[glib] GLib: more targets (#1695)

* better seed corpus for fuzz_key

* new target: fuzz_variant_text

* new target: fuzz_dbus_message

* get ninja from pip

* remove target: fuzz_markup

* new target: fuzz_variant_binary

projects/glib/Dockerfile

@@ -17,8 +17,8 @@
 FROM gcr.io/oss-fuzz-base/base-builder
 MAINTAINER pdknsk@gmail.com
 RUN apt-get update && \
-    apt-get install -y autoconf libtool ninja-build python3-pip
-RUN pip3 install -U meson
+    apt-get install -y autoconf libtool python3-pip
+RUN pip3 install -U meson ninja
 RUN git clone https://gitlab.gnome.org/GNOME/glib
 WORKDIR glib
-COPY build.sh fuzz.options fuzz_bookmark.c fuzz_markup.c fuzz_key.c $SRC/
+COPY build.sh fuzz* $SRC/

projects/glib/build.sh

@@ -27,14 +27,6 @@ meson $BUILD \
 
 ninja -C $BUILD
 
-$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_markup.c
-$CXX $CXXFLAGS -lFuzzingEngine \
-  fuzz_markup.o -o $OUT/fuzz_markup \
-  $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
-cp $SRC/fuzz.options $OUT/fuzz_markup.options
-find glib/tests -type f -size -32k -name "*.gmarkup" \
-  -exec zip -qju $OUT/fuzz_markup_seed_corpus.zip "{}" \;
-
 $CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_bookmark.c
 $CXX $CXXFLAGS -lFuzzingEngine \
   fuzz_bookmark.o -o $OUT/fuzz_bookmark \
@@ -48,5 +40,30 @@ $CXX $CXXFLAGS -lFuzzingEngine \
   fuzz_key.o -o $OUT/fuzz_key \
   $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
 cp $SRC/fuzz.options $OUT/fuzz_key.options
-find glib/tests -type f -size -32k -name "*.ini" \
+find gio/tests -type f -size -32k -name "*.desktop" \
   -exec zip -qju $OUT/fuzz_key_seed_corpus.zip "{}" \;
+
+$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_variant_text.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+  fuzz_variant_text.o -o $OUT/fuzz_variant_text \
+  $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
+cp $SRC/fuzz.options $OUT/fuzz_variant_text.options
+cp $SRC/fuzz_variant_text.dict $OUT
+
+$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_variant_binary.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+  fuzz_variant_binary.o -o $OUT/fuzz_variant_binary \
+  $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
+cp $SRC/fuzz.options $OUT/fuzz_variant_binary.options
+
+$CC $CFLAGS -I. -Iglib -Igmodule -I$BUILD -I$BUILD/glib \
+  -c $SRC/fuzz_dbus_message.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+  fuzz_dbus_message.o -o $OUT/fuzz_dbus_message \
+  $BUILD/gio/libgio-2.0.a $BUILD/gmodule/libgmodule-2.0.a \
+  $BUILD/gobject/libgobject-2.0.a $BUILD/glib/libglib-2.0.a \
+  $BUILD/glib/libcharset/libcharset.a $BUILD/glib/pcre/libpcre.a \
+  $BUILD/gio/xdgmime/libxdgmime.a $BUILD/gio/inotify/libinotify.a \
+  $BUILD/subprojects/zlib*/libz.a $BUILD/subprojects/libffi/src/libffi.a \
+  -Bstatic -lresolv
+cp $SRC/fuzz.options $OUT/fuzz_dbus_message.options

projects/glib/fuzz_dbus_message.c

@@ -0,0 +1,19 @@
+#include "gio/gio.h"
+#include <stdint.h>
+
+static GDBusCapabilityFlags flags = G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  gssize bytes = g_dbus_message_bytes_needed((guchar*)data, size, NULL);
+  if (bytes <= 0 || bytes > (100 << 20))
+    return 0;
+
+  g_autoptr(GDBusMessage) msg =
+      g_dbus_message_new_from_blob((guchar*)data, size, flags, NULL);
+  if (!msg)
+    return 0;
+
+  gsize msg_size;
+  g_autofree guchar* blob = g_dbus_message_to_blob(msg, &msg_size, flags, NULL);
+  return 0;
+}

projects/glib/fuzz_markup.c

@@ -1,33 +0,0 @@
-#include <stdint.h>
-#include "glib/glib.h"
-
-static GMarkupParser parser = {
-    NULL, NULL, NULL, NULL, NULL,
-};
-
-int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  g_autoptr(GMarkupParseContext) ctx =
-      g_markup_parse_context_new(&parser, 0, NULL, NULL);
-
-  // Parses incrementally in chunks.
-
-  const uint8_t* new_data = data;
-  size_t new_size = (size % 0x200) + 1;
-
-  while (1) {
-    if (new_data + new_size > data + size)
-      new_size = data + size - new_data;
-    if (!g_markup_parse_context_parse(
-        ctx, (const gchar*)new_data, new_size, NULL)) {
-      break;
-    }
-    if (!new_size) {
-      g_markup_parse_context_end_parse(ctx, NULL);
-      break;
-    }
-    new_data += new_size;
-    new_size += size % 0x10;
-  }
-
-  return 0;
-}

projects/glib/fuzz_variant_binary.c

@@ -0,0 +1,12 @@
+#include "glib/glib.h"
+#include <stdint.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  g_autoptr(GVariant) variant = g_variant_new_from_data(
+      G_VARIANT_TYPE_VARIANT, data, size, FALSE, NULL, NULL);
+  if (variant) {
+    g_variant_get_normal_form(variant);
+    g_variant_get_data(variant);
+  }
+  return 0;
+}

projects/glib/fuzz_variant_text.c

@@ -0,0 +1,12 @@
+#include "glib/glib.h"
+#include <stdint.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  const gchar* gdata = (const gchar*)data;
+  g_autoptr(GVariant) variant =
+      g_variant_parse(NULL, gdata, gdata + size, NULL, NULL);
+  if (variant) { // g_autofree requires {}
+    g_autofree gchar* text = g_variant_print(variant, TRUE);
+  }
+  return 0;
+}

projects/glib/fuzz_variant_text.dict

@@ -0,0 +1,29 @@
+value="'"
+value="("
+value=")"
+value="<"
+value=">"
+value="["
+value="]"
+value="{"
+value="}"
+value="*"
+value="?"
+value="@"
+value="boolean"
+value="byte"
+value="double"
+value="false"
+value="handle"
+value="int16"
+value="int32"
+value="int64"
+value="just"
+value="nothing"
+value="objectpath"
+value="signature"
+value="string"
+value="true"
+value="uint16"
+value="uint32"
+value="uint64"