diff --git a/projects/jackson-core/Dockerfile b/projects/jackson-core/Dockerfile
index b455a375e..e226dfaaf 100644
--- a/projects/jackson-core/Dockerfile
+++ b/projects/jackson-core/Dockerfile
@@ -31,5 +31,5 @@ RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/ja
 RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-annotations
 COPY build.sh $SRC/
-COPY JsonFuzzer.java FuzzParseNextToken.java UTF8GeneratorFuzzer.java $SRC/
+COPY *Fuzzer.java $SRC/
 WORKDIR $SRC/
diff --git a/projects/jackson-core/FuzzParseNextToken.java b/projects/jackson-core/ParseNextTokenFuzzer.java
similarity index 79%
rename from projects/jackson-core/FuzzParseNextToken.java
rename to projects/jackson-core/ParseNextTokenFuzzer.java
index bf61f107a..24e54f5ec 100644
--- a/projects/jackson-core/FuzzParseNextToken.java
+++ b/projects/jackson-core/ParseNextTokenFuzzer.java
@@ -14,7 +14,6 @@
 //
 ////////////////////////////////////////////////////////////////////////////////
-import java.io.ByteArrayOutputStream;
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.fasterxml.jackson.core.JsonParser;
@@ -23,21 +22,30 @@ import com.fasterxml.jackson.core.Base64Variants;
 import com.fasterxml.jackson.core.JsonFactory;
 import java.io.IOException;
+import java.io.ByteArrayOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
-public class FuzzParseNextToken {
+public class ParseNextTokenFuzzer {
 public static void fuzzerTestOneInput(FuzzedDataProvider data) {
 JsonFactory jf = new JsonFactory();
+ JsonParser jp;
 try {
- JsonParser jp = jf.createParser(data.consumeRemainingAsBytes());
+ jp = jf.createParser(data.consumeRemainingAsBytes());
+ if (data.consumeBoolean()) {
+ } else {
+ InputStream myInputStream = new ByteArrayInputStream(data.consumeRemainingAsBytes());
+ jp = jf.createParser(myInputStream);
+ }
 jp.nextFieldName();
 ByteArrayOutputStream bytes = new ByteArrayOutputStream();
 Base64Variant orig = Base64Variants.PEM;
- jp.readBinaryValue(orig, bytes);
 while (jp.nextToken() != null) {
 ;
 }
+ jp.readBinaryValue(orig, bytes);
 } catch (IOException | IllegalArgumentException ignored) {
 }
 }
diff --git a/projects/jackson-core/UTF8GeneratorFuzzer.java b/projects/jackson-core/UTF8GeneratorFuzzer.java
index 414b48b3b..fd091997a 100644
--- a/projects/jackson-core/UTF8GeneratorFuzzer.java
+++ b/projects/jackson-core/UTF8GeneratorFuzzer.java
@@ -15,7 +15,9 @@
 ////////////////////////////////////////////////////////////////////////////////
 import java.io.ByteArrayOutputStream;
+import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.io.InputStream;
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.fasterxml.jackson.core.Base64Variant;
@@ -34,6 +36,9 @@ public class UTF8GeneratorFuzzer {
 ByteArrayOutputStream out = new ByteArrayOutputStream();
 String fuzzString;
 JsonGenerator g;
+ int offset;
+ byte[] b;
+ Base64Variant b64v;
 try {
 g = jf.createGenerator(out);
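Review bot: In `fuzzerTestOneInput`, `data.consumeRemainingAsBytes()` runs before `data.consumeBoolean()`, so the provider is already exhausted when the branch is chosen: `consumeBoolean()` then yields its exhausted-input default (false, as far as I know for Jazzer's provider), the `else` arm builds a parser over an empty `ByteArrayInputStream`, and the harness no longer feeds any fuzz data to the parser. Draw the selector first and reuse one buffer: `boolean useStream = data.consumeBoolean();`, `byte[] input = data.consumeRemainingAsBytes();`, `jp = useStream ? jf.createParser(new ByteArrayInputStream(input)) : jf.createParser(input);`. Separately, `jp.readBinaryValue(orig, bytes)` now runs after the `while (jp.nextToken() != null)` loop has drained the parser, so it presumably only ever reaches the end-of-input error path; calling it before the loop, as the old code did, keeps the Base64 decoding reachable. The empty `if` arm and the first parser, which is replaced without `close()`, can be dropped in the same change.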
@@ -41,56 +46,74 @@ public class UTF8GeneratorFuzzer {
 return;
 }
- try {
- int apiType = data.consumeInt();
- switch(apiType%7) {
- case 0:
- fuzzString = data.consumeString(1000000);
- StringReader targetReader = new StringReader(fuzzString);
- g.writeStartArray();
- g.writeString(targetReader, fuzzString.length());
- g.writeEndArray();
- case 1:
- fuzzString = data.consumeString(1000000);
- g.writeStartArray();
- g.writeString(fuzzString);
- g.writeEndArray();
- case 2:
- fuzzString = data.consumeString(1000000);
- SerializableString ss = new SerializedString(fuzzString);
- g.writeStartArray();
- g.writeString(ss);
- g.writeEndArray();
- case 3:
- fuzzString = data.consumeString(1000000);
- g.writeStartArray();
- g.writeRaw(fuzzString);
- g.writeEndArray();
- case 4:
- fuzzString = data.consumeString(1000000);
- g.writeStartArray();
- g.writeRaw(fuzzString, 0, fuzzString.length());
- g.writeEndArray();
- case 5:
- String key = data.consumeString(50000);
- String value = data.consumeString(50000);
- g.writeStartObject();
- g.writeStringField(key, value);
- g.writeEndObject();
- case 6:
- Base64Variant b64v = Base64Variants.getDefaultVariant();
- byte[] b = data.consumeRemainingAsBytes();
- g.writeStartArray();
- g.writeBinary(b64v, b, 0, b.length);
- g.writeEndArray();
+ int numberOfOps = data.consumeInt();
+ for (int i = 0; i < numberOfOps%20; i++) {
+ try {
+ int apiType = data.consumeInt();
+ switch(apiType%9) {
+ case 0:
+ fuzzString = data.consumeString(1000000);
+ StringReader targetReader = new StringReader(fuzzString);
+ g.writeStartArray();
+ g.writeString(targetReader, fuzzString.length());
+ g.writeEndArray();
+ case 1:
+ fuzzString = data.consumeString(1000000);
+ g.writeStartArray();
+ g.writeString(fuzzString);
+ g.writeEndArray();
+ case 2:
+ fuzzString = data.consumeString(1000000);
+ SerializableString ss = new SerializedString(fuzzString);
+ g.writeStartArray();
+ g.writeString(ss);
+ g.writeEndArray();
+ case 3:
+ fuzzString = data.consumeString(1000000);
+ g.writeStartArray();
+ g.writeRaw(fuzzString);
+ g.writeEndArray();
+ case 4:
+ fuzzString = data.consumeString(1000000);
+ offset = data.consumeInt();
+ g.writeStartArray();
+ g.writeRaw(fuzzString, offset, fuzzString.length());
+ g.writeEndArray();
+ case 5:
+ String key = data.consumeString(1000000);
+ String value = data.consumeString(1000000);
+ g.writeStartObject();
+ g.writeStringField(key, value);
+ g.writeEndObject();
+ case 6:
+ b64v = Base64Variants.getDefaultVariant();
+ b = data.consumeBytes(1000000);
+ offset = data.consumeInt();
+ g.writeStartArray();
+ g.writeBinary(b64v, b, offset, b.length);
+ g.writeEndArray();
+ case 7:
+ b = data.consumeBytes(1000000);
+ offset = data.consumeInt();
+ g.writeStartObject();
+ g.writeUTF8String(b, offset, b.length);
+ g.writeEndObject();
+ case 8:
+ b64v = Base64Variants.getDefaultVariant();
+ b = data.consumeBytes(1000000);
+ offset = data.consumeInt();
+ InputStream targetStream = new ByteArrayInputStream(b);
+ g.writeStartArray();
+ g.writeBinary(b64v, targetStream, b.length);
+ g.writeEndArray();
+ }
+ } catch (IOException | IllegalArgumentException ignored) {
 }
- } catch (IOException | IllegalArgumentException ignored) {
 }
 try {
 g.close();
 } catch (IOException ignored) {
- return;
 }
 }
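Review bot: The arms of `switch(apiType%9)` in the new loop have no `break`, so an iteration that selects case 0 also runs cases 1–8, and the first `consumeString(1000000)` will typically drain the input before the later arms see any data; ending each arm with `break;` makes the selector meaningful. `data.consumeInt()` can be negative and Java's `%` keeps the sign, so `numberOfOps%20` then gives zero iterations and `apiType%9` matches no arm; `data.consumeInt(0, 19)` and `data.consumeInt(0, 8)` avoid losing those inputs. In cases 4, 6 and 7 the unconstrained `offset` is paired with the full length, so any non-zero offset is out of range and presumably exercises only the bounds check (or surfaces as an uncaught runtime exception that the `catch` here does not cover); something like `offset = data.consumeInt(0, b.length)` with a length of `b.length - offset` keeps the call valid. In case 8 `offset` is consumed but never used.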