Merge pull request #33 from eth-hca/test/new-fuzz-targets

test: add fuzz_rlp_decode and fuzz_evm_opcode targets

Author: zacksfF

Makefile

@@ -5,6 +5,7 @@ CARGO_NIGHTLY := $(shell which cargo 2>/dev/null || echo $(HOME)/.cargo/bin/carg
         test test-unit test-property test-vector test-doc test-all test-no-default test-one \
         bench bench-hash bench-merkle bench-address bench-flow \
         fuzz fuzz-merkle fuzz-proof fuzz-witness fuzz-rlp \
+        fuzz-rlp-decode fuzz-evm-opcode fuzz-smoke \
         example-create example-spend example-verify examples \
         cli cli-help cli-demo \
         cli-create cli-derive cli-proof cli-verify cli-signing \
@@ -79,7 +80,7 @@ bench-flow:
 # Fuzz (requires nightly)
 # ─────────────────────────────────────────────
 
-fuzz: fuzz-merkle fuzz-proof fuzz-witness fuzz-rlp
+fuzz: fuzz-merkle fuzz-proof fuzz-witness fuzz-rlp fuzz-rlp-decode fuzz-evm-opcode
 
 fuzz-merkle:
 	$(CARGO_NIGHTLY) fuzz run fuzz_merkle
@@ -93,6 +94,20 @@ fuzz-witness:
 fuzz-rlp:
 	$(CARGO_NIGHTLY) fuzz run fuzz_rlp
 
+fuzz-rlp-decode:
+	$(CARGO_NIGHTLY) fuzz run fuzz_rlp_decode
+
+fuzz-evm-opcode:
+	$(CARGO_NIGHTLY) fuzz run fuzz_evm_opcode
+
+fuzz-smoke:
+	$(CARGO_NIGHTLY) fuzz run fuzz_merkle -- -max_total_time=30
+	$(CARGO_NIGHTLY) fuzz run fuzz_proof -- -max_total_time=30
+	$(CARGO_NIGHTLY) fuzz run fuzz_witness -- -max_total_time=30
+	$(CARGO_NIGHTLY) fuzz run fuzz_rlp -- -max_total_time=30
+	$(CARGO_NIGHTLY) fuzz run fuzz_rlp_decode -- -max_total_time=30
+	$(CARGO_NIGHTLY) fuzz run fuzz_evm_opcode -- -max_total_time=30
+
 # ─────────────────────────────────────────────
 # Examples
 # ─────────────────────────────────────────────

fuzz/Cargo.toml

@@ -40,3 +40,17 @@ path = "fuzz_targets/fuzz_rlp.rs"
 test = false
 doc = false
 bench = false
+
+[[bin]]
+name = "fuzz_rlp_decode"
+path = "fuzz_targets/fuzz_rlp_decode.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "fuzz_evm_opcode"
+path = "fuzz_targets/fuzz_evm_opcode.rs"
+test = false
+doc = false
+bench = false

fuzz/fuzz_targets/fuzz_evm_opcode.rs

@@ -0,0 +1,11 @@
+#![no_main]
+
+use hca_rs::evm::opcode::validate_leaf_script;
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    // Feed arbitrary bytecode — including PUSH data, truncated PUSH at EOF,
+    // banned opcodes, and random sequences — into the validator.
+    // Must never panic — only return Ok or Err.
+    let _ = validate_leaf_script(data);
+});

fuzz/fuzz_targets/fuzz_rlp_decode.rs

@@ -0,0 +1,35 @@
+#![no_main]
+
+use hca_rs::rlp::{decode_bytes, decode_hca_tx, decode_list, decode_uint};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    if data.is_empty() {
+        return;
+    }
+
+    // Use first byte to select which decoder to fuzz
+    let test_type = data[0] % 4;
+    let input = &data[1..];
+
+    match test_type {
+        0 => {
+            // Fuzz decode_bytes: malformed inputs, truncated data, oversized lengths
+            let _ = decode_bytes(input);
+        }
+        1 => {
+            // Fuzz decode_uint: should never return a value wider than u128
+            let _ = decode_uint(input);
+        }
+        2 => {
+            // Fuzz decode_list: random list prefixes, truncated payloads
+            let _ = decode_list(input);
+        }
+        3 => {
+            // Fuzz decode_hca_tx: full transaction decoding with arbitrary bytes
+            // Must never panic — only return Ok or Err
+            let _ = decode_hca_tx(input);
+        }
+        _ => unreachable!(),
+    }
+});

src/rlp.rs

@@ -253,16 +253,17 @@ pub fn decode_bytes(input: &[u8]) -> HcaResult<(Vec<u8>, usize)> {
                 len
             )));
         }
-        if input.len() < 1 + len_of_len + len {
+        let total = (1usize)
+            .checked_add(len_of_len)
+            .and_then(|n| n.checked_add(len))
+            .ok_or_else(|| HcaError::RlpDecodeError("length overflow".to_string()))?;
+        if input.len() < total {
             return Err(HcaError::RlpDecodeError(format!(
                 "long string payload truncated: need {} bytes",
                 len
             )));
         }
-        return Ok((
-            input[1 + len_of_len..1 + len_of_len + len].to_vec(),
-            1 + len_of_len + len,
-        ));
+        return Ok((input[1 + len_of_len..total].to_vec(), total));
     }
 
     Err(HcaError::RlpDecodeError(format!(
@@ -334,16 +335,17 @@ pub fn decode_list(input: &[u8]) -> HcaResult<(Vec<u8>, usize)> {
         ));
     }
     let len = decode_usize_be(&input[1..1 + len_of_len])?;
-    if input.len() < 1 + len_of_len + len {
+    let total = (1usize)
+        .checked_add(len_of_len)
+        .and_then(|n| n.checked_add(len))
+        .ok_or_else(|| HcaError::RlpDecodeError("length overflow".to_string()))?;
+    if input.len() < total {
         return Err(HcaError::RlpDecodeError(format!(
             "long list payload truncated: need {} bytes",
             len
         )));
     }
-    Ok((
-        input[1 + len_of_len..1 + len_of_len + len].to_vec(),
-        1 + len_of_len + len,
-    ))
+    Ok((input[1 + len_of_len..total].to_vec(), total))
 }
 
 /// Decode a raw HCA typed transaction.