From c58982d6fa279f041b37b5cc0432af9e1a9f9a83 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany <kcc@google.com>
Date: Fri, 24 Mar 2017 22:19:52 +0000
Subject: [PATCH] [libFuzzer] be more careful when calling strlen of strcmp
 parameters, PR32357

llvm-svn: 298746
---
 llvm/lib/Fuzzer/FuzzerTraceState.cpp   | 12 +++++++++---
 llvm/lib/Fuzzer/test/BadStrcmpTest.cpp | 19 +++++++++++++++++++
 llvm/lib/Fuzzer/test/CMakeLists.txt    |  1 +
 llvm/lib/Fuzzer/test/bad-strcmp.test   |  1 +
 4 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 llvm/lib/Fuzzer/test/BadStrcmpTest.cpp
 create mode 100644 llvm/lib/Fuzzer/test/bad-strcmp.test

diff --git a/llvm/lib/Fuzzer/FuzzerTraceState.cpp b/llvm/lib/Fuzzer/FuzzerTraceState.cpp
index 2b8caa4..1b77f17 100644
--- a/llvm/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/llvm/lib/Fuzzer/FuzzerTraceState.cpp
@@ -90,6 +90,14 @@ static size_t InternalStrnlen(const char *S, size_t MaxLen) {
   return Len;
 }
 
+// Finds min of (strlen(S1), strlen(S2)).
+// Needed bacause one of these strings may actually be non-zero terminated.
+static size_t InternalStrnlen2(const char *S1, const char *S2) {
+  size_t Len = 0;
+  for (; S1[Len] && S2[Len]; Len++)  {}
+  return Len;
+}
+
 }  // namespace fuzzer
 
 using fuzzer::TS;
@@ -128,9 +136,7 @@ ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
                                    const char *s2, int result) {
   if (result == 0) return;  // No reason to mutate.
-  size_t Len1 = strlen(s1);
-  size_t Len2 = strlen(s2);
-  size_t N = std::min(Len1, Len2);
+  size_t N = fuzzer::InternalStrnlen2(s1, s2);
   if (N <= 1) return;  // Not interesting.
   fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/true);
 }
diff --git a/llvm/lib/Fuzzer/test/BadStrcmpTest.cpp b/llvm/lib/Fuzzer/test/BadStrcmpTest.cpp
new file mode 100644
index 0000000..159cd7e
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/BadStrcmpTest.cpp
@@ -0,0 +1,19 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we don't creash in case of bad strcmp params.
+#include <cstdint>
+#include <cstring>
+#include <cstddef>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size != 10) return 0;
+  // Data is not zero-terminated, so this call is bad.
+  // Still, there are cases when such calles appear, see e.g.
+  // https://bugs.llvm.org/show_bug.cgi?id=32357
+  Sink = strcmp(reinterpret_cast<const char*>(Data), "123456789");
+  return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 1e68a1f..8d43505 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -76,6 +76,7 @@ set(Tests
   AbsNegAndConstantTest
   AbsNegAndConstant64Test
   AccumulateAllocationsTest
+  BadStrcmpTest
   BogusInitializeTest
   BufferOverflowOnInput
   CallerCalleeTest
diff --git a/llvm/lib/Fuzzer/test/bad-strcmp.test b/llvm/lib/Fuzzer/test/bad-strcmp.test
new file mode 100644
index 0000000..9a2f374
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/bad-strcmp.test
@@ -0,0 +1 @@
+RUN: LLVMFuzzer-BadStrcmpTest -runs=100000
-- 
2.7.4