[fuzzer] Use puts() rather than printf() in CopyFileToErr()

Roy Sundahl · Roy Sundahl · commit 90b4d1bcb201 · 2023-03-28T14:19:35.000-07:00
CopyFileToErr() uses Printf("%s", ...) which fails with a negative size on files >2Gb (Its path is through var-args wrappers to an unnecessary "%s" expansion and subject to int overflows) Using puts() in place of printf() bypasses this path and writes the string directly to stderr. This avoids the present loss of data when a crashed worker has generated >2Gb of output. rdar://99384640 Reviewed By: yln, rsundahl Differential Revision: https://reviews.llvm.org/D146189
diff --git a/compiler-rt/lib/fuzzer/FuzzerIO.cpp b/compiler-rt/lib/fuzzer/FuzzerIO.cpp
@@ -65,7 +65,7 @@ std::string FileToString(const std::string &Path) {
 }
 
 void CopyFileToErr(const std::string &Path) {
-  Printf("%s", FileToString(Path).c_str());
+  Puts(FileToString(Path).c_str());
 }
 
 void WriteToFile(const Unit &U, const std::string &Path) {
@@ -151,6 +151,11 @@ void CloseStdout() {
   DiscardOutput(1);
 }
 
+void Puts(const char *Str) {
+  fputs(Str, OutputFile);
+  fflush(OutputFile);
+}
+
 void Printf(const char *Fmt, ...) {
   va_list ap;
   va_start(ap, Fmt);
diff --git a/compiler-rt/lib/fuzzer/FuzzerIO.h b/compiler-rt/lib/fuzzer/FuzzerIO.h
@@ -58,6 +58,7 @@ void CloseStdout();
 FILE *GetOutputFile();
 void SetOutputFile(FILE *NewOutputFile);
 
+void Puts(const char *Str);
 void Printf(const char *Fmt, ...);
 void VPrintf(bool Verbose, const char *Fmt, ...);
 
diff --git a/compiler-rt/test/fuzzer/BigFileCopy.cpp b/compiler-rt/test/fuzzer/BigFileCopy.cpp
@@ -0,0 +1,31 @@
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+
+#include "FuzzerIO.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  const char *FileName = "big-file.txt";
+  FILE *f = fopen(FileName, "w");
+
+  // This is the biggest file possible unless CopyFileToErr() uses Puts()
+  fprintf(f, "%2147483646s", "2Gb-2");
+
+  // This makes the file too big if CopyFileToErr() uses fprintf("%s", <file>)
+  fprintf(f, "THIS LINE RESPONSIBLE FOR EXCEEDING 2Gb FILE SIZE\n");
+  fclose(f);
+
+  // Should now because CopyFileToErr() now uses Puts()
+  fuzzer::CopyFileToErr(FileName);
+
+  // File is >2Gb so clean up
+  remove(FileName);
+
+  return 0;
+}
diff --git a/compiler-rt/test/fuzzer/big-file-copy.test b/compiler-rt/test/fuzzer/big-file-copy.test
@@ -0,0 +1,4 @@
+RUN: %cpp_compiler %S/BigFileCopy.cpp -o %t
+RUN: %run %t -runs=1 -rss_limit_mb=4096 2>big-file-out.txt; result=$?
+RUN: %run rm -f big-file.txt big-file-out.txt
+RUN: %run (exit $result)

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ std::string FileToString(const std::string &Path) {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`void CopyFileToErr(const std::string &Path) {`
`68`		`- Printf("%s", FileToString(Path).c_str());`
	`68`	`+ Puts(FileToString(Path).c_str());`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`void WriteToFile(const Unit &U, const std::string &Path) {`
`@@ -151,6 +151,11 @@ void CloseStdout() {`
`151`	`151`	`DiscardOutput(1);`
`152`	`152`	`}`
`153`	`153`
	`154`	`+void Puts(const char *Str) {`
	`155`	`+ fputs(Str, OutputFile);`
	`156`	`+ fflush(OutputFile);`
	`157`	`+}`
	`158`	`+`
`154`	`159`	`void Printf(const char *Fmt, ...) {`
`155`	`160`	`va_list ap;`
`156`	`161`	`va_start(ap, Fmt);`