Add instance_create_advanced_fuzzer runner

OSS-Fuzz added an 'advanced' fuzzer which creates multiple files by
parsing the fuzz input file into multiple separate files. To add the
fuzz test we needed to recreate the same logic that enables creating
files.

Author: charles-lunarg

tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-4788849181261824

@@ -63,6 +63,12 @@
 
 enum class GpuType { unspecified, integrated, discrete, external };
 
+struct TempFile {
+    explicit TempFile(std::filesystem::path filename) : filename(filename) {}
+    ~TempFile() { std::filesystem::remove(filename); }
+    std::filesystem::path filename;
+};
+
 #if defined(_WIN32)
 #define VK_VARIANT_REG_STR ""
 #define VK_VARIANT_REG_STR_W L""
@@ -231,6 +237,8 @@ struct PlatformShim {
     std::string bundle_contents;
 #endif
 #endif
+    std::vector<uint8_t> fuzz_data;
+    std::vector<TempFile> temp_fuzz_files;
     bool is_finished_setup = false;
     bool is_during_destruction = false;
 };

tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-5612556809207808

@@ -27,6 +27,8 @@
 
 #include "shim.h"
 
+#include <cstring>
+
 #include <algorithm>
 #include <iostream>
 
@@ -266,17 +268,32 @@ FRAMEWORK_EXPORT FILE* FOPEN_FUNC_NAME(const char* in_filename, const char* mode
     if (platform_shim.is_during_destruction || !platform_shim.is_finished_setup) {
         return real_fopen(in_filename, mode);
     }
-
+    FILE* out_file = nullptr;
     std::filesystem::path path{in_filename};
     if (!path.has_parent_path()) {
-        return real_fopen(in_filename, mode);
+        out_file = real_fopen(in_filename, mode);
     } else if (auto real_path = platform_shim.file_system_manager->get_real_path_of_redirected_path(path.parent_path());
                !real_path.empty()) {
         real_path /= path.filename();
-        return real_fopen(real_path.c_str(), mode);
+        out_file = real_fopen(real_path.c_str(), mode);
     } else {
-        return real_fopen(in_filename, mode);
+        out_file = real_fopen(in_filename, mode);
+    }
+
+    // Fuzz tests have sub files embedded in the input data file. This
+    if (!platform_shim.fuzz_data.empty() && out_file == NULL) {
+        fprintf(stderr, "create_callback_file: Creating file %s\n", in_filename);
+        FILE* fp = fopen(in_filename, "wb");
+        if (nullptr == fp) {
+            abort();
+        }
+        fwrite(platform_shim.fuzz_data.data(), platform_shim.fuzz_data.size(), 1, fp);
+        fclose(fp);
+        platform_shim.temp_fuzz_files.emplace_back(in_filename);
+
+        out_file = fopen(in_filename, "rb");
     }
+    return out_file;
 }
 
 FRAMEWORK_EXPORT void* DLOPEN_FUNC_NAME(const char* in_filename, int flags) {

tests/framework/shim/shim.h

@@ -25,7 +25,9 @@
  * Author: Charles Giessen <[email protected]>
  */
 
-#include "test_environment.h"
+#include "framework/test_environment.h"
+
+#include <fstream>
 
 extern "C" {
 #include "loader.h"
@@ -45,14 +47,10 @@ void execute_instance_enumerate_fuzzer(std::filesystem::path const& filename) {
 
     env.vulkan_functions.vkEnumerateInstanceExtensionProperties("test_auto", &pPropertyCount, &pProperties);
 }
-void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
-    FrameworkEnvironment env{};
-    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
-                               ManifestCategory::implicit_layer, ManifestLocation::implicit_layer, "complex_layer.json");
-    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
-                               ManifestCategory::settings, ManifestLocation::settings_location, "vk_loader_settings.json");
-    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
-                               ManifestCategory::icd, ManifestLocation::driver, "icd_test.json");
+// Common code for execute_instance_create_fuzzer and execute_instance_create_fuzzer_advanced
+void execute_instance_create_fuzzer_logic(FrameworkEnvironment& env) {
+    EnvVarWrapper enable_all_layers("VK_LOADER_LAYERS_ENABLE", "all");
+
     VkInstance inst = {0};
     const char* instance_layers[] = {"VK_LAYER_KHRONOS_validation", "VK_LAYER_test_layer_1", "VK_LAYER_test_layer_2"};
     VkApplicationInfo app{};
@@ -81,6 +79,53 @@ void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
     env.vulkan_functions.vkDestroyInstance(inst, NULL);
 }
 
+void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
+    FrameworkEnvironment env{};
+    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
+                               ManifestCategory::implicit_layer, ManifestLocation::unsecured_implicit_layer, "complex_layer.json");
+    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
+                               ManifestCategory::settings, ManifestLocation::unsecured_settings, "vk_loader_settings.json");
+    env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
+                               ManifestCategory::icd, ManifestLocation::unsecured_driver, "icd_test.json");
+
+    execute_instance_create_fuzzer_logic(env);
+}
+
+void execute_instance_create_advanced_fuzzer(std::filesystem::path const& filename) {
+    FrameworkEnvironment env{};
+
+    // The file actually contains three subfiles with their lengths specified in the first 12 bytes of the file.
+    auto source_file = std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename;
+    std::fstream file{source_file.string(), std::ios_base::in | std::ios_base::binary};
+    ASSERT_TRUE(file.is_open());
+    std::stringstream file_stream;
+    file_stream << file.rdbuf();
+
+    auto data_string = file_stream.str();
+    auto data_cstring = data_string.c_str();
+    std::array<uint64_t, 3> sections;
+    memcpy(sections.data(), data_cstring, sizeof(uint64_t) * 3);
+    sections[0] = sections[0] % 40000;
+    sections[1] = sections[1] % 40000;
+    sections[2] = sections[2] % 40000;
+
+    uint64_t data_index = 3 * sizeof(uint64_t);
+    std::string first = data_string.substr(data_index, sections[0]);
+    data_index += sections[0];
+    std::string second = data_string.substr(data_index, sections[1]);
+    data_index += sections[1];
+    std::string third = data_string.substr(data_index, sections[2]);
+    data_index += sections[2];
+
+    env.platform_shim->fuzz_data.resize(data_string.size() - data_index);
+    memcpy(env.platform_shim->fuzz_data.data(), data_cstring + data_index, env.platform_shim->fuzz_data.size());
+
+    env.write_file_from_string(first, ManifestCategory::implicit_layer, ManifestLocation::implicit_layer, "complex_layer.json");
+    env.write_file_from_string(second, ManifestCategory::settings, ManifestLocation::settings_location, "vk_loader_settings.json");
+    env.write_file_from_string(third, ManifestCategory::settings, ManifestLocation::settings_location, "icd_test.json");
+
+    execute_instance_create_fuzzer_logic(env);
+}
 void execute_json_load_fuzzer(std::string const& filename) {
     FrameworkEnvironment env{};
 
@@ -208,6 +253,12 @@ TEST(BadJsonInput, ClusterFuzzTestCase_5817896795701248) {
 TEST(BadJsonInput, ClusterFuzzTestCase_6541440380895232) {
     execute_instance_create_fuzzer("clusterfuzz-testcase-instance_create_fuzzer-6541440380895232");
 }
+TEST(BadJsonInput, ClusterFuzzTestCase_5612556809207808) {
+    execute_instance_create_advanced_fuzzer("clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-5612556809207808");
+}
+TEST(BadJsonInput, ClusterFuzzTestCase_4788849181261824) {
+    execute_instance_create_advanced_fuzzer("clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-4788849181261824");
+}
 TEST(BadJsonInput, ClusterFuzzTestCase_6465902356791296) {
     // Does crash with UBSAN
     // Doesn't crash with ASAN