From c0e1e46bab68fb5e1fa655eb5e54201380801e34 Mon Sep 17 00:00:00 2001 From: pdknsk Date: Thu, 9 Aug 2018 16:52:25 +0200 Subject: [PATCH] [glib] GLib: more targets (#1695) * better seed corpus for fuzz_key * new target: fuzz_variant_text * new target: fuzz_dbus_message * get ninja from pip * remove target: fuzz_markup * new target: fuzz_variant_binary --- projects/glib/Dockerfile | 6 ++--- projects/glib/build.sh | 35 +++++++++++++++++++++------- projects/glib/fuzz_dbus_message.c | 19 +++++++++++++++ projects/glib/fuzz_markup.c | 33 -------------------------- projects/glib/fuzz_variant_binary.c | 12 ++++++++++ projects/glib/fuzz_variant_text.c | 12 ++++++++++ projects/glib/fuzz_variant_text.dict | 29 +++++++++++++++++++++++ 7 files changed, 101 insertions(+), 45 deletions(-) create mode 100644 projects/glib/fuzz_dbus_message.c delete mode 100644 projects/glib/fuzz_markup.c create mode 100644 projects/glib/fuzz_variant_binary.c create mode 100644 projects/glib/fuzz_variant_text.c create mode 100644 projects/glib/fuzz_variant_text.dict diff --git a/projects/glib/Dockerfile b/projects/glib/Dockerfile index d99d85ae9..82de90863 100644 --- a/projects/glib/Dockerfile +++ b/projects/glib/Dockerfile @@ -17,8 +17,8 @@ FROM gcr.io/oss-fuzz-base/base-builder MAINTAINER pdknsk@gmail.com RUN apt-get update && \ - apt-get install -y autoconf libtool ninja-build python3-pip -RUN pip3 install -U meson + apt-get install -y autoconf libtool python3-pip +RUN pip3 install -U meson ninja RUN git clone https://gitlab.gnome.org/GNOME/glib WORKDIR glib -COPY build.sh fuzz.options fuzz_bookmark.c fuzz_markup.c fuzz_key.c $SRC/ +COPY build.sh fuzz* $SRC/ diff --git a/projects/glib/build.sh b/projects/glib/build.sh index d89c8f029..a55551b85 100755 --- a/projects/glib/build.sh +++ b/projects/glib/build.sh 
@@ -27,14 +27,6 @@ meson $BUILD \ ninja -C $BUILD -$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_markup.c -$CXX $CXXFLAGS -lFuzzingEngine \ - fuzz_markup.o -o $OUT/fuzz_markup \ - $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a -cp $SRC/fuzz.options $OUT/fuzz_markup.options -find glib/tests -type f -size -32k -name "*.gmarkup" \ - -exec zip -qju $OUT/fuzz_markup_seed_corpus.zip "{}" \; - $CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_bookmark.c $CXX $CXXFLAGS -lFuzzingEngine \ fuzz_bookmark.o -o $OUT/fuzz_bookmark \ 
@@ -48,5 +40,30 @@ $CXX $CXXFLAGS -lFuzzingEngine \
 fuzz_key.o -o $OUT/fuzz_key \
 $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
 cp $SRC/fuzz.options $OUT/fuzz_key.options
-find glib/tests -type f -size -32k -name "*.ini" \
+find gio/tests -type f -size -32k -name "*.desktop" \
 -exec zip -qju $OUT/fuzz_key_seed_corpus.zip "{}" \;
+
+$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_variant_text.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+ fuzz_variant_text.o -o $OUT/fuzz_variant_text \
+ $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
+cp $SRC/fuzz.options $OUT/fuzz_variant_text.options
+cp $SRC/fuzz_variant_text.dict $OUT
+
+$CC $CFLAGS -I. -Iglib -I$BUILD/glib -c $SRC/fuzz_variant_binary.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+ fuzz_variant_binary.o -o $OUT/fuzz_variant_binary \
+ $BUILD/glib/libglib-2.0.a $BUILD/glib/libcharset/libcharset.a
+cp $SRC/fuzz.options $OUT/fuzz_variant_binary.options
+
+$CC $CFLAGS -I. -Iglib -Igmodule -I$BUILD -I$BUILD/glib \
+ -c $SRC/fuzz_dbus_message.c
+$CXX $CXXFLAGS -lFuzzingEngine \
+ fuzz_dbus_message.o -o $OUT/fuzz_dbus_message \
+ $BUILD/gio/libgio-2.0.a $BUILD/gmodule/libgmodule-2.0.a \
+ $BUILD/gobject/libgobject-2.0.a $BUILD/glib/libglib-2.0.a \
+ $BUILD/glib/libcharset/libcharset.a $BUILD/glib/pcre/libpcre.a \
+ $BUILD/gio/xdgmime/libxdgmime.a $BUILD/gio/inotify/libinotify.a \
+ $BUILD/subprojects/zlib*/libz.a $BUILD/subprojects/libffi/src/libffi.a \
+ -Bstatic -lresolv
+cp $SRC/fuzz.options $OUT/fuzz_dbus_message.options
diff --git a/projects/glib/fuzz_dbus_message.c b/projects/glib/fuzz_dbus_message.c
new file mode 100644
index 000000000..8531e604d
--- /dev/null
+++ b/projects/glib/fuzz_dbus_message.c
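Review bot: `-Bstatic -lresolv` on the fuzz_dbus_message link line does not reach the linker as ld's `-Bstatic` option: to the gcc/clang driver `-B<prefix>` is a search-prefix option (here with the prefix `static`), so it is silently ignored and `-lresolv` is linked dynamically exactly as it would be without the flag. If a static libresolv is intended, pass it through as `-Wl,-Bstatic -lresolv -Wl,-Bdynamic` (restoring dynamic mode so the libc and sanitizer runtimes link as before); if dynamic linking is acceptable, drop the flag so the line says what it does. In the same hunk, `$BUILD/subprojects/zlib*/libz.a` is a wildcard that would expand to several archives if more than one zlib subproject directory ever exists in the build tree; a short comment saying the glob is there to tolerate the versioned directory name would save the next reader a guess.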
@@ -0,0 +1,19 @@
+#include "gio/gio.h"
+#include
+
+static GDBusCapabilityFlags flags = G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ gssize bytes = g_dbus_message_bytes_needed((guchar*)data, size, NULL);
+ if (bytes <= 0 || bytes > (100 << 20))
+ return 0;
+
+ g_autoptr(GDBusMessage) msg =
+ g_dbus_message_new_from_blob((guchar*)data, size, flags, NULL);
+ if (!msg)
+ return 0;
+
+ gsize msg_size;
+ g_autofree guchar* blob = g_dbus_message_to_blob(msg, &msg_size, flags, NULL);
+ return 0;
+}
diff --git a/projects/glib/fuzz_markup.c b/projects/glib/fuzz_markup.c
deleted file mode 100644
index d2342f134..000000000
--- a/projects/glib/fuzz_markup.c
+++ /dev/null
@@ -1,33 +0,0 @@
-#include
-#include "glib/glib.h"
-
-static GMarkupParser parser = {
- NULL, NULL, NULL, NULL, NULL,
-};
-
-int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- g_autoptr(GMarkupParseContext) ctx =
- g_markup_parse_context_new(&parser, 0, NULL, NULL);
-
- // Parses incrementally in chunks.
-
- const uint8_t* new_data = data;
- size_t new_size = (size % 0x200) + 1;
-
- while (1) {
- if (new_data + new_size > data + size)
- new_size = data + size - new_data;
- if (!g_markup_parse_context_parse(
- ctx, (const gchar*)new_data, new_size, NULL)) {
- break;
- }
- if (!new_size) {
- g_markup_parse_context_end_parse(ctx, NULL);
- break;
- }
- new_data += new_size;
- new_size += size % 0x10;
- }
-
- return 0;
-}
diff --git a/projects/glib/fuzz_variant_binary.c b/projects/glib/fuzz_variant_binary.c
new file mode 100644
index 000000000..6579345e4
--- /dev/null
+++ b/projects/glib/fuzz_variant_binary.c
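Review bot: The `100 << 20` cap on `bytes` in fuzz_dbus_message.c is an unexplained magic number, and because the next call still passes `size` rather than `bytes`, a reader can mistake it for a bound on the input length; a comment such as `// bytes is the length the 16-byte header claims, not the input length; reject absurd claims here and let new_from_blob validate the body against size` would make the intent clear (that new_from_blob does its own length validation is presumed, not shown here). `flags` is never written, so `static const GDBusCapabilityFlags flags = ...;` documents that and keeps it out of writable data. The `g_dbus_message_to_blob` error is discarded together with `blob`, which is fine for crash detection but means a message that parses yet fails to re-serialise is invisible; if round-trip coverage is wanted, pass a `GError` and check it with `g_assert_no_error` once it is known that to_blob is expected to succeed on anything new_from_blob accepts.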
@@ -0,0 +1,12 @@
+#include "glib/glib.h"
+#include
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ g_autoptr(GVariant) variant = g_variant_new_from_data(
+ G_VARIANT_TYPE_VARIANT, data, size, FALSE, NULL, NULL);
+ if (variant) {
+ g_variant_get_normal_form(variant);
+ g_variant_get_data(variant);
+ }
+ return 0;
+}
diff --git a/projects/glib/fuzz_variant_text.c b/projects/glib/fuzz_variant_text.c
new file mode 100644
index 000000000..82abe765a
--- /dev/null
+++ b/projects/glib/fuzz_variant_text.c
@@ -0,0 +1,12 @@
+#include "glib/glib.h"
+#include
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ const gchar* gdata = (const gchar*)data;
+ g_autoptr(GVariant) variant =
+ g_variant_parse(NULL, gdata, gdata + size, NULL, NULL);
+ if (variant) { // g_autofree requires {}
+ g_autofree gchar* text = g_variant_print(variant, TRUE);
+ }
+ return 0;
+}
diff --git a/projects/glib/fuzz_variant_text.dict b/projects/glib/fuzz_variant_text.dict
new file mode 100644
index 000000000..c146634e1
--- /dev/null
+++ b/projects/glib/fuzz_variant_text.dict
@@ -0,0 +1,29 @@
+value="'"
+value="("
+value=")"
+value="<"
+value=">"
+value="["
+value="]"
+value="{"
+value="}"
+value="*"
+value="?"
+value="@"
+value="boolean"
+value="byte"
+value="double"
+value="false"
+value="handle"
+value="int16"
+value="int32"
+value="int64"
+value="just"
+value="nothing"
+value="objectpath"
+value="signature"
+value="string"
+value="true"
+value="uint16"
+value="uint32"
+value="uint64"
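Review bot: In fuzz_variant_binary.c, `g_variant_get_normal_form(variant)` returns a new reference (transfer full) that the call discards, so every input that parses leaks one GVariant; with libFuzzer's per-input leak detection that is reported as a crash on practically every run and would bury real findings. Keep the result and let the cleanup attribute release it: `g_autoptr(GVariant) normal = g_variant_get_normal_form(variant);`. Calling `g_variant_get_data(normal)` in addition to the existing `g_variant_get_data(variant)` would then also exercise serialisation of the trusted form; fuzz_variant_text.c in the same commit already frees its `g_variant_print` result this way, so the two targets would be consistent.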