struct fuzz *
fuzz_begin(u_int strategies, const void *p, size_t l)
{
struct fuzz *ret = calloc(sizeof(*ret), 1);
assert(p != NULL);
assert(ret != NULL);
ret->seed = malloc(l);
assert(ret->seed != NULL);
memcpy(ret->seed, p, l);
ret->slen = l;
ret->strategies = strategies;
assert(ret->slen < SIZE_MAX / 8);
assert(ret->strategies <= (FUZZ_MAX|(FUZZ_MAX-1)));
FUZZ_DBG(("begin, ret = %p", ret));
fuzz_next(ret);
#ifdef SIGINFO
last_fuzz = ret;
signal(SIGINFO, siginfo);
#endif
return ret;
}
int
fuzz_done(struct fuzz *fuzz)
{
FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz,
(u_long)fuzz->strategies));
return fuzz_strategy_done(fuzz) && fuzz->strategies == 0;
}
void
fuzz_cleanup(struct fuzz *fuzz)
{
FUZZ_DBG(("cleanup, fuzz = %p", fuzz));
assert(fuzz != NULL);
assert(fuzz->seed != NULL);
assert(fuzz->fuzzed != NULL);
free(fuzz->seed);
free(fuzz->fuzzed);
free(fuzz);
}
void
fuzz_cleanup(struct fuzz *fuzz)
{
FUZZ_DBG(("cleanup, fuzz = %p", fuzz));
#ifdef SIGINFO
last_fuzz = NULL;
signal(SIGINFO, SIG_DFL);
#endif
assert(fuzz != NULL);
assert(fuzz->seed != NULL);
assert(fuzz->fuzzed != NULL);
free(fuzz->seed);
free(fuzz->fuzzed);
free(fuzz);
}
struct fuzz *
fuzz_begin(u_int strategies, void *p, size_t l)
{
struct fuzz *ret = calloc(sizeof(*ret), 1);
assert(p != NULL);
assert(ret != NULL);
ret->seed = malloc(l);
assert(ret->seed != NULL);
memcpy(ret->seed, p, l);
ret->slen = l;
ret->strategies = strategies;
assert(ret->slen < SIZE_MAX / 8);
assert(ret->strategies <= (FUZZ_MAX|(FUZZ_MAX-1)));
FUZZ_DBG(("begin, ret = %p", ret));
fuzz_next(ret);
return ret;
}
static int
fuzz_strategy_done(struct fuzz *fuzz)
{
FUZZ_DBG(("fuzz = %p, strategy = %s, o1 = %zu, o2 = %zu, slen = %zu",
fuzz, fuzz_ntop(fuzz->strategy), fuzz->o1, fuzz->o2, fuzz->slen));
switch (fuzz->strategy) {
case FUZZ_1_BIT_FLIP:
return fuzz->o1 >= fuzz->slen * 8;
case FUZZ_2_BIT_FLIP:
return fuzz->o2 >= fuzz->slen * 8;
case FUZZ_2_BYTE_FLIP:
return fuzz->o2 >= fuzz->slen;
case FUZZ_1_BYTE_FLIP:
case FUZZ_TRUNCATE_START:
case FUZZ_TRUNCATE_END:
case FUZZ_BASE64:
return fuzz->o1 >= fuzz->slen;
default:
abort();
}
}
void
fuzz_next(struct fuzz *fuzz)
{
u_int i;
FUZZ_DBG(("start, fuzz = %p, strategy = %s, strategies = 0x%lx, "
"o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
(u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
if (fuzz->strategy == 0 || fuzz_strategy_done(fuzz)) {
/* If we are just starting out, we need to allocate too */
if (fuzz->fuzzed == NULL) {
FUZZ_DBG(("alloc"));
fuzz->fuzzed = calloc(fuzz->slen, 1);
}
/* Pick next strategy */
FUZZ_DBG(("advance"));
for (i = 1; i <= FUZZ_MAX; i <<= 1) {
if ((fuzz->strategies & i) != 0) {
fuzz->strategy = i;
break;
}
}
FUZZ_DBG(("selected = %u", fuzz->strategy));
if (fuzz->strategy == 0) {
FUZZ_DBG(("done, no more strategies"));
return;
}
fuzz->strategies &= ~(fuzz->strategy);
fuzz->o1 = fuzz->o2 = 0;
}
assert(fuzz->fuzzed != NULL);
switch (fuzz->strategy) {
case FUZZ_1_BIT_FLIP:
assert(fuzz->o1 / 8 < fuzz->slen);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
fuzz->o1++;
break;
case FUZZ_2_BIT_FLIP:
assert(fuzz->o1 / 8 < fuzz->slen);
assert(fuzz->o2 / 8 < fuzz->slen);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
fuzz->fuzzed[fuzz->o2 / 8] ^= 1 << (fuzz->o2 % 8);
fuzz->o1++;
if (fuzz->o1 >= fuzz->slen * 8) {
fuzz->o1 = 0;
fuzz->o2++;
}
break;
case FUZZ_1_BYTE_FLIP:
assert(fuzz->o1 < fuzz->slen);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->fuzzed[fuzz->o1] ^= 0xff;
fuzz->o1++;
break;
case FUZZ_2_BYTE_FLIP:
assert(fuzz->o1 < fuzz->slen);
assert(fuzz->o2 < fuzz->slen);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->fuzzed[fuzz->o1] ^= 0xff;
fuzz->fuzzed[fuzz->o2] ^= 0xff;
fuzz->o1++;
if (fuzz->o1 >= fuzz->slen) {
fuzz->o1 = 0;
fuzz->o2++;
}
break;
case FUZZ_TRUNCATE_START:
case FUZZ_TRUNCATE_END:
assert(fuzz->o1 < fuzz->slen);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->o1++;
break;
case FUZZ_BASE64:
assert(fuzz->o1 < fuzz->slen);
assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);
memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
fuzz->fuzzed[fuzz->o1] = fuzz_b64chars[fuzz->o2];
fuzz->o2++;
if (fuzz->o2 >= sizeof(fuzz_b64chars) - 1) {
fuzz->o2 = 0;
fuzz->o1++;
}
break;
default:
abort();
}
FUZZ_DBG(("done, fuzz = %p, strategy = %s, strategies = 0x%lx, "
"o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
(u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
}
