From a16ea051f915eb4c975fe06f89470aa99d99d7e4 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Fri, 27 Mar 2020 14:12:11 +0000
Subject: [PATCH 1/5] tests: Add fuzzing harness for functions/classes in
 flatfile.h

---
 src/Makefile.test.include  |  7 +++++++
 src/test/fuzz/flatfile.cpp | 30 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 src/test/fuzz/flatfile.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 2938ccdc9f9..05d3acfb3eb 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -35,6 +35,7 @@ FUZZ_TARGETS = \
   test/fuzz/fee_rate \
   test/fuzz/fee_rate_deserialize \
   test/fuzz/flat_file_pos_deserialize \
+  test/fuzz/flatfile \
   test/fuzz/float \
   test/fuzz/hex \
   test/fuzz/integer \
@@ -480,6 +481,12 @@ test_fuzz_flat_file_pos_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_flat_file_pos_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_flat_file_pos_deserialize_SOURCES = $(FUZZ_SUITE) test/fuzz/deserialize.cpp
 
+test_fuzz_flatfile_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_flatfile_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_flatfile_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_flatfile_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_flatfile_SOURCES = $(FUZZ_SUITE) test/fuzz/flatfile.cpp
+
 test_fuzz_float_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_float_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_float_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/test/fuzz/flatfile.cpp b/src/test/fuzz/flatfile.cpp
new file mode 100644
index 00000000000..a55de77df77
--- /dev/null
+++ b/src/test/fuzz/flatfile.cpp
@@ -0,0 +1,30 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <flatfile.h>
+#include <optional.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cassert>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    Optional<FlatFilePos> flat_file_pos = ConsumeDeserializable<FlatFilePos>(fuzzed_data_provider);
+    if (!flat_file_pos) {
+        return;
+    }
+    Optional<FlatFilePos> another_flat_file_pos = ConsumeDeserializable<FlatFilePos>(fuzzed_data_provider);
+    if (another_flat_file_pos) {
+        assert((*flat_file_pos == *another_flat_file_pos) != (*flat_file_pos != *another_flat_file_pos));
+    }
+    (void)flat_file_pos->ToString();
+    flat_file_pos->SetNull();
+    assert(flat_file_pos->IsNull());
+}

From 9718f38f54357f15b8a27e060aed56f91015112d Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Fri, 27 Mar 2020 20:55:47 +0000
Subject: [PATCH 2/5] tests: Add fuzzing harness for functions/classes in
 merkleblock.h

---
 src/Makefile.test.include     |  7 +++++++
 src/test/fuzz/merkleblock.cpp | 27 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 src/test/fuzz/merkleblock.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 05d3acfb3eb..16a23a073f5 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -45,6 +45,7 @@ FUZZ_TARGETS = \
   test/fuzz/key_origin_info_deserialize \
   test/fuzz/locale \
   test/fuzz/merkle_block_deserialize \
+  test/fuzz/merkleblock \
   test/fuzz/messageheader_deserialize \
   test/fuzz/multiplication_overflow \
   test/fuzz/net_permissions \
@@ -541,6 +542,12 @@ test_fuzz_merkle_block_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_merkle_block_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_merkle_block_deserialize_SOURCES = $(FUZZ_SUITE) test/fuzz/deserialize.cpp
 
+test_fuzz_merkleblock_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_merkleblock_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_merkleblock_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_merkleblock_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_merkleblock_SOURCES = $(FUZZ_SUITE) test/fuzz/merkleblock.cpp
+
 test_fuzz_messageheader_deserialize_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -DMESSAGEHEADER_DESERIALIZE=1
 test_fuzz_messageheader_deserialize_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_messageheader_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/test/fuzz/merkleblock.cpp b/src/test/fuzz/merkleblock.cpp
new file mode 100644
index 00000000000..eb8fa1d421d
--- /dev/null
+++ b/src/test/fuzz/merkleblock.cpp
@@ -0,0 +1,27 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <merkleblock.h>
+#include <optional.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <uint256.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    Optional<CPartialMerkleTree> partial_merkle_tree = ConsumeDeserializable<CPartialMerkleTree>(fuzzed_data_provider);
+    if (!partial_merkle_tree) {
+        return;
+    }
+    (void)partial_merkle_tree->GetNumTransactions();
+    std::vector<uint256> matches;
+    std::vector<unsigned int> indices;
+    (void)partial_merkle_tree->ExtractMatches(matches, indices);
+}

From f205cf7fef5618aaa96f016fda168eedfd9da437 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Fri, 27 Mar 2020 21:12:28 +0000
Subject: [PATCH 3/5] tests: Add fuzzing harness for functions/classes in
 span.h

---
 src/Makefile.test.include |  7 +++++++
 src/test/fuzz/span.cpp    | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 src/test/fuzz/span.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 16a23a073f5..c01c9fc52ac 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -100,6 +100,7 @@ FUZZ_TARGETS = \
   test/fuzz/service_deserialize \
   test/fuzz/signature_checker \
   test/fuzz/snapshotmetadata_deserialize \
+  test/fuzz/span \
   test/fuzz/spanparsing \
   test/fuzz/string \
   test/fuzz/strprintf \
@@ -872,6 +873,12 @@ test_fuzz_snapshotmetadata_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_snapshotmetadata_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_snapshotmetadata_deserialize_SOURCES = $(FUZZ_SUITE) test/fuzz/deserialize.cpp
 
+test_fuzz_span_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_span_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_span_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_span_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_span_SOURCES = $(FUZZ_SUITE) test/fuzz/span.cpp
+
 test_fuzz_spanparsing_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_spanparsing_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_spanparsing_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/test/fuzz/span.cpp b/src/test/fuzz/span.cpp
new file mode 100644
index 00000000000..4aea530ef25
--- /dev/null
+++ b/src/test/fuzz/span.cpp
@@ -0,0 +1,39 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <span.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+    std::string str = fuzzed_data_provider.ConsumeBytesAsString(32);
+    const Span<const char> span = MakeSpan(str);
+    (void)span.data();
+    (void)span.begin();
+    (void)span.end();
+    if (span.size() > 0) {
+        const std::ptrdiff_t idx = fuzzed_data_provider.ConsumeIntegralInRange<std::ptrdiff_t>(0U, span.size() - 1U);
+        (void)span.first(idx);
+        (void)span.last(idx);
+        (void)span.subspan(idx);
+        (void)span.subspan(idx, span.size() - idx);
+        (void)span[idx];
+    }
+
+    std::string another_str = fuzzed_data_provider.ConsumeBytesAsString(32);
+    const Span<const char> another_span = MakeSpan(another_str);
+    assert((span <= another_span) != (span > another_span));
+    assert((span == another_span) != (span != another_span));
+    assert((span >= another_span) != (span < another_span));
+}

From 64d277bbbcbd464b2a795bae011ee808298a42ca Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Sat, 28 Mar 2020 08:10:41 +0000
Subject: [PATCH 4/5] tests: Add fuzzing harness for LimitedString
 (serialize.h)

---
 src/test/fuzz/string.cpp | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/test/fuzz/string.cpp b/src/test/fuzz/string.cpp
index bb583885ba1..3de0cf8db7c 100644
--- a/src/test/fuzz/string.cpp
+++ b/src/test/fuzz/string.cpp
@@ -12,6 +12,8 @@
 #include <rpc/server.h>
 #include <rpc/util.h>
 #include <script/descriptor.h>
+#include <serialize.h>
+#include <streams.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
 #include <test/fuzz/util.h>
@@ -24,6 +26,7 @@
 #include <util/system.h>
 #include <util/translation.h>
 #include <util/url.h>
+#include <version.h>
 
 #include <cstdint>
 #include <string>
@@ -86,4 +89,30 @@ void test_one_input(const std::vector<uint8_t>& buffer)
     (void)urlDecode(random_string_1);
     (void)ValidAsCString(random_string_1);
     (void)_(random_string_1.c_str());
+
+    {
+        CDataStream data_stream{SER_NETWORK, INIT_PROTO_VERSION};
+        std::string s;
+        LimitedString<10> limited_string = LIMITED_STRING(s, 10);
+        data_stream << random_string_1;
+        try {
+            data_stream >> limited_string;
+            assert(data_stream.empty());
+            assert(s.size() <= random_string_1.size());
+            assert(s.size() <= 10);
+            if (!random_string_1.empty()) {
+                assert(!s.empty());
+            }
+        } catch (const std::ios_base::failure&) {
+        }
+    }
+    {
+        CDataStream data_stream{SER_NETWORK, INIT_PROTO_VERSION};
+        const LimitedString<10> limited_string = LIMITED_STRING(random_string_1, 10);
+        data_stream << limited_string;
+        std::string deserialized_string;
+        data_stream >> deserialized_string;
+        assert(data_stream.empty());
+        assert(deserialized_string == random_string_1);
+    }
 }

From 11a520f6793e21e0a8a9301f5ec4c28a48131b85 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Sat, 28 Mar 2020 08:56:38 +0000
Subject: [PATCH 5/5] tests: Add fuzzing harness for functions/classes in
 random.h

---
 src/Makefile.test.include |  7 +++++++
 src/random.h              | 14 +++++++++-----
 src/test/fuzz/random.cpp  | 31 +++++++++++++++++++++++++++++++
 src/test/fuzz/util.h      | 19 +++++++++++++++----
 4 files changed, 62 insertions(+), 9 deletions(-)
 create mode 100644 src/test/fuzz/random.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index c01c9fc52ac..059876bec83 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -91,6 +91,7 @@ FUZZ_TARGETS = \
   test/fuzz/psbt_input_deserialize \
   test/fuzz/psbt_output_deserialize \
   test/fuzz/pub_key_deserialize \
+  test/fuzz/random \
   test/fuzz/rolling_bloom_filter \
   test/fuzz/script \
   test/fuzz/script_deserialize \
@@ -819,6 +820,12 @@ test_fuzz_pub_key_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_pub_key_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_pub_key_deserialize_SOURCES = $(FUZZ_SUITE) test/fuzz/deserialize.cpp
 
+test_fuzz_random_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_random_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_random_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_random_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_random_SOURCES = $(FUZZ_SUITE) test/fuzz/random.cpp
+
 test_fuzz_rolling_bloom_filter_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_rolling_bloom_filter_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_rolling_bloom_filter_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/random.h b/src/random.h
index 518a5cd3e36..4e4597cff63 100644
--- a/src/random.h
+++ b/src/random.h
@@ -103,7 +103,8 @@ void RandAddEvent(const uint32_t event_info) noexcept;
  *
  * This class is not thread-safe.
  */
-class FastRandomContext {
+class FastRandomContext
+{
 private:
     bool requires_seed;
     ChaCha20 rng;
@@ -155,7 +156,8 @@ public:
     }
 
     /** Generate a random (bits)-bit integer. */
-    uint64_t randbits(int bits) noexcept {
+    uint64_t randbits(int bits) noexcept
+    {
         if (bits == 0) {
             return 0;
         } else if (bits > 32) {
@@ -169,7 +171,9 @@ public:
         }
     }
 
-    /** Generate a random integer in the range [0..range). */
+    /** Generate a random integer in the range [0..range).
+     * Precondition: range > 0.
+     */
     uint64_t randrange(uint64_t range) noexcept
     {
         assert(range);
@@ -210,7 +214,7 @@ public:
  * debug mode detects and panics on. This is a known issue, see
  * https://stackoverflow.com/questions/22915325/avoiding-self-assignment-in-stdshuffle
  */
-template<typename I, typename R>
+template <typename I, typename R>
 void Shuffle(I first, I last, R&& rng)
 {
     while (first != last) {
@@ -233,7 +237,7 @@ static const int NUM_OS_RANDOM_BYTES = 32;
 /** Get 32 bytes of system entropy. Do not use this in application code: use
  * GetStrongRandBytes instead.
  */
-void GetOSRand(unsigned char *ent32);
+void GetOSRand(unsigned char* ent32);
 
 /** Check that OS randomness is available and returning the requested number
  * of bytes.
diff --git a/src/test/fuzz/random.cpp b/src/test/fuzz/random.cpp
new file mode 100644
index 00000000000..7df6594ad69
--- /dev/null
+++ b/src/test/fuzz/random.cpp
@@ -0,0 +1,31 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <random.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <algorithm>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    FastRandomContext fast_random_context{ConsumeUInt256(fuzzed_data_provider)};
+    (void)fast_random_context.rand64();
+    (void)fast_random_context.randbits(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 64));
+    (void)fast_random_context.randrange(fuzzed_data_provider.ConsumeIntegralInRange<uint64_t>(FastRandomContext::min() + 1, FastRandomContext::max()));
+    (void)fast_random_context.randbytes(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 1024));
+    (void)fast_random_context.rand32();
+    (void)fast_random_context.rand256();
+    (void)fast_random_context.randbool();
+    (void)fast_random_context();
+
+    std::vector<int64_t> integrals = ConsumeRandomLengthIntegralVector<int64_t>(fuzzed_data_provider);
+    Shuffle(integrals.begin(), integrals.end(), fast_random_context);
+    std::shuffle(integrals.begin(), integrals.end(), fast_random_context);
+}
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 10be2ebaf70..7004aff4209 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -20,13 +20,13 @@
 #include <string>
 #include <vector>
 
-NODISCARD inline std::vector<uint8_t> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, size_t max_length = 4096) noexcept
+NODISCARD inline std::vector<uint8_t> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
 {
     const std::string s = fuzzed_data_provider.ConsumeRandomLengthString(max_length);
     return {s.begin(), s.end()};
 }
 
-NODISCARD inline std::vector<std::string> ConsumeRandomLengthStringVector(FuzzedDataProvider& fuzzed_data_provider, size_t max_vector_size = 16, size_t max_string_length = 16) noexcept
+NODISCARD inline std::vector<std::string> ConsumeRandomLengthStringVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_vector_size = 16, const size_t max_string_length = 16) noexcept
 {
     const size_t n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
     std::vector<std::string> r;
@@ -37,7 +37,18 @@ NODISCARD inline std::vector<std::string> ConsumeRandomLengthStringVector(Fuzzed
 }
 
 template <typename T>
-NODISCARD inline Optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, size_t max_length = 4096) noexcept
+NODISCARD inline std::vector<T> ConsumeRandomLengthIntegralVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_vector_size = 16) noexcept
+{
+    const size_t n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
+    std::vector<T> r;
+    for (size_t i = 0; i < n_elements; ++i) {
+        r.push_back(fuzzed_data_provider.ConsumeIntegral<T>());
+    }
+    return r;
+}
+
+template <typename T>
+NODISCARD inline Optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
 {
     const std::vector<uint8_t> buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length);
     CDataStream ds{buffer, SER_NETWORK, INIT_PROTO_VERSION};
@@ -81,7 +92,7 @@ NODISCARD inline uint256 ConsumeUInt256(FuzzedDataProvider& fuzzed_data_provider
 }
 
 template <typename T>
-bool MultiplicationOverflow(T i, T j)
+NODISCARD bool MultiplicationOverflow(const T i, const T j) noexcept
 {
     static_assert(std::is_integral<T>::value, "Integral required.");
     if (std::numeric_limits<T>::is_signed) {