From e239eda39e3f0f9342bc0dd6658b49d4bd900875 Mon Sep 17 00:00:00 2001
From: Max Dymond <cmeister2@gmail.com>
Date: Mon, 11 Sep 2017 20:00:27 +0100
Subject: ossfuzz: don't write out to stdout

Don't make the fuzzer write out to stdout - instead write some of the
contents to a memory block so we exercise the data output code but
quietly.

Closes #1885
---
 tests/fuzz/curl_fuzzer.cc | 30 ++++++++++++++++++++++++++++++
 tests/fuzz/curl_fuzzer.h  | 10 ++++++++++
 2 files changed, 40 insertions(+)

diff --git a/tests/fuzz/curl_fuzzer.cc b/tests/fuzz/curl_fuzzer.cc
index bbf91c222..fadb3231b 100644
--- a/tests/fuzz/curl_fuzzer.cc
+++ b/tests/fuzz/curl_fuzzer.cc
@@ -136,6 +136,12 @@ int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
                         fuzz_read_callback));
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_READDATA, fuzz));
 
+  /* Set the standard write function callback. */
+  FTRY(curl_easy_setopt(fuzz->easy,
+                        CURLOPT_WRITEFUNCTION,
+                        fuzz_write_callback));
+  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_WRITEDATA, fuzz));
+
   /* Can enable verbose mode by changing 0L to 1L */
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 0L));
 
@@ -269,6 +275,30 @@ static size_t fuzz_read_callback(char *buffer,
   return fuzz->upload1_data_len;
 }
 
+/**
+ * Callback function for handling data output quietly.
+ */
+static size_t fuzz_write_callback(void *contents,
+                                  size_t size,
+                                  size_t nmemb,
+                                  void *ptr)
+{
+  size_t total = size * nmemb;
+  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
+  size_t copy_len = total;
+
+  /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
+  if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
+    copy_len = TEMP_WRITE_ARRAY_SIZE;
+  }
+
+  /* Copy bytes to the temp store just to ensure the parameters are
+     exercised. */
+  memcpy(fuzz->write_array, contents, copy_len);
+
+  return total;
+}
+
 /**
  * TLV access function - gets the first TLV from a data stream.
  */
diff --git a/tests/fuzz/curl_fuzzer.h b/tests/fuzz/curl_fuzzer.h
index 2dd3827d0..e7af89bb4 100644
--- a/tests/fuzz/curl_fuzzer.h
+++ b/tests/fuzz/curl_fuzzer.h
@@ -46,6 +46,9 @@
 #define TLV_RC_NO_MORE_TLVS             1
 #define TLV_RC_SIZE_ERROR               2
 
+/* Temporary write array size */
+#define TEMP_WRITE_ARRAY_SIZE           10
+
 /**
  * Byte stream representation of the TLV header. Casting the byte stream
  * to a TLV_RAW allows us to examine the type and length.
@@ -98,6 +101,9 @@ typedef struct fuzz_data
   /* Parser state */
   FUZZ_PARSE_STATE state;
 
+  /* Temporary writefunction state */
+  char write_array[TEMP_WRITE_ARRAY_SIZE];
+
   /* Response data and length */
   const uint8_t *rsp1_data;
   size_t rsp1_data_len;
@@ -142,6 +148,10 @@ static size_t fuzz_read_callback(char *buffer,
                                  size_t size,
                                  size_t nitems,
                                  void *ptr);
+static size_t fuzz_write_callback(void *contents,
+                                  size_t size,
+                                  size_t nmemb,
+                                  void *ptr);
 int fuzz_get_first_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_next_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, TLV *tlv);
-- 
cgit v1.2.1