authorCeyhun Alp <ceyhunalp@google.com>2020-10-30 00:41:41 +0000
committerAlbert Astals Cid <tsdgeos@yahoo.es>2020-11-27 12:23:31 +0000
commit44af15369a974b2b26a10fa3f4f99ba8e7542bd9 (patch)
treeb92fdd1306864bd44ecf7e7b4dfc635f6e414a9d /cpp
parent919a71e52110774f461cbe079a5ed65cf8f48c91 (diff)
Fixing null-terminated string parameters
Diffstat (limited to 'cpp')
-rw-r--r--cpp/tests/fuzzing/doc_fuzzer.cc19
-rw-r--r--cpp/tests/fuzzing/page_label_fuzzer.cc16
-rw-r--r--cpp/tests/fuzzing/page_search_fuzzer.cc14
-rw-r--r--cpp/tests/fuzzing/pdf_file_fuzzer.cc4
-rw-r--r--cpp/tests/fuzzing/pdf_fuzzer.cc25
5 files changed, 38 insertions, 40 deletions
diff --git a/cpp/tests/fuzzing/doc_fuzzer.cc b/cpp/tests/fuzzing/doc_fuzzer.cc
index 520649c7..1769ce40 100644
--- a/cpp/tests/fuzzing/doc_fuzzer.cc
+++ b/cpp/tests/fuzzing/doc_fuzzer.cc
@@ -1,16 +1,19 @@
#include <cstdint>
-#include <poppler-global.h>
#include <poppler-document.h>
-#include <poppler-page.h>
+#include <poppler-global.h>
#include "FuzzedDataProvider.h"
const size_t input_size = 32;
+const size_t count = 6;
static void dummy_error_function(const std::string &, void *) { }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ if (size < input_size * count) {
+ return 0;
+ }
poppler::set_debug_error_function(dummy_error_function, nullptr);
poppler::document *doc = poppler::document::load_from_raw_data((const char *)data, size);
if (!doc || doc->is_locked()) {
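Review bot: The new file-scope constant `count` has a generic name, and nothing ties its value of 6 to the six metadata setters further down, so adding or removing a field can silently desynchronise the `size < input_size * count` guard. A name such as `field_count`, with a comment like `// one input_size-byte chunk per metadata setter below`, would make the coupling visible. The code that consumes the chunks is outside this hunk, so the exact relationship should be confirmed there.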
@@ -34,12 +37,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
doc->set_subject(poppler::ustring::from_latin1(in_sub));
doc->set_title(poppler::ustring::from_latin1(in_title));
- doc->set_author(poppler::ustring::from_utf8((const char *)data, size));
- doc->set_creator(poppler::ustring::from_utf8((const char *)data, size));
- doc->set_keywords(poppler::ustring::from_utf8((const char *)data, size));
- doc->set_producer(poppler::ustring::from_utf8((const char *)data, size));
- doc->set_subject(poppler::ustring::from_utf8((const char *)data, size));
- doc->set_title(poppler::ustring::from_utf8((const char *)data, size));
+ doc->set_author(poppler::ustring::from_utf8(in_auth.c_str(), -1));
+ doc->set_creator(poppler::ustring::from_utf8(in_creat.c_str(), -1));
+ doc->set_keywords(poppler::ustring::from_utf8(in_key.c_str(), -1));
+ doc->set_producer(poppler::ustring::from_utf8(in_prod.c_str(), -1));
+ doc->set_subject(poppler::ustring::from_utf8(in_sub.c_str(), -1));
+ doc->set_title(poppler::ustring::from_utf8(in_title.c_str(), -1));
delete doc;
return 0;
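Review bot: Passing `in_auth.c_str(), -1` (and the same for the other five setters) presumably makes `from_utf8` measure the string up to its first NUL, so any bytes the fuzzer places after an embedded zero byte never reach the UTF-8 decoder. The std::string already carries its length, so `from_utf8(in_auth.data(), static_cast<int>(in_auth.size()))` would feed every consumed byte to the conversion. It stays in bounds because `data()` is NUL-terminated even if the callee falls back to strlen. The same pattern appears in page_label_fuzzer.cc (`in_label`) and page_search_fuzzer.cc (`in_text`). The `in_*` strings are declared outside this hunk and the function's closing brace lies past its end.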
diff --git a/cpp/tests/fuzzing/page_label_fuzzer.cc b/cpp/tests/fuzzing/page_label_fuzzer.cc
index 19106036..467be74a 100644
--- a/cpp/tests/fuzzing/page_label_fuzzer.cc
+++ b/cpp/tests/fuzzing/page_label_fuzzer.cc
@@ -1,14 +1,20 @@
#include <cstdint>
-
-#include <poppler-global.h>
#include <poppler-document.h>
+#include <poppler-global.h>
#include <poppler-page.h>
#include <poppler-page-renderer.h>
+#include "FuzzedDataProvider.h"
+
+const size_t input_size = 32;
+
static void dummy_error_function(const std::string &, void *) { }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ if (size < input_size) {
+ return 0;
+ }
poppler::set_debug_error_function(dummy_error_function, nullptr);
poppler::document *doc = poppler::document::load_from_raw_data((const char *)data, size);
@@ -18,13 +24,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
}
poppler::page_renderer r;
+ FuzzedDataProvider data_provider(data, size);
+ std::string in_label = data_provider.ConsumeBytesAsString(input_size);
for (int i = 0; i < doc->pages(); i++) {
- poppler::ustring label = poppler::ustring::from_utf8((const char *)data, size);
- poppler::page *p = doc->create_page(label);
+ poppler::page *p = doc->create_page(poppler::ustring::from_utf8(in_label.c_str(), -1));
if (!p) {
continue;
}
r.render_page(p);
+ p->label();
delete p;
}
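Review bot: `in_label` is consumed from the front of the same buffer that the previous hunk hands whole to `load_from_raw_data`, so for any input that parses as a PDF the label is effectively the file's first 32 header bytes and cannot vary independently of the document. Splitting the input would decouple the two: construct the provider first, consume the label, then load the document from `const std::string pdf = data_provider.ConsumeRemainingBytesAsString();` via `load_from_raw_data(pdf.data(), pdf.size())`, keeping `pdf` alive until `doc` is deleted in case the document does not copy the buffer. page_search_fuzzer.cc has the same arrangement for `in_text`. Separately, the `from_utf8` conversion does not depend on `i` and could be hoisted above the `for`.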
diff --git a/cpp/tests/fuzzing/page_search_fuzzer.cc b/cpp/tests/fuzzing/page_search_fuzzer.cc
index 6427976c..1c6977f2 100644
--- a/cpp/tests/fuzzing/page_search_fuzzer.cc
+++ b/cpp/tests/fuzzing/page_search_fuzzer.cc
@@ -1,14 +1,20 @@
#include <cstdint>
-
-#include <poppler-global.h>
#include <poppler-document.h>
+#include <poppler-global.h>
#include <poppler-page.h>
#include <poppler-page-renderer.h>
+#include "FuzzedDataProvider.h"
+
+const size_t input_size = 32;
+
static void dummy_error_function(const std::string &, void *) { }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
+ if (size < input_size) {
+ return 0;
+ }
poppler::set_debug_error_function(dummy_error_function, nullptr);
poppler::document *doc = poppler::document::load_from_raw_data((const char *)data, size);
@@ -18,13 +24,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
}
poppler::page_renderer r;
+ FuzzedDataProvider data_provider(data, size);
+ std::string in_text = data_provider.ConsumeBytesAsString(input_size);
for (int i = 0; i < doc->pages(); i++) {
poppler::page *p = doc->create_page(i);
if (!p) {
continue;
}
poppler::rectf rect = p->page_rect();
- poppler::ustring text = poppler::ustring::from_utf8((const char *)data, size);
+ poppler::ustring text = poppler::ustring::from_utf8(in_text.c_str(), -1);
p->search(text, rect, poppler::page::search_from_top, poppler::case_insensitive, poppler::rotate_0);
r.render_page(p);
delete p;
diff --git a/cpp/tests/fuzzing/pdf_file_fuzzer.cc b/cpp/tests/fuzzing/pdf_file_fuzzer.cc
index 6a682a17..10374e8b 100644
--- a/cpp/tests/fuzzing/pdf_file_fuzzer.cc
+++ b/cpp/tests/fuzzing/pdf_file_fuzzer.cc
@@ -1,8 +1,6 @@
#include <cstdint>
-#include <string>
-
-#include <poppler-global.h>
#include <poppler-document.h>
+#include <poppler-global.h>
#include <poppler-page.h>
#include <poppler-page-renderer.h>
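Review bot: Dropping `#include <string>` leaves any remaining use of std::string in this file dependent on a transitive include from the poppler headers. The sibling fuzzers in this commit name `const std::string &` in `dummy_error_function`, and the rest of this file is outside the hunk, so the same likely applies here. Keeping `#include <string>` next to `#include <cstdint>` follows include-what-you-use and protects the harness from upstream header changes.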
diff --git a/cpp/tests/fuzzing/pdf_fuzzer.cc b/cpp/tests/fuzzing/pdf_fuzzer.cc
index 71cc9ae6..90cad426 100644
--- a/cpp/tests/fuzzing/pdf_fuzzer.cc
+++ b/cpp/tests/fuzzing/pdf_fuzzer.cc
@@ -1,34 +1,15 @@
-/*
-# Copyright 2018 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-*/
-
#include <cstdint>
-
#include <poppler-destination.h>
-#include <poppler-global.h>
#include <poppler-document.h>
+#include <poppler-global.h>
#include <poppler-page.h>
#include <poppler-page-renderer.h>
-static void nop_func(const std::string &msg, void *) {};
+static void dummy_error_function(const std::string &, void *) { }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- poppler::set_debug_error_function(nop_func, nullptr);
+ poppler::set_debug_error_function(dummy_error_function, nullptr);
poppler::document *doc = poppler::document::load_from_raw_data((const char *)data, size);
if (!doc || doc->is_locked()) {
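Review bot: After this hunk the file carries no licence or copyright notice: the Apache-2.0 header is deleted, nothing replaces it, and the commit message ("Fixing null-terminated string parameters") does not mention the change. The other fuzzers touched here also start directly at `#include <cstdint>`, so the removal may be intended for consistency. A provenance change is still worth its own commit, or at least a line in the description, with whatever notice the project normally uses placed at the top of the file. The function body continues past the end of the hunk.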