Skip to content

Add fuzz target for MiniReflect API (FlatBufferToString / IterateFlatBuffer) #9021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sameerali275 wants to merge 2 commits into
base: master
Choose a base branch
from
+53 −0
Open

Add fuzz target for MiniReflect API (FlatBufferToString / IterateFlatBuffer) #9021

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3c16681
Add MiniReflect fuzz target
sameerali275 Apr 4, 2026
8195fe6
Add minireflect_fuzzer build target
sameerali275 Apr 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions tests/fuzzer/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,9 @@ target_link_libraries(flexverifier_fuzzer PRIVATE flatbuffers_fuzzed)
add_executable(monster_fuzzer flatbuffers_monster_fuzzer.cc)
target_link_libraries(monster_fuzzer PRIVATE flatbuffers_fuzzed)

add_executable(minireflect_fuzzer flatbuffers_minireflect_fuzzer.cc)
target_link_libraries(minireflect_fuzzer PRIVATE flatbuffers_fuzzed)

add_executable(codegen_fuzzer flatbuffers_codegen_fuzzer.cc ${FlatBuffers_Compiler_SRCS})
target_link_libraries(codegen_fuzzer PRIVATE flatbuffers_fuzzed)
target_compile_definitions(codegen_fuzzer PRIVATE assert=fuzzer_assert_impl)
Expand Down
50 changes: 50 additions & 0 deletions tests/fuzzer/flatbuffers_minireflect_fuzzer.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
// Copyright 2026 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Fuzz target for the MiniReflect API (FlatBufferToString, IterateFlatBuffer).
// This exercises minireflect.h which was previously completely unfuzzed.
//
// The fuzzer feeds arbitrary bytes as a FlatBuffer to the MiniReflect
// iteration/traversal functions, exercising:
// - IterateObject / IterateValue (union dispatch, vector iteration)
// - FlatBufferToString (ToStringVisitor)
// - TypeTable-driven traversal of all field types including union vectors
//
// Uses the Movie schema (union_vector.fbs) which contains:
// - Union vectors: characters:[Character]
// - Single unions: main_character:Character
// - Structs in unions: Rapunzel, BookReader
// - Strings in unions: Other, Unused
// - Nested tables: Attacker, HandFan

#include <stddef.h>
#include <stdint.h>

#include <string>

#include "cpp17/generated_cpp17/union_vector_generated.h"
#include "flatbuffers/minireflect.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// Exercise FlatBufferToString with the Movie schema.
// This traverses all fields including union vectors via IterateObject
// and IterateValue, covering the union type dispatch path in minireflect.h.
flatbuffers::FlatBufferToString(data, MovieTypeTable());

// Also exercise with the Monster schema for broader coverage of
// table/struct/enum field types without union vectors.
flatbuffers::FlatBufferToString(data, AttackerTypeTable());

return 0;
}