From 6ede7890925f75c90987e79da8a427db4d4a233c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?=
Date: Wed, 15 May 2024 17:52:38 +0200
Subject: [PATCH] fuzzer_load: use memfd_create instead of real file

Should be slightly faster. Also fixes leaking temporary file on errors.
---
 fuzzers/fuzzer_load.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/fuzzers/fuzzer_load.c b/fuzzers/fuzzer_load.c
index fd44a9bc6d..26fad2837e 100644
--- a/fuzzers/fuzzer_load.c
+++ b/fuzzers/fuzzer_load.c
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -27,20 +28,21 @@
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
- if (size == 0)
- return -1;
-
- char filename[15 + 10 + 1];
- sprintf(filename, "/tmp/libfuzzer.%d", getpid());
-
- FILE *fp = fopen(filename, "wb");
- if (!fp)
+ // fmemopen doesn't have associated file descriptor, so we do copy.
+ int fd = memfd_create("fuzz_mpv_load", 0);
+ if (fd == -1)
 exit(1);
-
- if (fwrite(data, size, 1, fp) != 1)
+ ssize_t written = 0;
+ while (written < size) {
+ ssize_t result = write(fd, data + written, size - written);
+ if (result == -1)
+ exit(1);
+ written += result;
+ }
+ if (lseek(fd, 0, SEEK_SET) != 0)
 exit(1);
-
- if (fclose(fp))
+ char filename[5 + 10 + 1];
+ if (sprintf(filename, "fd://%d", fd) <= 5)
 exit(1);
 mpv_handle *ctx = mpv_create();
@@ -69,7 +71,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 #endif
 mpv_terminate_destroy(ctx);
- unlink(filename);
+ close(fd);
 return 0;
 }
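Review bot: `memfd_create("fuzz_mpv_load", 0)` creates the descriptor without close-on-exec, so any program the process execs during the run would inherit the fuzz input. The descriptor is only consumed in-process through the `fd://%d` path, so `int fd = memfd_create("fuzz_mpv_load", MFD_CLOEXEC);` should cost nothing. In the copy loop, `written` is `ssize_t` but is compared with the `size_t` `size`, a signed/unsigned comparison; `size_t written = 0;` keeps the arithmetic in one type, and a `result == -1` caused by `EINTR` could be retried instead of ending the run through `exit(1)`. memfd_create is Linux-specific, so a short comment next to the call stating that constraint would help anyone building the fuzzers elsewhere. The function body continues past the end of this hunk.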
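Review bot: `close(fd)` sits only on the final return path, so any earlier `return` in the part of the function between the two hunks (not shown here) would leave the memfd open. libFuzzer calls this function repeatedly in one process, so leaked descriptors would accumulate until `memfd_create` fails and the target exits with a false finding. An ownership comment is also worth adding, e.g. `// fd:// does not take ownership of the descriptor; close it once the player is destroyed`, assuming mpv's `fd://` handling leaves the descriptor open as its `fdclose://` counterpart suggests. The function starts outside this hunk.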