fuzz: add custom cross-over functions

These can be used in custom mutators for libFuzzer targets.
epiccurious · Oct 24, 2023 · 38e31d6 · 38e31d6
1 parent 58f16c2
commit 38e31d6
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 0 deletions.
diff --git a/tests/fuzz/libfuzz.c b/tests/fuzz/libfuzz.c
@@ -3,6 +3,8 @@
 #include <assert.h>
 #include <ccan/isaac/isaac64.h>
 #include <common/pseudorand.h>
+#include <stdlib.h>
+#include <string.h>
 #include <tests/fuzz/libfuzz.h>
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
@@ -53,3 +55,66 @@ char *to_string(const tal_t *ctx, const u8 *data, size_t data_size)
 
 	return string;
 }
+
+static size_t insert_part(const u8 *in1, size_t in1_size, const u8 *in2,
+			  size_t in2_size, u8 *out, size_t max_out_size)
+{
+	size_t max_insert_size;
+	size_t insert_begin;
+	size_t insert_size;
+	size_t in2_begin;
+
+	if (in1_size >= max_out_size)
+		return 0;
+	if (in1_size == 0 || in2_size == 0)
+		return 0;
+
+	max_insert_size = max_out_size - in1_size;
+	if (max_insert_size > in2_size)
+		max_insert_size = in2_size;
+	insert_begin = rand() % in1_size;
+	insert_size = (rand() % max_insert_size) + 1;
+
+	in2_begin = rand() % (in2_size - insert_size + 1);
+
+	memcpy(out, in1, insert_begin);
+	memcpy(out + insert_begin, in2 + in2_begin, insert_size);
+	memcpy(out + insert_begin + insert_size, in1 + insert_begin,
+	       in1_size - insert_begin);
+
+	return in1_size + insert_size;
+}
+
+static size_t overwrite_part(const u8 *in1, size_t in1_size, const u8 *in2,
+			     size_t in2_size, u8 *out, size_t max_out_size)
+{
+	size_t overwrite_begin;
+	size_t overwrite_size;
+	size_t in2_begin;
+
+	if (in1_size > max_out_size)
+		return 0;
+	if (in1_size == 0)
+		return 0;
+
+	overwrite_begin = rand() % in1_size;
+	overwrite_size = (rand() % (in1_size - overwrite_begin)) + 1;
+	if (overwrite_size > in2_size)
+		overwrite_size = in2_size;
+	in2_begin = rand() % (in2_size - overwrite_size + 1);
+
+	memcpy(out, in1, in1_size);
+	memcpy(out + overwrite_begin, in2 + in2_begin, overwrite_size);
+
+	return in1_size;
+}
+
+size_t cross_over(const u8 *in1, size_t in1_size, const u8 *in2,
+		  size_t in2_size, u8 *out, size_t max_out_size, unsigned seed)
+{
+	srand(seed);
+	if (rand() % 2)
+		return insert_part(in1, in1_size, in2, in2_size, out,
+				   max_out_size);
+	return overwrite_part(in1, in1_size, in2, in2_size, out, max_out_size);
+}
diff --git a/tests/fuzz/libfuzz.h b/tests/fuzz/libfuzz.h
@@ -21,4 +21,8 @@ const uint8_t **get_chunks(const void *ctx, const uint8_t *data,
 /* Copy the data as a string. */
 char *to_string(const tal_t *ctx, const u8 *data, size_t data_size);
 
+/* Combine parts of in1 and in2 to generate a new output in out. */
+size_t cross_over(const u8 *in1, size_t in1_size, const u8 *in2,
+		  size_t in2_size, u8 *out, size_t max_out_size, unsigned seed);
+
 #endif /* LIGHTNING_TESTS_FUZZ_LIBFUZZ_H */