[NRBF] Fuzzing non-seekable stream input (#107605)

adamsitnik · web-flow · commit f26c2396d0d8 · 2024-09-10T17:05:19.000-07:00
diff --git a/src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/NrbfDecoderFuzzer.cs b/src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/NrbfDecoderFuzzer.cs
@@ -18,16 +18,23 @@ internal sealed class NrbfDecoderFuzzer : IFuzzer
 
         public void FuzzTarget(ReadOnlySpan<byte> bytes)
         {
-            using PooledBoundedMemory<byte> inputPoisonedAfter = PooledBoundedMemory<byte>.Rent(bytes, PoisonPagePlacement.After);
-            using PooledBoundedMemory<byte> inputPoisonedBefore = PooledBoundedMemory<byte>.Rent(bytes, PoisonPagePlacement.Before);
-            using MemoryStream streamAfter = new MemoryStream(inputPoisonedAfter.Memory.ToArray());
-            using MemoryStream streamBefore = new MemoryStream(inputPoisonedBefore.Memory.ToArray());
+            Test(bytes, PoisonPagePlacement.Before);
+            Test(bytes, PoisonPagePlacement.After);
+        }
+
+        private static void Test(ReadOnlySpan<byte> bytes, PoisonPagePlacement poisonPagePlacement)
+        {
+            using PooledBoundedMemory<byte> inputPoisoned = PooledBoundedMemory<byte>.Rent(bytes, poisonPagePlacement);
+
+            using MemoryStream seekableStream = new(inputPoisoned.Memory.ToArray());
+            Test(inputPoisoned.Span, seekableStream);
 
-            Test(inputPoisonedAfter.Span, streamAfter);
-            Test(inputPoisonedBefore.Span, streamBefore);
+            // NrbfDecoder has few code paths dedicated to non-seekable streams, let's test them as well.
+            using NonSeekableStream nonSeekableStream = new(inputPoisoned.Memory.ToArray());
+            Test(inputPoisoned.Span, nonSeekableStream);
         }
 
-        private static void Test(Span<byte> testSpan, MemoryStream stream)
+        private static void Test(Span<byte> testSpan, Stream stream)
         {
             if (NrbfDecoder.StartsWithPayloadHeader(testSpan))
             {
@@ -109,5 +116,11 @@ private static void Test(Span<byte> testSpan, MemoryStream stream)
                 catch (EndOfStreamException) { /* The end of the stream was reached before reading SerializationRecordType.MessageEnd record. */ }
             }
         }
+
+        private class NonSeekableStream : MemoryStream
+        {
+            public NonSeekableStream(byte[] buffer) : base(buffer) { }
+            public override bool CanSeek => false;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,16 +18,23 @@ internal sealed class NrbfDecoderFuzzer : IFuzzer`
`18`	`18`
`19`	`19`	`public void FuzzTarget(ReadOnlySpan<byte> bytes)`
`20`	`20`	`{`
`21`		`- using PooledBoundedMemory<byte> inputPoisonedAfter = PooledBoundedMemory<byte>.Rent(bytes, PoisonPagePlacement.After);`
`22`		`- using PooledBoundedMemory<byte> inputPoisonedBefore = PooledBoundedMemory<byte>.Rent(bytes, PoisonPagePlacement.Before);`
`23`		`- using MemoryStream streamAfter = new MemoryStream(inputPoisonedAfter.Memory.ToArray());`
`24`		`- using MemoryStream streamBefore = new MemoryStream(inputPoisonedBefore.Memory.ToArray());`
	`21`	`+ Test(bytes, PoisonPagePlacement.Before);`
	`22`	`+ Test(bytes, PoisonPagePlacement.After);`
	`23`	`+ }`
	`24`	`+`
	`25`	`+ private static void Test(ReadOnlySpan<byte> bytes, PoisonPagePlacement poisonPagePlacement)`
	`26`	`+ {`
	`27`	`+ using PooledBoundedMemory<byte> inputPoisoned = PooledBoundedMemory<byte>.Rent(bytes, poisonPagePlacement);`
	`28`	`+`
	`29`	`+ using MemoryStream seekableStream = new(inputPoisoned.Memory.ToArray());`
	`30`	`+ Test(inputPoisoned.Span, seekableStream);`
`25`	`31`
`26`		`- Test(inputPoisonedAfter.Span, streamAfter);`
`27`		`- Test(inputPoisonedBefore.Span, streamBefore);`
	`32`	`+ // NrbfDecoder has few code paths dedicated to non-seekable streams, let's test them as well.`
	`33`	`+ using NonSeekableStream nonSeekableStream = new(inputPoisoned.Memory.ToArray());`
	`34`	`+ Test(inputPoisoned.Span, nonSeekableStream);`
`28`	`35`	`}`
`29`	`36`
`30`		`- private static void Test(Span<byte> testSpan, MemoryStream stream)`
	`37`	`+ private static void Test(Span<byte> testSpan, Stream stream)`
`31`	`38`	`{`
`32`	`39`	`if (NrbfDecoder.StartsWithPayloadHeader(testSpan))`
`33`	`40`	`{`
`@@ -109,5 +116,11 @@ private static void Test(Span<byte> testSpan, MemoryStream stream)`
`109`	`116`	`catch (EndOfStreamException) { /* The end of the stream was reached before reading SerializationRecordType.MessageEnd record. */ }`
`110`	`117`	`}`
`111`	`118`	`}`
	`119`	`+`
	`120`	`+ private class NonSeekableStream : MemoryStream`
	`121`	`+ {`
	`122`	`+ public NonSeekableStream(byte[] buffer) : base(buffer) { }`
	`123`	`+ public override bool CanSeek => false;`
	`124`	`+ }`
`112`	`125`	`}`
`113`	`126`	`}`