From e489ba4ccb92af53ea823223481005384fad5e14 Mon Sep 17 00:00:00 2001
From: Phil Turnbull
Date: Fri, 16 Feb 2018 13:25:56 -0500
Subject: Check for empty buffer when rendering

For empty documents, `->size` is zero so `renderer.buffer->ptr[renderer.buffer->size - 1]` will cause an out-of-bounds read. Empty buffers always point to the global `cmark_strbuf__initbuf` buffer so we read `cmark_strbuf__initbuf[-1]`.
---
 src/render.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/render.c b/src/render.c
index 20dca5f..5abd52e 100644
--- a/src/render.c
+++ b/src/render.c
@@ -171,7 +171,7 @@ char *cmark_render(cmark_node *root, int options, int width,
 }
 // ensure final newline
- if (renderer.buffer->ptr[renderer.buffer->size - 1] != '\n') {
+ if (renderer.buffer->size == 0 || renderer.buffer->ptr[renderer.buffer->size - 1] != '\n') {
 cmark_strbuf_putc(renderer.buffer, '\n');
 }
-- cgit v1.2.3
From b04ab579a37d6645eafccfb594ed7dc64993f9da Mon Sep 17 00:00:00 2001
From: Phil Turnbull
Date: Fri, 16 Feb 2018 13:26:26 -0500
Subject: Don't discard empty fuzz test-cases

We currently discard fuzz test-cases that are empty but empty inputs are valid markdown. This improves the fuzzing coverage slightly.
---
 test/cmark-fuzz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/cmark-fuzz.c b/test/cmark-fuzz.c
index f09db52..f4f082a 100644
--- a/test/cmark-fuzz.c
+++ b/test/cmark-fuzz.c
@@ -4,7 +4,7 @@
 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 int options = 0;
- if (size > sizeof(options)) {
+ if (size >= sizeof(options)) {
 /* First 4 bytes of input are treated as options */
 int options = *(const int *)data;
-- cgit v1.2.3
From c24c432517c721b8cb8022b98d8cf734c68d2aee Mon Sep 17 00:00:00 2001
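Review bot: The guard on the added `if` line is correct, but nothing in the hunk records why the index needs protecting, so a later reader may simplify it back; expand the comment above it to `// ensure final newline; size is 0 for an empty document (ptr then aliases the shared initbuf), so guard the index`. The change also fixes observable behaviour for an empty document — the renderer now appends a single newline instead of reading before the buffer — which is worth pinning with a regression test that renders an empty document through each renderer and checks the result is exactly "\n". cmark_render's body continues outside the hunk on both sides.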
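Review bot: With `size >= sizeof(options)` an input of exactly four bytes now reaches the parser with an empty markdown string, but inputs of zero to three bytes are still never parsed (the function's tail is outside the hunk, so presumably it just returns for them), so the "empty test-cases" of the commit message are only covered when a full option prefix is present. If the goal is to parse empty input, a fallback that parses short inputs with the default `options = 0` would cover them; otherwise the comment should state what is discarded, e.g. `/* Inputs shorter than sizeof(options) are not parsed at all; only the markdown part may be empty */`. The same shape, with `sizeof(fuzz_config)`, persists in the third commit's hunk on this page. The `*(const int *)data` load on the next context line is a type-punned, possibly unaligned read of fuzzer bytes, but the third commit replaces it with `memcpy`, so nothing further is needed here.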
From: Phil Turnbull
Date: Fri, 16 Feb 2018 13:31:29 -0500
Subject: Fuzz width parameter too

Allow the `width` parameter to be generated too so we get better fuzz-coverage.
---
 test/cmark-fuzz.c | 30 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/test/cmark-fuzz.c b/test/cmark-fuzz.c
index f4f082a..9bdd3a5 100644
--- a/test/cmark-fuzz.c
+++ b/test/cmark-fuzz.c
@@ -3,24 +3,28 @@
 #include "cmark.h"
 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- int options = 0;
- if (size >= sizeof(options)) {
- /* First 4 bytes of input are treated as options */
- int options = *(const int *)data;
+ struct __attribute__((packed)) {
+ int options;
+ int width;
+ } fuzz_config;
+
+ if (size >= sizeof(fuzz_config)) {
+ /* The beginning of `data` is treated as fuzzer configuration */
+ memcpy(&fuzz_config, data, sizeof(fuzz_config));
 /* Mask off valid option bits */
- options = options & (CMARK_OPT_SOURCEPOS | CMARK_OPT_HARDBREAKS | CMARK_OPT_SAFE | CMARK_OPT_NOBREAKS | CMARK_OPT_NORMALIZE | CMARK_OPT_VALIDATE_UTF8 | CMARK_OPT_SMART);
+ fuzz_config.options &= (CMARK_OPT_SOURCEPOS | CMARK_OPT_HARDBREAKS | CMARK_OPT_SAFE | CMARK_OPT_NOBREAKS | CMARK_OPT_NORMALIZE | CMARK_OPT_VALIDATE_UTF8 | CMARK_OPT_SMART);
 /* Remainder of input is the markdown */
- const char *markdown = (const char *)(data + sizeof(options));
- const size_t markdown_size = size - sizeof(options);
- cmark_node *doc = cmark_parse_document(markdown, markdown_size, options);
+ const char *markdown = (const char *)(data + sizeof(fuzz_config));
+ const size_t markdown_size = size - sizeof(fuzz_config);
+ cmark_node *doc = cmark_parse_document(markdown, markdown_size, fuzz_config.options);
- free(cmark_render_commonmark(doc, options, 80));
- free(cmark_render_html(doc, options));
- free(cmark_render_latex(doc, options, 80));
- free(cmark_render_man(doc, options, 80));
- free(cmark_render_xml(doc, options));
+ free(cmark_render_commonmark(doc, fuzz_config.options, fuzz_config.width));
+ free(cmark_render_html(doc, fuzz_config.options));
+ free(cmark_render_latex(doc, fuzz_config.options, fuzz_config.width));
+ free(cmark_render_man(doc, fuzz_config.options, fuzz_config.width));
+ free(cmark_render_xml(doc, fuzz_config.options));
 cmark_node_free(doc);
 }
-- cgit v1.2.3
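Review bot: The added `memcpy` call needs `<string.h>`, and this hunk adds no include; only `#include "cmark.h"` is visible and the two include lines above it are outside the hunk, so unless one of them is already `<string.h>` this is an implicit declaration (a warning on older compilers, an error on recent ones) and `#include <string.h>` should be added. `__attribute__((packed))` on a struct of two `int`s removes no padding — there is none between same-sized members — and ties the harness to GCC/Clang, so a plain `struct { int options; int width; } fuzz_config;` reads cleaner with the same `sizeof` on mainstream ABIs. `fuzz_config.width` is passed to the three width-taking renderers unconstrained, negative and very large values included; that is presumably deliberate for coverage, but a one-line comment saying so, `/* width is intentionally left unmasked so the renderers see arbitrary values */`, would stop a later reader from "fixing" it, and the renderers' handling of negative widths is worth confirming. LLVMFuzzerTestOneInput's return statement is outside the hunk.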