From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Wed, 1 May 2024 05:16:38 +0000 (+1200)
Subject: lib/fuzzing: add fuzz_stable_sort_r_unstable
X-Git-Tag: tdb-1.4.11~811
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c0bdf371878eb1a3a1c3b1663379a89bd0ec2c0;p=thirdparty%2Fsamba.git

lib/fuzzing: add fuzz_stable_sort_r_unstable

This should find out how well stable_sort copes with an unstable
non-transitive comparison function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/lib/fuzzing/fuzz_stable_sort_r_unstable.c b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
new file mode 100644
index 00000000000..cd4d7915ad3
--- /dev/null
+++ b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
@@ -0,0 +1,94 @@
+/*
+   Fuzzing for stable_sort
+   Copyright © Catalyst IT 2024
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "fuzzing/fuzzing.h"
+#include "util/stable_sort.h"
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+	return 0;
+}
+
+/*
+ * This function tries to never be a proper comparison function,
+ * whatever the value of ctx.
+ *
+ * If ctx is an odd number, it will change on every comparison,
+ * otherwise it will consistently use the same bad comparison
+ * technique.
+ */
+static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
+{
+	int8_t a = *_a;
+	int8_t b = *_b;
+	int8_t c = *ctx;
+
+	if (c & 1) {
+		/* aim for sustained chaos. */
+		c += a;
+		c ^= b;
+		c ^= (c >> 5) + (c << 3);
+		*ctx = (c + 99) | 1;
+	}
+	switch((c >> 1) & 7) {
+	case 0:
+		return -1;
+	case 1:
+		return 1;
+	case 2:
+		return a + b;
+	case 3:
+		return c - b;
+	case 4:
+		return (a ^ b) > c;
+	case 5:
+		return -(a > c);
+	case 6:
+		return 2 * a - b;
+	case 7:
+		break;
+	}
+	return a - c;
+}
+
+
+#define MAX_SIZE (1024 * 1024)
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+	size_t i;
+	int8_t buf2[MAX_SIZE];
+	int8_t aux[MAX_SIZE];
+	int8_t context;
+
+	if (len < 3 || len > MAX_SIZE) {
+		return 0;
+	}
+	context = (int8_t)buf[0];
+	buf++;
+	len--;
+
+	memcpy(buf2, buf, len);
+
+	stable_sort_r(buf2, aux, len, 1,
+		      (samba_compare_with_context_fn_t)cmp_int8,
+		      &context);
+	return 0;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 5a9801321aa..897a114ca7e 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -153,6 +153,11 @@ bld.SAMBA_BINARY('fuzz_stable_sort_r',
                  deps='fuzzing stable_sort afl-fuzz-main',
                  fuzzer=True)
 
+bld.SAMBA_BINARY('fuzz_stable_sort_r_unstable',
+                 source='fuzz_stable_sort_r_unstable.c',
+                 deps='fuzzing stable_sort afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_security_token_vs_descriptor',
                  source='fuzz_security_token_vs_descriptor.c',
                  deps='fuzzing samba-security afl-fuzz-main',