// clang -g -O1 -fsanitize=fuzzer -o fuzz fuzz.c
#include "quickjs.h"
#include "quickjs.c"
#include "cutils.h"
#include "libregexp.c"
#include "libunicode.c"
#include "dtoa.c"
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
// note: the fuzzer's (LLVM) output does not contain a checksum; it needs to be
// added manually (a 4-byte field at position 1) when adding such a file to the corpus
//
// fill the field with UINT32_MAX to disable checksumming
/*
 * Pull the pending exception off @p ctx and stop the fuzzing process if it
 * is one the harness must never produce.  A message that cannot be turned
 * into a string, or one mentioning "checksum error", ends the run with
 * exit status 1; any other exception is simply discarded.
 */
static void fuzz_check_exception(JSContext *ctx)
{
    JSValue exc = JS_GetException(ctx);
    const char *msg = JS_ToCString(ctx, exc);
    JS_FreeValue(ctx, exc);
    if (msg == NULL) {
        exit(1);
    }
    if (strstr(msg, "checksum error") != NULL) {
        /* The checksum is computed by this harness, so presumably this
         * can only mean the framing below is wrong, not a deserializer bug. */
        exit(1);
    }
    JS_FreeCString(ctx, msg);
}

/**
 * libFuzzer entry point: wraps the fuzzer-provided bytes in the framing
 * JS_ReadObject() expects and hands them to the deserializer.
 *
 * Input layout: byte 0 is the version field, bytes 1..len-1 are the
 * payload.  The deserializer additionally wants a 4-byte checksum right
 * after the version byte, so a fresh buffer is assembled as
 *   [version][bc_csum(payload)][payload]
 * before the call.  An empty input is ignored.
 *
 * @param buf  bytes supplied by the fuzzer; not NUL-terminated.
 * @param len  number of bytes in @p buf.
 * @return 0 always.  The process exits with status 1 when the harness
 *         itself fails: runtime/context/allocation failure, or an
 *         exception that fuzz_check_exception() classifies as a harness
 *         problem.
 */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    if (len == 0) {
        return 0;
    }

    JSRuntime *rt = JS_NewRuntime();
    if (rt == NULL) {
        exit(1);
    }
    JSContext *ctx = JS_NewContext(rt);
    if (ctx == NULL) {
        exit(1);
    }

    /* Everything after the 1-byte version field is the payload. */
    const uint8_t *payload = buf + 1;
    const size_t payload_len = len - 1;
    /* Room for version (1) + checksum (4) + payload. */
    const size_t framed_len = len + 4;

    uint8_t *framed = malloc(framed_len);
    if (framed == NULL) {
        exit(1);
    }
    framed[0] = buf[0];
    put_u32(framed + 1, bc_csum(payload, payload_len));
    memcpy(framed + 5, payload, payload_len);

    JSValue result = JS_ReadObject(ctx, framed, framed_len, /*flags*/0);
    free(framed);

    if (JS_IsException(result)) {
        fuzz_check_exception(ctx);
    }
    JS_FreeValue(ctx, result);
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}