fuzzer fixes

Author: abenso

CMakeLists.txt

@@ -41,7 +41,7 @@ set(HUNTER_TLS_VERIFY OFF)
 enable_testing()
 
 option(ENABLE_FUZZING "Build with fuzzing instrumentation and build fuzz targets" OFF)
-option(ENABLE_COVERAGE "Build with source code coverage instrumentation" OFF)
+option(ENABLE_COVERAGE "Build with source code coverage instrumentation" ON)
 option(ENABLE_SANITIZERS "Build with ASAN and UBSAN" OFF)
 
 string(APPEND CMAKE_C_FLAGS " -fno-omit-frame-pointer -g")

app/src/schema_helper.c

@@ -61,6 +61,15 @@ parser_error_t schema_move_leaf_offset(merkle_leaves_data_t *leaves, uint64_t in
     uint32_t data_length = 0;
     for (uint64_t i = 0; i < index; i++) {
         CHECK_ERROR(read_u32(&leaves->data, &data_length));
+        
+        if (data_length > UINT16_MAX) {
+            return parser_unexpected_buffer_end;
+        }
+        
+        if (leaves->data.offset > UINT16_MAX - data_length) {
+            return parser_unexpected_buffer_end;
+        }
+        
         if (leaves->data.offset + data_length > leaves->data.buffer.len) {
             return parser_unexpected_buffer_end;
         }

app/src/schema_reader.c

@@ -17,6 +17,7 @@
 #include "schema_reader.h"
 
 #include <stdint.h>
+
 #include "borsh.h"
 #include "crypto_helper.h"
 #include "schema_helper.h"

fuzz/parser_parse.cpp

@@ -5,6 +5,8 @@
 #include "parser.h"
 #include "parser_common.h"
 #include "parser_txdef.h"
+#include "schema_reader.h"
+#include "schema_txn_parser.h"
 #include "zxmacros_x64.h"
 
 #ifdef NDEBUG
@@ -16,36 +18,101 @@ using std::size_t;
 namespace {
 char PARSER_KEY[16384];
 char PARSER_VALUE[16384];
-}  // namespace
 
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-    parser_tx_t txObj;
-    MEMZERO(&txObj, sizeof(txObj));
-    parser_context_t ctx;
-    parser_error_t rc;
+// Helper function to test individual parsing functions with fresh contexts
+void test_individual_functions(const parser_context_t &base_ctx, const parser_tx_t &base_txObj) {
+    // Test merkle proofs reading independently
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+        schema_merkle_proofs_read(&ctx, &txObj);
+    }
 
-    rc = parser_parse(&ctx, data, size, &txObj);
-    if (rc != parser_ok) {
-        return 0;
+    // Test extra data reading independently
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+        schema_extra_data_read(&ctx, &txObj);
     }
 
-    rc = parser_validate(&txObj);
-    if (rc != parser_ok) {
-        return 0;
+    // Test transaction parsing independently
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+        schema_parser_transaction(&ctx, &txObj);
+    }
+
+    // Test chain hash reading independently
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+        schema_chain_hash_read(&ctx, &txObj);
+    }
+}
+
+// Helper function to test partial pipelines and return successful result
+bool test_partial_pipelines(const parser_context_t &base_ctx, const parser_tx_t &base_txObj, parser_tx_t &result_txObj) {
+    // Test pipeline starting from merkle proofs
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+
+        if (schema_merkle_proofs_read(&ctx, &txObj) == parser_ok) {
+            schema_extra_data_read(&ctx, &txObj);
+            if (schema_parser_transaction(&ctx, &txObj) == parser_ok) {
+                schema_chain_hash_read(&ctx, &txObj);
+                result_txObj = txObj;
+                return true;
+            }
+        }
+    }
+
+    // Test pipeline starting from extra data (skip merkle)
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+
+        schema_extra_data_read(&ctx, &txObj);
+        if (schema_parser_transaction(&ctx, &txObj) == parser_ok) {
+            schema_chain_hash_read(&ctx, &txObj);
+            result_txObj = txObj;
+            return true;
+        }
+    }
+
+    // Test pipeline starting from transaction parsing (skip merkle and extra)
+    {
+        parser_context_t ctx = base_ctx;
+        parser_tx_t txObj = base_txObj;
+
+        if (schema_parser_transaction(&ctx, &txObj) == parser_ok) {
+            schema_chain_hash_read(&ctx, &txObj);
+            result_txObj = txObj;
+            return true;
+        }
+    }
+
+    return false;
+}
+
+// Helper function to test and iterate through parsed items
+void test_parser_output(parser_tx_t &txObj) {
+    if (parser_validate(&txObj) != parser_ok) {
+        return;
     }
 
     uint8_t num_items;
-    rc = parser_getNumItems(&txObj, &num_items);
-    if (rc != parser_ok) {
+    if (parser_getNumItems(&txObj, &num_items) != parser_ok) {
         assert(false);
     }
 
     for (uint8_t i = 0; i < num_items; i += 1) {
         uint8_t page_idx = 0;
         uint8_t page_count = 1;
+
         while (page_idx < page_count) {
-            rc = parser_getItem(&txObj, i, PARSER_KEY, sizeof(PARSER_KEY), PARSER_VALUE, sizeof(PARSER_VALUE), page_idx,
-                                &page_count);
+            const parser_error_t rc = parser_getItem(&txObj, i, PARSER_KEY, sizeof(PARSER_KEY), PARSER_VALUE, sizeof(PARSER_VALUE),
+                                               page_idx, &page_count);
 
             if (rc != parser_ok) {
                 (void)fprintf(stderr, "error getting item %u at page index %u: %s\n", (unsigned)i, (unsigned)page_idx,
@@ -56,6 +123,30 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             page_idx += 1;
         }
     }
+}
+
+}  // namespace
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    parser_tx_t txObj;
+    MEMZERO(&txObj, sizeof(txObj));
+    parser_context_t ctx;
+
+    const parser_error_t rc = parser_init_context(&ctx, data, size);
+    if (rc != parser_ok) {
+        return 0;
+    }
+
+    // Test individual parsing functions independently to maximize coverage
+    // This prevents early validation failures from blocking coverage of later stages
+    test_individual_functions(ctx, txObj);
+
+    // Test partial pipelines with different entry points
+    parser_tx_t result_txObj;
+    if (test_partial_pipelines(ctx, txObj, result_txObj)) {
+        // Test parser output with the successful result (no redundant parsing)
+        test_parser_output(result_txObj);
+    }
 
     return 0;
 }

fuzz/run-fuzzers.py

@@ -5,7 +5,7 @@
 import shlex
 import subprocess
 
-MAX_SECONDS_PER_RUN = 600
+MAX_SECONDS_PER_RUN = 6
 MUTATE_DEPTH = random.randint(1, 20)
 
 # Create coverage directory specifically in fuzz/coverage
@@ -69,7 +69,7 @@
     cmd = [fuzz_path, f'-max_total_time={max_time}',
            f'-timeout=20',
            f'-rss_limit_mb=2048',
-           f'-jobs=16',
+           f'-jobs=8',
            f'-max_len={max_len}',
            f'-mutate_depth={MUTATE_DEPTH}',
            f'-artifact_prefix={artifact_dir}/',

tests/parser_impl.cpp

@@ -286,7 +286,8 @@ TEST(SCALE, MultiProofTest) {
 //     parser_tx_t tx_obj = {0};
 //     parser_error_t err;
 //     uint8_t buffer[12000];
-//     auto bufferLen = parseHexString(buffer, sizeof(buffer), "000000000000000002000000000000000000000000008181818181818181818581818181818181818181818183818181818a8181816c5f02007060000081818181e70000ff00818181818181818100000000000000000093939393939393939393939393939393939393939393939393939393939393939393939393939393939393139393939393939393939393939300000d8181");
+//     auto bufferLen = parseHexString(buffer, sizeof(buffer),
+//     "000000000000000002000000000000000000000000008181818181818181818581818181818181818181818183818181818a8181816c5f02007060000081818181e70000ff00818181818181818100000000000000000093939393939393939393939393939393939393939393939393939393939393939393939393939393939393139393939393939393939393939300000d8181");
 
 //     ctx.buffer.ptr = buffer;
 //     ctx.buffer.len = bufferLen;