lib-test: FUZZ_BEGIN_STR() - Replace NULs('\0') with backslashes '\\'

This is done so that the strings generated from fuzzer data always contain a
maximal length string. The presence of NULs creates aliases in the fuzz space
and makes less likely to generate very long NUL terminated strings.
The backslash is chosen instead of space as replacement because it is usually
a more troublesome character to handle.

diff --git a/src/lib-test/fuzzer.c b/src/lib-test/fuzzer.c
index c15fee7c650657c2d565db0a969bdb09186b1b88..3ce5b527fab35bae116c47d45720a5f5be18039c 100644 (file)
--- a/src/lib-test/fuzzer.c
+++ b/src/lib-test/fuzzer.c
@@ -85,3 +85,15 @@ int fuzzer_io_as_fd(struct fuzzer_context *fuzz_ctx,
        iostream_pump_start(fuzz_ctx->pump);
        return sfd[1];
 }
+
+
+const char *fuzzer_t_strndup_replace_zero(
+       const uint8_t *data, size_t size, char subst)
+{
+       char *out = t_malloc_no0(size + 1);
+       for (size_t index = 0; index < size; ++index) {
+               uint8_t ch = data[index];
+               out[index] = ch == 0 ? subst : (char)ch;
+       }
+       return out;
+}
\ No newline at end of file

diff --git a/src/lib-test/fuzzer.h b/src/lib-test/fuzzer.h
index e20ba1368b996caf6b79e42a3b11d59e9c0efb88..8150b583e0872d5ab2a81b263e75470d588ab0c1 100644 (file)
--- a/src/lib-test/fuzzer.h
+++ b/src/lib-test/fuzzer.h
@@ -16,9 +16,12 @@ struct fuzzer_context {
                struct fuzzer_context fuzz_ctx; \
                fuzzer_init(&fuzz_ctx); T_BEGIN {
 
+const char *fuzzer_t_strndup_replace_zero(
+       const uint8_t *_param_data, size_t _param_size, char subst);
+
 #define FUZZ_BEGIN_STR(str_arg) \
        FUZZ_BEGIN_DATA(const uint8_t *_param_data, size_t _param_size) \
-       str_arg = t_strndup(_param_data, _param_size);
+       str_arg = fuzzer_t_strndup_replace_zero(_param_data, _param_size, '\\');
 
 #define FUZZ_BEGIN_FD \
        FUZZ_BEGIN_DATA(const uint8_t *_param_data, size_t _param_size) \