From a016a45d60ae5940b360b24880f8c271f03ae359 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany <kcc@google.com>
Date: Tue, 30 Aug 2016 14:52:05 +0000
Subject: [libFuzzer] fix a bug when running a single unit of N bytes with
 -max_len=M, M<N, caused a buffer overflow

llvm-svn: 280098
---
 llvm/lib/Fuzzer/FuzzerDriver.cpp              | 10 +++++-----
 llvm/lib/Fuzzer/test/fuzzer-singleinputs.test |  3 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)

(limited to 'llvm')

diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index 592c88a319e..10db673eda8 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -250,11 +250,11 @@ static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
   T.detach();
 }
 
-int RunOneTest(Fuzzer *F, const char *InputFilePath) {
+int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
   Unit U = FileToVector(InputFilePath);
-  Unit PreciseSizedU(U);
-  assert(PreciseSizedU.size() == PreciseSizedU.capacity());
-  F->RunOne(PreciseSizedU.data(), PreciseSizedU.size());
+  if (MaxLen && MaxLen < U.size())
+    U.resize(MaxLen);
+  F->RunOne(U.data(), U.size());
   return 0;
 }
 
@@ -380,7 +380,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
       auto StartTime = system_clock::now();
       Printf("Running: %s\n", Path.c_str());
       for (int Iter = 0; Iter < Runs; Iter++)
-        RunOneTest(&F, Path.c_str());
+        RunOneTest(&F, Path.c_str(), Options.MaxLen);
       auto StopTime = system_clock::now();
       auto MS = duration_cast<milliseconds>(StopTime - StartTime).count();
       Printf("Executed %s in %zd ms\n", Path.c_str(), (long)MS);
diff --git a/llvm/lib/Fuzzer/test/fuzzer-singleinputs.test b/llvm/lib/Fuzzer/test/fuzzer-singleinputs.test
index 3e34273b064..ca8403bff81 100644
--- a/llvm/lib/Fuzzer/test/fuzzer-singleinputs.test
+++ b/llvm/lib/Fuzzer/test/fuzzer-singleinputs.test
@@ -5,7 +5,8 @@ RUN: rm -rf  %tmp/SINGLE_INPUTS
 RUN: mkdir -p  %tmp/SINGLE_INPUTS
 RUN: echo aaa > %tmp/SINGLE_INPUTS/aaa
 RUN: echo bbb > %tmp/SINGLE_INPUTS/bbb
-RUN: LLVMFuzzer-SimpleTest %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
+RUN: LLVMFuzzer-SimpleTest            %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
+RUN: LLVMFuzzer-SimpleTest -max_len=2 %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
 RUN: rm -rf  %tmp/SINGLE_INPUTS
 SINGLE_INPUTS: LLVMFuzzer-SimpleTest: Running 2 inputs 1 time(s) each.
 SINGLE_INPUTS: aaa in
-- 
cgit v1.2.3