commit 8121f7e95c3040dbeb1b2726d2a53f8a157442a5
author Ed Tanous <etanous@nvidia.com> Thu Mar 06 14:39:07 2025 -0800
committer Ed Tanous <ed@tanous.net> Tue Mar 18 22:55:13 2025 +0000
tree 0f81619ac662feb011362a6ca93186c1df1c4e80
parent 596c59e92c4982ad325f60e8d0b3fc4f0cb24596

Add fuzz targets

Fuzzing is something that's good to do for a general purpose library and
can find bugs relatively quickly.

Enable fuzzing with libfuzzer (selected only because it was the easiest
to set up) and enable fuzz targets for 3 of our buffer-based interfaces.

Change-Id: I695a3a60ba09bea92cd462566bf2c46337eabd4b
Signed-off-by: Ed Tanous <etanous@nvidia.com>

cper-parse.c

diff --git a/cper-parse.c b/cper-parse.c
index 8898089..f293fd1 100644
--- a/cper-parse.c
+++ b/cper-parse.c
@@ -374,9 +374,27 @@
 
 	//If validation bits indicate it exists, add FRU text.
 	if ((section_descriptor->SecValidMask & 0x2) >> 1) {
-		json_object_object_add(
-			section_descriptor_ir, "fruText",
-			json_object_new_string(section_descriptor->FruString));
+		int fru_text_len = 0;
+		for (;
+		     fru_text_len < (int)sizeof(section_descriptor->FruString);
+		     fru_text_len++) {
+			char c = section_descriptor->FruString[fru_text_len];
+			if (c < 0) {
+				//printf("Fru text contains non-ASCII character\n");
+				fru_text_len = -1;
+				break;
+			}
+			if (c == '\0') {
+				break;
+			}
+		}
+		if (fru_text_len >= 0) {
+			json_object_object_add(
+				section_descriptor_ir, "fruText",
+				json_object_new_string_len(
+					section_descriptor->FruString,
+					fru_text_len));
+		}
 	}
 
 	//Section severity.
@@ -432,7 +450,7 @@
 					      descriptor->SectionLength,
 					      &encoded_len);
 		if (encoded == NULL) {
-			printf("Failed to allocate encode output buffer. \n");
+			//printf("Failed to allocate encode output buffer. \n");
 		} else {
 			section_ir = json_object_new_object();
 			json_object_object_add(section_ir, "data",
@@ -451,7 +469,11 @@
 json_object *cper_buf_single_section_to_ir(const unsigned char *cper_buf,
 					   size_t size)
 {
-	json_object *ir = json_object_new_object();
+	const unsigned char *cper_end;
+	const unsigned char *section_begin;
+	json_object *ir;
+
+	cper_end = cper_buf + size;
 
 	//Read the section descriptor out.
 	EFI_ERROR_SECTION_DESCRIPTOR *section_descriptor;
@@ -459,16 +481,18 @@
 		printf("Failed to read section descriptor for CPER single section\n");
 		return NULL;
 	}
+
+	ir = json_object_new_object();
 	section_descriptor = (EFI_ERROR_SECTION_DESCRIPTOR *)cper_buf;
 	//Convert the section descriptor to IR.
 	json_object *section_descriptor_ir =
 		cper_section_descriptor_to_ir(section_descriptor);
 	json_object_object_add(ir, "sectionDescriptor", section_descriptor_ir);
+	section_begin = cper_buf + section_descriptor->SectionOffset;
 
-	if (section_descriptor->SectionOffset +
-		    section_descriptor->SectionLength >
-	    size) {
-		printf("Invalid CPER file: Invalid section descriptor (section offset + length > size).\n");
+	if (section_begin + section_descriptor->SectionLength >= cper_end) {
+		json_object_put(ir);
+		//printf("Invalid CPER file: Invalid section descriptor (section offset + length > size).\n");
 		return NULL;
 	}
 
@@ -495,6 +519,7 @@
 	if (fread(&section_descriptor, sizeof(EFI_ERROR_SECTION_DESCRIPTOR), 1,
 		  cper_section_file) != 1) {
 		printf("Failed to read section descriptor for CPER single section (fread() returned an unexpected value).\n");
+		json_object_put(ir);
 		return NULL;
 	}
 
@@ -515,6 +540,7 @@
 		printf("Section read failed: Could not read %u bytes from global offset %d.\n",
 		       section_descriptor.SectionLength,
 		       section_descriptor.SectionOffset);
+		json_object_put(ir);
 		free(section);
 		return NULL;
 	}