The maximum size for the input was set to INPUT_SIZE, which is actually
the size of the data array inside the fuzz_corpus structure and so did not
allow the user (or AFL) to fill in the whole structure. Changing it to
sizeof(struct fuzz_corpus) corrects this problem.
Signed-off-by: Paul Semel <semelpaul@gmail.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
unsigned char data[INPUT_SIZE];
} input;
#define DATA_OFFSET offsetof(struct fuzz_corpus, data)
+#define FUZZ_CORPUS_SIZE (sizeof(struct fuzz_corpus))
/*
* Internal state of the fuzzing harness. Calculated initially from the input
return 1;
}
- if ( size > INPUT_SIZE )
+ if ( size > FUZZ_CORPUS_SIZE )
{
printf("Input too large\n");
return 1;
unsigned int fuzz_minimal_input_size(void)
{
- BUILD_BUG_ON(DATA_OFFSET > INPUT_SIZE);
-
return DATA_OFFSET + 1;
}