[libFuzzer]Add a test for defeating a hash sum.

Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function

The modification is to ensure that hash(zeros) != 0.

Reviewers: kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12648

llvm-svn: 247076

1 files changed, 36 insertions, 0 deletions

diff --git a/llvm/lib/Fuzzer/test/SimpleHashTest.cpp b/llvm/lib/Fuzzer/test/SimpleHashTest.cpp
new file mode 100644
index 00000000000..a541d6813b5
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/SimpleHashTest.cpp
@@ -0,0 +1,36 @@
+// This test computes a checksum of the data (all but the last 4 bytes),
+// and then compares the last 4 bytes with the computed value.
+// A fuzzer with cmp traces is expected to defeat this check.
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <cstdio>
+
+// A modified jenkins_one_at_a_time_hash initialized by non-zero,
+// so that simple_hash(0) != 0. See also
+// https://en.wikipedia.org/wiki/Jenkins_hash_function
+static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
+  uint32_t Hash = 0x12039854;
+  for (uint32_t i = 0; i < Size; i++) {
+    Hash += Data[i];
+    Hash += (Hash << 10);
+    Hash ^= (Hash >> 6);
+  }
+  Hash += (Hash << 3);
+  Hash ^= (Hash >> 11);
+  Hash += (Hash << 15);
+  return Hash;
+}
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 14)
+    return;
+
+  uint32_t Hash = simple_hash(&Data[0], Size - 4);
+  uint32_t Want = reinterpret_cast<const uint32_t *>(&Data[Size - 4])[0];
+  if (Hash != Want)
+    return;
+  fprintf(stderr, "BINGO; simple_hash defeated: %x == %x\n", (unsigned int)Hash,
+          (unsigned int)Want);
+  exit(1);
+}