From 3c16681811eac4929453fa2b20b03e0924d9e045 Mon Sep 17 00:00:00 2001 From: Sameer Ali <89sameerali@gmail.com> Date: Sat, 4 Apr 2026 15:22:00 +0500 Subject: [PATCH 1/2] Add MiniReflect fuzz target Add fuzz target for the MiniReflect API (FlatBufferToString, IterateFlatBuffer). Covers minireflect.h which was previously unfuzzed despite handling untrusted binary input.
--- .../fuzzer/flatbuffers_minireflect_fuzzer.cc | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 tests/fuzzer/flatbuffers_minireflect_fuzzer.cc
diff --git a/tests/fuzzer/flatbuffers_minireflect_fuzzer.cc b/tests/fuzzer/flatbuffers_minireflect_fuzzer.cc new file mode 100644
index 0000000000..33a0f9d987
--- /dev/null
+++ b/tests/fuzzer/flatbuffers_minireflect_fuzzer.cc
@@ -0,0 +1,50 @@
+// Copyright 2026 Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Fuzz target for the MiniReflect API (FlatBufferToString, IterateFlatBuffer).
+// This exercises minireflect.h which was previously completely unfuzzed.
+//
+// The fuzzer feeds arbitrary bytes as a FlatBuffer to the MiniReflect
+// iteration/traversal functions, exercising:
+// - IterateObject / IterateValue (union dispatch, vector iteration)
+// - FlatBufferToString (ToStringVisitor)
+// - TypeTable-driven traversal of all field types including union vectors
+//
+// Uses the Movie schema (union_vector.fbs) which contains:
+// - Union vectors: characters:[Character]
+// - Single unions: main_character:Character
+// - Structs in unions: Rapunzel, BookReader
+// - Strings in unions: Other, Unused
+// - Nested tables: Attacker, HandFan
+
+#include
+#include
+
+#include
+
+#include "cpp17/generated_cpp17/union_vector_generated.h"
+#include "flatbuffers/minireflect.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ // Exercise FlatBufferToString with the Movie schema.
+ // This traverses all fields including union vectors via IterateObject
+ // and IterateValue, covering the union type dispatch path in minireflect.h.
+ flatbuffers::FlatBufferToString(data, MovieTypeTable());
+
+ // Also exercise with the Monster schema for broader coverage of
+ // table/struct/enum field types without union vectors.
+ flatbuffers::FlatBufferToString(data, AttackerTypeTable());
+
+ return 0;
+}
From 8195fe612a3990d0b9982a1fbc63f66c312ef1f6 Mon Sep 17 00:00:00 2001 From: Sameer Ali <89sameerali@gmail.com> Date: Sat, 4 Apr 2026 15:32:11 +0500 Subject: [PATCH 2/2] Add minireflect_fuzzer build target Register the MiniReflect fuzz target in the CMake build
--- tests/fuzzer/CMakeLists.txt | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tests/fuzzer/CMakeLists.txt b/tests/fuzzer/CMakeLists.txt
index 272c121aab..f660d13739 100644
--- a/tests/fuzzer/CMakeLists.txt
+++ b/tests/fuzzer/CMakeLists.txt
@@ -216,6 +216,9 @@ target_link_libraries(flexverifier_fuzzer PRIVATE flatbuffers_fuzzed)
 add_executable(monster_fuzzer flatbuffers_monster_fuzzer.cc)
 target_link_libraries(monster_fuzzer PRIVATE flatbuffers_fuzzed)
 
+add_executable(minireflect_fuzzer flatbuffers_minireflect_fuzzer.cc)
+target_link_libraries(minireflect_fuzzer PRIVATE flatbuffers_fuzzed)
+
 add_executable(codegen_fuzzer flatbuffers_codegen_fuzzer.cc ${FlatBuffers_Compiler_SRCS})
 target_link_libraries(codegen_fuzzer PRIVATE flatbuffers_fuzzed)
 target_compile_definitions(codegen_fuzzer PRIVATE assert=fuzzer_assert_impl)
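Review bot: `LLVMFuzzerTestOneInput` passes `data` straight to `FlatBufferToString` and never uses `size`, so MiniReflect follows offsets read from arbitrary bytes with no bounds information at all; every out-of-range read the fuzzer then reports is the expected result of traversing an unverified buffer, not a defect in minireflect.h, and the target will drown real findings in those crashes. Each traversal should be gated on `flatbuffers::Verifier` for the schema being walked — I would expect the generated `union_vector_generated.h` to provide `VerifyMovieBuffer` for the root type — and because `Attacker` is not the root type, the second call needs its own `VerifyBuffer<Attacker>` check rather than borrowing the Movie result. The comment before that second call says "Monster schema" while the call uses `AttackerTypeTable()` from the same union_vector schema, so it should read `// Also exercise the Attacker table (no union vectors) for broader coverage of scalar/table field types.` If MiniReflect is instead meant to be robust on unverified input, the header comment should state that explicitly so the resulting crashes are triaged as library bugs rather than fuzzer noise.
```cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // MiniReflect does no bounds checking of its own: only hand it buffers
  // that the Verifier has accepted for the schema being traversed.
  flatbuffers::Verifier movie_verifier(data, size);
  if (VerifyMovieBuffer(movie_verifier)) {
    flatbuffers::FlatBufferToString(data, MovieTypeTable());
  }
  // Attacker is not the root type, so a Movie-valid buffer is not
  // automatically a valid Attacker; verify it separately.
  flatbuffers::Verifier attacker_verifier(data, size);
  if (attacker_verifier.VerifyBuffer<Attacker>(nullptr)) {
    flatbuffers::FlatBufferToString(data, AttackerTypeTable());
  }
  return 0;
}
```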