fuzz: Add fuzzer for JSON format

author: Nikias Bassen 2022-01-25 03:45:30 +0100
committer: Nikias Bassen 2022-01-25 03:45:30 +0100
commit: c7b005bc7864b6109115d4278872152208e78c23 (patch)
tree: 73b635fea8d49521bfff3815a0fc1566d3185692 /fuzz
parent: 323009bfd003ff1540967b7b67efebab1ee8693d (diff)
download: libplist-c7b005bc7864b6109115d4278872152208e78c23.tar.gz
libplist-c7b005bc7864b6109115d4278872152208e78c23.tar.bz2
6 files changed, 110 insertions, 4 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 8fb7cc8..da6c8ae 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -21,7 +21,8 @@ CLEANFILES = libFuzzer.a
 noinst_PROGRAMS = \
        xplist_fuzzer \
-        bplist_fuzzer
+        bplist_fuzzer \
+        jplist_fuzzer
 xplist_fuzzer_SOURCES = xplist_fuzzer.cc
 xplist_fuzzer_LDFLAGS = -static
@@ -31,11 +32,16 @@ bplist_fuzzer_SOURCES = bplist_fuzzer.cc
 bplist_fuzzer_LDFLAGS = -static
 bplist_fuzzer_LDADD = $(top_builddir)/src/libplist-2.0.la libFuzzer.a
+jplist_fuzzer_SOURCES = jplist_fuzzer.cc
+jplist_fuzzer_LDFLAGS = -static
+jplist_fuzzer_LDADD = $(top_builddir)/src/libplist-2.0.la libFuzzer.a
 TESTS = fuzzers.test
 EXTRA_DIST = \
        bplist.dict \
        xplist.dict \
+        jplist.dict \
        init-fuzzers.sh \
        test-fuzzers.sh \
        fuzzers.test
diff --git a/fuzz/init-fuzzers.sh b/fuzz/init-fuzzers.sh
index 4d28016..ea2c8cc 100755
--- a/fuzz/init-fuzzers.sh
+++ b/fuzz/init-fuzzers.sh
@@ -5,7 +5,7 @@ FUZZDIR=`dirname $0`
 cd ${FUZZDIR}
-if ! test -x xplist_fuzzer || ! test -x bplist_fuzzer; then
+if ! test -x xplist_fuzzer || ! test -x bplist_fuzzer || ! test -x jplist_fuzzer; then
        echo "ERROR: you need to build the fuzzers first."
        cd ${CURDIR}
        exit 1
@@ -19,5 +19,12 @@ mkdir -p bplist-input
 cp ../test/data/*.bplist bplist-input/
 ./bplist_fuzzer -merge=1 bplist-input bplist-crashes bplist-leaks -dict=bplist.dict
+mkdir -p jplist-input
+mkdir -p jplist-crashes
+mkdir -p jplist-leaks
+cp ../test/data/j1.plist jplist-input/
+cp ../test/data/j2.plist jplist-input/
+./jplist_fuzzer -merge=1 jplist-input jplist-crashes jplist-leaks -dict=jplist.dict
 cd ${CURDIR}
 exit 0
diff --git a/fuzz/jplist.dict b/fuzz/jplist.dict
new file mode 100644
index 0000000..e08245a
--- /dev/null
+++ b/fuzz/jplist.dict
@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
+#
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+"true"
+"false"
+"null"
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+"\"\":0"
+"//"
+"/**/"
diff --git a/fuzz/jplist_fuzzer.cc b/fuzz/jplist_fuzzer.cc
new file mode 100644
index 0000000..d2fe8d3
--- /dev/null
+++ b/fuzz/jplist_fuzzer.cc
@@ -0,0 +1,32 @@
+/*
+ * xplist_fuzzer.cc
+ * XML plist fuzz target for libFuzzer
+ *
+ * Copyright (c) 2021 Nikias Bassen All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+#include <plist/plist.h>
+#include <stdio.h>
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
+{
+        plist_t root_node = NULL;
+        plist_from_json(reinterpret_cast<const char*>(data), size, &root_node);
+        plist_free(root_node);
+        return 0;
+}
diff --git a/fuzz/jplist_fuzzer.options b/fuzz/jplist_fuzzer.options
new file mode 100644
index 0000000..b22e679
--- /dev/null
+++ b/fuzz/jplist_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+dict = jplist.dict
diff --git a/fuzz/test-fuzzers.sh b/fuzz/test-fuzzers.sh
index b0a8367..40be74f 100755
--- a/fuzz/test-fuzzers.sh
+++ b/fuzz/test-fuzzers.sh
@@ -5,13 +5,13 @@ FUZZDIR=`dirname $0`
 cd ${FUZZDIR}
-if ! test -x xplist_fuzzer || ! test -x bplist_fuzzer; then
+if ! test -x xplist_fuzzer || ! test -x bplist_fuzzer || ! test -x jplist_fuzzer; then
        echo "ERROR: you need to build the fuzzers first."
        cd ${CURDIR}
        exit 1
 fi
-if ! test -d xplist-input || ! test -d bplist-input; then
+if ! test -d xplist-input || ! test -d bplist-input || ! test -d jplist-input; then
        echo "ERROR: fuzzer corpora directories are not present. Did you run init-fuzzers.sh ?"
        cd ${CURDIR}
        exit 1
@@ -29,5 +29,11 @@ if ! ./bplist_fuzzer bplist-input -dict=bplist.dict -max_len=4096 -runs=10000; t
        exit 1
 fi
+echo "### TESTING jplist_fuzzer ###"
+if ! ./jplist_fuzzer jplist-input -dict=jplist.dict -max_len=65536 -runs=10000; then
+        cd ${CURDIR}
+        exit 1
+fi
 cd ${CURDIR}
 exit 0
author	Nikias Bassen	2022-01-25 03:45:30 +0100
committer	Nikias Bassen	2022-01-25 03:45:30 +0100
commit	c7b005bc7864b6109115d4278872152208e78c23 (patch)
tree	73b635fea8d49521bfff3815a0fc1566d3185692 /fuzz
parent	323009bfd003ff1540967b7b67efebab1ee8693d (diff)
download	libplist-c7b005bc7864b6109115d4278872152208e78c23.tar.gz libplist-c7b005bc7864b6109115d4278872152208e78c23.tar.bz2

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 8fb7cc8..da6c8ae 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am
@@ -21,7 +21,8 @@ CLEANFILES = libFuzzer.a
21		21
22	noinst_PROGRAMS = \	22	noinst_PROGRAMS = \
23	xplist_fuzzer \	23	xplist_fuzzer \
24	bplist_fuzzer	24	bplist_fuzzer \
		25	jplist_fuzzer
25		26
26	xplist_fuzzer_SOURCES = xplist_fuzzer.cc	27	xplist_fuzzer_SOURCES = xplist_fuzzer.cc
27	xplist_fuzzer_LDFLAGS = -static	28	xplist_fuzzer_LDFLAGS = -static
@@ -31,11 +32,16 @@ bplist_fuzzer_SOURCES = bplist_fuzzer.cc
31	bplist_fuzzer_LDFLAGS = -static	32	bplist_fuzzer_LDFLAGS = -static
32	bplist_fuzzer_LDADD = $(top_builddir)/src/libplist-2.0.la libFuzzer.a	33	bplist_fuzzer_LDADD = $(top_builddir)/src/libplist-2.0.la libFuzzer.a
33		34
		35	jplist_fuzzer_SOURCES = jplist_fuzzer.cc
		36	jplist_fuzzer_LDFLAGS = -static
		37	jplist_fuzzer_LDADD = $(top_builddir)/src/libplist-2.0.la libFuzzer.a
		38
34	TESTS = fuzzers.test	39	TESTS = fuzzers.test
35		40
36	EXTRA_DIST = \	41	EXTRA_DIST = \
37	bplist.dict \	42	bplist.dict \
38	xplist.dict \	43	xplist.dict \
		44	jplist.dict \
39	init-fuzzers.sh \	45	init-fuzzers.sh \
40	test-fuzzers.sh \	46	test-fuzzers.sh \
41	fuzzers.test	47	fuzzers.test


diff --git a/fuzz/init-fuzzers.sh b/fuzz/init-fuzzers.sh index 4d28016..ea2c8cc 100755 --- a/fuzz/init-fuzzers.sh +++ b/fuzz/init-fuzzers.sh
@@ -5,7 +5,7 @@ FUZZDIR=`dirname $0`
5		5
6	cd ${FUZZDIR}	6	cd ${FUZZDIR}
7		7
8	if ! test -x xplist_fuzzer \|\| ! test -x bplist_fuzzer; then	8	if ! test -x xplist_fuzzer \|\| ! test -x bplist_fuzzer \|\| ! test -x jplist_fuzzer; then
9	echo "ERROR: you need to build the fuzzers first."	9	echo "ERROR: you need to build the fuzzers first."
10	cd ${CURDIR}	10	cd ${CURDIR}
11	exit 1	11	exit 1
@@ -19,5 +19,12 @@ mkdir -p bplist-input
19	cp ../test/data/*.bplist bplist-input/	19	cp ../test/data/*.bplist bplist-input/
20	./bplist_fuzzer -merge=1 bplist-input bplist-crashes bplist-leaks -dict=bplist.dict	20	./bplist_fuzzer -merge=1 bplist-input bplist-crashes bplist-leaks -dict=bplist.dict
21		21
		22	mkdir -p jplist-input
		23	mkdir -p jplist-crashes
		24	mkdir -p jplist-leaks
		25	cp ../test/data/j1.plist jplist-input/
		26	cp ../test/data/j2.plist jplist-input/
		27	./jplist_fuzzer -merge=1 jplist-input jplist-crashes jplist-leaks -dict=jplist.dict
		28
22	cd ${CURDIR}	29	cd ${CURDIR}
23	exit 0	30	exit 0


diff --git a/fuzz/jplist.dict b/fuzz/jplist.dict new file mode 100644 index 0000000..e08245a --- /dev/null +++ b/fuzz/jplist.dict
@@ -0,0 +1,52 @@
		1	#
		2	# AFL dictionary for JSON
		3	# -----------------------
		4	#
		5	# Just the very basics.
		6	#
		7	# Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
		8	#
		9
		10	"0"
		11	",0"
		12	":0"
		13	"0:"
		14	"-1.2e+3"
		15
		16	"true"
		17	"false"
		18	"null"
		19
		20	"\"\""
		21	",\"\""
		22	":\"\""
		23	"\"\":"
		24
		25	"{}"
		26	",{}"
		27	":{}"
		28	"{\"\":0}"
		29	"{{}}"
		30
		31	"[]"
		32	",[]"
		33	":[]"
		34	"[0]"
		35	"[[]]"
		36
		37	"''"
		38	"\\"
		39	"\\b"
		40	"\\f"
		41	"\\n"
		42	"\\r"
		43	"\\t"
		44	"\\u0000"
		45	"\\x00"
		46	"\\0"
		47	"\\uD800\\uDC00"
		48	"\\uDBFF\\uDFFF"
		49
		50	"\"\":0"
		51	"//"
		52	"/**/"


diff --git a/fuzz/jplist_fuzzer.cc b/fuzz/jplist_fuzzer.cc new file mode 100644 index 0000000..d2fe8d3 --- /dev/null +++ b/fuzz/jplist_fuzzer.cc
@@ -0,0 +1,32 @@
		1	/*
		2	* xplist_fuzzer.cc
		3	* XML plist fuzz target for libFuzzer
		4	*
		5	* Copyright (c) 2021 Nikias Bassen All Rights Reserved.
		6	*
		7	* This library is free software; you can redistribute it and/or
		8	* modify it under the terms of the GNU Lesser General Public
		9	* License as published by the Free Software Foundation; either
		10	* version 2.1 of the License, or (at your option) any later version.
		11	*
		12	* This library is distributed in the hope that it will be useful,
		13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		15	* Lesser General Public License for more details.
		16	*
		17	* You should have received a copy of the GNU Lesser General Public
		18	* License along with this library; if not, write to the Free Software
		19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
		20	*/
		21
		22	#include <plist/plist.h>
		23	#include <stdio.h>
		24
		25	extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
		26	{
		27	plist_t root_node = NULL;
		28	plist_from_json(reinterpret_cast<const char*>(data), size, &root_node);
		29	plist_free(root_node);
		30
		31	return 0;
		32	}


diff --git a/fuzz/jplist_fuzzer.options b/fuzz/jplist_fuzzer.options new file mode 100644 index 0000000..b22e679 --- /dev/null +++ b/fuzz/jplist_fuzzer.options
@@ -0,0 +1,3 @@
		1	[libfuzzer]
		2	max_len = 4096
		3	dict = jplist.dict


diff --git a/fuzz/test-fuzzers.sh b/fuzz/test-fuzzers.sh index b0a8367..40be74f 100755 --- a/fuzz/test-fuzzers.sh +++ b/fuzz/test-fuzzers.sh
@@ -5,13 +5,13 @@ FUZZDIR=`dirname $0`
5		5
6	cd ${FUZZDIR}	6	cd ${FUZZDIR}
7		7
8	if ! test -x xplist_fuzzer \|\| ! test -x bplist_fuzzer; then	8	if ! test -x xplist_fuzzer \|\| ! test -x bplist_fuzzer \|\| ! test -x jplist_fuzzer; then
9	echo "ERROR: you need to build the fuzzers first."	9	echo "ERROR: you need to build the fuzzers first."
10	cd ${CURDIR}	10	cd ${CURDIR}
11	exit 1	11	exit 1
12	fi	12	fi
13		13
14	if ! test -d xplist-input \|\| ! test -d bplist-input; then	14	if ! test -d xplist-input \|\| ! test -d bplist-input \|\| ! test -d jplist-input; then
15	echo "ERROR: fuzzer corpora directories are not present. Did you run init-fuzzers.sh ?"	15	echo "ERROR: fuzzer corpora directories are not present. Did you run init-fuzzers.sh ?"
16	cd ${CURDIR}	16	cd ${CURDIR}
17	exit 1	17	exit 1
@@ -29,5 +29,11 @@ if ! ./bplist_fuzzer bplist-input -dict=bplist.dict -max_len=4096 -runs=10000; t
29	exit 1	29	exit 1
30	fi	30	fi
31		31
		32	echo "### TESTING jplist_fuzzer ###"
		33	if ! ./jplist_fuzzer jplist-input -dict=jplist.dict -max_len=65536 -runs=10000; then
		34	cd ${CURDIR}
		35	exit 1
		36	fi
		37
32	cd ${CURDIR}	38	cd ${CURDIR}
33	exit 0	39	exit 0