From 950f5cc4e3ddd9bc0f8881950082283aa381c805 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 11 Jul 2023 10:12:08 +0200
Subject: fuzz: extend fuzzing coverage (#2040)
Some notes:
* libinjection: according to https://github.com/libinjection/libinjection/issues/44, it seems NULL characters are valid in the input string;
* RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`;
* TLS: unnecessary check; we already make the same check just above, at the beginning of the `while` loop
---
 fuzz/fuzz_libinjection.c | 26 +++++++------------------
 1 file changed, 7 insertions(+), 19 deletions(-)
(limited to 'fuzz/fuzz_libinjection.c')
diff --git a/fuzz/fuzz_libinjection.c b/fuzz/fuzz_libinjection.c
index f614a62e1..b1d897d23 100644
--- a/fuzz/fuzz_libinjection.c
+++ b/fuzz/fuzz_libinjection.c
@@ -4,36 +4,24 @@ #include "../src/lib/third_party/include/libinjection_sqli.h"
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- char *query;
 struct libinjection_sqli_state state; /* No memory allocations involved */
- /* Libinjection: it wants null-terminated string */
-
- query = malloc(size + 1);
- if (!query)
- return 0;
- memcpy(query, data, size);
- query[size] = '\0';
-
-
- libinjection_sqli_init(&state, query, strlen(query), 0); /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
+ libinjection_sqli_init(&state, (char *)data, size, 0); /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_xss(query, strlen(query));
-
- free(query);
+ libinjection_xss((char *)data, size);
 libinjection_version();
-- cgit v1.2.3
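Review bot: The `(char *)data` casts on the six libinjection_sqli_init calls and on the libinjection_xss call strip `const` from the fuzzer's `const uint8_t *data`; upstream libinjection declares both string parameters as `const char *`, so `libinjection_sqli_init(&state, (const char *)data, size, 0);` is sufficient and keeps the compiler able to reject any future write into the read-only fuzz buffer. With the NUL-terminated copy gone, the harness now depends on libinjection bounding every read by `size` rather than by a terminator (the commit message notes embedded NULs are valid input), which is worth confirming against the vendored copy before relying on it, since a terminator scan would read past the end of the fuzzer's buffer. The enclosing LLVMFuzzerTestOneInput continues past the end of the hunk.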