/* A fuzz test for CPython. The only exposed function is LLVMFuzzerTestOneInput, which is called by fuzzers and by the _fuzz module for smoke tests. To build exactly one fuzz test, as when running in oss-fuzz etc., build with -D _Py_FUZZ_ONE and -D _Py_FUZZ_<test_name>. e.g. to build LLVMFuzzerTestOneInput to only run "fuzz_builtin_float", build this file with -D _Py_FUZZ_ONE -D _Py_FUZZ_fuzz_builtin_float. See the source code for LLVMFuzzerTestOneInput for details. */ #ifndef Py_BUILD_CORE #define Py_BUILD_CORE … #endif #include <Python.h> #include <stdlib.h> #include <inttypes.h> /* Fuzz PyFloat_FromString as a proxy for float(str). */ static int fuzz_builtin_float(const char* data, size_t size) { … } #define MAX_INT_TEST_SIZE … /* Fuzz PyLong_FromUnicodeObject as a proxy for int(str). */ static int fuzz_builtin_int(const char* data, size_t size) { … } /* Fuzz PyUnicode_FromStringAndSize as a proxy for unicode(str). */ static int fuzz_builtin_unicode(const char* data, size_t size) { … } PyObject* struct_unpack_method = …; PyObject* struct_error = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_struct_unpack(void) { … } /* Fuzz struct.unpack(x, y) */ static int fuzz_struct_unpack(const char* data, size_t size) { … } #define MAX_JSON_TEST_SIZE … PyObject* json_loads_method = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_json_loads(void) { … } /* Fuzz json.loads(x) */ static int fuzz_json_loads(const char* data, size_t size) { … } #define MAX_RE_TEST_SIZE … PyObject* re_compile_method = …; PyObject* re_error_exception = …; int RE_FLAG_DEBUG = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_sre_compile(void) { … } /* Fuzz re.compile(x) */ static int fuzz_sre_compile(const char* data, size_t size) { … } /* Some random patterns used to test re.match. Be careful not to add catostraphically slow regexes here, we want to exercise the matching code without causing timeouts.*/ static const char* regex_patterns[] = …; const size_t NUM_PATTERNS = …; PyObject** compiled_patterns = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_sre_match(void) { … } /* Fuzz re.match(x) */ static int fuzz_sre_match(const char* data, size_t size) { … } #define MAX_CSV_TEST_SIZE … PyObject* csv_module = …; PyObject* csv_error = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_csv_reader(void) { … } /* Fuzz csv.reader([x]) */ static int fuzz_csv_reader(const char* data, size_t size) { … } #define MAX_AST_LITERAL_EVAL_TEST_SIZE … PyObject* ast_literal_eval_method = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_ast_literal_eval(void) { … } /* Fuzz ast.literal_eval(x) */ static int fuzz_ast_literal_eval(const char* data, size_t size) { … } #define MAX_ELEMENTTREE_PARSEWHOLE_TEST_SIZE … PyObject* xmlparser_type = …; PyObject* bytesio_type = …; /* Called by LLVMFuzzerTestOneInput for initialization */ static int init_elementtree_parsewhole(void) { … } /* Fuzz _elementtree.XMLParser._parse_whole(x) */ static int fuzz_elementtree_parsewhole(const char* data, size_t size) { … } #define MAX_PYCOMPILE_TEST_SIZE … static const int start_vals[] = …; const size_t NUM_START_VALS = …; static const int optimize_vals[] = …; const size_t NUM_OPTIMIZE_VALS = …; /* Fuzz `PyCompileStringExFlags` using a variety of input parameters. * That function is essentially behind the `compile` builtin */ static int fuzz_pycompile(const char* data, size_t size) { … } /* Run fuzzer and abort on failure. */ static int _run_fuzz(const uint8_t *data, size_t size, int(*fuzzer)(const char* , size_t)) { … } /* CPython generates a lot of leak warnings for whatever reason. */ int __lsan_is_turned_off(void) { … } int LLVMFuzzerInitialize(int *argc, char ***argv) { … } /* Fuzz test interface. This returns the bitwise or of all fuzz test's return values. All fuzz tests must return 0, as all nonzero return codes are reserved for future use -- we propagate the return values for that future case. (And we bitwise or when running multiple tests to verify that normally we only return 0.) */ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { … }
Codebase Browser
cpython