Fuzz test bug (DRQS 175594554) (#4808)

bloomberg · Jun 27, 2024 · 196c09c · 196c09c
1 parent 472c990
commit 196c09c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/groups/bal/balber/balber_berdecoder.cpp b/groups/bal/balber/balber_berdecoder.cpp
@@ -198,6 +198,7 @@ int BerDecoder_Node::logError(const char *msg)
 int BerDecoder_Node::decode(bsl::vector<char>         *variable,
                             bdlat_TypeCategory::Array  )
 {
+    typedef bdlat_FormattingMode FMode;
     switch (d_tagType) {
       case BerConstants::e_PRIMITIVE:
           // 'BerEncoder' will encode 'vector<char>' this way if and only if
@@ -206,7 +207,13 @@ int BerDecoder_Node::decode(bsl::vector<char>         *variable,
           // or 'e_TEXT'
         return this->readVectorChar(variable); // RETURN
       case BerConstants::e_CONSTRUCTED:
-        return this->decodeArray(variable); // RETURN
+        switch (d_formattingMode & FMode::e_TYPE_MASK) {
+          case FMode::e_DEFAULT:
+          case FMode::e_DEC:
+            return this->decodeArray(variable);                       // RETURN
+          default:
+            return logError("Unexpected CONSTRUCTED encoding");       // RETURN
+        }
       default:
         return logError("Expected PRIMITIVE or CONSTRUCTED tag class"
                         " for vector<char>");                         // RETURN

diff --git a/groups/bal/balber/balber_berdecoder.t.cpp b/groups/bal/balber/balber_berdecoder.t.cpp
@@ -115,7 +115,8 @@ namespace test = BloombergLP::s_baltst;
 // [20] DECODE SEQUENCES OF MAXIMUM SIZE
 // [21] DECODE INTS AS ENUMS AND VICE VERSA
 // [22] DECODE DATE/TIME WITH LENGTH ANOMALIES
-// [23] USAGE EXAMPLE
+// [23] FUZZ TEST BUG (DRQS 175594554)
+// [24] USAGE EXAMPLE
 //
 // [-1] PERFORMANCE TEST
 
@@ -2306,6 +2307,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size)
     return 0;
 }
 
+void reproduceFuzzTest(const char *hexDump)
+{
+    bsl::vector<char> testData = loadFromHex(hexDump);
+    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(testData.data()),
+                           testData.size());
+}
+
 // ============================================================================
 //                               MAIN PROGRAM
 // ----------------------------------------------------------------------------
@@ -2334,7 +2342,7 @@ int main(int argc, char *argv[])
     bsl::cout << "TEST " << __FILE__ << " CASE " << test << bsl::endl;;
 
     switch (test) { case 0:  // Zero is always the leading case.
-      case 23: {
+      case 24: {
         // --------------------------------------------------------------------
         // USAGE EXAMPLE
         //   Extracted from component header file.
@@ -2358,6 +2366,25 @@ int main(int argc, char *argv[])
 
         if (verbose) cout << "\nEnd of test.\n";
       } break;
+      case 23: {
+        // --------------------------------------------------------------------
+        // FUZZ TEST BUG (DRQS 175594554)
+        //
+        // Concerns:
+        //: 1 The input sample mustn't cause a crash.
+        //
+        // Plan:
+        //: 1 Reproduce the failing fuzz test.
+        //
+        // Testing:
+        //   FUZZ TEST BUG (DRQS 175594554)
+        // --------------------------------------------------------------------
+
+        if (verbose) cout << "\nFUZZ TEST BUG (DRQS 175594554)"
+                             "\n==============================\n";
+
+        reproduceFuzzTest("2a0a353d ff87ff30 5da05da1 00a024a1 10000031 00");
+      } break;
       case 22: {
         // --------------------------------------------------------------------
         // DECODE DATE/TIME WITH LENGTH ANOMALIES