97 lines
2.4 KiB
C
97 lines
2.4 KiB
C
/*
|
|
* zzuf - general purpose fuzzer
|
|
* Copyright (c) 2006 Sam Hocevar <sam@zoy.org>
|
|
* All Rights Reserved
|
|
*
|
|
* $Id$
|
|
*
|
|
* This program is free software. It comes without any warranty, to
|
|
* the extent permitted by applicable law. You can redistribute it
|
|
* and/or modify it under the terms of the Do What The Fuck You Want
|
|
* To Public License, Version 2, as published by Sam Hocevar. See
|
|
* http://sam.zoy.org/wtfpl/COPYING for more details.
|
|
*/
|
|
|
|
/*
|
|
* fuzz.c: fuzz functions
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#if defined HAVE_STDINT_H
|
|
# include <stdint.h>
|
|
#elif defined HAVE_INTTYPES_H
|
|
# include <inttypes.h>
|
|
#endif
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "libzzuf.h"
|
|
#include "debug.h"
|
|
#include "random.h"
|
|
#include "fuzz.h"
|
|
|
|
#define MAGIC1 0x33ea84f7
|
|
#define MAGIC2 0x783bc31f
|
|
|
|
void _zz_fuzz(int fd, uint8_t *buf, uint64_t len)
|
|
{
|
|
uint64_t start, stop;
|
|
struct fuzz *fuzz;
|
|
uint8_t *aligned_buf;
|
|
unsigned long int pos = _zz_getpos(fd);
|
|
unsigned int i, j, todo;
|
|
|
|
/*
|
|
debug("fuzz(%i, %lli@%li)", fd, (unsigned long long int)len,
|
|
(unsigned long int)pos);
|
|
*/
|
|
|
|
fuzz = _zz_getfuzz(fd);
|
|
aligned_buf = buf - pos;
|
|
|
|
for(i = pos / CHUNKBYTES;
|
|
i < (pos + len + CHUNKBYTES - 1) / CHUNKBYTES;
|
|
i++)
|
|
{
|
|
/* Cache bitmask array */
|
|
if(fuzz->cur != (int)i)
|
|
{
|
|
uint32_t chunkseed = i * MAGIC1;
|
|
|
|
memset(fuzz->data, 0, CHUNKBYTES);
|
|
|
|
/* Add some random dithering to handle ratio < 1.0/CHUNKBYTES */
|
|
_zz_srand(_zz_seed ^ chunkseed);
|
|
todo = (int)((_zz_ratio * (8 * CHUNKBYTES * 1000)
|
|
+ _zz_rand(1000)) / 1000.0);
|
|
_zz_srand(_zz_seed ^ chunkseed ^ (todo * MAGIC2));
|
|
|
|
while(todo--)
|
|
{
|
|
unsigned int idx = _zz_rand(CHUNKBYTES);
|
|
uint8_t bit = (1 << _zz_rand(8));
|
|
|
|
fuzz->data[idx] ^= bit;
|
|
}
|
|
|
|
fuzz->cur = i;
|
|
}
|
|
|
|
/* Apply our bitmask array to the buffer */
|
|
start = (i * CHUNKBYTES > pos) ? i * CHUNKBYTES : pos;
|
|
|
|
stop = ((i + 1) * CHUNKBYTES < pos + len)
|
|
? (i + 1) * CHUNKBYTES : pos + len;
|
|
|
|
for(j = start; j < stop; j++)
|
|
{
|
|
if(_zz_protect[aligned_buf[j]])
|
|
continue;
|
|
|
|
aligned_buf[j] ^= fuzz->data[j % CHUNKBYTES];
|
|
}
|
|
}
|
|
}
|
|
|