introduce fuzzer and removed fuzzer-guided warning

skeletons/ber_tlv_length.c

@@ -40,28 +40,18 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 		for(len = 0, buf++, skipped = 1;
 			oct && (++skipped <= size); buf++, oct--) {
 
-			len = (len << 8) | *buf;
-			if(len < 0
-			|| (len >> ((8 * sizeof(len)) - 8) && oct > 1)) {
-				/*
-				 * Too large length value.
-				 */
+			/* Verify that we won't overflow. */
+			if(!(len >> ((8 * sizeof(len)) - (8+1)))) {
+				len = (len << 8) | *buf;
+			} else {
+				/* Too large length value. */
 				return -1;
 			}
 		}
 
 		if(oct == 0) {
-			ber_tlv_len_t lenplusepsilon = (size_t)len + 1024;
-			/*
-			 * Here length may be very close or equal to 2G.
-			 * However, the arithmetics used in some decoders
-			 * may add some (small) quantities to the length,
-			 * to check the resulting value against some limits.
-			 * This may result in integer wrap-around, which
-			 * we try to avoid by checking it earlier here.
-			 */
-			if(lenplusepsilon < 0) {
-				/* Too large length value */
+			if(len < 0 || len > RSIZE_MAX) {
+				/* Length value out of sane range. */
 				return -1;
 			}
 

tests/tests-c-compiler/Makefile.am

@@ -14,6 +14,7 @@ TESTS_ENVIRONMENT= \
 				   CFLAGS="${TESTSUITE_CFLAGS} ${CFLAGS}" \
 				   CXXFLAGS="${CXXFLAGS}" \
 				   LDFLAGS="${LDFLAGS}" \
+				   LIBFUZZER_CFLAGS="${LIBFUZZER_CFLAGS}" \
 				   srcdir=${srcdir} \
 				   abs_top_srcdir=${abs_top_srcdir} \
 				   abs_top_builddir=${abs_top_builddir} \

tests/tests-c-compiler/check-src/check-42.c

@@ -126,6 +126,17 @@ check_serialize() {
 	assert(memcmp(buf0, buf, sizeof(buf0)) == 0);
 }
 
+#ifdef ENABLE_LIBFUZZER
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	LogLine_t *lp = 0;
+	(void)ber_decode(0, &asn_DEF_LogLine, (void **)&lp, Data, Size);
+    ASN_STRUCT_FREE(asn_DEF_LogLine, lp);
+    return 0;
+}
+
+#else
+
 int
 main(int ac, char **av) {
 	LogLine_t t;
@@ -140,3 +151,5 @@ main(int ac, char **av) {
 
 	return 0;
 }
+
+#endif