code-fixer: extend for ConsumeBytes (#652)

Ref: #575 Ref: #301 --------- Signed-off-by: David Korczynski <[email protected]>
google · Oct 2, 2024 · 78f04b6 · 78f04b6
1 parent cdf8460
commit 78f04b6
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/benchmark-sets/bug-fdp-consume-buffers/libtheora.yaml b/benchmark-sets/bug-fdp-consume-buffers/libtheora.yaml
@@ -0,0 +1,15 @@
+"functions":
+- "name": "th_comment_query"
+  "params":
+  - "name": "_tc"
+    "type": "bool "
+  - "name": "_tag"
+    "type": "bool "
+  - "name": "_count"
+    "type": "int"
+  "return_type": "void"
+  "signature": "char * th_comment_query(th_comment *, const char *, int)"
+"language": "c++"
+"project": "libtheora"
+"target_name": "fuzzer-decoder"
+"target_path": "/src/oss-fuzz-fuzzers/libtheora/fuzzer.cpp"
diff --git a/llm_toolkit/code_fixer.py b/llm_toolkit/code_fixer.py
@@ -472,6 +472,7 @@ def _collect_instructions(benchmark: benchmarklib.Benchmark, errors: list[str],
   instruction += _collect_instruction_no_goto(fuzz_target_source_code)
   instruction += _collect_instruction_builtin_libs_first(benchmark, errors)
   instruction += _collect_instruction_extern(benchmark)
+  instruction += _collect_consume_buffers(fuzz_target_source_code)
 
   return instruction
 
@@ -656,6 +657,28 @@ def _collect_instruction_extern(benchmark: benchmarklib.Benchmark) -> str:
   return instruction
 
 
+def _collect_consume_buffers(fuzz_target_source_code: str) -> str:
+  """Provides advice on the use of ConsumeBytes and ConsumeData"""
+
+  instruction = ''
+
+  for buffer_method in ['ConsumeBytes', 'ConsumeData']:
+    if buffer_method in fuzz_target_source_code:
+      instruction += (
+          'IMPORTANT: the harness source code contains a call to '
+          f'`{buffer_method}`. Whenever this function is used, you MUST validate'
+          ' the size of the vector returned, and make sure that the size of the '
+          f'vector is equal to argument given to `{buffer_method}`. If it is '
+          'not equal, the harness should not proceed.\n')
+      instruction += (
+          f'Furthermore, consider changing {buffer_method} to '
+          '`ConsumeRandomLengthString` for creating `char` buffers or strings. '
+          'In most cases, `ConsumeRandomLengthString` is preferred, and '
+          f'should be used instead of {buffer_method}\n')
+
+  return instruction
+
+
 def main():
   args = parse_args()
   fix_all_targets(args.target_dir, args.project)