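// Simple test for a fuzzer.
// The fuzzer must find the string "Hi!" preceded by a magic value.
// Uses UserSuppliedFuzzer which ensures that the magic is present.
#include <cstdint>
#include <cassert>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>

#include "FuzzerInterface.h"

// 8-byte prefix every interesting input must start with. TargetFunction
// rejects inputs that lack it; Mutate writes it back before every mutation.
static const uint64_t kMagic = 8860221463604ULL;

// Fuzzer with a custom mutator that keeps kMagic at the front of the input,
// so the driver only has to discover the 3-byte "Hi!" payload after it.
class MyFuzzer : public fuzzer::UserSuppliedFuzzer {
 public:
  MyFuzzer(fuzzer::FuzzerRandomBase *Rand)
      : fuzzer::UserSuppliedFuzzer(Rand) {}

  // Target under test: reports a hit (and exits the process) when the input
  // is kMagic followed by "Hi!". Returns 0 otherwise.
  //
  // The Size check comes first so that the memcmp below and the reads of
  // Data[8..10] never touch bytes past the end of the input.
  int TargetFunction(const uint8_t *Data, size_t Size) {
    if (Size <= 10) return 0;
    if (memcmp(Data, &kMagic, sizeof(kMagic))) return 0;
    // It's hard to get here w/o advanced fuzzing techniques (e.g. cmp tracing).
    // So, we simply 'fix' the data in the custom mutator.
    if (Data[8] == 'H' && Data[9] == 'i' && Data[10] == '!') {
      std::cout << "BINGO; Found the target, exiting\n";
      exit(1);
    }
    return 0;
  }

  // Custom mutator: re-stamps kMagic over the first sizeof(kMagic) bytes and
  // lets the base-class mutator work on the remainder of the buffer.
  //
  // Returns the new total size of Data -- the magic prefix plus the mutated
  // tail -- which is what the driver uses to resize the unit. Returning only
  // the tail's size would make the driver drop the prefix bytes on the
  // next iteration.
  virtual size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
    assert(MaxSize > sizeof(kMagic));
    // Keep the size arithmetic below from wrapping when assert() is compiled
    // out (NDEBUG) and the buffer cannot hold the prefix plus a payload.
    if (MaxSize <= sizeof(kMagic)) return Size;
    if (Size < sizeof(kMagic))
      Size = sizeof(kMagic);
    // "Fix" the data, then mutate. MaxSize > sizeof(kMagic) is established
    // above, so the whole prefix always fits.
    memcpy(Data, &kMagic, sizeof(kMagic));
    size_t TailSize = fuzzer::UserSuppliedFuzzer::Mutate(
        Data + sizeof(kMagic), Size - sizeof(kMagic), MaxSize - sizeof(kMagic));
    return sizeof(kMagic) + TailSize;
  }
  // No need to redefine CrossOver() here.
};

int main(int argc, char **argv) {
  fuzzer::FuzzerRandomLibc Rand(0);
  MyFuzzer F(&Rand);
  fuzzer::FuzzerDriver(argc, argv, F);
}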