From 1e7f14a81d36818a252b10b18682d4c8bf62a0e7 Mon Sep 17 00:00:00 2001
From: Yunshu Ouyang
Date: Thu, 18 Jun 2020 08:44:44 +0200
Subject: [PATCH] [spdlog] Added new fuzzers, modifed existing ones
---
 projects/spdlog/Dockerfile | 5 +-
 projects/spdlog/backtrace_fuzzer.cc | 43 ++++++++++++++++
 projects/spdlog/build.sh | 3 ++
 projects/spdlog/format_fuzzer.cc | 70 ++++++++++++++++++++++++++
 projects/spdlog/format_fuzzer.options | 2 +
 projects/spdlog/levels_fuzzer.cc | 56 +++++++++++++++++++++
 projects/spdlog/levels_fuzzer.options | 2 +
 projects/spdlog/log_fuzzer.cc | 18 ++++++-
 projects/spdlog/log_fuzzer.options | 2 +
 projects/spdlog/pattern_fuzzer.cc | 38 ++++++++++++++
 projects/spdlog/pattern_fuzzer.options | 2 +
 projects/spdlog/project.yaml | 2 +-
 projects/spdlog/spdlog_fuzzer.dict | 20 ++++++++
 13 files changed, 259 insertions(+), 4 deletions(-)
 create mode 100644 projects/spdlog/backtrace_fuzzer.cc
 create mode 100644 projects/spdlog/format_fuzzer.cc
 create mode 100644 projects/spdlog/format_fuzzer.options
 create mode 100644 projects/spdlog/levels_fuzzer.cc
 create mode 100644 projects/spdlog/levels_fuzzer.options
 create mode 100644 projects/spdlog/log_fuzzer.options
 create mode 100644 projects/spdlog/pattern_fuzzer.cc
 create mode 100644 projects/spdlog/pattern_fuzzer.options
 create mode 100644 projects/spdlog/spdlog_fuzzer.dict
diff --git a/projects/spdlog/Dockerfile b/projects/spdlog/Dockerfile
index 6c2c73d87..437bd33db 100644
--- a/projects/spdlog/Dockerfile
+++ b/projects/spdlog/Dockerfile
@@ -20,5 +20,8 @@ MAINTAINER gmelman1@gmail.com
 RUN apt-get update && apt-get install --yes cmake
 RUN git clone --depth 1 https://github.com/gabime/spdlog.git
+RUN zip spdlog_fuzzer_seed_corpus.zip spdlog/example/*
 WORKDIR spdlog
-COPY build.sh log_fuzzer.cc $SRC/
+COPY build.sh spdlog_fuzzer.dict $SRC/
+COPY *\.cc $SRC/
+COPY *\.options $SRC/
\ No newline at end of file
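Review bot: The archive created by `RUN zip spdlog_fuzzer_seed_corpus.zip spdlog/example/*` is named for a target called `spdlog_fuzzer`, but none of the targets this patch adds (backtrace_, format_, levels_, log_, pattern_fuzzer) carries that name, and OSS-Fuzz pairs a seed corpus with a target only when the zip in $OUT is called `<target>_seed_corpus.zip`. Unless build.sh, which this patch changes but does not show here, copies the zip into $OUT once per target name, no target receives the seeds; the same copy step is needed for `spdlog_fuzzer.dict` and the `.options` files, which libFuzzer also looks up relative to $OUT. A short comment above the `RUN zip` line saying where the archive is consumed, e.g. `# seed corpus; build.sh installs it under each target's name`, would make the intent checkable.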
diff --git a/projects/spdlog/backtrace_fuzzer.cc b/projects/spdlog/backtrace_fuzzer.cc
new file mode 100644
index 000000000..cde3121e5
--- /dev/null
+++ b/projects/spdlog/backtrace_fuzzer.cc
@@ -0,0 +1,43 @@ +// Copyright 2019 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include + +#include + +#include "spdlog/spdlog.h" +#include "spdlog/sinks/basic_file_sink.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static std::shared_ptr my_logger; + if (!my_logger.get()) { + my_logger = spdlog::basic_logger_mt("basic_logger", "/dev/null"); + spdlog::set_default_logger(my_logger); + } + + if (size == 0) { + return 0; + } + + FuzzedDataProvider stream(data, size); + + const uint16_t size_arg = stream.ConsumeIntegral(); + + spdlog::enable_backtrace(size_arg); + for(int i=0; i + +#include + +#include "spdlog/spdlog.h" +#include "spdlog/sinks/basic_file_sink.h" +#include "spdlog/pattern_formatter.h" + + +std::string my_formatter_txt = "custom-flag"; + +class my_formatter_flag : public spdlog::custom_flag_formatter +{ + +public: + void format(const spdlog::details::log_msg &, const std::tm &, spdlog::memory_buf_t &dest) override + { + dest.append(my_formatter_txt.data(), my_formatter_txt.data() + my_formatter_txt.size()); + } + + std::unique_ptr clone() const override + { + return spdlog::details::make_unique(); + } +}; + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static std::shared_ptr my_logger; + if (!my_logger.get()) { + my_logger = spdlog::basic_logger_mt("basic_logger", "/dev/null"); + spdlog::set_default_logger(my_logger); + } + + if (size == 0) { + return 0; + } + + 
+ FuzzedDataProvider stream(data, size); + + const unsigned long size_arg = stream.ConsumeIntegral(); + const unsigned long int_arg = stream.ConsumeIntegral(); + const char flag = (char)(stream.ConsumeIntegral()); + const std::string pattern = stream.ConsumeRandomLengthString(); + my_formatter_txt = stream.ConsumeRandomLengthString(); + const std::string string_arg = stream.ConsumeRandomLengthString(); + const std::string format_string = stream.ConsumeRemainingBytesAsString(); + + using spdlog::details::make_unique; + auto formatter = make_unique(); + formatter->add_flag(flag).set_pattern(pattern); + spdlog::set_formatter(std::move(formatter)); + + spdlog::info(format_string.c_str(), size_arg, int_arg, string_arg); + return 0; +} diff --git a/projects/spdlog/format_fuzzer.options b/projects/spdlog/format_fuzzer.options new file mode 100644 index 000000000..a1728afa6 --- /dev/null +++ b/projects/spdlog/format_fuzzer.options @@ -0,0 +1,2 @@ +[libfuzzer] +dict = spdlog_fuzzer.dict \ No newline at end of file diff --git a/projects/spdlog/levels_fuzzer.cc b/projects/spdlog/levels_fuzzer.cc new file mode 100644 index 000000000..91d52686b --- /dev/null +++ b/projects/spdlog/levels_fuzzer.cc 
@@ -0,0 +1,56 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include
+
+#include "spdlog/spdlog.h"
+#include "spdlog/sinks/basic_file_sink.h"
+#include "spdlog/cfg/argv.h"
+#include "spdlog/cfg/env.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static std::shared_ptr my_logger;
+ if (!my_logger.get()) {
+ my_logger = spdlog::basic_logger_mt("basic_logger", "/dev/null");
+ spdlog::set_default_logger(my_logger);
+ }
+
+ if (size == 0) {
+ return 0;
+ }
+
+ FuzzedDataProvider stream(data, size);
+
+
+ std::vector strings;
+ const unsigned char strsize = stream.ConsumeIntegral();
+ for(unsigned char i=0; i argvv; argvv.reserve(strsize);
+ for(unsigned char i=0; i< strsize; ++i)
+ argvv.push_back(const_cast(strings[i].c_str()));
+
+ const unsigned char int_arg = strsize;
+ if(int_arg==0) return 0;
+
+ const char** argv = (const char**) &argvv[0];
+ spdlog::cfg::load_env_levels();
+ spdlog::cfg::load_argv_levels(int_arg, argv);
+ spdlog::info(stream.ConsumeRemainingBytesAsString());
+
+ return 0;
+}
diff --git a/projects/spdlog/levels_fuzzer.options b/projects/spdlog/levels_fuzzer.options
new file mode 100644
index 000000000..a1728afa6
--- /dev/null
+++ b/projects/spdlog/levels_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = spdlog_fuzzer.dict
\ No newline at end of file
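Review bot: The levels applied by `spdlog::cfg::load_argv_levels(int_arg, argv)` are stored in spdlog's global registry and on the static default logger, so they persist into the next input; an input that sets `SPDLOG_LEVEL=off` silences the trailing `spdlog::info(...)` for every later input that carries no level argument, which makes a finding depend on the order in which inputs were run. Resetting once per input, `spdlog::set_level(spdlog::level::info);` right after `FuzzedDataProvider stream(data, size);`, keeps each input self-contained. As far as I recall spdlog's argv loader starts at index 1 and treats argv[0] as the program name, so the first fuzzed string is never parsed and a one-element input is a no-op; a comment on the `strsize` line noting this would save the next reader a detour. `spdlog::cfg::load_env_levels()` reads only the process environment, which the input does not control, so it does the same thing on every iteration, and `(const char**) &argvv[0]` is a C-style cast that `argvv.data()` would replace if argvv were declared to hold `const char*`.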
diff --git a/projects/spdlog/log_fuzzer.cc b/projects/spdlog/log_fuzzer.cc
index f51219175..6b9aa0610 100644
--- a/projects/spdlog/log_fuzzer.cc
+++ b/projects/spdlog/log_fuzzer.cc
@@ -30,13 +30,27 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 return 0;
 } + FuzzedDataProvider stream(data, size);
- const size_t size_arg = stream.ConsumeIntegral();
- const int int_arg = stream.ConsumeIntegral();
+ const unsigned long size_arg = stream.ConsumeIntegral();
+ const unsigned long int_arg = stream.ConsumeIntegral();
 const std::string string_arg = stream.ConsumeRandomLengthString(size);
 const std::string format_string = stream.ConsumeRemainingBytesAsString(); + spdlog::info(format_string.c_str(), size_arg, int_arg, string_arg);
+ spdlog::trace(format_string.c_str(), size_arg, int_arg, string_arg);
+ spdlog::debug(format_string.c_str(), size_arg, int_arg, string_arg);
+ spdlog::error(format_string.c_str(), size_arg, int_arg, string_arg);
+ spdlog::warn(format_string.c_str(), size_arg, int_arg, string_arg);
+ spdlog::critical(format_string.c_str(), size_arg, int_arg, string_arg);
+
+ SPDLOG_INFO(format_string.c_str(), size_arg, int_arg, string_arg);
+ SPDLOG_TRACE(format_string.c_str(), size_arg, int_arg, string_arg);
+ SPDLOG_DEBUG(format_string.c_str(), size_arg, int_arg, string_arg);
+ SPDLOG_ERROR(format_string.c_str(), size_arg, int_arg, string_arg);
+ SPDLOG_WARN(format_string.c_str(), size_arg, int_arg, string_arg);
+ SPDLOG_CRITICAL(format_string.c_str(), size_arg, int_arg, string_arg);
 return 0;
 }
diff --git a/projects/spdlog/log_fuzzer.options b/projects/spdlog/log_fuzzer.options
new file mode 100644
index 000000000..a1728afa6
--- /dev/null
+++ b/projects/spdlog/log_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = spdlog_fuzzer.dict
\ No newline at end of file
diff --git a/projects/spdlog/pattern_fuzzer.cc b/projects/spdlog/pattern_fuzzer.cc
new file mode 100644
index 000000000..95d04c0d8
--- /dev/null
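Review bot: The new `spdlog::trace(...)` and `spdlog::debug(...)` calls never reach the formatter: the default logger is created with spdlog's default level (info), and as far as I recall spdlog checks the level before it parses the format string, so two of the six new level calls are dead code, and `SPDLOG_TRACE`/`SPDLOG_DEBUG` additionally expand to nothing unless the build defines `SPDLOG_ACTIVE_LEVEL` at or below debug. Adding `spdlog::set_level(spdlog::level::trace);` once where the logger is created (above this hunk) or next to `FuzzedDataProvider stream(data, size);` makes all six calls live; the macro pair also needs a `-DSPDLOG_ACTIVE_LEVEL=SPDLOG_LEVEL_TRACE` in the build flags, which this patch does not show. Twelve calls with an identical argument list could be one loop over `spdlog::level::level_enum` through `spdlog::log(lvl, ...)`, but that is a matter of taste. The enclosing LLVMFuzzerTestOneInput begins above this hunk.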
+++ b/projects/spdlog/pattern_fuzzer.cc
@@ -0,0 +1,38 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include
+
+#include "spdlog/spdlog.h"
+#include "spdlog/sinks/basic_file_sink.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static std::shared_ptr my_logger;
+ if (!my_logger.get()) {
+ my_logger = spdlog::basic_logger_mt("basic_logger", "/dev/null");
+ spdlog::set_default_logger(my_logger);
+ }
+
+ if (size == 0) {
+ return 0;
+ }
+
+ FuzzedDataProvider stream(data, size);
+ const std::string str = stream.ConsumeRemainingBytesAsString();
+ spdlog::set_pattern(str);
+
+ return 0;
+}
diff --git a/projects/spdlog/pattern_fuzzer.options b/projects/spdlog/pattern_fuzzer.options
new file mode 100644
index 000000000..a1728afa6
--- /dev/null
+++ b/projects/spdlog/pattern_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = spdlog_fuzzer.dict
\ No newline at end of file
diff --git a/projects/spdlog/project.yaml b/projects/spdlog/project.yaml
index 695484c0e..fa83902fa 100644
--- a/projects/spdlog/project.yaml
+++ b/projects/spdlog/project.yaml
@@ -6,4 +6,4 @@ auto_ccs:
 sanitizers:
 - address
 - memory
- - undefined
+ - undefined
\ No newline at end of file
diff --git a/projects/spdlog/spdlog_fuzzer.dict b/projects/spdlog/spdlog_fuzzer.dict
new file mode 100644
index 000000000..dc7d1ebbd
--- /dev/null
+++ b/projects/spdlog/spdlog_fuzzer.dict
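Review bot: `spdlog::set_pattern(str)` only compiles the pattern; no message is ever formatted with it, so the per-flag formatters and the padding logic that a pattern drives are never executed and a pattern that parses fine but misbehaves when applied goes unnoticed. Logging one message right after it, `spdlog::info("pattern fuzzer");`, runs the compiled pattern through the formatter on every input. The `if (size == 0)` early return also skips the empty-pattern case, which is a legitimate input since `ConsumeRemainingBytesAsString()` simply yields an empty string, and `if (!my_logger.get())` reads more simply as `if (!my_logger)`.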
@@ -0,0 +1,20 @@
+"{}"
+"{:08d}"
+"{0:d}"
+"{0:x}"
+"{0:o}"
+"{0:b}"
+"{:03.2f}"
+"{1}"
+"{0}"
+"{:<8}"
+"{:<999999999999999999999999}"
+"[%H:%M:%S %z]"
+"[%^%L%$]"
+"[thread %t]"
+"%v"
+"%+"
+"{:X}"
+"{:s}"
+"{:p}"
+"{:n}"
\ No newline at end of file