proxy-wasm
diff --git a/‎src/bytecode_util.cc‎
Lines changed: 32 additions & 12 deletions b/‎src/bytecode_util.cc‎
Lines changed: 32 additions & 12 deletions
diff --git a/‎src/exports.cc‎
Lines changed: 12 additions & 4 deletions b/‎src/exports.cc‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎test/fuzz/BUILD‎
Lines changed: 15 additions & 1 deletion b/‎test/fuzz/BUILD‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎test/fuzz/bytecode_util_fuzzer.cc‎
Lines changed: 41 additions & 0 deletions b/‎test/fuzz/bytecode_util_fuzzer.cc‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎test/fuzz/corpus_bytecode/crash-10198e96614e9ff7ca6dae581f4f7f13143257d7‎
15 Bytes b/‎test/fuzz/corpus_bytecode/crash-10198e96614e9ff7ca6dae581f4f7f13143257d7‎
15 Bytes
diff --git a/‎test/fuzz/corpus_bytecode/crash-6d94d1b10bc8dabc467a8e4a9a7105f62c81ff4c‎
15 Bytes b/‎test/fuzz/corpus_bytecode/crash-6d94d1b10bc8dabc467a8e4a9a7105f62c81ff4c‎
15 Bytes
diff --git a/‎test/fuzz/corpus_bytecode/crash-8cff35e5a0f9722df891fd1f05ca6dc2bd3d42aa‎
154 Bytes b/‎test/fuzz/corpus_bytecode/crash-8cff35e5a0f9722df891fd1f05ca6dc2bd3d42aa‎
154 Bytes
diff --git a/‎test/fuzz/corpus_bytecode/crash-9718722528a7c015ef3852490a6c67649bda70c0‎
478 Bytes b/‎test/fuzz/corpus_bytecode/crash-9718722528a7c015ef3852490a6c67649bda70c0‎
478 Bytes
diff --git a/‎test/fuzz/corpus_bytecode/crash-ed7193f661f04a66a13facee4d25709e6f479d3d‎
14 Bytes b/‎test/fuzz/corpus_bytecode/crash-ed7193f661f04a66a13facee4d25709e6f479d3d‎
14 Bytes
@@ -48,15 +48,18 @@ bool BytecodeUtil::getAbiVersion(std::string_view bytecode, proxy_wasm::AbiVersi
       return false;
     }
     if (section_type == 7 /* export section */) {
+      const char *section_end = pos + section_len;
       uint32_t export_vector_size = 0;
-      if (!parseVarint(pos, end, export_vector_size) || pos + export_vector_size > end) {
+      if (!parseVarint(pos, section_end, export_vector_size) ||
+          pos + export_vector_size > section_end) {
         return false;
       }
       // Search thourgh exports.
       for (uint32_t i = 0; i < export_vector_size; i++) {
         // Parse name of the export.
         uint32_t export_name_size = 0;
-        if (!parseVarint(pos, end, export_name_size) || pos + export_name_size > end) {
+        if (!parseVarint(pos, section_end, export_name_size) ||
+            pos + export_name_size > section_end) {
           return false;
         }
         const auto *const name_begin = pos;
@@ -65,7 +68,7 @@ bool BytecodeUtil::getAbiVersion(std::string_view bytecode, proxy_wasm::AbiVersi
           return false;
         }
         // Check if it is a function type export
-        if (*pos++ == 0x00) {
+        if (*pos++ == 0x00 /* function */) {
           const std::string export_name = {name_begin, export_name_size};
           // Check the name of the function.
           if (export_name == "proxy_abi_version_0_1_0") {
@@ -114,24 +117,25 @@ bool BytecodeUtil::getCustomSection(std::string_view bytecode, std::string_view
     }
     if (section_type == 0) {
       // Custom section.
-      const auto *const section_data_start = pos;
+      const char *section_end = pos + section_len;
       uint32_t section_name_len = 0;
-      if (!BytecodeUtil::parseVarint(pos, end, section_name_len) || pos + section_name_len > end) {
+      if (!BytecodeUtil::parseVarint(pos, section_end, section_name_len) ||
+          pos + section_name_len > section_end) {
         return false;
       }
       if (section_name_len == name.size() && ::memcmp(pos, name.data(), section_name_len) == 0) {
         pos += section_name_len;
-        ret = {pos, static_cast<size_t>(section_data_start + section_len - pos)};
+        ret = {pos, static_cast<size_t>(section_end - pos)};
         return true;
       }
-      pos = section_data_start + section_len;
+      pos = section_end;
     } else {
       // Skip other sections.
       pos += section_len;
     }
   }
   return true;
-};
+}
 
 bool BytecodeUtil::getFunctionNameIndex(std::string_view bytecode,
                                         std::unordered_map<uint32_t, std::string> &ret) {
@@ -242,16 +246,32 @@ bool BytecodeUtil::getStrippedSource(std::string_view bytecode, std::string &ret
 
 bool BytecodeUtil::parseVarint(const char *&pos, const char *end, uint32_t &ret) {
   uint32_t shift = 0;
+  uint32_t total = 0;
+  uint32_t v;
   char b;
-  do {
+  while (pos < end) {
     if (pos + 1 > end) {
+      // overread
       return false;
     }
     b = *pos++;
-    ret += (b & 0x7f) << shift;
+    v = (b & 0x7f);
+    if (shift == 28 && v > 3) {
+      // overflow
+      return false;
+    }
+    total += v << shift;
+    if ((b & 0x80) == 0) {
+      ret = total;
+      return true;
+    }
     shift += 7;
-  } while ((b & 0x80) != 0);
-  return ret != static_cast<uint32_t>(-1);
+    if (shift > 28) {
+      // overflow
+      return false;
+    }
+  }
+  return false;
 }
 
 } // namespace proxy_wasm
@@ -455,13 +455,21 @@ Word get_buffer_bytes(Word type, Word start, Word length, Word ptr_ptr, Word siz
     return WasmResult::BadArgument;
   }
   // Don't overread.
-  if (start + length > buffer->size()) {
+  if (start > buffer->size()) {
+    length = 0;
+  } else if (start + length > buffer->size()) {
     length = buffer->size() - start;
   }
-  if (length > 0) {
-    return buffer->copyTo(context->wasm(), start, length, ptr_ptr, size_ptr);
+  if (length == 0) {
+    if (!context->wasmVm()->setWord(ptr_ptr, Word(0))) {
+      return WasmResult::InvalidMemoryAccess;
+    }
+    if (!context->wasmVm()->setWord(size_ptr, Word(0))) {
+      return WasmResult::InvalidMemoryAccess;
+    }
+    return WasmResult::Ok;
   }
-  return WasmResult::Ok;
+  return buffer->copyTo(context->wasm(), start, length, ptr_ptr, size_ptr);
 }
 
 Word get_buffer_status(Word type, Word length_ptr, Word flags_ptr) {
 
@@ -4,6 +4,20 @@ licenses(["notice"])  # Apache 2
 
 package(default_visibility = ["//visibility:public"])
 
+filegroup(
+    name = "corpus_bytecode",
+    srcs = glob(["corpus_bytecode/**"]),
+)
+
+cc_fuzz_test(
+    name = "bytecode_util_fuzzer",
+    srcs = ["bytecode_util_fuzzer.cc"],
+    corpus = [":corpus_bytecode"],
+    deps = [
+        "//:lib",
+    ],
+)
+
 filegroup(
     name = "corpus_pairs",
     srcs = glob(["corpus_pairs/**"]),
@@ -16,4 +30,4 @@ cc_fuzz_test(
     deps = [
         "//:lib",
     ],
-)
+)
@@ -0,0 +1,41 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "include/proxy-wasm/bytecode_util.h"
+
+#include <string>
+
+namespace proxy_wasm {
+namespace {
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  auto bytecode = std::string_view(reinterpret_cast<const char *>(data), size);
+
+  AbiVersion version;
+  BytecodeUtil::getAbiVersion(bytecode, version);
+
+  std::string_view custom_section;
+  BytecodeUtil::getCustomSection(bytecode, "precompiled", custom_section);
+
+  std::string stripped_source;
+  BytecodeUtil::getStrippedSource(bytecode, stripped_source);
+
+  std::unordered_map<uint32_t, std::string> function_names;
+  BytecodeUtil::getFunctionNameIndex(bytecode, function_names);
+
+  return 0;
+}
+
+} // namespace
+} // namespace proxy_wasm