From 0123fb3f7d59bc145defd14438fbcaabb9fdbced Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Wed, 9 Aug 2017 15:59:53 +0200
Subject: [PATCH] Base64 fuzzer: add comments, split code into separate functions, use helper functions from fuzzing.c
---
 src/openvpn/fuzzer-base64.c | 58 +++++++++++++++++++++++++++----------
 1 file changed, 42 insertions(+), 16 deletions(-)
diff --git a/src/openvpn/fuzzer-base64.c b/src/openvpn/fuzzer-base64.c
index 0d37b649f..1cf85068f 100644
--- a/src/openvpn/fuzzer-base64.c
+++ b/src/openvpn/fuzzer-base64.c
@@ -7,19 +7,12 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 {
 return 1;
 }
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+
+void test_base64_encode(const uint8_t* data, size_t size)
 {
 char* str = NULL;
- unsigned char* outbuf;
- uint16_t* outsize;
- int ret;
- if ( size < sizeof(*outsize) )
- {
- return 0;
- }
- outsize = (uint16_t*)data;
- data += sizeof(*outsize);
- size -= sizeof(*outsize);
+
+ /* Base64-encode the entire input, store result in str */
 if ( openvpn_base64_encode(data, size, &str) > 0 )
 {
 #ifdef MSAN
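Review bot: `test_base64_encode` is introduced with external linkage although it is only a helper inside this fuzzer source file; declaring it `static void test_base64_encode(const uint8_t *data, size_t size)` keeps the symbol out of the linked binary's global namespace, and the same applies to `test_base64_decode` in the next hunk. The `size_t size` is also handed straight to `openvpn_base64_encode`, whose prototype is not visible here; if that parameter is an `int`, a short comment stating that the fuzzer's input length limit keeps the value in range would make the narrowing deliberate. The function body continues past the end of this hunk.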
@@ -27,17 +20,50 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) #endif } free(str); - str = malloc(size+1); - memcpy(str, (char*)data, size); - str[size] = 0; - outbuf = malloc(*outsize); - if ( (ret = openvpn_base64_decode(str, outbuf, *outsize)) > 0 ) +} + +void test_base64_decode(const uint8_t *data, size_t size) +{ + int ret; + char* str = NULL; + unsigned char* outbuf = NULL; + uint16_t outsize; + + fuzzer_set_input((unsigned char*)data, size); + + /* Extract a number 0-65535 from the input stream, and allocate + * a buffer that size. This will serve as the output buffer of the + * base64 decoding function. + * + * This will test whether openvpn_base64_decode adheres to this + * output buffer size. If not, OOB access will transpire via + * AddressSanitizer */ + FUZZER_GET_INTEGER(outsize, 65535); + outbuf = malloc(outsize); + + /* The remainder of the input buffer is used to create a + * null-terminated string. This will serve as the input buffer + * to openvpn_base64_decode(). */ + str = malloc(fuzzer_get_current_size()+1); + memcpy(str, (char*)data, fuzzer_get_current_size()); + str[fuzzer_get_current_size()] = 0; + + if ( (ret = openvpn_base64_decode(str, outbuf, outsize)) > 0 ) { #ifdef MSAN test_undefined_memory(outbuf, ret); #endif } + +cleanup: free(str); free(outbuf); +} + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + test_base64_encode(data, size); + test_base64_decode(data, size); + return 0; } -- 2.47.2
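Review bot: In `test_base64_decode`, `memcpy(str, (char*)data, fuzzer_get_current_size());` copies from the start of the original buffer, not from the unread remainder that the comment above it describes. The removed code advanced the pointer with `data += sizeof(*outsize)`, but the new code never moves `data` past the bytes consumed by `FUZZER_GET_INTEGER`. As written, the string given to the decoder always begins with the bytes that selected `outsize`, and the tail of the fuzz input is never decoded, which narrows what the harness exercises. Assuming the helpers in fuzzing.c (not shown here) consume from the front of the buffer, `size_t remaining = fuzzer_get_current_size();` followed by `memcpy(str, data + (size - remaining), remaining);` would match the comment and avoid calling the getter three times. The result of `malloc` for `str` is also used unchecked; `if (str == NULL) goto cleanup;` before the `memcpy` would keep an allocation failure from showing up as a decoder crash.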