1 #include "random_data.h"
2 #include <string.h>
3 #include <malloc_wrappers.h>
4 #include <pb_encode.h>
5 
6 #ifndef LLVMFUZZER
7 
8 static uint32_t g_random_seed = 1234;
9 
random_set_seed(uint32_t seed)10 void random_set_seed(uint32_t seed)
11 {
12     g_random_seed = seed;
13 }
14 
random_get_seed()15 uint32_t random_get_seed()
16 {
17     return g_random_seed;
18 }
19 
20 /* Uses xorshift64 here instead of rand() for both speed and
21  * reproducibility across platforms. */
rand_word()22 uint32_t rand_word()
23 {
24     g_random_seed ^= g_random_seed << 13;
25     g_random_seed ^= g_random_seed >> 17;
26     g_random_seed ^= g_random_seed << 5;
27     return g_random_seed;
28 }
29 
30 /* Get a random integer in range, with approximately flat distribution. */
rand_int(int min,int max)31 int rand_int(int min, int max)
32 {
33     return rand_word() % (max + 1 - min) + min;
34 }
35 
rand_bool()36 bool rand_bool()
37 {
38     return rand_word() & 1;
39 }
40 
41 /* Get a random byte, with skewed distribution.
42  * Important corner cases like 0xFF, 0x00 and 0xFE occur more
43  * often than other values. */
rand_byte()44 uint8_t rand_byte()
45 {
46     uint32_t w = rand_word();
47     uint8_t b = w & 0xFF;
48     if (w & 0x100000)
49         b >>= (w >> 8) & 7;
50     if (w & 0x200000)
51         b <<= (w >> 12) & 7;
52     if (w & 0x400000)
53         b ^= 0xFF;
54     return b;
55 }
56 
57 /* Get a random length, with skewed distribution.
58  * Favors the shorter lengths, but always at least 1. */
rand_len(size_t max)59 size_t rand_len(size_t max)
60 {
61     uint32_t w = rand_word();
62     size_t s;
63     if (w & 0x800000)
64         w &= 3;
65     else if (w & 0x400000)
66         w &= 15;
67     else if (w & 0x200000)
68         w &= 255;
69 
70     s = (w % max);
71     if (s == 0)
72         s = 1;
73 
74     return s;
75 }
76 
77 /* Fills a buffer with random data with skewed distribution. */
rand_fill(uint8_t * buf,size_t count)78 void rand_fill(uint8_t *buf, size_t count)
79 {
80     for (; count > 0; count--)
81     {
82         *buf++ = rand_byte();
83     }
84 }
85 
86 /* Fill with random protobuf-like data */
rand_fill_protobuf(uint8_t * buf,size_t min_bytes,size_t max_bytes,int min_tag)87 size_t rand_fill_protobuf(uint8_t *buf, size_t min_bytes, size_t max_bytes, int min_tag)
88 {
89     pb_ostream_t stream = pb_ostream_from_buffer(buf, max_bytes);
90 
91     while(stream.bytes_written < min_bytes)
92     {
93         pb_wire_type_t wt = rand_int(0, 3);
94         if (wt == 3) wt = 5; /* Gap in values */
95 
96         if (!pb_encode_tag(&stream, wt, rand_int(min_tag, min_tag + 512)))
97             break;
98 
99         if (wt == PB_WT_VARINT)
100         {
101             uint64_t value;
102             rand_fill((uint8_t*)&value, sizeof(value));
103             pb_encode_varint(&stream, value);
104         }
105         else if (wt == PB_WT_64BIT)
106         {
107             uint64_t value;
108             rand_fill((uint8_t*)&value, sizeof(value));
109             pb_encode_fixed64(&stream, &value);
110         }
111         else if (wt == PB_WT_32BIT)
112         {
113             uint32_t value;
114             rand_fill((uint8_t*)&value, sizeof(value));
115             pb_encode_fixed32(&stream, &value);
116         }
117         else if (wt == PB_WT_STRING)
118         {
119             size_t len;
120             uint8_t *buf;
121 
122             if (min_bytes > stream.bytes_written)
123                 len = rand_len(min_bytes - stream.bytes_written);
124             else
125                 len = 0;
126 
127             buf = malloc(len);
128             pb_encode_varint(&stream, len);
129             rand_fill(buf, len);
130             pb_write(&stream, buf, len);
131             free(buf);
132         }
133     }
134 
135     return stream.bytes_written;
136 }
137 
138 /* Given a buffer of data, mess it up a bit */
rand_mess(uint8_t * buf,size_t count)139 void rand_mess(uint8_t *buf, size_t count)
140 {
141     int m = rand_int(0, 3);
142 
143     if (m == 0)
144     {
145         /* Replace random substring */
146         int s = rand_int(0, count - 1);
147         int l = rand_len(count - s);
148         rand_fill(buf + s, l);
149     }
150     else if (m == 1)
151     {
152         /* Swap random bytes */
153         int a = rand_int(0, count - 1);
154         int b = rand_int(0, count - 1);
155         int x = buf[a];
156         buf[a] = buf[b];
157         buf[b] = x;
158     }
159     else if (m == 2)
160     {
161         /* Duplicate substring */
162         int s = rand_int(0, count - 2);
163         int l = rand_len((count - s) / 2);
164         memcpy(buf + s + l, buf + s, l);
165     }
166     else if (m == 3)
167     {
168         /* Add random protobuf noise */
169         int s = rand_int(0, count - 1);
170         int l = rand_len(count - s);
171         rand_fill_protobuf(buf + s, l, count - s, 1);
172     }
173 }
174 
175 /* Append or prepend protobuf noise */
rand_protobuf_noise(uint8_t * buffer,size_t bufsize,size_t * msglen)176 void rand_protobuf_noise(uint8_t *buffer, size_t bufsize, size_t *msglen)
177 {
178     int m = rand_int(0, 2);
179     size_t max_size = bufsize - 32 - *msglen;
180     if (m == 1)
181     {
182         /* Prepend */
183         uint8_t *tmp = malloc_with_check(bufsize);
184         size_t s = rand_fill_protobuf(tmp, rand_len(max_size), bufsize - *msglen, 1000);
185         memmove(buffer + s, buffer, *msglen);
186         memcpy(buffer, tmp, s);
187         free_with_check(tmp);
188         *msglen += s;
189     }
190     else if (m == 2)
191     {
192         /* Append */
193         size_t s = rand_fill_protobuf(buffer + *msglen, rand_len(max_size), bufsize - *msglen, 1000);
194         *msglen += s;
195     }
196 }
197 
198 #endif
199