Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access

icu4c/source/test/fuzzer/list_format_fuzzer.cpp

@@ -22,19 +22,28 @@ void TestFormat(icu::ListFormatter* listFormat, const icu::UnicodeString* items)
 }
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     uint16_t rnd;
-    UListFormatterType type;
-    UListFormatterWidth width;
-    if (size < sizeof(rnd) + sizeof(type) + sizeof(width)) return 0;
+    int32_t raw_type;
+    int32_t raw_width;
+    if (size < sizeof(rnd) + sizeof(raw_type) + sizeof(raw_width)) return 0;
     icu::StringPiece fuzzData(reinterpret_cast<const char *>(data), size);
 
     std::memcpy(&rnd, fuzzData.data(), sizeof(rnd));
     icu::Locale locale = GetRandomLocale(rnd);
     fuzzData.remove_prefix(sizeof(rnd));
 
-    std::memcpy(&type, fuzzData.data(), sizeof(type));
-    fuzzData.remove_prefix(sizeof(type));
-    std::memcpy(&width, fuzzData.data(), sizeof(width));
-    fuzzData.remove_prefix(sizeof(width));
+    std::memcpy(&raw_type, fuzzData.data(), sizeof(raw_type));
+    fuzzData.remove_prefix(sizeof(raw_type));
+    std::memcpy(&raw_width, fuzzData.data(), sizeof(raw_width));
+    fuzzData.remove_prefix(sizeof(raw_width));
+
+    // Ensure non-negative before modulo.
+    int32_t type_index = raw_type < 0 ? -raw_type : raw_type;
+    int32_t width_index = raw_width < 0 ? -raw_width : raw_width;
+
+    UListFormatterType type = static_cast<UListFormatterType>(
+        type_index % (static_cast<int>(ULISTFMT_TYPE_UNITS) + 1));
+    UListFormatterWidth width = static_cast<UListFormatterWidth>(
+        width_index % (static_cast<int>(ULISTFMT_WIDTH_NARROW) + 1));
 
     size_t len = fuzzData.size() / sizeof(char16_t);
     icu::UnicodeString text(false, reinterpret_cast<const char16_t*>(fuzzData.data()), len);
@@ -54,16 +63,5 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
         TestFormat(listFormat.get(), items);
     }
 
-    status = U_ZERO_ERROR;
-    type = static_cast<UListFormatterType>(
-        static_cast<int>(type) % (static_cast<int>(ULISTFMT_TYPE_UNITS) + 1));
-    width = static_cast<UListFormatterWidth>(
-        static_cast<int>(width) % (static_cast<int>(ULISTFMT_WIDTH_NARROW) + 1));
-    listFormat.reset(
-        icu::ListFormatter::createInstance(locale, type, width, status));
-    if (U_SUCCESS(status)) {
-        TestFormat(listFormat.get(), items);
-    }
-
     return EXIT_SUCCESS;
 }

icu4c/source/test/fuzzer/uregex_open_fuzzer.cpp

@@ -4,21 +4,41 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <string.h>
-
+#include <memory>
 
 #include "fuzzer_utils.h"
 #include "unicode/regex.h"
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Need at least 1 byte for flags + 2 bytes for a char16_t pattern
+  if (size < 3) {
+    return 0;
+  }
+
+  // Use first byte to derive regex flags
+  uint32_t flags = data[0];
+  const uint8_t* pattern_data = data + 1;
+  size_t pattern_size = size - 1;
+
+  // Round down to even size for char16_t alignment
+  size_t unistr_size = pattern_size / sizeof(char16_t);
+  if (unistr_size == 0) {
+    return 0;
+  }
+
+  // Copy to properly aligned buffer
+  std::unique_ptr<char16_t[]> fuzzbuff(new char16_t[unistr_size]);
+  std::memcpy(fuzzbuff.get(), pattern_data, unistr_size * sizeof(char16_t));
+
   UParseError pe = { 0, 0, {0}, {0} };
   UErrorCode status = U_ZERO_ERROR;
 
-  URegularExpression* re = uregex_open(reinterpret_cast<const char16_t*>(data),
-                                       static_cast<int>(size) / sizeof(char16_t),
-                                       0, &pe, &status);
+  URegularExpression* re = uregex_open(fuzzbuff.get(),
+                                       static_cast<int>(unistr_size),
+                                       flags, &pe, &status);
 
   if (re)
     uregex_close(re);
- 
+
   return 0;
 }