression was not successfull
+          // Just return and throw input away
+          return;
+      }
+      if (UncompressedLen < 2) return;
+      if (Uncompressed[0] == 'C' && Uncompressed[1] == 'I') {
+          trigger_double_free();
+      }
+}
+
 static long insecureEncrypt(long input) {
   long key = 0xefe4eb93215cb6b0L;
   return input ^ key;

src/advanced_examples/explore_me.h

@@ -14,3 +14,4 @@ struct InputStruct {
 };
 
 void ExploreStructuredInputChecks(InputStruct inputStruct);
+void ExploreCompressedInputChecks(const uint8_t *Data, size_t Size);