
Commit e7ddbd9

tests: Add fuzzing harness for CScriptNum operations
1 parent 65a52a0 commit e7ddbd9


2 files changed

+144
-0
lines changed

2 files changed

+144
-0
lines changed

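--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -62,6 +62,7 @@ FUZZ_TARGETS = \
 test/fuzz/script_deserialize \
 test/fuzz/script_flags \
 test/fuzz/script_ops \
+test/fuzz/scriptnum_ops \
 test/fuzz/service_deserialize \
 test/fuzz/spanparsing \
 test/fuzz/strprintf \
@@ -597,6 +598,12 @@ test_fuzz_script_ops_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_script_ops_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_script_ops_SOURCES = $(FUZZ_SUITE) test/fuzz/script_ops.cpp
 
+test_fuzz_scriptnum_ops_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_scriptnum_ops_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_scriptnum_ops_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_scriptnum_ops_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_scriptnum_ops_SOURCES = $(FUZZ_SUITE) test/fuzz/scriptnum_ops.cpp
+
 test_fuzz_service_deserialize_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -DSERVICE_DESERIALIZE=1
 test_fuzz_service_deserialize_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_service_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)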

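--- /dev/null
+++ b/src/test/fuzz/scriptnum_ops.cpp
@@ -0,0 +1,137 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <script/script.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cassert>
+#include <cstdint>
+#include <limits>
+#include <vector>
+
+namespace {
+bool IsValidAddition(const CScriptNum& lhs, const CScriptNum& rhs)
+{
+return rhs == 0 || (rhs > 0 && lhs <= CScriptNum{std::numeric_limits<int64_t>::max()} - rhs) || (rhs < 0 && lhs >= CScriptNum{std::numeric_limits<int64_t>::min()} - rhs);
+}
+
+bool IsValidSubtraction(const CScriptNum& lhs, const CScriptNum& rhs)
+{
+return rhs == 0 || (rhs > 0 && lhs >= CScriptNum{std::numeric_limits<int64_t>::min()} + rhs) || (rhs < 0 && lhs <= CScriptNum{std::numeric_limits<int64_t>::max()} + rhs);
+}
+} // namespace
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+CScriptNum script_num = ConsumeScriptNum(fuzzed_data_provider);
+while (fuzzed_data_provider.remaining_bytes() > 0) {
+switch (fuzzed_data_provider.ConsumeIntegralInRange(0, 11)) {
+case 0: {
+const int64_t i = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+assert((script_num == i) != (script_num != i));
+assert((script_num <= i) != script_num > i);
+assert((script_num >= i) != (script_num < i));
+// Avoid signed integer overflow:
+// script/script.h:264:93: runtime error: signed integer overflow: -2261405121394637306 + -9223372036854775802 cannot be represented in type 'long'
+if (IsValidAddition(script_num, CScriptNum{i})) {
+assert((script_num + i) - i == script_num);
+}
+// Avoid signed integer overflow:
+// script/script.h:265:93: runtime error: signed integer overflow: 9223371895120855039 - -9223372036854710486 cannot be represented in type 'long'
+if (IsValidSubtraction(script_num, CScriptNum{i})) {
+assert((script_num - i) + i == script_num);
+}
+break;
+}
+case 1: {
+const CScriptNum random_script_num = ConsumeScriptNum(fuzzed_data_provider);
+assert((script_num == random_script_num) != (script_num != random_script_num));
+assert((script_num <= random_script_num) != (script_num > random_script_num));
+assert((script_num >= random_script_num) != (script_num < random_script_num));
+// Avoid signed integer overflow:
+// script/script.h:264:93: runtime error: signed integer overflow: -9223126527765971126 + -9223372036854756825 cannot be represented in type 'long'
+if (IsValidAddition(script_num, random_script_num)) {
+assert((script_num + random_script_num) - random_script_num == script_num);
+}
+// Avoid signed integer overflow:
+// script/script.h:265:93: runtime error: signed integer overflow: 6052837899185946624 - -9223372036854775808 cannot be represented in type 'long'
+if (IsValidSubtraction(script_num, random_script_num)) {
+assert((script_num - random_script_num) + random_script_num == script_num);
+}
+break;
+}
+case 2: {
+const CScriptNum random_script_num = ConsumeScriptNum(fuzzed_data_provider);
+if (!IsValidAddition(script_num, random_script_num)) {
+// Avoid assertion failure:
+// ./script/script.h:292: CScriptNum &CScriptNum::operator+=(const int64_t &): Assertion `rhs == 0 || (rhs > 0 && m_value <= std::numeric_limits<int64_t>::max() - rhs) || (rhs < 0 && m_value >= std::numeric_limits<int64_t>::min() - rhs)' failed.
+break;
+}
+script_num += random_script_num;
+break;
+}
+case 3: {
+const CScriptNum random_script_num = ConsumeScriptNum(fuzzed_data_provider);
+if (!IsValidSubtraction(script_num, random_script_num)) {
+// Avoid assertion failure:
+// ./script/script.h:300: CScriptNum &CScriptNum::operator-=(const int64_t &): Assertion `rhs == 0 || (rhs > 0 && m_value >= std::numeric_limits<int64_t>::min() + rhs) || (rhs < 0 && m_value <= std::numeric_limits<int64_t>::max() + rhs)' failed.
+break;
+}
+script_num -= random_script_num;
+break;
+}
+case 4:
+script_num = script_num & fuzzed_data_provider.ConsumeIntegral<int64_t>();
+break;
+case 5:
+script_num = script_num & ConsumeScriptNum(fuzzed_data_provider);
+break;
+case 6:
+script_num &= ConsumeScriptNum(fuzzed_data_provider);
+break;
+case 7:
+if (script_num == CScriptNum{std::numeric_limits<int64_t>::min()}) {
+// Avoid assertion failure:
+// ./script/script.h:279: CScriptNum CScriptNum::operator-() const: Assertion `m_value != std::numeric_limits<int64_t>::min()' failed.
+break;
+}
+script_num = -script_num;
+break;
+case 8:
+script_num = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+break;
+case 9: {
+const int64_t random_integer = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+if (!IsValidAddition(script_num, CScriptNum{random_integer})) {
+// Avoid assertion failure:
+// ./script/script.h:292: CScriptNum &CScriptNum::operator+=(const int64_t &): Assertion `rhs == 0 || (rhs > 0 && m_value <= std::numeric_limits<int64_t>::max() - rhs) || (rhs < 0 && m_value >= std::numeric_limits<int64_t>::min() - rhs)' failed.
+break;
+}
+script_num += random_integer;
+break;
+}
+case 10: {
+const int64_t random_integer = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+if (!IsValidSubtraction(script_num, CScriptNum{random_integer})) {
+// Avoid assertion failure:
+// ./script/script.h:300: CScriptNum &CScriptNum::operator-=(const int64_t &): Assertion `rhs == 0 || (rhs > 0 && m_value >= std::numeric_limits<int64_t>::min() + rhs) || (rhs < 0 && m_value <= std::numeric_limits<int64_t>::max() + rhs)' failed.
+break;
+}
+script_num -= random_integer;
+break;
+}
+case 11:
+script_num &= fuzzed_data_provider.ConsumeIntegral<int64_t>();
+break;
+}
+// Avoid negation failure:
+// script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
+if (script_num != CScriptNum{std::numeric_limits<int64_t>::min()}) {
+(void)script_num.getvch();
+}
+}
+}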
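Review bot: IsValidAddition and IsValidSubtraction (new-file lines 16–24) restate the precondition that CScriptNum::operator+= and operator-= assert — the assertion text quoted in the comments of cases 2, 3, 9 and 10 is the same predicate — but nothing documents that the helper and the library check must stay in sync; if the library's precondition ever changes, the harness would abort on an input it meant to skip instead of exercising the operator. A header comment on each helper would make the coupling explicit, e.g. `// Mirrors the overflow precondition asserted by CScriptNum::operator+= in script/script.h; keep in sync.` for IsValidAddition and the operator-= counterpart for IsValidSubtraction. On a point of style, the second assertion in case 0, `assert((script_num <= i) != script_num > i);`, relies on `>` binding tighter than `!=` while every sibling assertion parenthesizes both operands; `assert((script_num <= i) != (script_num > i));` reads the same as its neighbours. The guarded `(void)script_num.getvch();` at the end of the loop discards the serialized form, so it only checks that serialization does not trap; if a deserialize round-trip is intended as a follow-up, a short TODO there would record that.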
