From b98db3773ed560bb12da54df787da620136c328b Mon Sep 17 00:00:00 2001
From: Kirk Baird <baird.k@outlook.com>
Date: Wed, 20 Feb 2019 16:15:30 +1100
Subject: [PATCH] Fuzz test ssz_encode for u8 to u64

---
 eth2/utils/ssz/fuzz/Cargo.toml                | 16 ++++++++
 .../fuzz_targets/fuzz_target_u16_encode.rs    | 22 ++++++++++
 .../fuzz_targets/fuzz_target_u32_encode.rs    | 22 ++++++++++
 .../fuzz_targets/fuzz_target_u64_decode.rs    |  2 +-
 .../fuzz_targets/fuzz_target_u64_encode.rs    | 40 +++++++++++++++++++
 .../fuzz_targets/fuzz_target_u8_decode.rs     |  2 +-
 .../fuzz_targets/fuzz_target_u8_encode.rs     | 22 ++++++++++
 7 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u16_encode.rs
 create mode 100644 eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u32_encode.rs
 create mode 100644 eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_encode.rs
 create mode 100644 eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_encode.rs

diff --git a/eth2/utils/ssz/fuzz/Cargo.toml b/eth2/utils/ssz/fuzz/Cargo.toml
index d0455a556..5af3275cd 100644
--- a/eth2/utils/ssz/fuzz/Cargo.toml
+++ b/eth2/utils/ssz/fuzz/Cargo.toml
@@ -21,14 +21,30 @@ members = ["."]
 name = "fuzz_target_u8_decode"
 path = "fuzz_targets/fuzz_target_u8_decode.rs"
 
+[[bin]]
+name = "fuzz_target_u8_encode"
+path = "fuzz_targets/fuzz_target_u8_encode.rs"
+
 [[bin]]
 name = "fuzz_target_u16_decode"
 path = "fuzz_targets/fuzz_target_u16_decode.rs"
 
+[[bin]]
+name = "fuzz_target_u16_encode"
+path = "fuzz_targets/fuzz_target_u16_encode.rs"
+
 [[bin]]
 name = "fuzz_target_u32_decode"
 path = "fuzz_targets/fuzz_target_u32_decode.rs"
 
+[[bin]]
+name = "fuzz_target_u32_encode"
+path = "fuzz_targets/fuzz_target_u32_encode.rs"
+
 [[bin]]
 name = "fuzz_target_u64_decode"
 path = "fuzz_targets/fuzz_target_u64_decode.rs"
+
+[[bin]]
+name = "fuzz_target_u64_encode"
+path = "fuzz_targets/fuzz_target_u64_encode.rs"
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u16_encode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u16_encode.rs
new file mode 100644
index 000000000..ce8a51845
--- /dev/null
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u16_encode.rs
@@ -0,0 +1,22 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate ssz;
+
+use ssz::SszStream;
+
+// Fuzz ssz_encode (via ssz_append)
+fuzz_target!(|data: &[u8]| {
+    let mut ssz = SszStream::new();
+    let mut number_u16 = 0;
+    if data.len() >= 2 {
+        number_u16 = u16::from_be_bytes([data[0], data[1]]);
+    }
+
+    ssz.append(&number_u16);
+    let ssz = ssz.drain();
+
+    // TODO: change to little endian bytes
+    // https://github.com/sigp/lighthouse/issues/215
+    assert_eq!(ssz.len(), 2);
+    assert_eq!(number_u16, u16::from_be_bytes([ssz[0], ssz[1]]));
+});
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u32_encode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u32_encode.rs
new file mode 100644
index 000000000..c71bcecaf
--- /dev/null
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u32_encode.rs
@@ -0,0 +1,22 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate ssz;
+
+use ssz::SszStream;
+
+// Fuzz ssz_encode (via ssz_append)
+fuzz_target!(|data: &[u8]| {
+    let mut ssz = SszStream::new();
+    let mut number_u32 = 0;
+    if data.len() >= 4 {
+        number_u32 = u32::from_be_bytes([data[0], data[1], data[2], data[3]]);
+    }
+
+    ssz.append(&number_u32);
+    let ssz = ssz.drain();
+
+    // TODO: change to little endian bytes
+    // https://github.com/sigp/lighthouse/issues/215
+    assert_eq!(ssz.len(), 4);
+    assert_eq!(number_u32, u32::from_be_bytes([ssz[0], ssz[1], ssz[2], ssz[3]]));
+});
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_decode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_decode.rs
index 9e13ab604..63eb60f55 100644
--- a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_decode.rs
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_decode.rs
@@ -25,7 +25,7 @@ fuzz_target!(|data: &[u8]| {
             ]);
         assert_eq!(number_u64, val);
     } else {
-        // Length less then 4 should return error
+        // Length less then 8 should return error
         assert_eq!(result, Err(DecodeError::TooShort));
     }
 });
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_encode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_encode.rs
new file mode 100644
index 000000000..68616e0da
--- /dev/null
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u64_encode.rs
@@ -0,0 +1,40 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate ssz;
+
+use ssz::SszStream;
+
+// Fuzz ssz_encode (via ssz_append)
+fuzz_target!(|data: &[u8]| {
+    let mut ssz = SszStream::new();
+    let mut number_u64 = 0;
+    if data.len() >= 8 {
+        number_u64 = u64::from_be_bytes([
+            data[0],
+            data[1],
+            data[2],
+            data[3],
+            data[4],
+            data[5],
+            data[6],
+            data[7],
+            ]);
+    }
+
+    ssz.append(&number_u64);
+    let ssz = ssz.drain();
+
+    // TODO: change to little endian bytes
+    // https://github.com/sigp/lighthouse/issues/215
+    assert_eq!(ssz.len(), 8);
+    assert_eq!(number_u64, u64::from_be_bytes([
+        ssz[0],
+        ssz[1],
+        ssz[2],
+        ssz[3],
+        ssz[4],
+        ssz[5],
+        ssz[6],
+        ssz[7],
+        ]));
+});
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_decode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_decode.rs
index 296b6fa3d..6f17a4c85 100644
--- a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_decode.rs
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_decode.rs
@@ -12,8 +12,8 @@ fuzz_target!(|data: &[u8]| {
         let (number_u8, index) = result.unwrap();
         // TODO: change to little endian bytes
         // https://github.com/sigp/lighthouse/issues/215
-        assert_eq!(number_u8, data[0]);
         assert_eq!(index, 1);
+        assert_eq!(number_u8, data[0]);
     } else {
         // Length of 0 should return error
         assert_eq!(result, Err(DecodeError::TooShort));
diff --git a/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_encode.rs b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_encode.rs
new file mode 100644
index 000000000..a135f2cd5
--- /dev/null
+++ b/eth2/utils/ssz/fuzz/fuzz_targets/fuzz_target_u8_encode.rs
@@ -0,0 +1,22 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate ssz;
+
+use ssz::SszStream;
+
+// Fuzz ssz_encode (via ssz_append)
+fuzz_target!(|data: &[u8]| {
+    let mut ssz = SszStream::new();
+    let mut number_u8 = 0;
+    if data.len() >= 1 {
+        number_u8 = data[0];
+    }
+
+    ssz.append(&number_u8);
+    let ssz = ssz.drain();
+
+    // TODO: change to little endian bytes
+    // https://github.com/sigp/lighthouse/issues/215
+    assert_eq!(number_u8, ssz[0]);
+    assert_eq!(ssz.len(), 1);
+});