From 82ce5b8cc00c25dc54e78fc9dc919dafb4f241e9 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Wed, 26 Jun 2019 21:52:05 -0400
Subject: [PATCH] OSS-Fuzz fuzzer and build script

---
 oss-fuzz/build.sh            | 28 ++++++++++++++++++++++++++++
 oss-fuzz/cbor_load_fuzzer.cc | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100755 oss-fuzz/build.sh
 create mode 100644 oss-fuzz/cbor_load_fuzzer.cc

diff --git a/oss-fuzz/build.sh b/oss-fuzz/build.sh
new file mode 100755
index 00000000..4b19b720
--- /dev/null
+++ b/oss-fuzz/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir build
+cd build
+# We disable libcbor's default sanitizers since we'll be configuring them ourselves via CFLAGS.
+cmake -D CMAKE_BUILD_TYPE=Debug -D CMAKE_INSTALL_PREFIX="$WORK" -D CBOR_CUSTOM_ALLOC=ON -D SANITIZE=OFF ..
+make "-j$(nproc)"
+make install
+
+$CXX $CXXFLAGS -std=c++11 "-I$WORK/include" \
+    ../oss-fuzz/cbor_load_fuzzer.cc -o "$OUT/cbor_load_fuzzer" \
+    $LIB_FUZZING_ENGINE src/libcbor.a
+
diff --git a/oss-fuzz/cbor_load_fuzzer.cc b/oss-fuzz/cbor_load_fuzzer.cc
new file mode 100644
index 00000000..4f506675
--- /dev/null
+++ b/oss-fuzz/cbor_load_fuzzer.cc
@@ -0,0 +1,35 @@
+#include <cstdint>
+#include <cstdio>
+
+#include "cbor.h"
+
+void *limited_malloc(size_t size) {
+    if (size > 1 << 24) {
+        return nullptr;
+    }
+    return malloc(size);
+}
+
+struct State {
+    FILE* fout;
+
+    State() : fout(fopen("/dev/null", "r")) {
+        cbor_set_allocs(limited_malloc, realloc, free);
+    }
+};
+
+static State kState;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    cbor_load_result result;
+    cbor_item_t *item = cbor_load(Data, Size, &result);
+    if (result.error.code == CBOR_ERR_NONE) {
+        cbor_describe(item, kState.fout);
+        unsigned char *buffer;
+        size_t buffer_size;
+        cbor_serialize_alloc(item, &buffer, &buffer_size);
+        free(buffer);
+        cbor_decref(&item);
+    }
+    return 0;
+}