I am currently getting started with fuzzing in C++. Following the tutorial at https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md I have successfully used the AddressSanitizer. In that tutorial it is also recommended to at least try UBSan as well.
The example from the documentation on UBSan works just fine; I immediately get a runtime error because of the signed integer overflow. But when I try to build a fuzzer around the example I no longer get any errors reported.
The example code is

```cpp
// test.cpp
int main(int argc, char **argv) {
    int k = 0x7fffffff;
    k += argc;   // int + int: signed overflow for argc >= 1, reported by UBSan
    return 0;
}
```

which I compiled with `clang++ -fsanitize=undefined test.cpp -o test`.
To get my fuzzer I changed the code to

```cpp
// fuzz.cpp
#include <cstddef>

extern "C" int LLVMFuzzerTestOneInput(const char *data, size_t len)
{
    int k = 0x7fffffff;
    k += len;
    return 0;
}
```

and built it with `clang++ -fsanitize=undefined -fno-sanitize-recover=undefined -fsanitize-coverage=trace-pc-guard fuzz.cpp libFuzzer.a -o fuzz`.
Does anyone know what I have to change so that the fuzzer also finds the signed integer overflow?
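The following is an added example, not code from the question above. It puts the question's `int += size_t` addition next to a genuinely signed addition: in `k += len` the `int` operand is converted to `size_t` by the usual arithmetic conversions, so the addition is unsigned and wraps with defined behaviour, and only the result is converted back to `int`; there is no signed overflow for UBSan to report. The fuzz target at the bottom takes its addend from the input bytes as an `int`, so `k += delta` is signed arithmetic and `-fsanitize=undefined` reports the overflow as soon as libFuzzer produces a large positive `delta`. The function names are hypothetical; the target builds with the same command line as `fuzz.cpp`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>

// Same shape as the question's harness. k is converted to size_t, the
// addition is performed in unsigned arithmetic (wraps modulo 2^64 on LP64),
// and the wrapped value is converted back to int. No undefined behaviour,
// hence no UBSan report.
int add_unsigned_as_in_question(int k, size_t len) {
    k += len;
    return k;
}

// Overflow check that never performs the overflowing addition itself; useful
// when you want to confirm an input would trip UBSan before running it.
bool signed_add_overflows(int a, int b) {
    int unused;
    return __builtin_add_overflow(a, b, &unused);
}

// Fuzz target where the addend is a real int derived from the input bytes.
// Here `k += delta` is signed arithmetic: for delta > 0 it is undefined
// behaviour, which -fsanitize=undefined reports as "signed integer overflow".
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < sizeof(int)) return 0;     // need enough bytes for one int
    int delta;
    std::memcpy(&delta, data, sizeof delta);   // input-controlled int
    int k = std::numeric_limits<int>::max();
    k += delta;                           // signed overflow when delta > 0
    return 0;
}
```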
User contributions licensed under CC BY-SA 3.0