From 62e7bdd22a95b92d04e61f93b6aea4d95a5030fd Mon Sep 17 00:00:00 2001
From: Michael Jones <michaelrj@google.com>
Date: Thu, 16 Feb 2023 11:23:44 -0800
Subject: [PATCH] [libc] use vars in string to num fuzz targets

The string to integer and string to float standalone fuzz targets just
ran the functions and didn't do anything with the output. This was
intentional, since they are intended to be used with sanitizers to
detect buffer overflow bugs. Not using the variables was causing compile
warnings, so this patch adds trivial checks to use the variables.

Reviewed By: sivachandra, lntue

Differential Revision: https://reviews.llvm.org/D144208
---
 libc/fuzzing/stdlib/strtofloat_fuzz.cpp   | 18 +++++++++++++++---
 libc/fuzzing/stdlib/strtointeger_fuzz.cpp | 10 ++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
index 209d3ee..3366c5c 100644
--- a/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
+++ b/libc/fuzzing/stdlib/strtofloat_fuzz.cpp
@@ -13,6 +13,7 @@
 #include "src/stdlib/strtod.h"
 #include "src/stdlib/strtof.h"
 #include "src/stdlib/strtold.h"
+#include <math.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ -30,10 +31,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   char *out_ptr = nullptr;
 
-  // This fuzzer only checks that the alrogithms didn't read beyond the end of
+  // This fuzzer only checks that the algorithms didn't read beyond the end of
   // the string in container. Combined with sanitizers, this will check that the
-  // code is not reading memory beyond what's expected. This test does not make
-  // any attempt to check correctness of the result.
+  // code is not reading memory beyond what's expected. This test does not
+  // effectively check the correctness of the result.
   auto volatile atof_output = __llvm_libc::atof(str_ptr);
   auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr);
   if (str_ptr + size < out_ptr)
@@ -45,6 +46,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (str_ptr + size < out_ptr)
     __builtin_trap();
 
+  // If any of the outputs are NaN
+  if (isnan(atof_output) || isnan(strtof_output) || isnan(strtod_output) ||
+      isnan(strtold_output)) {
+    // Then all the outputs should be NaN.
+    // This is a trivial check meant to silence the "unused variable" warnings.
+    if (!isnan(atof_output) || !isnan(strtof_output) || !isnan(strtod_output) ||
+        !isnan(strtold_output)) {
+      __builtin_trap();
+    }
+  }
+
   delete[] container;
   return 0;
 }
diff --git a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
index 3880d7b..197bee0 100644
--- a/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
+++ b/libc/fuzzing/stdlib/strtointeger_fuzz.cpp
@@ -65,6 +65,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (str_ptr + container_size - 1 < out_ptr)
     __builtin_trap();
 
+  // If atoi is non-zero and the base is at least 10
+  if (atoi_output != 0 && base >= 10) {
+    // Then all of the other functions should output non-zero values as well.
+    // This is a trivial check meant to silence the "unused variable" warnings.
+    if (atol_output == 0 || atoll_output == 0 || strtol_output == 0 ||
+        strtoll_output == 0 || strtoul_output == 0 || strtoull_output == 0) {
+      __builtin_trap();
+    }
+  }
+
   delete[] container;
   return 0;
 }
-- 
2.7.4