From ac4255647341a3a1b17bbebda24f9e44b02a5777 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 8 Aug 2022 11:38:34 +0100 Subject: [PATCH] jackson-core: improve fuzzers (#8178) Signed-off-by: AdamKorcz --- projects/jackson-core/DataInputFuzzer.java | 15 ++++++- .../jackson-core/UTF8GeneratorFuzzer.java | 41 +++++++++++++++++-- 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/projects/jackson-core/DataInputFuzzer.java b/projects/jackson-core/DataInputFuzzer.java index d67cab2b9..0d9acde2b 100644 --- a/projects/jackson-core/DataInputFuzzer.java +++ b/projects/jackson-core/DataInputFuzzer.java @@ -154,7 +154,7 @@ public class DataInputFuzzer { } int typeOfNext = data.consumeInt(); JsonParser jp = jf.createParser(new MockFuzzDataInput(data.consumeRemainingAsString())); - switch (typeOfNext%5) { + switch (typeOfNext%11) { case 0: while (jp.nextToken() != null) { ; @@ -175,6 +175,19 @@ public class DataInputFuzzer { ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); Base64Variants b64vs = new Base64Variants(); jp.readBinaryValue(b64vs.MIME, outputStream); + case 5: + String outString = jp.getValueAsString(); + case 6: + int outInt = jp.getValueAsInt(); + case 7: + Writer writer = new StringWriter(); + int len = jp.getText(writer); + case 8: + char[] textChars = jp.getTextCharacters(); + case 9: + int textLen = jp.getTextLength(); + case 10: + int textOffset = jp.getTextOffset(); } } catch (IOException | IllegalArgumentException ignored) { } diff --git a/projects/jackson-core/UTF8GeneratorFuzzer.java b/projects/jackson-core/UTF8GeneratorFuzzer.java index fd091997a..bfbddbd16 100644 --- a/projects/jackson-core/UTF8GeneratorFuzzer.java +++ b/projects/jackson-core/UTF8GeneratorFuzzer.java 
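Review bot: `switch (typeOfNext%11)` still does nothing for negative inputs: `consumeInt()` can return a negative value, Java's `%` then yields a negative remainder that matches no case, and the parser is created but never driven for roughly half of all inputs. `switch (Math.floorMod(typeOfNext, 11)) {` makes every value land on a case. The same applies to `switch(apiType%13)` in the UTF8GeneratorFuzzer hunk at @@ -40,8 +42,28 @@. The enclosing method starts and ends outside this hunk.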
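Review bot: The new cases 5–10 call `getValueAsString()`, `getValueAsInt()`, `getText(writer)`, `getTextCharacters()`, `getTextLength()` and `getTextOffset()` on a parser that was just created and never advanced, so as far as I can tell they observe the no-current-token state and return null/0 without touching the input; each case needs a `jp.nextToken();` (or a token loop) before the accessor to exercise anything. No case ends in `break`, so selecting case 5 also runs 6–10; if that is intended, a `// fall through` comment on each makes it explicit. `Writer` and `StringWriter` are new to this file and no import hunk is shown, so unless `java.io.Writer`/`java.io.StringWriter` (or `java.io.*`) are already imported this will not compile. The enclosing method continues outside the hunk.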
@@ -18,6 +18,7 @@ import java.io.ByteArrayOutputStream; import java.io.ByteArrayInputStream; import java.io.StringReader; import java.io.InputStream; +import java.math.BigDecimal; import com.code_intelligence.jazzer.api.FuzzedDataProvider; import com.fasterxml.jackson.core.Base64Variant; @@ -25,6 +26,7 @@ import com.fasterxml.jackson.core.Base64Variants; import com.fasterxml.jackson.core.JsonFactory; import com.fasterxml.jackson.core.json.UTF8JsonGenerator; import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonGenerator.Feature; import com.fasterxml.jackson.core.SerializableString; import com.fasterxml.jackson.core.io.SerializedString; @@ -40,8 +42,28 @@ public class UTF8GeneratorFuzzer { byte[] b; Base64Variant b64v; + Feature[] features = new Feature[]{ + Feature.AUTO_CLOSE_TARGET, + Feature.AUTO_CLOSE_JSON_CONTENT, + Feature.FLUSH_PASSED_TO_STREAM, + Feature.QUOTE_FIELD_NAMES, + Feature.QUOTE_NON_NUMERIC_NUMBERS, + Feature.ESCAPE_NON_ASCII, + Feature.WRITE_NUMBERS_AS_STRINGS, + Feature.WRITE_BIGDECIMAL_AS_PLAIN, + Feature.STRICT_DUPLICATE_DETECTION, + Feature.IGNORE_UNKNOWN, + }; + try { g = jf.createGenerator(out); + for (int i = 0; i < features.length; i++) { + if (data.consumeBoolean()) { + g.enable(features[i]); + } else { + g.disable(features[i]); + } + } } catch (IOException ignored) { return; } @@ -50,7 +72,7 @@ public class UTF8GeneratorFuzzer { for (int i = 0; i < numberOfOps%20; i++) { try { int apiType = data.consumeInt(); - switch(apiType%9) { + switch(apiType%13) { case 0: fuzzString = data.consumeString(1000000); StringReader targetReader = new StringReader(fuzzString); 
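Review bot: The enable/disable loop after `g = jf.createGenerator(out);` can be one call per feature, since `JsonGenerator` provides `configure(Feature, boolean)`: `for (Feature f : features) { g.configure(f, data.consumeBoolean()); }`. Several listed entries (`QUOTE_FIELD_NAMES`, `QUOTE_NON_NUMERIC_NUMBERS`, `ESCAPE_NON_ASCII`, `WRITE_NUMBERS_AS_STRINGS`, `WRITE_BIGDECIMAL_AS_PLAIN`) are, as far as I recall, deprecated in jackson-core 2.10+ in favour of `JsonWriteFeature`, so expect deprecation warnings; `Feature.values()` would also keep the list from drifting as features are added. `switch(apiType%13)` has the negative-remainder problem raised on the DataInputFuzzer hunk. The enclosing method starts and ends outside this hunk.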
@@ -101,11 +123,24 @@ public class UTF8GeneratorFuzzer { case 8: b64v = Base64Variants.getDefaultVariant(); b = data.consumeBytes(1000000); - offset = data.consumeInt(); + int l = data.consumeInt(); InputStream targetStream = new ByteArrayInputStream(b); g.writeStartArray(); - g.writeBinary(b64v, targetStream, b.length); + g.writeBinary(b64v, targetStream, l); g.writeEndArray(); + case 9: + String dcString = data.consumeString(10); + BigDecimal BD = new BigDecimal(dcString); + g.writeNumber(BD); + case 10: + int fuzzInt = data.consumeInt(); + g.writeNumber(fuzzInt); + case 11: + float fuzzFloat = data.consumeFloat(); + g.writeNumber(fuzzFloat); + case 12: + fuzzString = data.consumeString(100000); + g.writeNumber(fuzzString); } } catch (IOException | IllegalArgumentException ignored) { }
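Review bot: `int l = data.consumeInt();` and `BigDecimal BD = new BigDecimal(dcString);` use names that read poorly — `l` is easily confused with `1` and `BD` looks like a constant; `int binaryLen = data.consumeInt();` and `BigDecimal decimal = new BigDecimal(dcString);` would match the file's lowerCamelCase locals. Since no case ends in `break`, case 8 now continues into the four new `writeNumber` cases; if that is intentional a `// fall through` comment after `g.writeEndArray();` documents it, otherwise add `break;` there. Passing the unbounded `l` to `writeBinary` looks like deliberate fuzzing of the length argument, and `NumberFormatException` from the `BigDecimal` constructor is an `IllegalArgumentException`, so the existing catch already covers it. The enclosing loop and method extend beyond the hunk.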