Add fuzzer for mmap module

Author: AdamKorcz

Makefile

@@ -1,8 +1,8 @@
-all : fuzzer-html fuzzer-email fuzzer-httpclient fuzzer-json fuzzer-difflib fuzzer-csv fuzzer-decode fuzzer-ast fuzzer-tarfile fuzzer-tarfile-hypothesis fuzzer-zipfile fuzzer-zipfile-hypothesis fuzzer-re fuzzer-configparser fuzzer-tomllib fuzzer-plistlib fuzzer-xml fuzzer-zoneinfo
+all : fuzzer-html fuzzer-email fuzzer-httpclient fuzzer-json fuzzer-difflib fuzzer-csv fuzzer-decode fuzzer-ast fuzzer-tarfile fuzzer-tarfile-hypothesis fuzzer-zipfile fuzzer-zipfile-hypothesis fuzzer-re fuzzer-configparser fuzzer-tomllib fuzzer-plistlib fuzzer-xml fuzzer-zoneinfo fuzzer-mmap
 
 PYTHON_CONFIG_PATH=$(CPYTHON_INSTALL_PATH)/bin/python3-config
 CXXFLAGS += $(shell $(PYTHON_CONFIG_PATH) --cflags)
-LDFLAGS += -rdynamic $(shell $(PYTHON_CONFIG_PATH) --ldflags --embed)
+LDFLAGS += -rdynamic $(shell $(PYTHON_CONFIG_PATH) --ldflags --embed) $(CPYTHON_MODLIBS) -Wl,--allow-multiple-definition
 
 fuzzer-html:
 	clang++ $(CXXFLAGS) $(LIB_FUZZING_ENGINE) -std=c++17 fuzzer.cpp -DPYTHON_HARNESS_PATH="\"html.py\"" -ldl $(LDFLAGS) -o fuzzer-html
@@ -40,3 +40,6 @@ fuzzer-xml:
 	clang++ $(CXXFLAGS) $(LIB_FUZZING_ENGINE) -std=c++17 fuzzer.cpp -DPYTHON_HARNESS_PATH="\"xml.py\"" -ldl $(LDFLAGS) -o fuzzer-xml
 fuzzer-zoneinfo:
 	clang++ $(CXXFLAGS) $(LIB_FUZZING_ENGINE) -std=c++17 fuzzer.cpp -DPYTHON_HARNESS_PATH="\"zoneinfo.py\"" -ldl $(LDFLAGS) -o fuzzer-zoneinfo
+
+fuzzer-mmap:
+	clang++ $(CXXFLAGS) $(LIB_FUZZING_ENGINE) -std=c++17 fuzzer.cpp -DPYTHON_HARNESS_PATH="\"mmap.py\"" -ldl $(LDFLAGS) -o fuzzer-mmap

fuzz_targets.txt

@@ -7,6 +7,7 @@ email email.py
 html html.py
 httpclient httpclient.py
 json json.py
+mmap mmap.py
 plistlib plist.py
 re re.py
 tarfile tarfile.py

mmap.py

@@ -0,0 +1,100 @@
+from fuzzeddataprovider import FuzzedDataProvider
+import os
+import mmap
+import tempfile
+
+OP_FIND = 0
+OP_RFIND = 1
+OP_READ = 2
+OP_READLINE = 3
+OP_SEEK = 4
+OP_GETITEM = 5
+OP_WRITE = 6
+OP_SETITEM = 7
+OP_MOVE = 8
+OP_FLUSH = 9
+
+_OP_MAX = OP_FLUSH
+
+
+# Fuzzes the mmap C module (Modules/mmapmodule.c). Creates a temporary
+# file-backed mmap and exercises find, rfind, seek, read, readline,
+# getitem, write, setitem, move, and flush operations with fuzzed
+# offsets, sizes, and byte content.
+def FuzzerRunOne(FuzzerInput):
+    if len(FuzzerInput) < 1 or len(FuzzerInput) > 0x10000:
+        return
+    fdp = FuzzedDataProvider(FuzzerInput)
+    init_size = (
+        fdp.ConsumeIntInRange(1, min(fdp.remaining_bytes(), 4096))
+        if fdp.remaining_bytes() > 0
+        else 0
+    )
+    if init_size == 0:
+        return
+    init_data = fdp.ConsumeBytes(init_size)
+    tmpname = None
+    try:
+        with tempfile.NamedTemporaryFile(delete=False) as tmp:
+            tmpname = tmp.name
+            tmp.write(init_data)
+            tmp.flush()
+
+        with open(tmpname, "r+b") as f:
+            mm = mmap.mmap(f.fileno(), 0)
+            num_ops = fdp.ConsumeIntInRange(1, 10)
+            for _ in range(num_ops):
+                if fdp.remaining_bytes() == 0:
+                    break
+                op = fdp.ConsumeIntInRange(0, _OP_MAX)
+                if op == OP_FIND:
+                    needle = fdp.ConsumeBytes(
+                        fdp.ConsumeIntInRange(1, min(fdp.remaining_bytes(), 20))
+                    )
+                    mm.find(needle)
+                elif op == OP_RFIND:
+                    needle = fdp.ConsumeBytes(
+                        fdp.ConsumeIntInRange(1, min(fdp.remaining_bytes(), 20))
+                    )
+                    mm.rfind(needle)
+                elif op == OP_READ:
+                    mm.seek(0)
+                    mm.read(fdp.ConsumeIntInRange(0, len(mm)))
+                elif op == OP_READLINE:
+                    mm.seek(0)
+                    mm.readline()
+                elif op == OP_SEEK:
+                    pos = fdp.ConsumeIntInRange(0, max(0, len(mm) - 1))
+                    mm.seek(pos)
+                elif op == OP_GETITEM:
+                    if len(mm) > 0:
+                        idx = fdp.ConsumeIntInRange(0, len(mm) - 1)
+                        _ = mm[idx]
+                elif op == OP_WRITE:
+                    data = fdp.ConsumeBytes(
+                        fdp.ConsumeIntInRange(1, min(fdp.remaining_bytes(), 50))
+                    )
+                    pos = fdp.ConsumeIntInRange(0, max(0, len(mm) - len(data)))
+                    mm.seek(pos)
+                    mm.write(data)
+                elif op == OP_SETITEM:
+                    if len(mm) > 0:
+                        idx = fdp.ConsumeIntInRange(0, len(mm) - 1)
+                        mm[idx] = fdp.ConsumeInt(1)
+                elif op == OP_MOVE:
+                    if len(mm) > 1:
+                        count = fdp.ConsumeIntInRange(1, len(mm) // 2)
+                        src = fdp.ConsumeIntInRange(0, len(mm) - count)
+                        dest = fdp.ConsumeIntInRange(0, len(mm) - count)
+                        mm.move(dest, src, count)
+                elif op == OP_FLUSH:
+                    mm.flush()
+            mm.close()
+    except Exception:
+        pass
+    finally:
+        if tmpname:
+            try:
+                os.unlink(tmpname)
+            except Exception:
+                pass