Merging upstream version 3.5.1+dfsg1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 228 insertions, 3 deletions

diff --git a/libfreerdp/core/test/CMakeLists.txt b/libfreerdp/core/test/CMakeLists.txt
index ebd8fef..9b2e654 100644
--- a/libfreerdp/core/test/CMakeLists.txt
+++ b/libfreerdp/core/test/CMakeLists.txt
@@ -10,7 +10,9 @@ set(${MODULE_PREFIX}_TESTS
 	TestSettings.c)
 
 set(FUZZERS
-	TestFuzzCryptoCertificateDataSetPEM.c
+	TestFuzzCoreClient.c
+	TestFuzzCoreServer.c
+    TestFuzzCryptoCertificateDataSetPEM.c
 )
 
 if(WITH_SAMPLE AND WITH_SERVER AND NOT WIN32)
@@ -34,7 +36,7 @@ add_definitions(-DTESTING_SRC_DIRECTORY="${PROJECT_SOURCE_DIR}")
 target_link_libraries(${MODULE_NAME} freerdp winpr freerdp-client)
 
 include (AddFuzzerTest)
-add_fuzzer_test("${FUZZERS}" "freerdp winpr")
+add_fuzzer_test("${FUZZERS}" "freerdp-client freerdp winpr")
 
 set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")
 
@@ -44,4 +46,3 @@ foreach(test ${${MODULE_PREFIX}_TESTS})
 endforeach()
 
 set_property(TARGET ${MODULE_NAME} PROPERTY FOLDER "FreeRDP/Core/Test")
-
diff --git a/libfreerdp/core/test/TestFuzzCoreClient.c b/libfreerdp/core/test/TestFuzzCoreClient.c
new file mode 100644
index 0000000..5c67497
--- /dev/null
+++ b/libfreerdp/core/test/TestFuzzCoreClient.c
@@ -0,0 +1,116 @@
+#include <freerdp/client.h>
+
+#include "../fastpath.h"
+#include "../surface.h"
+#include "../window.h"
+#include "../info.h"
+#include "../multitransport.h"
+
+static BOOL test_client(const uint8_t* Data, size_t Size)
+{
+	RDP_CLIENT_ENTRY_POINTS entry = { 0 };
+
+	entry.Version = RDP_CLIENT_INTERFACE_VERSION;
+	entry.Size = sizeof(RDP_CLIENT_ENTRY_POINTS_V1);
+	entry.ContextSize = sizeof(rdpContext);
+
+	rdpContext* context = freerdp_client_context_new(&entry);
+	if (!context)
+		goto fail;
+
+	rdpRdp* rdp = context->rdp;
+	WINPR_ASSERT(rdp);
+
+	wStream sbuffer = { 0 };
+	wStream* s = Stream_StaticConstInit(&sbuffer, Data, Size);
+
+	{
+		rdpFastPath* fastpath = rdp->fastpath;
+		WINPR_ASSERT(fastpath);
+
+		fastpath_recv_updates(fastpath, s);
+		fastpath_recv_inputs(fastpath, s);
+
+		UINT16 length = 0;
+		fastpath_read_header_rdp(fastpath, s, &length);
+		fastpath_decrypt(fastpath, s, &length);
+	}
+
+	{
+		UINT16 length = 0;
+		UINT16 flags = 0;
+		UINT16 channelId = 0;
+		UINT16 tpktLength = 0;
+		UINT16 remainingLength = 0;
+		UINT16 type = 0;
+		UINT16 securityFlags = 0;
+		UINT32 share_id = 0;
+		BYTE compressed_type = 0;
+		BYTE btype = 0;
+		UINT16 compressed_len = 0;
+
+		rdp_recv_callback(rdp->transport, s, rdp);
+		rdp_read_security_header(rdp, s, &flags, &length);
+		rdp_read_header(rdp, s, &length, &channelId);
+		rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId);
+		rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type,
+		                           &compressed_len);
+		rdp_recv_enhanced_security_redirection_packet(rdp, s);
+		rdp_recv_out_of_sequence_pdu(rdp, s, type, length);
+		rdp_recv_message_channel_pdu(rdp, s, securityFlags);
+	}
+	{
+		rdpUpdate* update = rdp->update;
+		UINT16 channelId = 0;
+		UINT16 length = 0;
+		UINT16 pduSource = 0;
+		UINT16 pduLength = 0;
+		update_recv_order(update, s);
+		update_recv_altsec_window_order(update, s);
+		update_recv_play_sound(update, s);
+		update_recv_pointer(update, s);
+		update_recv_surfcmds(update, s);
+		rdp_recv_get_active_header(rdp, s, &channelId, &length);
+		rdp_recv_demand_active(rdp, s, pduSource, length);
+		rdp_recv_confirm_active(rdp, s, pduLength);
+	}
+	{
+		rdpNla* nla = nla_new(rdp->context, rdp->transport);
+		nla_recv_pdu(nla, s);
+		nla_free(nla);
+	}
+	{
+		rdp_recv_heartbeat_packet(rdp, s);
+		rdp->state = CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE;
+		rdp_recv_client_info(rdp, s);
+		rdp_recv_save_session_info(rdp, s);
+	}
+	{
+		freerdp_is_valid_mcs_create_request(Data, Size);
+		freerdp_is_valid_mcs_create_response(Data, Size);
+	}
+	{
+		multitransport_recv_request(rdp->multitransport, s);
+		multitransport_recv_response(rdp->multitransport, s);
+	}
+	{
+		autodetect_recv_request_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s);
+		autodetect_recv_response_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s);
+	}
+	{
+		rdp_recv_deactivate_all(rdp, s);
+		rdp_recv_server_synchronize_pdu(rdp, s);
+		rdp_recv_client_synchronize_pdu(rdp, s);
+
+		rdp_recv_data_pdu(rdp, s);
+		rdp_recv_font_map_pdu(rdp, s);
+	}
+fail:
+	freerdp_client_context_free(context);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size)
+{
+	test_client(Data, Size);
+	return 0;
+}
diff --git a/libfreerdp/core/test/TestFuzzCoreServer.c b/libfreerdp/core/test/TestFuzzCoreServer.c
new file mode 100644
index 0000000..cd469f4
--- /dev/null
+++ b/libfreerdp/core/test/TestFuzzCoreServer.c
@@ -0,0 +1,108 @@
+#include <freerdp/peer.h>
+
+#include "../fastpath.h"
+#include "../surface.h"
+#include "../window.h"
+#include "../info.h"
+#include "../multitransport.h"
+
+static BOOL test_server(const uint8_t* Data, size_t Size)
+{
+	freerdp_peer* client = calloc(1, sizeof(freerdp_peer));
+	if (!client)
+		goto fail;
+	client->ContextSize = sizeof(rdpContext);
+	if (!freerdp_peer_context_new(client))
+		goto fail;
+
+	WINPR_ASSERT(client->context);
+	rdpRdp* rdp = client->context->rdp;
+	WINPR_ASSERT(rdp);
+
+	wStream sbuffer = { 0 };
+	wStream* s = Stream_StaticConstInit(&sbuffer, Data, Size);
+
+	{
+		rdpFastPath* fastpath = rdp->fastpath;
+		WINPR_ASSERT(fastpath);
+
+		fastpath_recv_updates(fastpath, s);
+		fastpath_recv_inputs(fastpath, s);
+
+		UINT16 length = 0;
+		fastpath_read_header_rdp(fastpath, s, &length);
+		fastpath_decrypt(fastpath, s, &length);
+	}
+
+	{
+		UINT16 length = 0;
+		UINT16 flags = 0;
+		UINT16 channelId = 0;
+		UINT16 tpktLength = 0;
+		UINT16 remainingLength = 0;
+		UINT16 type = 0;
+		UINT16 securityFlags = 0;
+		UINT32 share_id = 0;
+		BYTE compressed_type = 0;
+		BYTE btype = 0;
+		UINT16 compressed_len = 0;
+		rdp_read_security_header(rdp, s, &flags, &length);
+		rdp_read_header(rdp, s, &length, &channelId);
+		rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId);
+		rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type,
+		                           &compressed_len);
+		rdp_recv_message_channel_pdu(rdp, s, securityFlags);
+	}
+	{
+		rdpUpdate* update = rdp->update;
+		UINT16 channelId = 0;
+		UINT16 length = 0;
+		UINT16 pduSource = 0;
+		UINT16 pduLength = 0;
+		update_recv_order(update, s);
+		update_recv_altsec_window_order(update, s);
+		update_recv_play_sound(update, s);
+		update_recv_pointer(update, s);
+		update_recv_surfcmds(update, s);
+		rdp_recv_get_active_header(rdp, s, &channelId, &length);
+		rdp_recv_demand_active(rdp, s, pduSource, length);
+		rdp_recv_confirm_active(rdp, s, pduLength);
+	}
+	{
+		rdpNla* nla = nla_new(rdp->context, rdp->transport);
+		nla_recv_pdu(nla, s);
+		nla_free(nla);
+	}
+	{
+		rdp_recv_heartbeat_packet(rdp, s);
+		rdp->state = CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE;
+		rdp_recv_client_info(rdp, s);
+		rdp_recv_save_session_info(rdp, s);
+	}
+	{
+		freerdp_is_valid_mcs_create_request(Data, Size);
+		freerdp_is_valid_mcs_create_response(Data, Size);
+	}
+	{
+		multitransport_recv_request(rdp->multitransport, s);
+		multitransport_recv_response(rdp->multitransport, s);
+	}
+	{
+		autodetect_recv_request_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s);
+		autodetect_recv_response_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s);
+	}
+	{
+		rdp_recv_deactivate_all(rdp, s);
+		rdp_recv_server_synchronize_pdu(rdp, s);
+		rdp_recv_client_synchronize_pdu(rdp, s);
+	}
+fail:
+	freerdp_peer_context_free(client);
+	free(client);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size)
+{
+	test_server(Data, Size);
+	return 0;
+}