From 5c6e695ca942f9a417d24e58f14d51f3e8e1885d Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Tue, 25 Apr 2017 14:54:59 +0200
Subject: Add fuzzing targets for libFuzzer used by Google's OSS-Fuzz

---
 fuzz/bplist.dict           |  1 +
 fuzz/bplist_fuzzer.cc      | 32 +++++++++++++++++++++++++++++
 fuzz/bplist_fuzzer.options |  3 +++
 fuzz/xplist.dict           | 51 ++++++++++++++++++++++++++++++++++++++++++++++
 fuzz/xplist_fuzzer.cc      | 32 +++++++++++++++++++++++++++++
 fuzz/xplist_fuzzer.options |  3 +++
 6 files changed, 122 insertions(+)
 create mode 100644 fuzz/bplist.dict
 create mode 100644 fuzz/bplist_fuzzer.cc
 create mode 100644 fuzz/bplist_fuzzer.options
 create mode 100644 fuzz/xplist.dict
 create mode 100644 fuzz/xplist_fuzzer.cc
 create mode 100644 fuzz/xplist_fuzzer.options

diff --git a/fuzz/bplist.dict b/fuzz/bplist.dict
new file mode 100644
index 0000000..bb0ea5d
--- /dev/null
+++ b/fuzz/bplist.dict
@@ -0,0 +1 @@
+header_bplist = "bplist00"
diff --git a/fuzz/bplist_fuzzer.cc b/fuzz/bplist_fuzzer.cc
new file mode 100644
index 0000000..17d0649
--- /dev/null
+++ b/fuzz/bplist_fuzzer.cc
@@ -0,0 +1,32 @@
+/*
+ * bplist_fuzzer.cc
+ * binary plist fuzz target for libFuzzer
+ *
+ * Copyright (c) 2017 Nikias Bassen All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include <plist/plist.h>
+#include <stdio.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
+{
+	plist_t root_node = NULL;
+	plist_from_bin(reinterpret_cast<const char*>(data), size, &root_node);
+	plist_free(root_node);
+
+	return 0;
+}
diff --git a/fuzz/bplist_fuzzer.options b/fuzz/bplist_fuzzer.options
new file mode 100644
index 0000000..c0689b2
--- /dev/null
+++ b/fuzz/bplist_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+dict = bplist.dict
diff --git a/fuzz/xplist.dict b/fuzz/xplist.dict
new file mode 100644
index 0000000..48b0367
--- /dev/null
+++ b/fuzz/xplist.dict
@@ -0,0 +1,51 @@
+################################################################################
+#
+# AFL dictionary for XML Property Lists
+# ----------------------
+#
+# Several basic syntax elements and attributes for libplist.
+#
+# Created by Nikias Bassen <nikias@gmx.li>
+# Adapted from libxml2's dict file (created by Michal Zalewski <lcamtuf@google.com>)
+#
+
+attr_encoding=" encoding=\"1\""
+attr_generic=" a=\"1\""
+attr_version=" version=\"1\""
+
+entity_builtin="&lt;"
+entity_decimal="&#1;"
+entity_external="&a;"
+entity_hex="&#x1;"
+
+string_cdata="CDATA"
+string_dashes="--"
+string_empty="EMPTY"
+string_empty_dblquotes="\"\""
+string_empty_quotes="''"
+string_parentheses="()"
+string_pcdata="#PCDATA"
+string_percent="%a"
+string_public="PUBLIC"
+string_utf8="UTF-8"
+
+tag_cdata="<![CDATA["
+tag_close="</plist>"
+tag_doctype="<!DOCTYPE"
+tag_open="<plist>"
+tag_open_close="<plist />"
+tag_open_exclamation="<!"
+tag_open_q="<?"
+tag_sq2_close="]]>"
+tag_xml_q="<?xml?>"
+tag_array="<array>"
+tag_data="<data>"
+tag_date="<date>"
+tag_dict="<dict>"
+tag_false="<false/>"
+tag_integer="<integer>"
+tag_key="<key>"
+tag_plist="<plist>"
+tag_real="<real>"
+tag_string="<string>"
+tag_true="<true/>"
diff --git a/fuzz/xplist_fuzzer.cc b/fuzz/xplist_fuzzer.cc
new file mode 100644
index 0000000..c477c4d
--- /dev/null
+++ b/fuzz/xplist_fuzzer.cc
@@ -0,0 +1,32 @@
+/*
+ * xplist_fuzzer.cc
+ * XML plist fuzz target for libFuzzer
+ *
+ * Copyright (c) 2017 Nikias Bassen All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include <plist/plist.h>
+#include <stdio.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size)
+{
+	plist_t root_node = NULL;
+	plist_from_xml(reinterpret_cast<const char*>(data), size, &root_node);
+	plist_free(root_node);
+
+	return 0;
+}
diff --git a/fuzz/xplist_fuzzer.options b/fuzz/xplist_fuzzer.options
new file mode 100644
index 0000000..bad5dac
--- /dev/null
+++ b/fuzz/xplist_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+dict = xplist.dict
-- 
cgit v1.1-32-gdbae