fuzzing/fuzz_string.c - third_party/github.com/GNOME/glib - Git at Google

 /*
  * Copyright 2024 GNOME Foundation, Inc.
  *
  * SPDX-License-Identifier: LGPL-2.1-or-later
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
  * This library is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  */

 #include "fuzz.h"

 int
 LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
 {
   unsigned char *nul_terminated_data = NULL;
   char **args = NULL;
   size_t n_args;
   const char *init, *find, *replace;
   GString *string = NULL;

   fuzz_set_logging_func ();

   /* ignore @size (none of the functions support it); ensure @data is nul-terminated */
   nul_terminated_data = (unsigned char *) g_strndup ((const gchar *) data, size);

   /* Split the data into three arguments. */
   args = g_strsplit ((char *) nul_terminated_data, "|", 3);
   n_args = g_strv_length (args);
   init = (n_args > 0) ? args[0] : "";
   find = (n_args > 1) ? args[1] : "";
   replace = (n_args > 2) ? args[2] : "";

   /* Limit the input size. With a short @find, and a long @init and @replace
    * it’s quite possible to hit OOM. We’re not interested in testing that — it’s
    * up to the caller of g_string_replace() to handle that. 1KB on each of the
    * inputs should be plenty to find any string parsing or pointer arithmetic
    * bugs in g_string_replace(). */
   if (strlen (init) > 1000 ||
       strlen (find) > 1000 ||
       strlen (replace) > 1000)
     {
       g_strfreev (args);
       g_free (nul_terminated_data);
       return 0;
     }

   /* Test g_string_replace() and see if it crashes. */
   string = g_string_new (init);
   g_string_replace (string, find, replace, 0);
   g_string_free (string, TRUE);

   g_strfreev (args);
   g_free (nul_terminated_data);

   return 0;
 }
	/*
	* Copyright 2024 GNOME Foundation, Inc.
	*
	* SPDX-License-Identifier: LGPL-2.1-or-later
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation; either
	* version 2.1 of the License, or (at your option) any later version.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include "fuzz.h"

	int
	LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
	{
	unsigned char *nul_terminated_data = NULL;
	char **args = NULL;
	size_t n_args;
	const char init, find, *replace;
	GString *string = NULL;

	fuzz_set_logging_func ();

	/* ignore @size (none of the functions support it); ensure @data is nul-terminated */
	nul_terminated_data = (unsigned char ) g_strndup ((const gchar ) data, size);

	/* Split the data into three arguments. */
	args = g_strsplit ((char *) nul_terminated_data, "\|", 3);
	n_args = g_strv_length (args);
	init = (n_args > 0) ? args[0] : "";
	find = (n_args > 1) ? args[1] : "";
	replace = (n_args > 2) ? args[2] : "";

	/* Limit the input size. With a short @find, and a long @init and @replace
	* it’s quite possible to hit OOM. We’re not interested in testing that — it’s
	* up to the caller of g_string_replace() to handle that. 1KB on each of the
	* inputs should be plenty to find any string parsing or pointer arithmetic
	* bugs in g_string_replace(). */
	if (strlen (init) > 1000 \|\|
	strlen (find) > 1000 \|\|
	strlen (replace) > 1000)
	{
	g_strfreev (args);
	g_free (nul_terminated_data);
	return 0;
	}

	/* Test g_string_replace() and see if it crashes. */
	string = g_string_new (init);
	g_string_replace (string, find, replace, 0);
	g_string_free (string, TRUE);

	g_strfreev (args);
	g_free (nul_terminated_data);

	return 0;
	}