Diffstat (limited to 'projects')
-rwxr-xr-xprojects/all.sh39
-rw-r--r--projects/boringssl/Dockerfile22
-rwxr-xr-xprojects/boringssl/build.sh43
-rw-r--r--projects/boringssl/target.yaml1
-rw-r--r--projects/c-ares/Dockerfile22
-rwxr-xr-xprojects/c-ares/build.sh28
-rw-r--r--projects/c-ares/c_ares_ares_create_query_fuzzer.cc31
-rw-r--r--projects/c-ares/target.yaml1
-rw-r--r--projects/curl/Dockerfile24
-rwxr-xr-xprojects/curl/build.sh28
-rw-r--r--projects/curl/curl_fuzzer.cc117
-rw-r--r--projects/curl/curl_fuzzer.options3
-rw-r--r--projects/curl/http.dict41
-rw-r--r--projects/curl/target.yaml1
-rw-r--r--projects/expat/Dockerfile23
-rw-r--r--projects/expat/Jenkinsfile23
-rwxr-xr-xprojects/expat/build.sh27
-rw-r--r--projects/expat/parse_fuzzer.cc23
-rw-r--r--projects/expat/parse_fuzzer.options3
-rw-r--r--projects/expat/target.yaml4
-rw-r--r--projects/expat/xml.dict125
-rw-r--r--projects/ffmpeg/Dockerfile43
-rwxr-xr-xprojects/ffmpeg/build.sh291
-rwxr-xr-xprojects/ffmpeg/group_seed_corpus.py138
-rw-r--r--projects/ffmpeg/target.yaml1
-rw-r--r--projects/file/Dockerfile22
-rwxr-xr-xprojects/file/build.sh27
-rw-r--r--projects/file/magic_fuzzer.cc51
-rw-r--r--projects/file/target.yaml2
-rw-r--r--projects/freetype2/Dockerfile23
-rwxr-xr-xprojects/freetype2/build.sh28
-rw-r--r--projects/freetype2/target.yaml1
-rw-r--r--projects/harfbuzz/Dockerfile23
-rwxr-xr-xprojects/harfbuzz/build.sh25
-rw-r--r--projects/harfbuzz/harfbuzz_fuzzer.cc46
-rw-r--r--projects/harfbuzz/target.yaml1
-rw-r--r--projects/icu/Dockerfile22
-rw-r--r--projects/icu/break_iterator_fuzzer.cc46
-rw-r--r--projects/icu/break_iterator_utf32_fuzzer.cc47
-rwxr-xr-xprojects/icu/build.sh48
-rw-r--r--projects/icu/converter_fuzzer.cc45
-rw-r--r--projects/icu/fuzzer_utils.h53
-rw-r--r--projects/icu/number_format_fuzzer.cc30
-rw-r--r--projects/icu/regex.dict103
-rw-r--r--projects/icu/target.yaml1
-rw-r--r--projects/icu/ucasemap_fuzzer.cc53
-rw-r--r--projects/icu/unicode_string_codepage_create_fuzzer.cc73
-rw-r--r--projects/icu/uregex_open_fuzzer.cc23
-rw-r--r--projects/icu/uregex_open_fuzzer.options2
-rw-r--r--projects/json/Dockerfile23
-rwxr-xr-xprojects/json/build.sh22
-rw-r--r--projects/json/parse_fuzzer.cc36
-rw-r--r--projects/json/parse_fuzzer.options3
-rw-r--r--projects/json/target.yaml1
-rw-r--r--projects/lcms/Dockerfile22
-rwxr-xr-xprojects/lcms/build.sh32
-rw-r--r--projects/lcms/cmsIT8_load_fuzzer.c31
-rw-r--r--projects/lcms/cmsIT8_load_fuzzer.options2
-rw-r--r--projects/lcms/cms_transform_fuzzer.c50
-rw-r--r--projects/lcms/cms_transform_fuzzer.options2
-rw-r--r--projects/lcms/icc.dict251
-rw-r--r--projects/lcms/target.yaml1
-rw-r--r--projects/libarchive/Dockerfile27
-rwxr-xr-xprojects/libarchive/build.sh28
-rw-r--r--projects/libarchive/libarchive_fuzzer.cc54
-rw-r--r--projects/libarchive/target.yaml1
-rw-r--r--projects/libass/Dockerfile24
-rw-r--r--projects/libass/ass.dict112
-rwxr-xr-xprojects/libass/build.sh36
-rw-r--r--projects/libass/libass_fuzzer.cc49
-rw-r--r--projects/libass/libass_fuzzer.options2
-rw-r--r--projects/libass/target.yaml1
-rw-r--r--projects/libchewing/Dockerfile23
-rwxr-xr-xprojects/libchewing/build.sh39
-rw-r--r--projects/libchewing/chewing_default_fuzzer.c15
-rw-r--r--projects/libchewing/chewing_dynamic_config_fuzzer.c15
-rw-r--r--projects/libchewing/chewing_fuzzer_common.c26
-rw-r--r--projects/libchewing/chewing_fuzzer_common.h13
-rw-r--r--projects/libchewing/chewing_random_init_fuzzer.c15
-rw-r--r--projects/libchewing/target.yaml1
-rw-r--r--projects/libjpeg-turbo/Dockerfile28
-rwxr-xr-xprojects/libjpeg-turbo/build.sh26
-rw-r--r--projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc48
-rw-r--r--projects/libjpeg-turbo/target.yaml1
-rw-r--r--projects/libpng/Dockerfile23
-rwxr-xr-xprojects/libpng/build.sh33
-rw-r--r--projects/libpng/libpng_read_fuzzer.cc123
-rw-r--r--projects/libpng/libpng_read_fuzzer.options2
-rw-r--r--projects/libpng/png.dict38
-rw-r--r--projects/libpng/target.yaml1
-rw-r--r--projects/libteken/Dockerfile22
-rwxr-xr-xprojects/libteken/build.sh25
-rw-r--r--projects/libteken/libteken_fuzzer.c31
-rw-r--r--projects/libteken/target.yaml1
-rw-r--r--projects/libtsm/Dockerfile23
-rwxr-xr-xprojects/libtsm/build.sh28
-rw-r--r--projects/libtsm/libtsm_fuzzer.c50
-rw-r--r--projects/libtsm/target.yaml1
-rw-r--r--projects/libxml2/Dockerfile27
-rwxr-xr-xprojects/libxml2/build.sh29
-rw-r--r--projects/libxml2/libxml2_xml_read_memory_fuzzer.cc23
-rw-r--r--projects/libxml2/libxml2_xml_read_memory_fuzzer.options2
-rw-r--r--projects/libxml2/libxml2_xml_regexp_compile_fuzzer.cc34
-rw-r--r--projects/libxml2/libxml2_xml_regexp_compile_fuzzer.options2
-rw-r--r--projects/libxml2/target.yaml1
-rw-r--r--projects/libxml2/xml.dict87
-rw-r--r--projects/nss/Dockerfile26
-rwxr-xr-xprojects/nss/build.sh68
-rw-r--r--projects/nss/fuzzers/asn1_algorithmid_fuzzer.cc19
-rw-r--r--projects/nss/fuzzers/asn1_any_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_bitstring_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_bmpstring_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_boolean_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_fuzzer_template.h45
-rw-r--r--projects/nss/fuzzers/asn1_generalizedtime_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_ia5string_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_integer_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_null_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_objectid_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_octetstring_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_utctime_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/asn1_utf8string_fuzzer.cc18
-rw-r--r--projects/nss/fuzzers/cert_certificate_fuzzer.cc19
-rw-r--r--projects/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc19
-rw-r--r--projects/nss/target.yaml1
-rw-r--r--projects/openssl/Dockerfile22
-rwxr-xr-xprojects/openssl/build.sh27
-rw-r--r--projects/openssl/target.yaml1
-rw-r--r--projects/ots/Dockerfile23
-rwxr-xr-xprojects/ots/build.sh30
-rw-r--r--projects/ots/ots_fuzzer.cc19
-rw-r--r--projects/ots/ots_fuzzer.options2
-rw-r--r--projects/ots/seed_corpus/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttfbin0 -> 61 bytes
-rw-r--r--projects/ots/seed_corpus/051d92f8bc6ff724511b296c27623f824de256e9.ttfbin0 -> 2028 bytes
-rw-r--r--projects/ots/seed_corpus/07f054357ff8638bac3711b422a1e31180bba863.ttfbin0 -> 848 bytes
-rw-r--r--projects/ots/seed_corpus/191826b9643e3f124d865d617ae609db6a2ce203.ttfbin0 -> 2140 bytes
-rw-r--r--projects/ots/seed_corpus/1a6f1687b7a221f9f2c834b0b360d3c8463b6daf.ttfbin0 -> 64 bytes
-rw-r--r--projects/ots/seed_corpus/1c04a16f32a39c26c851b7fc014d2e8d298ba2b8.ttfbin0 -> 820 bytes
-rw-r--r--projects/ots/seed_corpus/1c2c3fc37b2d4c3cb2ef726c6cdaaabd4b7f3eb9.ttfbin0 -> 316 bytes
-rw-r--r--projects/ots/seed_corpus/1c2fb74c1b2aa173262734c1f616148f1648cfd6.ttfbin0 -> 4064 bytes
-rw-r--r--projects/ots/seed_corpus/205edd09bd3d141cc9580f650109556cc28b22cb.ttfbin0 -> 1966 bytes
-rw-r--r--projects/ots/seed_corpus/226bc2deab3846f1a682085f70c67d0421014144.ttfbin0 -> 2828 bytes
-rw-r--r--projects/ots/seed_corpus/270b89df543a7e48e206a2d830c0e10e5265c630.ttfbin0 -> 3428 bytes
-rw-r--r--projects/ots/seed_corpus/298c9e1d955f10f6f72c6915c3c6ff9bf9695cec.ttfbin0 -> 2520 bytes
-rw-r--r--projects/ots/seed_corpus/3511ff5c1647150595846ac414c595cccac34f18.ttfbin0 -> 1483 bytes
-rw-r--r--projects/ots/seed_corpus/37033cc5cf37bb223d7355153016b6ccece93b28.ttfbin0 -> 2780 bytes
-rw-r--r--projects/ots/seed_corpus/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttfbin0 -> 1024 bytes
-rw-r--r--projects/ots/seed_corpus/43979b90b2dd929723cf4fe1715990bcb9c9a56b.ttfbin0 -> 1804 bytes
-rw-r--r--projects/ots/seed_corpus/43ef465752be9af900745f72fe29cb853a1401a5.ttfbin0 -> 4272 bytes
-rw-r--r--projects/ots/seed_corpus/45855bc8d46332b39c4ab9e2ee1a26b1f896da6b.ttfbin0 -> 1088 bytes
-rw-r--r--projects/ots/seed_corpus/49c9f7485c1392fa09a1b801bc2ffea79275f22e.ttfbin0 -> 1496 bytes
-rw-r--r--projects/ots/seed_corpus/4cce528e99f600ed9c25a2b69e32eb94a03b4ae8.ttfbin0 -> 1320 bytes
-rw-r--r--projects/ots/seed_corpus/5028afb650b1bb718ed2131e872fbcce57828fff.ttfbin0 -> 4720 bytes
-rw-r--r--projects/ots/seed_corpus/56cfd0e18d07f41c38e9598545a6d369127fc6f9.ttfbin0 -> 1412 bytes
-rw-r--r--projects/ots/seed_corpus/57a9d9f83020155cbb1d2be1f43d82388cbecc88.ttfbin0 -> 2272 bytes
-rw-r--r--projects/ots/seed_corpus/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttfbin0 -> 61 bytes
-rw-r--r--projects/ots/seed_corpus/641bd9db850193064d17575053ae2bf8ec149ddc.ttfbin0 -> 305 bytes
-rw-r--r--projects/ots/seed_corpus/6466d38c62e73a39202435a4f73bf5d6acbb73c0.ttfbin0 -> 824 bytes
-rw-r--r--projects/ots/seed_corpus/6ff0fbead4462d9f229167b4e6839eceb8465058.ttfbin0 -> 1148 bytes
-rw-r--r--projects/ots/seed_corpus/706c5d7b625f207bc0d874c67237aad6f1e9cd6f.ttfbin0 -> 3868 bytes
-rw-r--r--projects/ots/seed_corpus/757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttfbin0 -> 1804 bytes
-rw-r--r--projects/ots/seed_corpus/7a37dc4d5bf018456aea291cee06daf004c0221c.ttfbin0 -> 1080 bytes
-rw-r--r--projects/ots/seed_corpus/7e14e7883ed152baa158b80e207b66114c823a8b.ttfbin0 -> 1644 bytes
-rw-r--r--projects/ots/seed_corpus/7ef276fc886ea502a03b9b0e5c8b547d5dc2b61c.ttfbin0 -> 784 bytes
-rw-r--r--projects/ots/seed_corpus/8099955657a54e9ee38a6ba1d6f950ce58e3cc25.ttfbin0 -> 1024 bytes
-rw-r--r--projects/ots/seed_corpus/813c2f8e5512187fd982417a7fb4286728e6f4a8.ttfbin0 -> 3428 bytes
-rw-r--r--projects/ots/seed_corpus/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttfbin0 -> 633 bytes
-rw-r--r--projects/ots/seed_corpus/8454d22037f892e76614e1645d066689a0200e61.ttfbin0 -> 6068 bytes
-rw-r--r--projects/ots/seed_corpus/8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttfbin0 -> 3428 bytes
-rw-r--r--projects/ots/seed_corpus/a34a7b00f22ffb5fd7eef6933b81c7e71bc2cdfb.ttfbin0 -> 3700 bytes
-rw-r--r--projects/ots/seed_corpus/a919b33197965846f21074b24e30250d67277bce.ttfbin0 -> 12560 bytes
-rw-r--r--projects/ots/seed_corpus/a98e908e2ed21b22228ea59ebcc0f05034c86f2e.ttfbin0 -> 1016 bytes
-rw-r--r--projects/ots/seed_corpus/b9e2aaa0d75fcef6971ec3a96d806ba4a6b31fe2.ttfbin0 -> 1804 bytes
-rw-r--r--projects/ots/seed_corpus/bb0c53752e85c3d28973ebc913287b8987d3dfe8.ttfbin0 -> 976 bytes
-rw-r--r--projects/ots/seed_corpus/bb9473d2403488714043bcfb946c9f78b86ad627.ttfbin0 -> 3440 bytes
-rw-r--r--projects/ots/seed_corpus/c4e48b0886ef460f532fb49f00047ec92c432ec0.ttfbin0 -> 2512 bytes
-rw-r--r--projects/ots/seed_corpus/cc5f3d2d717fb6bd4dfae1c16d48a2cb8e12233b.ttfbin0 -> 1448 bytes
-rw-r--r--projects/ots/seed_corpus/d629e7fedc0b350222d7987345fe61613fa3929a.ttfbin0 -> 1768 bytes
-rw-r--r--projects/ots/seed_corpus/df768b9c257e0c9c35786c47cae15c46571d56be.ttfbin0 -> 6332 bytes
-rw-r--r--projects/ots/seed_corpus/e207635780b42f898d58654b65098763e340f5c7.ttfbin0 -> 3000 bytes
-rw-r--r--projects/ots/seed_corpus/ef86fe710cfea877bbe0dbb6946a1f88d0661031.ttfbin0 -> 2748 bytes
-rw-r--r--projects/ots/seed_corpus/f22416c692720a7d46fadf4af99f4c9e094f00b9.ttfbin0 -> 16736 bytes
-rw-r--r--projects/ots/seed_corpus/f499fbc23865022234775c43503bba2e63978fe1.ttfbin0 -> 3564 bytes
-rw-r--r--projects/ots/seed_corpus/f518eb6f6b5eec2946c9fbbbde44e45d46f5e2ac.ttfbin0 -> 1356 bytes
-rw-r--r--projects/ots/seed_corpus/fab39d60d758cb586db5a504f218442cd1395725.ttfbin0 -> 1894 bytes
-rw-r--r--projects/ots/seed_corpus/fbb6c84c9e1fe0c39e152fbe845e51fd81f6748e.ttfbin0 -> 2616 bytes
-rw-r--r--projects/ots/seed_corpus/fcdcffbdf1c4c97c05308d7600e4c283eb47dbca.ttfbin0 -> 1344 bytes
-rw-r--r--projects/ots/seed_corpus/ffa0f5d2d9025486d8469d8b1fdd983e7632499b.ttfbin0 -> 1448 bytes
-rw-r--r--projects/ots/target.yaml1
-rw-r--r--projects/pcre2/Dockerfile22
-rwxr-xr-xprojects/pcre2/build.sh27
-rw-r--r--projects/pcre2/target.yaml2
-rw-r--r--projects/re2/Dockerfile23
-rwxr-xr-xprojects/re2/build.sh35
-rw-r--r--projects/re2/re2_fuzzer.cc87
-rw-r--r--projects/re2/re2_fuzzer.options2
-rw-r--r--projects/re2/target.yaml1
-rw-r--r--projects/sqlite3/Dockerfile31
-rwxr-xr-xprojects/sqlite3/build.sh38
-rw-r--r--projects/sqlite3/ossfuzz.options2
-rw-r--r--projects/sqlite3/sql.dict282
-rw-r--r--projects/sqlite3/target.yaml5
-rw-r--r--projects/tpm2/Jenkinsfile26
-rw-r--r--projects/tpm2/target.yaml4
-rw-r--r--projects/woff2/Dockerfile23
-rwxr-xr-xprojects/woff2/build.sh40
-rw-r--r--projects/woff2/convert_woff2ttf_fuzzer.cc17
-rw-r--r--projects/woff2/convert_woff2ttf_fuzzer.options2
-rw-r--r--projects/woff2/target.yaml1
-rw-r--r--projects/zlib/Dockerfile23
-rwxr-xr-xprojects/zlib/build.sh8
-rw-r--r--projects/zlib/target.yaml1
-rw-r--r--projects/zlib/zlib_uncompress_fuzzer.cc21
213 files changed, 4824 insertions, 0 deletions
diff --git a/projects/all.sh b/projects/all.sh
new file mode 100755
index 00000000..7e34cc21
--- /dev/null
+++ b/projects/all.sh
@@ -0,0 +1,39 @@
+#!/bin/bash -eu
+#
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Development script to build all images.
+IGNORE="build:docs:infra:tpm2:scripts"
+
+for target in targets/*; do
+ if [[ -f $target || ":${IGNORE}:" == *":$target:"* ]]; then continue; fi
+ echo "@ Building $target"
+ docker build -t ossfuzz/$target $target/
+
+ # Execute command ($1) if any
+ case ${1-} in
+ "")
+ ;;
+ compile|test)
+ docker run --rm -ti ossfuzz/$target $@
+ ;;
+ *)
+ echo $"Usage: $0 {|compile}"
+ exit 1
+ esac
+
+done
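Review bot: The IGNORE test on the `if` line never matches: `$target` is the full glob path (`targets/tpm2`) while IGNORE lists bare names (`tpm2`), so `:targets/tpm2:` is never a substring of `:build:docs:infra:tpm2:scripts:` and nothing is ever skipped. Strip the directory first, e.g. `name=${target##*/}` and test `":${IGNORE}:" == *":$name:"*`. The glob also reads `targets/*` although the script is committed under `projects/`; if it is meant to walk its own directory, the glob needs updating as well. Quoting `"$@"` on the `docker run` line keeps arguments with spaces intact, and the usage message omits the `test` command that the `case` accepts.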
diff --git a/projects/boringssl/Dockerfile b/projects/boringssl/Dockerfile
new file mode 100644
index 00000000..0368f816
--- /dev/null
+++ b/projects/boringssl/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mike.aizatsky@gmail.com
+RUN apt-get install -y cmake ninja-build golang
+
+RUN git clone https://boringssl.googlesource.com/boringssl
+COPY build.sh $SRC/
diff --git a/projects/boringssl/build.sh b/projects/boringssl/build.sh
new file mode 100755
index 00000000..832b9665
--- /dev/null
+++ b/projects/boringssl/build.sh
@@ -0,0 +1,43 @@
+#!/bin/bash -eux
+#
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+mkdir -p $WORK/boringssl
+cd $WORK/boringssl
+
+CFLAGS="$CFLAGS -DBORINGSSL_UNSAFE_FUZZER_MODE"
+CXXFLAGS="$CXXFLAGS -DBORINGSSL_UNSAFE_FUZZER_MODE"
+
+cmake -GNinja -DCMAKE_C_COMPILER=$CC -DCMAKE_CXX_COMPILER=$CXX \
+ -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" \
+ $SRC/boringssl/
+ninja
+
+fuzzerFiles=$(find $SRC/boringssl/fuzz/ -name "*.cc")
+
+find . -name "*.a"
+
+for F in $fuzzerFiles; do
+ fuzzerName=$(basename $F .cc)
+ echo "Building fuzzer $fuzzerName"
+ $CXX $CXXFLAGS -std=c++11 \
+ -o $OUT/${fuzzerName} -lfuzzer $F \
+ -I $SRC/boringssl/include ./ssl/libssl.a ./crypto/libcrypto.a
+
+ if [ -d "$SRC/boringssl/fuzz/${fuzzerName}_corpus" ]; then
+ zip -j $OUT/${fuzzerName}_seed_corpus.zip $SRC/boringssl/fuzz/${fuzzerName}_corpus/*
+ fi
+done
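Review bot: The bare `find . -name "*.a"` after `ninja` is a leftover diagnostic that only prints to the build log; with `set -x` already tracing every command it should be dropped. The `zip -j ... ${fuzzerName}_corpus/*` line will abort the whole build under `set -e` if a `*_corpus` directory exists but is empty, because the unmatched glob is passed to `zip` literally; guarding with `shopt -s nullglob` or an `ls -A` check avoids that. `$F`, `$OUT` and `$SRC` are expanded unquoted throughout the loop, which is harmless for the current paths but inconsistent with the quoting of `$CFLAGS` on the cmake line.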
diff --git a/projects/boringssl/target.yaml b/projects/boringssl/target.yaml
new file mode 100644
index 00000000..e57f1846
--- /dev/null
+++ b/projects/boringssl/target.yaml
@@ -0,0 +1 @@
+homepage: "https://boringssl.googlesource.com/boringssl/"
diff --git a/projects/c-ares/Dockerfile b/projects/c-ares/Dockerfile
new file mode 100644
index 00000000..56e50dcf
--- /dev/null
+++ b/projects/c-ares/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool
+RUN git clone https://github.com/c-ares/c-ares.git
+WORKDIR c-ares
+COPY build.sh *_fuzzer.cc $SRC/
diff --git a/projects/c-ares/build.sh b/projects/c-ares/build.sh
new file mode 100755
index 00000000..41fbf3bb
--- /dev/null
+++ b/projects/c-ares/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build the target.
+./buildconf
+./configure --enable-debug
+make clean
+make -j$(nproc) V=1 all
+
+# Build the fuzzer.
+$CXX $CXXFLAGS -std=c++11 -I. \
+ $SRC/c_ares_ares_create_query_fuzzer.cc \
+ -o $OUT/c_ares_ares_create_query_fuzzer \
+ -lfuzzer $SRC/c-ares/.libs/libcares.a
diff --git a/projects/c-ares/c_ares_ares_create_query_fuzzer.cc b/projects/c-ares/c_ares_ares_create_query_fuzzer.cc
new file mode 100644
index 00000000..fc12938e
--- /dev/null
+++ b/projects/c-ares/c_ares_ares_create_query_fuzzer.cc
@@ -0,0 +1,31 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <arpa/nameser.h>
+
+#include <string>
+
+#include <ares.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ unsigned char *buf;
+ int buflen;
+ std::string s(reinterpret_cast<const char *>(data), size);
+ ares_create_query(s.c_str(), ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0);
+ ares_free_string(buf);
+ return 0;
+}
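Review bot: The return value of `ares_create_query` on the line before `ares_free_string(buf)` is ignored and `buf` is never initialised, so on any failure path (out of memory, or a name that cannot be encoded) `ares_free_string` is handed an indeterminate pointer. Initialise `unsigned char *buf = nullptr;` and free only on success: `if (ares_create_query(s.c_str(), ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0) == ARES_SUCCESS) ares_free_string(buf);`. Embedded NULs in `data` are also silently truncated by `c_str()`, which is acceptable for a name-encoding fuzzer but deserves a one-line comment so the shorter effective input is not mistaken for a bug.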
diff --git a/projects/c-ares/target.yaml b/projects/c-ares/target.yaml
new file mode 100644
index 00000000..58790408
--- /dev/null
+++ b/projects/c-ares/target.yaml
@@ -0,0 +1 @@
+homepage: "https://c-ares.haxx.se/"
diff --git a/projects/curl/Dockerfile b/projects/curl/Dockerfile
new file mode 100644
index 00000000..d8df622d
--- /dev/null
+++ b/projects/curl/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER dvyukov@google.com
+RUN apt-get install -y make autoconf automake libtool libssl-dev zlib1g-dev
+
+RUN git clone https://github.com/curl/curl.git
+WORKDIR curl
+COPY build.sh curl_fuzzer.cc *.options *.dict $SRC/
+
diff --git a/projects/curl/build.sh b/projects/curl/build.sh
new file mode 100755
index 00000000..35deec89
--- /dev/null
+++ b/projects/curl/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./buildconf
+./configure --disable-shared --enable-debug --enable-maintainer-mode --disable-symbol-hiding --disable-threaded-resolver --enable-ipv6 --with-random=/dev/null
+make -j$(nproc)
+$CXX $CXXFLAGS $SRC/curl_fuzzer.cc -Iinclude lib/.libs/libcurl.a \
+ -o $OUT/curl_fuzzer \
+ -Wl,-Bstatic -lssl -lcrypto -lz -lfuzzer -Wl,-Bdynamic
+
+# /usr/lib/x86_64-linux-gnu/libssl.a \
+# /usr/lib/x86_64-linux-gnu/libcrypto.a \
+
+cp $SRC/*.dict $SRC/*.options $OUT/
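Review bot: The lines `# /usr/lib/x86_64-linux-gnu/libssl.a` and `# /usr/lib/x86_64-linux-gnu/libcrypto.a` are commented-out link inputs left over from an earlier attempt and should be removed; the link line above already resolves OpenSSL via `-Wl,-Bstatic -lssl -lcrypto`. Those archives come from the distro `libssl-dev` package, so the TLS code path is linked without sanitizer or coverage instrumentation; if TLS handling is meant to be fuzzed (the `FUZZER_HTTP2` variant in curl_fuzzer.cc disables peer verification for that purpose), OpenSSL would need to be built from source with `$CFLAGS`, as the boringssl project in this commit does. The fuzzer is also compiled without `-std=c++11`, unlike the other C++ fuzzers in this commit, which is fine for the current source but inconsistent.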
diff --git a/projects/curl/curl_fuzzer.cc b/projects/curl/curl_fuzzer.cc
new file mode 100644
index 00000000..b292e346
--- /dev/null
+++ b/projects/curl/curl_fuzzer.cc
@@ -0,0 +1,117 @@
+/*
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <curl/curl.h>
+
+static const void *cur_data;
+static int cur_size = -1;
+static int server_fd = -1;
+static int client_fd = -1;
+static bool wrote = false;
+
+static void fail(const char *why) {
+ perror(why);
+ exit(1);
+}
+
+static curl_socket_t open_sock(void *ctx, curlsocktype purpose,
+ struct curl_sockaddr *address) {
+ if (cur_size == -1) fail("not fuzzing");
+ if (server_fd != -1 || client_fd != -1) fail("already connected");
+ int fds[2];
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) fail("socketpair");
+ server_fd = fds[0];
+ client_fd = fds[1];
+ if (write(server_fd, cur_data, cur_size) != cur_size) fail("write");
+ if (shutdown(server_fd, SHUT_WR)) fail("shutdown");
+ return client_fd;
+}
+
+static int set_opt(void *ctx, curl_socket_t curlfd, curlsocktype purpose) {
+ return CURL_SOCKOPT_ALREADY_CONNECTED;
+}
+
+static size_t write_callback(char *ptr, size_t size, size_t n, void *ctx) {
+ return size * n;
+}
+
+static size_t read_callback(char *buf, size_t size, size_t n, void *ctx) {
+ if (wrote || size * n == 0) return 0;
+ wrote = true;
+ buf[0] = 'a';
+ return 1;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ cur_data = Data;
+ cur_size = Size;
+ wrote = false;
+ CURL *curl = curl_easy_init();
+ curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
+ curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback);
+ curl_easy_setopt(curl, CURLOPT_OPENSOCKETFUNCTION, open_sock);
+ curl_easy_setopt(curl, CURLOPT_SOCKOPTFUNCTION, set_opt);
+#if defined(FUZZER_FTP)
+ curl_easy_setopt(curl, CURLOPT_URL, "ftp://user@localhost/file.txt");
+#elif defined(FUZZER_IMAP)
+ curl_easy_setopt(curl, CURLOPT_USERNAME, "user");
+ curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
+ curl_easy_setopt(curl, CURLOPT_URL, "imap://localhost");
+#elif defined(FUZZER_POP3)
+ curl_easy_setopt(curl, CURLOPT_USERNAME, "user");
+ curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
+ curl_easy_setopt(curl, CURLOPT_URL, "pop3://localhost");
+#elif defined(FUZZER_HTTP_UPLOAD)
+ curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
+ curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
+#elif defined(FUZZER_HTTP2)
+ curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
+ curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 0L);
+#else
+ curl_easy_setopt(curl, CURLOPT_URL, "http://localhost/");
+ curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
+#endif
+ curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ close(server_fd);
+ close(client_fd);
+ server_fd = -1;
+ client_fd = -1;
+ cur_data = NULL;
+ cur_size = -1;
+ return 0;
+}
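Review bot: In `open_sock` the whole input is pushed into the socketpair with a single blocking `write` before curl has read anything, so an input larger than the AF_UNIX send buffer would block forever rather than fail; this is only safe because `curl_fuzzer.options` caps `max_len` at 1000, and the fuzzer itself should enforce a bound, e.g. at the top of `LLVMFuzzerTestOneInput`: `if (Size > 64 * 1024) return 0;` (limit chosen for illustration). The assignment `cur_size = Size;` also narrows a `size_t` into an `int`, which the same bound makes safe. `curl_easy_init()` is not checked for NULL, so on failure every `curl_easy_setopt` and `curl_easy_perform` call quietly returns an error and the iteration tests nothing; `if (!curl) fail("curl_easy_init");` matches the module's existing error style and makes the failure visible.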
diff --git a/projects/curl/curl_fuzzer.options b/projects/curl/curl_fuzzer.options
new file mode 100644
index 00000000..e8e81518
--- /dev/null
+++ b/projects/curl/curl_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 1000
+dict = http.dict
diff --git a/projects/curl/http.dict b/projects/curl/http.dict
new file mode 100644
index 00000000..57b7b437
--- /dev/null
+++ b/projects/curl/http.dict
@@ -0,0 +1,41 @@
+"\x0a\x0d"
+"HTTP/1.0"
+"HTTP/1.1"
+"100"
+"200"
+"301"
+"400"
+"Server:"
+"Last-Modified:"
+"Content-Type:"
+"text/html"
+"charset=UTF-8"
+"Accept-Ranges:"
+"bytes"
+"Content-Length:"
+"Transfer-Encoding:"
+"compress"
+"exi"
+"gzip"
+"identity"
+"pack200-gzip"
+"br"
+"deflate"
+"bzip2"
+"lzma"
+"xz"
+"Content-Encoding:"
+"chunked"
+"Connection:"
+"close"
+"Date:"
+"Expires:"
+"Fri, 31 Dec 1999 23:59:59 GMT"
+"Cache-Control:"
+"no-cache"
+"no-store"
+"must-revalidate"
+"Pragma:"
+"no-cache"
+"Host:"
+
diff --git a/projects/curl/target.yaml b/projects/curl/target.yaml
new file mode 100644
index 00000000..30580bab
--- /dev/null
+++ b/projects/curl/target.yaml
@@ -0,0 +1 @@
+homepage: "https://curl.haxx.se/"
diff --git a/projects/expat/Dockerfile b/projects/expat/Dockerfile
new file mode 100644
index 00000000..83302cd7
--- /dev/null
+++ b/projects/expat/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mike.aizatsky@gmail.com
+RUN apt-get install -y make autoconf automake libtool docbook2x
+
+RUN git clone git://git.code.sf.net/p/expat/code_git expat
+WORKDIR expat/expat
+COPY build.sh parse_fuzzer.* xml.dict $SRC/
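Review bot: The `RUN git clone git://git.code.sf.net/p/expat/code_git expat` line fetches the code under test over the unauthenticated `git://` protocol, which provides no transport integrity, so the build image can be handed a tampered tree by anyone on the network path; the `git =` line in projects/expat/Jenkinsfile uses the same URL. Every other project in this commit clones over `https://`; switching both lines to the HTTPS endpoint for the same repository (exact URL not visible here) removes that exposure. The trusted source question matters more here than in a normal build, because whatever is cloned is compiled and executed under the fuzzer with no further review.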
diff --git a/projects/expat/Jenkinsfile b/projects/expat/Jenkinsfile
new file mode 100644
index 00000000..8dde3da7
--- /dev/null
+++ b/projects/expat/Jenkinsfile
@@ -0,0 +1,23 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
+ 'https://github.com/google/oss-fuzz.git')
+
+libfuzzerBuild {
+ git = "git://git.code.sf.net/p/expat/code_git"
+ sanitizers = ["address", "undefined"]
+}
diff --git a/projects/expat/build.sh b/projects/expat/build.sh
new file mode 100755
index 00000000..06e03612
--- /dev/null
+++ b/projects/expat/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./buildconf.sh
+./configure
+make clean
+make -j$(nproc) all
+
+$CXX $CXXFLAGS -std=c++11 -Ilib/ \
+ $SRC/parse_fuzzer.cc -o $OUT/parse_fuzzer \
+ -lfuzzer .libs/libexpat.a
+
+cp $SRC/*.dict $SRC/*.options $OUT/
diff --git a/projects/expat/parse_fuzzer.cc b/projects/expat/parse_fuzzer.cc
new file mode 100644
index 00000000..da464095
--- /dev/null
+++ b/projects/expat/parse_fuzzer.cc
@@ -0,0 +1,23 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <vector>
+#include "expat.h"
+
+std::vector<const char*> kEncodings = {{"UTF-16", "UTF-8", "ISO-8859-1",
+ "US-ASCII", "UTF-16BE", "UTF-16LE",
+ "INVALIDENCODING"}};
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ const char* dataPtr = reinterpret_cast<const char*>(data);
+ for (int use_ns = 0; use_ns <= 1; ++use_ns) {
+ for (auto enc : kEncodings) {
+ XML_Parser parser =
+ use_ns ? XML_ParserCreateNS(enc, '\n') : XML_ParserCreate(enc);
+ XML_Parse(parser, dataPtr, size, true);
+ XML_ParserFree(parser);
+ }
+ }
+ return 0;
+}
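Review bot: `XML_ParserCreate` and `XML_ParserCreateNS` can return NULL on allocation failure, and the ternary that creates the parser hands the result straight to `XML_Parse`, which would dereference it; add `if (!parser) continue;` between the create and the parse. `XML_Parse` takes an `int` length while `size` is a `size_t`, so the call narrows implicitly — harmless under the 1024-byte `max_len` in parse_fuzzer.options, but an explicit `static_cast<int>(size)` (or an early `return 0` for sizes above `INT_MAX`) makes the assumption visible. The file also uses `uint8_t` and `size_t` while including only `<vector>` and `"expat.h"`; adding `<stddef.h>` and `<stdint.h>` avoids depending on a transitive include.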
diff --git a/projects/expat/parse_fuzzer.options b/projects/expat/parse_fuzzer.options
new file mode 100644
index 00000000..46f3f567
--- /dev/null
+++ b/projects/expat/parse_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+dict = xml.dict
+max_len = 1024
diff --git a/projects/expat/target.yaml b/projects/expat/target.yaml
new file mode 100644
index 00000000..b183ac20
--- /dev/null
+++ b/projects/expat/target.yaml
@@ -0,0 +1,4 @@
+homepage: "http://expat.sourceforge.net/"
+sanitizers:
+ - address
+ - undefined
diff --git a/projects/expat/xml.dict b/projects/expat/xml.dict
new file mode 100644
index 00000000..8449cb08
--- /dev/null
+++ b/projects/expat/xml.dict
@@ -0,0 +1,125 @@
+#
+# AFL dictionary for XML
+# ----------------------
+#
+# Several basic syntax elements and attributes, modeled on libxml2.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+attr_encoding=" encoding=\"1\""
+attr_generic=" a=\"1\""
+attr_href=" href=\"1\""
+attr_standalone=" standalone=\"no\""
+attr_version=" version=\"1\""
+attr_xml_base=" xml:base=\"1\""
+attr_xml_id=" xml:id=\"1\""
+attr_xml_lang=" xml:lang=\"1\""
+attr_xml_space=" xml:space=\"1\""
+attr_xmlns=" xmlns=\"1\""
+
+entity_builtin="&lt;"
+entity_decimal="&#1;"
+entity_external="&a;"
+entity_hex="&#x1;"
+
+# keywords
+"ANY"
+"ATTLIST"
+"CDATA"
+"DOCTYPE"
+"ELEMENT"
+"EMPTY"
+"ENTITIES"
+"ENTITY"
+"FIXED"
+"ID"
+"IDREF"
+"IDREFS"
+"IGNORE"
+"IMPLIED"
+"INCLUDE"
+"NDATA"
+"NMTOKEN"
+"NMTOKENS"
+"NOTATION"
+"PCDATA"
+"PUBLIC"
+"REQUIRED"
+"SYSTEM"
+
+# Various tag parts
+"<"
+">"
+"/>"
+"</"
+"<?"
+"?>"
+"<!"
+"!>"
+"[]"
+"]]"
+"<![CDATA["
+"<![CDATA[]]>"
+"\"\""
+"''"
+"=\"\""
+"=''"
+
+# DTD
+"<!ATTLIST"
+"<!DOCTYPE"
+"<!ELEMENT"
+"<!ENTITY"
+"<![IGNORE["
+"<![INCLUDE["
+"<!NOTATION"
+"#CDATA"
+"#FIXED"
+"#IMPLIED"
+"#PCDATA"
+"#REQUIRED"
+
+# Encodings
+"ISO-8859-1"
+"US-ASCII"
+"UTF-8"
+"UTF-16"
+"UTF-16BE"
+"UTF-16LE"
+
+# Namespaces and schemas
+"xmlns"
+"xmlns:"
+"xmlns:xhtml=\"http://www.w3.org/1999/xhtml\""
+"xmlns:xml=\"http://www.w3.org/XML/1998/namespace\""
+"xmlns:xmlns=\"http://www.w3.org/2000/xmlns\""
+
+string_col_fallback=":fallback"
+string_col_generic=":a"
+string_col_include=":include"
+string_dashes="--"
+string_parentheses="()"
+string_percent="%a"
+string_schema=":schema"
+string_ucs4="UCS-4"
+tag_close="</a>"
+tag_open="<a>"
+tag_open_close="<a />"
+
+
+"<?xml?>"
+"http://docboo"
+"http://www.w"
+"he30"
+"he2"
+"IET"
+"FDF-10"
+"aDUCS-4OPveb:"
+"a>"
+"UT"
+"xMl"
+"/usr/share/sg"
+"ha07"
+"http://www.oa"
+"cle"
diff --git a/projects/ffmpeg/Dockerfile b/projects/ffmpeg/Dockerfile
new file mode 100644
index 00000000..6543bc8e
--- /dev/null
+++ b/projects/ffmpeg/Dockerfile
@@ -0,0 +1,43 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool build-essential \
+ libass-dev libfreetype6-dev libsdl1.2-dev \
+ libvdpau-dev libxcb1-dev libxcb-shm0-dev \
+ pkg-config texinfo libbz2-dev zlib1g-dev nasm yasm cmake mercurial wget \
+ xutils-dev libpciaccess-dev
+
+RUN git clone https://git.ffmpeg.org/ffmpeg.git ffmpeg
+
+RUN wget ftp://ftp.alsa-project.org/pub/lib/alsa-lib-1.1.0.tar.bz2
+RUN git clone git://anongit.freedesktop.org/mesa/drm
+RUN git clone https://github.com/mstorsjo/fdk-aac.git
+RUN wget https://sourceforge.net/projects/lame/files/latest/download -O lame.tar.gz
+RUN git clone git://anongit.freedesktop.org/xorg/lib/libXext
+RUN git clone git://anongit.freedesktop.org/git/xorg/lib/libXfixes
+RUN git clone git://anongit.freedesktop.org/git/libva
+RUN git clone git://people.freedesktop.org/~aplattner/libvdpau
+RUN git clone https://chromium.googlesource.com/webm/libvpx
+RUN svn co http://svn.xiph.org/trunk/ogg
+RUN git clone git://git.xiph.org/opus.git
+RUN git clone git://git.xiph.org/theora.git
+RUN git clone git://git.xiph.org/vorbis.git
+RUN git clone git://git.videolan.org/git/x264.git
+RUN hg clone https://bitbucket.org/multicoreware/x265
+
+COPY build.sh group_seed_corpus.py $SRC/
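Review bot: Most of the dependency sources are fetched over unauthenticated transports with no integrity check — `git://` for drm, libXext, libXfixes, libva, libvdpau, opus, theora, vorbis and x264, `ftp://` for the alsa-lib tarball, plain `http://` for the ogg svn checkout — and the lame tarball comes from an unpinned `.../files/latest/download` URL, so the image build trusts whatever the network returns. For the two tarballs, record the expected digest next to the URL and verify it before use, e.g. `echo "<sha256>  alsa-lib-1.1.0.tar.bz2" | sha256sum -c`, and switch to https mirrors where the projects offer them. For the clones, checking out a fixed commit (`git -C <dir> checkout <sha>`) would at least make the build reproducible and tie a crash to a known tree, even though it does not by itself authenticate the server.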
diff --git a/projects/ffmpeg/build.sh b/projects/ffmpeg/build.sh
new file mode 100755
index 00000000..87e589dc
--- /dev/null
+++ b/projects/ffmpeg/build.sh
@@ -0,0 +1,291 @@
+#!/bin/bash -eux
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build dependencies.
+export FFMPEG_DEPS_PATH=$SRC/ffmpeg_deps
+mkdir -p $FFMPEG_DEPS_PATH
+
+cd $SRC
+bzip2 -f -d alsa-lib-*
+tar xf alsa-lib-*
+cd alsa-lib-*
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC/drm
+# Requires xutils-dev libpciaccess-dev
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/fdk-aac
+autoreconf -fiv
+./configure --prefix="$FFMPEG_DEPS_PATH" --disable-shared
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC
+tar xzf lame.tar.gz
+cd lame-*
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/libXext
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/libXfixes
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/libva
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC/libvdpau
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-shared
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC/libvpx
+LDFLAGS="$CXXFLAGS $LDFLAGS" ./configure --prefix="$FFMPEG_DEPS_PATH" \
+ --disable-examples --disable-unit-tests
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC/ogg
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/opus
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc) all
+make install
+
+cd $SRC/theora
+# theora requires ogg, need to pass its location to the "configure" script.
+CFLAGS="$CFLAGS -fPIC" LDFLAGS="$LDFLAGS -L$FFMPEG_DEPS_PATH/lib/" \
+ CPPFLAGS="$CXXFLAGS -I$FFMPEG_DEPS_PATH/include/" \
+ LD_LIBRARY_PATH="$FFMPEG_DEPS_PATH/lib/" \
+ ./autogen.sh --prefix="$FFMPEG_DEPS_PATH" --enable-static --disable-examples
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/vorbis
+./autogen.sh
+./configure --prefix="$FFMPEG_DEPS_PATH" --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/x264
+LDFLAGS="$CXXFLAGS $LDFLAGS" ./configure --prefix="$FFMPEG_DEPS_PATH" \
+ --enable-static
+make clean
+make -j$(nproc)
+make install
+
+cd $SRC/x265/build/linux
+cmake -G "Unix Makefiles" \
+ -DCMAKE_C_COMPILER=$CC -DCMAKE_CXX_COMPILER=$CXX \
+ -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" \
+ -DCMAKE_INSTALL_PREFIX="$FFMPEG_DEPS_PATH" -DENABLE_SHARED:bool=off \
+ ../../source
+make clean
+make -j$(nproc) x265-static
+make install
+
+# Remove shared libraries to avoid accidental linking against them.
+rm $FFMPEG_DEPS_PATH/lib/*.so
+rm $FFMPEG_DEPS_PATH/lib/*.so.*
+
+# Build the target.
+cd $SRC/ffmpeg
+PKG_CONFIG_PATH="$FFMPEG_DEPS_PATH/lib/pkgconfig" ./configure \
+ --cc=$CC --cxx=$CXX --ld="$CXX $CXXFLAGS -std=c++11" \
+ --extra-cflags="-I$FFMPEG_DEPS_PATH/include" \
+ --extra-ldflags="-L$FFMPEG_DEPS_PATH/lib" \
+ --prefix="$FFMPEG_DEPS_PATH" \
+ --pkg-config-flags="--static" \
+ --enable-gpl \
+ --enable-libass \
+ --enable-libfdk-aac \
+ --enable-libfreetype \
+ --enable-libmp3lame \
+ --enable-libopus \
+ --enable-libtheora \
+ --enable-libvorbis \
+ --enable-libvpx \
+ --enable-libx264 \
+ --enable-libx265 \
+ --enable-nonfree \
+ --disable-shared
+make clean
+make -j$(nproc) install
+
+# Download test sampes, will be used as seed corpus.
+export TEST_SAMPLES_PATH=$SRC/ffmpeg/fate-suite/
+make fate-rsync SAMPLES=$TEST_SAMPLES_PATH
+
+# Build the fuzzers.
+cd $SRC/ffmpeg
+
+export TEMP_VAR_CODEC="AV_CODEC_ID_H264"
+export TEMP_VAR_CODEC_TYPE="VIDEO"
+
+FFMPEG_FUZZERS_COMMON_FLAGS="-lfuzzer /usr/local/lib/libc++.a \
+ -L$FFMPEG_DEPS_PATH/lib \
+ -Llibavcodec -Llibavdevice -Llibavfilter -Llibavformat -Llibavresample \
+ -Llibavutil -Llibpostproc -Llibswscale -Llibswresample \
+ -Wl,--as-needed -Wl,-z,noexecstack -Wl,--warn-common \
+ -Wl,-rpath-link=libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil:libavresample \
+ -lavdevice -lavfilter -lavformat -lavcodec -lswresample -lswscale \
+ -lavutil -ldl -lxcb -lxcb-shm -lxcb -lxcb-xfixes -lxcb -lxcb-shape -lxcb \
+ -lX11 -lasound -lm -lbz2 -lz -pthread -lva-x11 -lXext -lXfixes \
+ -lx264 -lx265 -lvpx -lva -lvorbis -logg -lvorbisenc -lopus -lmp3lame \
+ -lfdk-aac -ltheora -ltheoraenc -ltheoradec -lvdpau -lva-drm -ldrm"
+
+# Build fuzzers for audio formats.
+CODEC_TYPE="AUDIO"
+CODEC_NAMES="AV_CODEC_ID_AAC \
+ AV_CODEC_ID_AC3 \
+ AV_CODEC_ID_ADPCM_ADX \
+ AV_CODEC_ID_AMR_NB \
+ AV_CODEC_ID_AMR_WB \
+ AV_CODEC_ID_DTS \
+ AV_CODEC_ID_EAC3 \
+ AV_CODEC_ID_FLAC \
+ AV_CODEC_ID_GSM_MS \
+ AV_CODEC_ID_MP2 \
+ AV_CODEC_ID_MP3 \
+ AV_CODEC_ID_QCELP \
+ AV_CODEC_ID_SIPR \
+ AV_CODEC_ID_WAVPACK"
+
+for codec in $CODEC_NAMES; do
+ fuzzer_name=ffmpeg_${CODEC_TYPE}_${codec}_fuzzer
+
+ $CC $CFLAGS -I${FFMPEG_DEPS_PATH}/include \
+ $SRC/ffmpeg/doc/examples/decoder_targeted.c \
+ -o $OUT/${fuzzer_name} \
+ -DFFMPEG_CODEC=${codec} -DFUZZ_FFMPEG_${CODEC_TYPE}= \
+ ${FFMPEG_FUZZERS_COMMON_FLAGS}
+
+ echo -en "[libfuzzer]\nmax_len = 1000000\n" > $OUT/${fuzzer_name}.options
+done
+
+# Build fuzzers for subtitles formats.
+CODEC_TYPE="SUBTITLE"
+CODEC_NAMES="AV_CODEC_ID_DVD_SUBTITLE \
+ AV_CODEC_ID_MOV_TEXT \
+ AV_CODEC_ID_SUBRIP"
+
+for codec in $CODEC_NAMES; do
+ fuzzer_name=ffmpeg_${CODEC_TYPE}_${codec}_fuzzer
+
+ $CC $CFLAGS -I${FFMPEG_DEPS_PATH}/include \
+ $SRC/ffmpeg/doc/examples/decoder_targeted.c \
+ -o $OUT/${fuzzer_name} \
+ -DFFMPEG_CODEC=${codec} -DFUZZ_FFMPEG_${CODEC_TYPE}= \
+ ${FFMPEG_FUZZERS_COMMON_FLAGS}
+done
+
+# Build fuzzers for video formats.
+CODEC_TYPE="VIDEO"
+CODEC_NAMES="AV_CODEC_ID_AMV \
+ AV_CODEC_ID_BINTEXT \
+ AV_CODEC_ID_BMP \
+ AV_CODEC_ID_CINEPAK \
+ AV_CODEC_ID_DVVIDEO \
+ AV_CODEC_ID_ESCAPE130 \
+ AV_CODEC_ID_FLIC \
+ AV_CODEC_ID_FLV1 \
+ AV_CODEC_ID_FRAPS \
+ AV_CODEC_ID_GIF \
+ AV_CODEC_ID_H263 \
+ AV_CODEC_ID_H263I \
+ AV_CODEC_ID_H264 \
+ AV_CODEC_ID_INDEO2 \
+ AV_CODEC_ID_INTERPLAY_VIDEO \
+ AV_CODEC_ID_JPEGLS \
+ AV_CODEC_ID_KMVC \
+ AV_CODEC_ID_MDEC \
+ AV_CODEC_ID_MJPEG \
+ AV_CODEC_ID_MPEG1VIDEO \
+ AV_CODEC_ID_MPEG2VIDEO \
+ AV_CODEC_ID_MPEG4 \
+ AV_CODEC_ID_MSVIDEO1 \
+ AV_CODEC_ID_PCX \
+ AV_CODEC_ID_PGM \
+ AV_CODEC_ID_PICTOR \
+ AV_CODEC_ID_PNG \
+ AV_CODEC_ID_RPZA \
+ AV_CODEC_ID_RV40 \
+ AV_CODEC_ID_SANM \
+ AV_CODEC_ID_SMC \
+ AV_CODEC_ID_SUNRAST \
+ AV_CODEC_ID_SVQ1 \
+ AV_CODEC_ID_SVQ3 \
+ AV_CODEC_ID_TARGA \
+ AV_CODEC_ID_TIFF \
+ AV_CODEC_ID_VP3 \
+ AV_CODEC_ID_VP5 \
+ AV_CODEC_ID_VP6 \
+ AV_CODEC_ID_VP6F \
+ AV_CODEC_ID_VP8 \
+ AV_CODEC_ID_ZMBV"
+
+for codec in $CODEC_NAMES; do
+ fuzzer_name=ffmpeg_${CODEC_TYPE}_${codec}_fuzzer
+
+ $CC $CFLAGS -I${FFMPEG_DEPS_PATH}/include \
+ $SRC/ffmpeg/doc/examples/decoder_targeted.c \
+ -o $OUT/${fuzzer_name} \
+ -DFFMPEG_CODEC=${codec} -DFUZZ_FFMPEG_${CODEC_TYPE}= \
+ ${FFMPEG_FUZZERS_COMMON_FLAGS}
+
+ echo -en "[libfuzzer]\nmax_len = 1000000\n" > $OUT/${fuzzer_name}.options
+done
+
+# Find relevant corpus in test samples and archive them for every fuzzer.
+cd $SRC
+python group_seed_corpus.py $TEST_SAMPLES_PATH $OUT/
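Review bot: The cleanup lines `rm $FFMPEG_DEPS_PATH/lib/*.so` and `rm $FFMPEG_DEPS_PATH/lib/*.so.*` run under `set -e`, so if either glob matches nothing (for instance once more dependencies are configured with `--disable-shared`) the literal pattern is passed to `rm`, the command fails, and the whole build aborts; `rm -f` expresses the intent and tolerates the empty case. The subtitle loop also writes no `.options` file, unlike the audio and video loops, so those targets run with libFuzzer's default `max_len`; moving the `echo -en "[libfuzzer]\nmax_len = 1000000\n" > $OUT/${fuzzer_name}.options` line into a small helper called from all three loops would keep them consistent. `make fate-rsync` pulls the seed corpus over the network at build time with no pinned revision or checksum, which is acceptable for seeds but deserves a comment so nobody mistakes it for a verified artifact.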
diff --git a/projects/ffmpeg/group_seed_corpus.py b/projects/ffmpeg/group_seed_corpus.py
new file mode 100755
index 00000000..1e1d51cd
--- /dev/null
+++ b/projects/ffmpeg/group_seed_corpus.py
@@ -0,0 +1,138 @@
+#!/usr/bin/env python
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+from __future__ import print_function
+import logging
+import os
+import re
+import sys
+import zipfile
+
+
+logging.basicConfig(level=logging.INFO, format='INFO: %(message)s')
+CODEC_NAME_REGEXP = re.compile(r'codec_id_(.+?)_fuzzer')
+
+
+def get_fuzzer_tags(fuzzer_name):
+ """Extract tags (are used to filter samples) from the given fuzzer name."""
+ tags = []
+ fuzzer_name = fuzzer_name.lower()
+ # All subtitle samples are in 'sub' directory, need to add 'sub' tag manually.
+ if 'subtitle' in fuzzer_name:
+ tags.append('sub')
+ m = CODEC_NAME_REGEXP.search(fuzzer_name)
+ if m:
+ codec_name = m.group(1)
+ # Some names are complex, need to split them and filter common strings.
+ codec_name_parts = codec_name.split('_')
+ for codec in codec_name_parts:
+ # Remove common strings from codec names like 'mpeg1video' or 'msvideo1'.
+ codec = codec.split('video')[0]
+ codec = codec.split('audio')[0]
+ codec = codec.split('subtitle')[0]
+ codec = codec.split('text')[0]
+ if codec:
+ # Some codec names have trailing characters: 'VP6F','FLV1', 'JPEGLS'.
+ # Use only first 3 characters for long enough codec names.
+ if len(codec) > 3:
+ tags.append(codec[:3])
+ else:
+ tags.append(codec)
+
+ return tags
+
+
+def parse_corpus(corpus_directory):
+ """Recursively list all files in the given directory and ignore checksums."""
+ all_corpus_files = []
+ for root, dirs, files in os.walk(corpus_directory):
+ for filename in files:
+ # Skip checksum files, they are useless in corpus.
+ if 'md5sum' in filename:
+ continue
+ path = os.path.join(root, filename)
+ all_corpus_files.append(path)
+
+ logging.info('Parsed %d corpus files from %s' % (len(all_corpus_files),
+ corpus_directory))
+ return all_corpus_files
+
+
+def parse_fuzzers(fuzzers_directory):
+ """Recursively list all fuzzers in the given directory."""
+ all_fuzzers = []
+ for filename in os.listdir(fuzzers_directory):
+ # Skip non-ffmpeg and non-fuzzer files in the given directory,
+ if not filename.startswith('ffmpeg_') or not filename.endswith('_fuzzer'):
+ continue
+ fuzzer_path = os.path.join(fuzzers_directory, filename)
+ all_fuzzers.append(fuzzer_path)
+
+ logging.info('Parsed %d fuzzers from %s' % (len(all_fuzzers),
+ fuzzers_directory))
+ return all_fuzzers
+
+
+def zip_relevant_corpus(corpus_files, fuzzers):
+ """Find relevant corpus files and archive them for every fuzzer given."""
+ for fuzzer in fuzzers:
+ fuzzer_name = os.path.basename(fuzzer)
+ fuzzer_directory = os.path.dirname(fuzzer)
+ fuzzer_tags = get_fuzzer_tags(fuzzer_name)
+ relevant_corpus_files = set()
+ for filename in corpus_files:
+ # Remove 'ffmpeg' substring to do not use everything for 'MPEG' codec.
+ sanitized_filename = filename.replace('ffmpeg', '').lower()
+ for tag in fuzzer_tags:
+ if tag in sanitized_filename:
+ relevant_corpus_files.add(filename)
+
+ if not relevant_corpus_files:
+ # Strip last symbol from tags if we haven't found relevant corpus.
+ # It helps for such codecs as 'RV40' ('RV4' -> 'RV') or 'PCX' (-> 'PC').
+ for tag in fuzzer_tags:
+ if tag[:-1] in sanitized_filename:
+ relevant_corpus_files.add(filename)
+
+ logging.info(
+ 'Found %d relevant samples for %s' % (len(relevant_corpus_files),
+ fuzzer_name))
+
+ if not relevant_corpus_files:
+ continue
+
+ zip_archive_name = fuzzer + "_seed_corpus.zip"
+ with zipfile.ZipFile(zip_archive_name, 'w') as archive:
+ for filename in relevant_corpus_files:
+ archive.write(filename)
+
+
+def main():
+ if len(sys.argv) < 3:
+ print('Usage: %s <seed_corpus_directory> <fuzzers_directory>' % __file__)
+ sys.exit(1)
+
+ seed_corpus_directory = sys.argv[1]
+ fuzzers_directory = sys.argv[2]
+
+ corpus_files = parse_corpus(seed_corpus_directory)
+ fuzzers = parse_fuzzers(fuzzers_directory)
+ zip_relevant_corpus(corpus_files, fuzzers)
+
+
+if __name__ == '__main__':
+ sys.exit(main())
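Review bot: The relaxed-tag fallback in `zip_relevant_corpus` sits inside the per-file loop and fires only while `relevant_corpus_files` is still empty, so which samples the shortened tags select depends on the order `os.walk` yields files: paths seen before the first strict match get the relaxed test, paths seen afterwards do not. The shortening is also unguarded — a two-character tag such as the `dv` derived from `dvvideo` becomes `d`, which matches nearly every path, and any shorter tag would become the empty string, which `in` accepts for every filename. A separate second pass after the strict pass, skipping tags that would shrink to nothing, keeps the selection deterministic. Separately, `archive.write(filename)` stores each sample under its full on-disk path inside the zip; passing `arcname=os.path.relpath(filename, corpus_root)` would keep the archive flat, though that needs the corpus root threaded through from `main`.
```python
  for fuzzer in fuzzers:
    # … unchanged: fuzzer_name, fuzzer_directory, fuzzer_tags …
    relevant_corpus_files = set()
    for filename in corpus_files:
      # Remove 'ffmpeg' substring to do not use everything for 'MPEG' codec.
      sanitized_filename = filename.replace('ffmpeg', '').lower()
      if any(tag in sanitized_filename for tag in fuzzer_tags):
        relevant_corpus_files.add(filename)

    if not relevant_corpus_files:
      # Second pass with shortened tags ('rv4' -> 'rv', 'pcx' -> 'pc'),
      # skipping any tag that would shrink to the empty string.
      relaxed_tags = [tag[:-1] for tag in fuzzer_tags if len(tag) > 1]
      for filename in corpus_files:
        sanitized_filename = filename.replace('ffmpeg', '').lower()
        if any(tag in sanitized_filename for tag in relaxed_tags):
          relevant_corpus_files.add(filename)
    # … unchanged: logging and zip creation …
```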
diff --git a/projects/ffmpeg/target.yaml b/projects/ffmpeg/target.yaml
new file mode 100644
index 00000000..1a0131c9
--- /dev/null
+++ b/projects/ffmpeg/target.yaml
@@ -0,0 +1 @@
+homepage: "https://www.ffmpeg.org/"
diff --git a/projects/file/Dockerfile b/projects/file/Dockerfile
new file mode 100644
index 00000000..663f9874
--- /dev/null
+++ b/projects/file/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mike.aizatsky@gmail.com
+RUN apt-get install -y make autoconf automake libtool shtool
+RUN git clone https://github.com/file/file.git
+WORKDIR file
+COPY build.sh magic_fuzzer.cc $SRC/
diff --git a/projects/file/build.sh b/projects/file/build.sh
new file mode 100755
index 00000000..6a5867a5
--- /dev/null
+++ b/projects/file/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+autoreconf -i
+./configure --enable-static
+make V=1 all
+
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+ $SRC/magic_fuzzer.cc -o $OUT/magic_fuzzer \
+ -lfuzzer ./src/.libs/libmagic.a
+
+cp ./magic/magic.mgc $OUT/
+
diff --git a/projects/file/magic_fuzzer.cc b/projects/file/magic_fuzzer.cc
new file mode 100644
index 00000000..1f5b5f09
--- /dev/null
+++ b/projects/file/magic_fuzzer.cc
@@ -0,0 +1,51 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <libgen.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string>
+
+#include <magic.h>
+
+struct Environment {
+ Environment(std::string data_dir) {
+ magic = magic_open(MAGIC_NONE);
+ std::string magic_path = data_dir + "/magic";
+ if (magic_load(magic, magic_path.c_str())) {
+ fprintf(stderr, "error loading magic file: %s\n", magic_error(magic));
+ exit(1);
+ }
+ }
+
+ magic_t magic;
+};
+
+static Environment* env;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+ char* exe_path = (*argv)[0];
+ char* dir = dirname(exe_path);
+ env = new Environment(dir);
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ if (size < 1)
+ return 0;
+ magic_buffer(env->magic, data, size);
+ return 0;
+}
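Review bot: `dirname()` is permitted to modify the string it is given, and `LLVMFuzzerInitialize` calls it directly on `(*argv)[0]`, so libFuzzer's own argv[0] may be left truncated to the directory after initialization; anything that later re-uses argv[0] (the `-jobs`/`-fork` re-exec path, for example) would then see the wrong executable path. Copy first: `std::string exe((*argv)[0]); env = new Environment(dirname(&exe[0]));`. `magic_open` can also return NULL, and the `Environment` constructor passes that straight to `magic_load`; a guard such as `if (!magic) { fputs("magic_open failed\n", stderr); exit(1); }` matches the existing load-failure handling. The loaded path ends in `/magic` while build.sh copies `magic.mgc` — presumably relying on libmagic appending the `.mgc` suffix itself — and a one-line comment stating that dependency would save the next reader a trip into libmagic.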
diff --git a/projects/file/target.yaml b/projects/file/target.yaml
new file mode 100644
index 00000000..a7ee8e58
--- /dev/null
+++ b/projects/file/target.yaml
@@ -0,0 +1,2 @@
+homepage: "http://www.darwinsys.com/file/"
+primary_contact: "emaste@freebsd.org"
diff --git a/projects/freetype2/Dockerfile b/projects/freetype2/Dockerfile
new file mode 100644
index 00000000..d324066d
--- /dev/null
+++ b/projects/freetype2/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mike.aizatsky@gmail.com
+RUN apt-get install -y make autoconf libtool libarchive-dev
+
+RUN git clone git://git.sv.nongnu.org/freetype/freetype2.git
+WORKDIR freetype2
+COPY build.sh $SRC/
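Review bot: The clone uses `git://git.sv.nongnu.org/freetype/freetype2.git`, an unauthenticated and unencrypted transport, and checks out an unpinned HEAD, so the image build cannot detect a tampered or substituted tree and is not reproducible. Prefer an https URL if the host offers one and pin a commit (`RUN git -C freetype2 checkout <sha>`) or at least record the tag being built. The apt packages are likewise unpinned, which is normal for this base image but worth remembering when reproducing a crash from an older build.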
diff --git a/projects/freetype2/build.sh b/projects/freetype2/build.sh
new file mode 100755
index 00000000..710f533d
--- /dev/null
+++ b/projects/freetype2/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eux
+#
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+./configure
+make -j$(nproc) clean all
+
+$CXX $CXXFLAGS -std=c++11 \
+ -I./include -I. \
+ ./src/tools/ftfuzzer/ftfuzzer.cc -o $OUT/ftfuzzer \
+ ./objs/*.o -lfuzzer \
+ /usr/lib/x86_64-linux-gnu/libarchive.a \
+ ./objs/.libs/libfreetype.a
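Review bot: `make -j$(nproc) clean all` hands GNU make two goals with parallelism enabled, and make may begin `all` while `clean` is still deleting objects, so the build can race against its own cleanup; split it into `make clean` followed by `make -j$(nproc) all`, as projects/expat/build.sh in this same commit does. The link line hard-codes `/usr/lib/x86_64-linux-gnu/libarchive.a`, which ties the target to one distro layout; `$(pkg-config --variable=libdir libarchive)/libarchive.a` resolves the same file without the fixed path. Linking both `./objs/*.o` and `./objs/.libs/libfreetype.a` is presumably intentional (tool objects plus the library), but a comment saying which objects the glob is meant to pick up would help whoever next sees a duplicate-symbol error here.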
diff --git a/projects/freetype2/target.yaml b/projects/freetype2/target.yaml
new file mode 100644
index 00000000..46400ddf
--- /dev/null
+++ b/projects/freetype2/target.yaml
@@ -0,0 +1 @@
+homepage: "https://www.freetype.org/"
diff --git a/projects/harfbuzz/Dockerfile b/projects/harfbuzz/Dockerfile
new file mode 100644
index 00000000..19bbb9d9
--- /dev/null
+++ b/projects/harfbuzz/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool ragel pkg-config
+
+RUN git clone https://anongit.freedesktop.org/git/harfbuzz.git
+WORKDIR harfbuzz
+COPY build.sh harfbuzz_fuzzer.cc $SRC/
diff --git a/projects/harfbuzz/build.sh b/projects/harfbuzz/build.sh
new file mode 100755
index 00000000..463234a0
--- /dev/null
+++ b/projects/harfbuzz/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build the library.
+./autogen.sh
+./configure
+make -j$(nproc) clean all
+
+$CXX $CXXFLAGS -std=c++11 -Isrc \
+ $SRC/harfbuzz_fuzzer.cc -o $OUT/harfbuzz_fuzzer \
+ -lfuzzer src/.libs/*.o src/hb-ucdn/.libs/*.o
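Review bot: The same `make -j$(nproc) clean all` pattern appears here: with `-j`, make may start building `all` while `clean` is still removing files, so use `make clean` and then `make -j$(nproc) all` as projects/expat/build.sh does. The link step globs `src/.libs/*.o` and `src/hb-ucdn/.libs/*.o` rather than linking an archive, which pulls in every object libtool produced in those directories; if the tree ever gains objects with conflicting definitions the link fails with duplicate symbols, so either link the static archive libtool presumably produces under `src/.libs/` or add a one-line comment explaining why the raw objects are preferred.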
diff --git a/projects/harfbuzz/harfbuzz_fuzzer.cc b/projects/harfbuzz/harfbuzz_fuzzer.cc
new file mode 100644
index 00000000..771c9b2c
--- /dev/null
+++ b/projects/harfbuzz/harfbuzz_fuzzer.cc
@@ -0,0 +1,46 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <hb.h>
+#include <hb-ot.h>
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ const char* dataPtr = reinterpret_cast<const char*>(data);
+ hb_blob_t* blob = hb_blob_create(dataPtr, size, HB_MEMORY_MODE_READONLY, NULL,
+ NULL);
+ hb_face_t* face = hb_face_create(blob, 0);
+ hb_font_t* font = hb_font_create(face);
+ hb_ot_font_set_funcs(font);
+ hb_font_set_scale(font, 12, 12);
+
+ {
+ const char text[] = "ABCDEXYZ123@_%&)*$!";
+ hb_buffer_t* buffer = hb_buffer_create();
+ hb_buffer_add_utf8(buffer, text, -1, 0, -1);
+ hb_buffer_guess_segment_properties(buffer);
+ hb_shape(font, buffer, NULL, 0);
+ hb_buffer_destroy(buffer);
+ }
+
+ uint32_t text32[16] = { 0 };
+ if (size > sizeof(text32)) {
+ memcpy(text32, data + size - sizeof(text32), sizeof(text32));
+ hb_buffer_t* buffer = hb_buffer_create();
+ size_t text32len = sizeof(text32) / sizeof(text32[0]);
+ hb_buffer_add_utf32(buffer, text32, text32len, 0, -1);
+ hb_buffer_guess_segment_properties(buffer);
+ hb_shape(font, buffer, NULL, 0);
+ hb_buffer_destroy(buffer);
+ }
+
+ hb_font_destroy(font);
+ hb_face_destroy(face);
+ hb_blob_destroy(blob);
+ return 0;
+}
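Review bot: The second shaping pass copies the last 64 bytes of the font blob into `text32` and shapes them as UTF-32 with no comment, which reads like a bug to anyone unfamiliar with the fuzzer; a comment such as `// Reuse the tail of the input as arbitrary UTF-32 code points so the shaper also sees input-derived text, not only the fixed ASCII string.` would record the intent. `hb_blob_create` takes an `unsigned int` length while `size` is a `size_t`, so the call narrows implicitly — harmless at fuzzing sizes, but an explicit cast (or an early `return 0` for `size > UINT_MAX`) makes the assumption visible.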
diff --git a/projects/harfbuzz/target.yaml b/projects/harfbuzz/target.yaml
new file mode 100644
index 00000000..6af32a01
--- /dev/null
+++ b/projects/harfbuzz/target.yaml
@@ -0,0 +1 @@
+homepage: "http://www.harfbuzz.org/"
diff --git a/projects/icu/Dockerfile b/projects/icu/Dockerfile
new file mode 100644
index 00000000..e420bc5b
--- /dev/null
+++ b/projects/icu/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mike.aizatsky@gmail.com
+RUN apt-get install -y make
+
+RUN svn co http://source.icu-project.org/repos/icu/trunk/icu4c/ icu
+COPY build.sh *.cc *.h *.dict *.options $SRC/
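Review bot: `svn co http://source.icu-project.org/repos/icu/trunk/icu4c/ icu` fetches the sources over plain HTTP with no revision pinned, so the checkout can be altered in transit and cannot be reproduced later; use https and pass `-r <rev>` (or check out a release under `tags/`) so a crash can be tied to a known tree. The `COPY build.sh *.cc *.h *.dict *.options $SRC/` line presumably requires every glob to match at least one file in the build context, so dropping the last `.dict` or `.options` file from the directory would break the image build — worth a comment next to it.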
diff --git a/projects/icu/break_iterator_fuzzer.cc b/projects/icu/break_iterator_fuzzer.cc
new file mode 100644
index 00000000..143a74da
--- /dev/null
+++ b/projects/icu/break_iterator_fuzzer.cc
@@ -0,0 +1,46 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include "fuzzer_utils.h"
+#include "unicode/brkiter.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UErrorCode status = U_ZERO_ERROR;
+ icu::UnicodeString str(UnicodeStringFromUtf8(data, size));
+
+ auto rng = CreateRng(data, size);
+ const icu::Locale& locale = GetRandomLocale(&rng);
+
+ std::unique_ptr<icu::BreakIterator> bi;
+
+ switch (rng() % 5) {
+ case 0:
+ bi.reset(icu::BreakIterator::createWordInstance(locale, status));
+ break;
+ case 1:
+ bi.reset(icu::BreakIterator::createLineInstance(locale, status));
+ break;
+ case 2:
+ bi.reset(icu::BreakIterator::createCharacterInstance(locale, status));
+ break;
+ case 3:
+ bi.reset(icu::BreakIterator::createSentenceInstance(locale, status));
+ break;
+ case 4:
+ bi.reset(icu::BreakIterator::createTitleInstance(locale, status));
+ break;
+ }
+ if (U_FAILURE(status)) return 0;
+
+ for (int32_t p = bi->first(); p != icu::BreakIterator::DONE; p = bi->next())
+ if (U_FAILURE(status)) return 0;
+
+ return 0;
+}
+
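Review bot: `str` is built from the fuzz input but never handed to the iterator — there is no `bi->setText(str);` before the loop — so `first()`/`next()` walk an empty text and the input only influences the locale and iterator-kind choice through the RNG. Add `bi->setText(str);` immediately after the `if (U_FAILURE(status)) return 0;` check. The `U_FAILURE(status)` test inside the loop is also dead, since nothing in the loop body writes `status`; drop it or leave a comment explaining why it is kept.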
diff --git a/projects/icu/break_iterator_utf32_fuzzer.cc b/projects/icu/break_iterator_utf32_fuzzer.cc
new file mode 100644
index 00000000..544e5f6d
--- /dev/null
+++ b/projects/icu/break_iterator_utf32_fuzzer.cc
@@ -0,0 +1,47 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include "fuzzer_utils.h"
+#include "unicode/brkiter.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UErrorCode status = U_ZERO_ERROR;
+ icu::UnicodeString str(UnicodeStringFromUtf32(data, size));
+
+ auto rng = CreateRng(data, size);
+ const icu::Locale& locale = GetRandomLocale(&rng);
+
+ std::unique_ptr<icu::BreakIterator> bi;
+
+ switch (rng() % 5) {
+ case 0:
+ bi.reset(icu::BreakIterator::createWordInstance(locale, status));
+ break;
+ case 1:
+ bi.reset(icu::BreakIterator::createLineInstance(locale, status));
+ break;
+ case 2:
+ bi.reset(icu::BreakIterator::createCharacterInstance(locale, status));
+ break;
+ case 3:
+ bi.reset(icu::BreakIterator::createSentenceInstance(locale, status));
+ break;
+ case 4:
+ bi.reset(icu::BreakIterator::createTitleInstance(locale, status));
+ break;
+ }
+ if (U_FAILURE(status))
+ return 0;
+
+ for (int32_t p = bi->first(); p != icu::BreakIterator::DONE; p = bi->next())
+ if (U_FAILURE(status))
+ return 0;
+
+ return 0;
+}
diff --git a/projects/icu/build.sh b/projects/icu/build.sh
new file mode 100755
index 00000000..9cca5484
--- /dev/null
+++ b/projects/icu/build.sh
@@ -0,0 +1,48 @@
+#!/bin/bash -eux
+#
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir $WORK/icu
+cd $WORK/icu
+
+# TODO: icu build failes without -DU_USE_STRTOD_L=0
+DEFINES="-DU_CHARSET_IS_UTF8=1 -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DU_USE_STRTOD_L=0"
+CFLAGS="$CFLAGS $DEFINES"
+CXXFLAGS="$CXXFLAGS $DEFINES"
+
+CFLAGS=$CFLAGS CXXFLAGS=$CXXFLAGS CC=$CC CXX=$CXX \
+ /bin/bash $SRC/icu/source/runConfigureICU Linux \
+ --with-library-bits=64 --with-data-packaging=static --enable-static --disable-shared
+
+make -j$(nproc)
+
+FUZZERS="break_iterator_fuzzer \
+ break_iterator_utf32_fuzzer \
+ converter_fuzzer \
+ number_format_fuzzer \
+ ucasemap_fuzzer \
+ unicode_string_codepage_create_fuzzer \
+ uregex_open_fuzzer
+ "
+for fuzzer in $FUZZERS; do
+ $CXX $CXXFLAGS -std=c++11 \
+ $SRC/$fuzzer.cc -o $OUT/$fuzzer \
+ -I$SRC/icu/source/common -I$SRC/icu/source/i18n -L$WORK/icu/lib \
+ -lfuzzer -licui18n -licuuc -licutu -licudata
+done
+
+cp $SRC/*.dict $SRC/*.options $OUT/
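Review bot: `mkdir $WORK/icu` near the top of build.sh fails under `-e` if the directory already exists (a re-run in the same container), aborting the build before configure; `mkdir -p $WORK/icu` is the usual form. The TODO comment above `DEFINES` has a typo, `failes` should read `fails`.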
diff --git a/projects/icu/converter_fuzzer.cc b/projects/icu/converter_fuzzer.cc
new file mode 100644
index 00000000..cfbdebf6
--- /dev/null
+++ b/projects/icu/converter_fuzzer.cc
@@ -0,0 +1,45 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <algorithm>
+#include <array>
+#include <memory>
+#include <vector>
+
+#include "fuzzer_utils.h"
+#include "unicode/unistr.h"
+#include "unicode/ucnv.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+template <typename T>
+using deleted_unique_ptr = std::unique_ptr<T, std::function<void(T*)>>;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UErrorCode status = U_ZERO_ERROR;
+ auto rng = CreateRng(data, size);
+ icu::UnicodeString str(UnicodeStringFromUtf8(data, size));
+
+ const char* converter_name =
+ ucnv_getAvailableName(rng() % ucnv_countAvailable());
+
+ deleted_unique_ptr<UConverter> converter(ucnv_open(converter_name, &status),
+ &ucnv_close);
+
+ if (U_FAILURE(status))
+ return 0;
+
+ static const size_t dest_buffer_size = 1024 * 1204;
+ static const std::unique_ptr<char[]> dest_buffer(new char[dest_buffer_size]);
+
+ str.extract(dest_buffer.get(), dest_buffer_size, converter.get(), status);
+
+ if (U_FAILURE(status))
+ return 0;
+
+ return 0;
+}
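Review bot: `deleted_unique_ptr` is defined in terms of `std::function`, but `<functional>` is not among the includes; it compiles only if an ICU or libstdc++ header pulls it in transitively, so add `#include <functional>`. ucasemap_fuzzer.cc has the same alias and the same missing include. `static const size_t dest_buffer_size = 1024 * 1204;` looks like a typo for `1024 * 1024`; it is harmless for correctness, but worth fixing or commenting so the next reader does not wonder. If `ucnv_countAvailable()` ever returned 0 the `rng() % ...` would divide by zero; a one-line guard before it, `if (ucnv_countAvailable() == 0) return 0;`, documents the assumption.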
diff --git a/projects/icu/fuzzer_utils.h b/projects/icu/fuzzer_utils.h
new file mode 100644
index 00000000..d879bc39
--- /dev/null
+++ b/projects/icu/fuzzer_utils.h
@@ -0,0 +1,53 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef FUZZER_UTILS_H_
+#define FUZZER_UTILS_H_
+
+#include <assert.h>
+#include <algorithm>
+#include <random>
+
+#include "unicode/locid.h"
+#include "unicode/uchar.h"
+
+struct IcuEnvironment {
+ IcuEnvironment() {
+ // nothing to initialize yet;
+ }
+};
+
+// Create RNG and seed it from data.
+std::mt19937_64 CreateRng(const uint8_t* data, size_t size) {
+ std::mt19937_64 rng;
+ std::string str = std::string(reinterpret_cast<const char*>(data), size);
+ std::size_t data_hash = std::hash<std::string>()(str);
+ rng.seed(data_hash);
+ return rng;
+}
+
+const icu::Locale& GetRandomLocale(std::mt19937_64* rng) {
+ int32_t num_locales = 0;
+ const icu::Locale* locales = icu::Locale::getAvailableLocales(num_locales);
+ assert(num_locales > 0);
+ return locales[(*rng)() % num_locales];
+}
+
+icu::UnicodeString UnicodeStringFromUtf8(const uint8_t* data, size_t size) {
+ return icu::UnicodeString::fromUTF8(
+ icu::StringPiece(reinterpret_cast<const char*>(data), size));
+}
+
+icu::UnicodeString UnicodeStringFromUtf32(const uint8_t* data, size_t size) {
+ std::vector<UChar32> uchars;
+ uchars.resize(size * sizeof(uint8_t) / (sizeof(UChar32)));
+ memcpy(uchars.data(), data, uchars.size() * sizeof(UChar32));
+ for (size_t i = 0; i < uchars.size(); ++i) {
+ uchars[i] = std::min(uchars[i], UCHAR_MAX_VALUE);
+ }
+
+ return icu::UnicodeString::fromUTF32(uchars.data(), uchars.size());
+}
+
+#endif // FUZZER_UTILS_H_
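Review bot: `CreateRng`, `GetRandomLocale`, `UnicodeStringFromUtf8` and `UnicodeStringFromUtf32` are defined in a header with external linkage; that works while every fuzzer is a single translation unit, but it violates the ODR as soon as two TUs include fuzzer_utils.h, so they should be marked `inline` (or `static`). The header also uses `std::string`, `std::hash`, `std::vector`, `memcpy` and `uint8_t` without including `<string>`, `<functional>`, `<vector>`, `<cstring>` or `<stdint.h>`, relying on the ICU headers to pull them in. In `GetRandomLocale` the `assert(num_locales > 0)` disappears under NDEBUG, leaving a modulo by zero if ICU reports no locales; an explicit `if (num_locales <= 0) return icu::Locale::getDefault();` keeps the guard in all builds. In `UnicodeStringFromUtf32`, `size * sizeof(uint8_t)` is just `size` and the `std::min` clamp lets negative `UChar32` values through unchanged; presumably `fromUTF32` replaces those with U+FFFD, but a comment stating that expectation would help.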
diff --git a/projects/icu/number_format_fuzzer.cc b/projects/icu/number_format_fuzzer.cc
new file mode 100644
index 00000000..88df77b7
--- /dev/null
+++ b/projects/icu/number_format_fuzzer.cc
@@ -0,0 +1,30 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Fuzzer for NumberFormat::parse.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include "fuzzer_utils.h"
+#include "unicode/numfmt.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UErrorCode status = U_ZERO_ERROR;
+
+ auto rng = CreateRng(data, size);
+ const icu::Locale& locale = GetRandomLocale(&rng);
+
+ std::unique_ptr<icu::NumberFormat> fmt(
+ icu::NumberFormat::createInstance(locale, status));
+ if (U_FAILURE(status)) return 0;
+
+ icu::UnicodeString str(UnicodeStringFromUtf8(data, size));
+ icu::Formattable result;
+ fmt->parse(str, result, status);
+
+ return 0;
+}
diff --git a/projects/icu/regex.dict b/projects/icu/regex.dict
new file mode 100644
index 00000000..b0456e6d
--- /dev/null
+++ b/projects/icu/regex.dict
@@ -0,0 +1,103 @@
+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"\\a"
+"\\A"
+"\\b"
+"\\B"
+"\\cX"
+"\\cC"
+"\\cZ"
+"\\d"
+"\\D"
+"\\e"
+"\\u001B"
+"\\E"
+"\\f"
+"\\u000C"
+"\\G"
+"\\h"
+"\\u0009"
+"\\H"
+"\\k"
+"\\n"
+"\\N"
+"\\p"
+"\\P"
+"{"
+"}"
+"\\Q"
+"\\r"
+"\\u000D"
+"\\R"
+"\\u000a"
+"\\u000b"
+"\\u000c"
+"\\u000d"
+"\\u0085"
+"\\u2028"
+"\\u2029"
+"\\s"
+"[\\t\\n\\f\\r\\p{Z}]"
+"\\S"
+"\\t"
+"\\u0009"
+"\\u"
+"\\uf0ff"
+"\\U"
+"\\U0010ffff."
+"\\v"
+"\\V"
+"\\w"
+"\\W"
+"\\x"
+"\\xhh"
+"\\X"
+"\\Z"
+"\\z"
+"\\n"
+"\\0"
+"\\0ooo"
+"."
+"^"
+"$"
+"\\"
+"|"
+"*"
+"+"
+"?"
+","
+"*?"
+"+?"
+"??"
+"*+"
+"++"
+"?+"
+"("
+"(?:"
+"(?>"
+"(?#"
+"(?="
+"(?!"
+"(?<="
+"(?<!"
+"(?"
+"-"
+")"
+":"
+"(?ismwx-ismwx:"
+"(?ismwx-ismwx)"
+"(?i)"
+"["
+"]"
+"[\\u0000-\\U0010ffff]"
+"[:script=Greek:]"
+"{script=Greek}"
+"gC"
+"sc"
+"scx"
+"WB"
+"Nd"
+"d"
+"MN"
diff --git a/projects/icu/target.yaml b/projects/icu/target.yaml
new file mode 100644
index 00000000..288124f8
--- /dev/null
+++ b/projects/icu/target.yaml
@@ -0,0 +1 @@
+homepage: "http://site.icu-project.org/"
diff --git a/projects/icu/ucasemap_fuzzer.cc b/projects/icu/ucasemap_fuzzer.cc
new file mode 100644
index 00000000..32ff8c4c
--- /dev/null
+++ b/projects/icu/ucasemap_fuzzer.cc
@@ -0,0 +1,53 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Fuzzer for ucasemap.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include "fuzzer_utils.h"
+#include "unicode/ucasemap.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+template<typename T>
+using deleted_unique_ptr = std::unique_ptr<T,std::function<void(T*)>>;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UErrorCode status = U_ZERO_ERROR;
+
+ auto rng = CreateRng(data, size);
+ const icu::Locale& locale = GetRandomLocale(&rng);
+ uint32_t open_flags = static_cast<uint32_t>(rng());
+
+ deleted_unique_ptr<UCaseMap> csm(
+ ucasemap_open(locale.getName(), open_flags, &status),
+ [](UCaseMap* map) { ucasemap_close(map); });
+
+ if (U_FAILURE(status))
+ return 0;
+
+ int32_t dst_size = size * 2;
+ std::unique_ptr<char[]> dst(new char[dst_size]);
+ auto src = reinterpret_cast<const char*>(data);
+
+ switch (rng() % 4) {
+ case 0: ucasemap_utf8ToLower(csm.get(), dst.get(), dst_size, src, size,
+ &status);
+ break;
+ case 1: ucasemap_utf8ToUpper(csm.get(), dst.get(), dst_size, src, size,
+ &status);
+ break;
+ case 2: ucasemap_utf8ToTitle(csm.get(), dst.get(), dst_size, src, size,
+ &status);
+ break;
+ case 3: ucasemap_utf8FoldCase(csm.get(), dst.get(), dst_size, src, size,
+ &status);
+ break;
+ }
+
+ return 0;
+}
+
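Review bot: `int32_t dst_size = size * 2;` narrows a `size_t` into `int32_t` without a check; with libFuzzer's default max_len it cannot overflow, but the assumption is implicit and the same `size` is passed as `int32_t srcLength` to the `ucasemap_utf8To*` calls. A guard such as `if (size > INT32_MAX / 2) return 0;` before the allocation, plus `static_cast<int32_t>(size)` at the call sites, makes the contract explicit. `<functional>` is needed for the `std::function` in `deleted_unique_ptr` (see converter_fuzzer.cc).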
diff --git a/projects/icu/unicode_string_codepage_create_fuzzer.cc b/projects/icu/unicode_string_codepage_create_fuzzer.cc
new file mode 100644
index 00000000..bb0489ca
--- /dev/null
+++ b/projects/icu/unicode_string_codepage_create_fuzzer.cc
@@ -0,0 +1,73 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <algorithm>
+#include <array>
+#include <vector>
+
+#include "fuzzer_utils.h"
+#include "unicode/unistr.h"
+
+// Taken from third_party/icu/source/data/mappings/convrtrs.txt file.
+static const std::array<const char*, 45> kConverters = {
+ {
+ "UTF-8",
+ "utf-16be",
+ "utf-16le",
+ "UTF-32",
+ "UTF-32BE",
+ "UTF-32LE",
+ "ibm866-html",
+ "iso-8859-2-html",
+ "iso-8859-3-html",
+ "iso-8859-4-html",
+ "iso-8859-5-html",
+ "iso-8859-6-html",
+ "iso-8859-7-html",
+ "iso-8859-8-html",
+ "ISO-8859-8-I",
+ "iso-8859-10-html",
+ "iso-8859-13-html",
+ "iso-8859-14-html",
+ "iso-8859-15-html",
+ "iso-8859-16-html",
+ "koi8-r-html",
+ "koi8-u-html",
+ "macintosh-html",
+ "windows-874-html",
+ "windows-1250-html",
+ "windows-1251-html",
+ "windows-1252-html",
+ "windows-1253-html",
+ "windows-1254-html",
+ "windows-1255-html",
+ "windows-1256-html",
+ "windows-1257-html",
+ "windows-1258-html",
+ "x-mac-cyrillic-html",
+ "windows-936-2000",
+ "gb18030",
+ "big5-html",
+ "euc-jp-html",
+ "ISO_2022,locale=ja,version=0",
+ "shift_jis-html",
+ "euc-kr-html",
+ "ISO-2022-KR",
+ "ISO-2022-CN",
+ "ISO-2022-CN-EXT",
+ "HZ-GB-2312"
+ }
+};
+
+IcuEnvironment* env = new IcuEnvironment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto rng = CreateRng(data, size);
+ icu::UnicodeString str(reinterpret_cast<const char*>(data), size,
+ kConverters[rng() % kConverters.size()]);
+ return 0;
+}
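Review bot: `<algorithm>` and `<vector>` are included but nothing in this file uses them; only `<array>` is needed for `kConverters`. The `icu::UnicodeString(const char*, int32_t, const char*)` constructor receives `size` as `size_t`, an implicit narrowing; `static_cast<int32_t>(size)` documents it. The header comment "Taken from third_party/icu/..." refers to a Chromium tree path that does not exist in this repository; pointing at `source/data/mappings/convrtrs.txt` in the ICU checkout would be less confusing.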
diff --git a/projects/icu/uregex_open_fuzzer.cc b/projects/icu/uregex_open_fuzzer.cc
new file mode 100644
index 00000000..7e2744c6
--- /dev/null
+++ b/projects/icu/uregex_open_fuzzer.cc
@@ -0,0 +1,23 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "fuzzer_utils.h"
+#include "unicode/regex.h"
+
+IcuEnvironment* env = new IcuEnvironment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ UParseError pe = { 0 };
+ UErrorCode status = U_ZERO_ERROR;
+ URegularExpression* re = uregex_open(reinterpret_cast<const UChar*>(data),
+ static_cast<int>(size) / sizeof(UChar),
+ 0, &pe, &status);
+ if (re)
+ uregex_close(re);
+
+ return 0;
+}
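Review bot: `reinterpret_cast<const UChar*>(data)` reads the byte buffer as 16-bit units, which is undefined behaviour when `data` is not 2-byte aligned; libFuzzer's buffer is heap-allocated and aligned in practice, but a copy into a properly typed vector removes the dependency and also keeps UBSan quiet. With `<vector>` and `<string.h>` included: `std::vector<UChar> pat(size / sizeof(UChar));` `memcpy(pat.data(), data, pat.size() * sizeof(UChar));` and then `uregex_open(pat.data(), static_cast<int32_t>(pat.size()), 0, &pe, &status)`. The expression `static_cast<int>(size) / sizeof(UChar)` mixes a signed cast with a `size_t` divisor and ends up `size_t` anyway; `size / sizeof(UChar)` is clearer.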
diff --git a/projects/icu/uregex_open_fuzzer.options b/projects/icu/uregex_open_fuzzer.options
new file mode 100644
index 00000000..0e5d596d
--- /dev/null
+++ b/projects/icu/uregex_open_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = regex.dict
diff --git a/projects/json/Dockerfile b/projects/json/Dockerfile
new file mode 100644
index 00000000..3d5c6c1a
--- /dev/null
+++ b/projects/json/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER vitalybuka@gmail.com
+RUN apt-get install -y binutils gcc
+
+RUN git clone https://github.com/nlohmann/json.git
+WORKDIR json/
+COPY build.sh parse_fuzzer.* $SRC/
diff --git a/projects/json/build.sh b/projects/json/build.sh
new file mode 100755
index 00000000..304b7320
--- /dev/null
+++ b/projects/json/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+ $SRC/parse_fuzzer.cc -o $OUT/parse_fuzzer \
+ -lfuzzer
+
+cp $SRC/*.options $OUT/
diff --git a/projects/json/parse_fuzzer.cc b/projects/json/parse_fuzzer.cc
new file mode 100644
index 00000000..bb8b3d37
--- /dev/null
+++ b/projects/json/parse_fuzzer.cc
@@ -0,0 +1,36 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <iostream>
+#include <sstream>
+#include <json.hpp>
+
+using json = nlohmann::json;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ try {
+ std::stringstream s;
+ s << json::parse(data, data + size);
+ try {
+ auto j = json::parse(s.str());
+ std::stringstream s2;
+ s2 << j;
+ assert(s.str() == s2.str());
+ assert(j == json::parse(s.str()));
+ } catch (const std::invalid_argument&) {
+ assert(0);
+ }
+ } catch (const std::invalid_argument&) { }
+ return 0;
+}
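Review bot: `assert` is used for the round-trip checks but `<cassert>` is not included, and `uint8_t`/`size_t` are used without `<cstdint>`/`<cstddef>`. More importantly, if `CXXFLAGS` ever carries `-DNDEBUG` the three asserts vanish: the serialization comparisons become no-ops and `assert(0)` in the inner `catch` turns into a silent swallow, so the fuzzer silently stops detecting round-trip bugs. Either add `#undef NDEBUG` before `#include <cassert>` or replace them with explicit `if (...) abort();` checks. Only `std::invalid_argument` is caught, so any other exception type from `json::parse` aborts the process; presumably that is intended as a crash signal, and a short comment saying so would save a future reader the question.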
diff --git a/projects/json/parse_fuzzer.options b/projects/json/parse_fuzzer.options
new file mode 100644
index 00000000..393dd174
--- /dev/null
+++ b/projects/json/parse_fuzzer.options
@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 456
+timeout = 10
diff --git a/projects/json/target.yaml b/projects/json/target.yaml
new file mode 100644
index 00000000..e5c6f8c3
--- /dev/null
+++ b/projects/json/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/nlohmann/json"
diff --git a/projects/lcms/Dockerfile b/projects/lcms/Dockerfile
new file mode 100644
index 00000000..85d94ee5
--- /dev/null
+++ b/projects/lcms/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcwu@google.com
+RUN apt-get install -y make autoconf automake libtool
+RUN git clone https://github.com/mm2/Little-CMS.git lcms
+WORKDIR lcms
+COPY build.sh cmsIT8_load_fuzzer.* cms_transform_fuzzer.* icc.dict $SRC/
diff --git a/projects/lcms/build.sh b/projects/lcms/build.sh
new file mode 100755
index 00000000..6591267b
--- /dev/null
+++ b/projects/lcms/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build the target.
+./configure
+make -j$(nproc) all
+
+# build your fuzzer(s)
+FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer"
+for F in $FUZZERS; do
+ $CC $CFLAGS -c -Iinclude \
+ $SRC/$F.c -o $SRC/$F.o
+ $CXX $CXXFLAGS \
+ $SRC/$F.o -o $OUT/$F \
+ -lfuzzer src/.libs/liblcms2.a
+done
+
+cp $SRC/icc.dict $SRC/*.options $OUT/
diff --git a/projects/lcms/cmsIT8_load_fuzzer.c b/projects/lcms/cmsIT8_load_fuzzer.c
new file mode 100644
index 00000000..b336eaff
--- /dev/null
+++ b/projects/lcms/cmsIT8_load_fuzzer.c
@@ -0,0 +1,31 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include <stdint.h>
+
+#include "lcms2.h"
+
+// The main sink
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size == 0)
+ return 0;
+
+ cmsHANDLE handle = cmsIT8LoadFromMem(0, (void *)data, size);
+ if (handle)
+ cmsIT8Free(handle);
+
+ return 0;
+}
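Review bot: `(void *)data` casts away `const` on the libFuzzer input buffer; if `cmsIT8LoadFromMem` writes through its `Ptr` argument this corrupts the fuzzer's own buffer, so confirm against the lcms2.h prototype and, if the library only reads it, keep the cast but note that in a comment. `size` is passed where a `cmsUInt32Number` is expected, an implicit narrowing from `size_t`; `(cmsUInt32Number)size` with a `if (size > UINT32_MAX) return 0;` guard makes it explicit. `size_t` is used but only `<stdint.h>` is included; add `<stddef.h>`.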
diff --git a/projects/lcms/cmsIT8_load_fuzzer.options b/projects/lcms/cmsIT8_load_fuzzer.options
new file mode 100644
index 00000000..beabdc2b
--- /dev/null
+++ b/projects/lcms/cmsIT8_load_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = icc.dict
diff --git a/projects/lcms/cms_transform_fuzzer.c b/projects/lcms/cms_transform_fuzzer.c
new file mode 100644
index 00000000..6653f61d
--- /dev/null
+++ b/projects/lcms/cms_transform_fuzzer.c
@@ -0,0 +1,50 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <stdint.h>
+
+#include "lcms2.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size);
+ if (!srcProfile) return 0;
+
+ cmsHPROFILE dstProfile = cmsCreate_sRGBProfile();
+ if (!dstProfile) {
+ cmsCloseProfile(srcProfile);
+ return 0;
+ }
+
+ cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile);
+ cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS);
+ cmsUInt32Number srcFormat;
+ if (srcCS == cmsSigLabData) {
+ srcFormat =
+ COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0);
+ } else {
+ srcFormat =
+ COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1);
+ }
+
+ cmsUInt32Number intent = 0;
+ cmsUInt32Number flags = 0;
+ cmsHTRANSFORM hTransform = cmsCreateTransform(
+ srcProfile, srcFormat, dstProfile, TYPE_BGR_8, intent, flags);
+ cmsCloseProfile(srcProfile);
+ cmsCloseProfile(dstProfile);
+ if (!hTransform) return 0;
+
+ uint8_t output[4];
+ if (T_BYTES(srcFormat) == 0) { // 0 means double
+ double input[nSrcComponents];
+ for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f;
+ cmsDoTransform(hTransform, input, output, 1);
+ } else {
+ uint8_t input[nSrcComponents];
+ for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 128;
+ cmsDoTransform(hTransform, input, output, 1);
+ }
+ cmsDeleteTransform(hTransform);
+
+ return 0;
+}
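Review bot: `double input[nSrcComponents]` and `uint8_t input[nSrcComponents]` are VLAs sized by a value derived from the fuzzed profile via `cmsChannelsOf`; a zero-length VLA is undefined behaviour, and the stack size depends on library output rather than a known bound. Unless `cmsChannelsOf` is guaranteed never to return 0, replace them with fixed arrays and bound the count up front: `if (nSrcComponents == 0 || nSrcComponents > cmsMAXCHANNELS) { cmsCloseProfile(srcProfile); cmsCloseProfile(dstProfile); return 0; }` before `cmsCreateTransform`, then `double input[cmsMAXCHANNELS];` and `uint8_t input[cmsMAXCHANNELS];`. `cmsOpenProfileFromMem` also receives `size` as a `cmsUInt32Number`, an implicit narrowing from `size_t`. `size_t` is used without `<stddef.h>`.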
diff --git a/projects/lcms/cms_transform_fuzzer.options b/projects/lcms/cms_transform_fuzzer.options
new file mode 100644
index 00000000..beabdc2b
--- /dev/null
+++ b/projects/lcms/cms_transform_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = icc.dict
diff --git a/projects/lcms/icc.dict b/projects/lcms/icc.dict
new file mode 100644
index 00000000..f21711ce
--- /dev/null
+++ b/projects/lcms/icc.dict
@@ -0,0 +1,251 @@
+# Fuzzing dictionary for icc
+# Extracted from lcms2.h of Little-CMS project 2.8.
+
+magic="acsp"
+sig="lcms"
+
+# Base ICC type definitions
+"chrm"
+"clro"
+"clrt"
+"crdi"
+"curv"
+"data"
+"dict"
+"dtim"
+"devs"
+"mft2"
+"mft1"
+"mAB "
+"mBA "
+"meas"
+"mluc"
+"mpet"
+"ncol"
+"ncl2"
+"para"
+"pseq"
+"psid"
+"rcs2"
+"sf32"
+"scrn"
+"sig "
+"text"
+"desc"
+"uf32"
+"bfd "
+"ui16"
+"ui32"
+"ui64"
+"ui08"
+"vcgt"
+"view"
+"XYZ "
+
+# Base ICC tag definitions
+"A2B0"
+"A2B1"
+"A2B2"
+"bXYZ"
+"bXYZ"
+"bTRC"
+"B2A0"
+"B2A1"
+"B2A2"
+"calt"
+"targ"
+"chad"
+"chrm"
+"clro"
+"clrt"
+"clot"
+"ciis"
+"cprt"
+"crdi"
+"data"
+"dtim"
+"dmnd"
+"dmdd"
+"devs"
+"D2B0"
+"D2B1"
+"D2B2"
+"D2B3"
+"B2D0"
+"B2D1"
+"B2D2"
+"B2D3"
+"gamt"
+"kTRC"
+"gXYZ"
+"gXYZ"
+"gTRC"
+"lumi"
+"meas"
+"bkpt"
+"wtpt"
+"ncol"
+"ncl2"
+"resp"
+"rig0"
+"pre0"
+"pre1"
+"pre2"
+"desc"
+"dscm"
+"pseq"
+"psid"
+"psd0"
+"psd1"
+"psd2"
+"psd3"
+"ps2s"
+"ps2i"
+"rXYZ"
+"rXYZ"
+"rTRC"
+"rig2"
+"scrd"
+"scrn"
+"tech"
+"bfd "
+"vued"
+"view"
+"vcgt"
+"meta"
+"arts"
+
+# ICC Technology tag
+"dcam"
+"fscn"
+"rscn"
+"ijet"
+"twax"
+"epho"
+"esta"
+"dsub"
+"rpho"
+"fprn"
+"vidm"
+"vidc"
+"pjtv"
+"CRT "
+"PMD "
+"AMD "
+"KPCD"
+"imgs"
+"grav"
+"offs"
+"silk"
+"flex"
+"mpfs"
+"mpfr"
+"dmpc"
+"dcpj"
+
+# ICC Color spaces
+"XYZ "
+"Lab "
+"Luv "
+"YCbr"
+"Yxy "
+"RGB "
+"GRAY"
+"HSV "
+"HLS "
+"CMYK"
+"CMY "
+"MCH1"
+"MCH2"
+"MCH3"
+"MCH4"
+"MCH5"
+"MCH6"
+"MCH7"
+"MCH8"
+"MCH9"
+"MCHA"
+"MCHB"
+"MCHC"
+"MCHD"
+"MCHE"
+"MCHF"
+"nmcl"
+"1CLR"
+"2CLR"
+"3CLR"
+"4CLR"
+"5CLR"
+"6CLR"
+"7CLR"
+"8CLR"
+"9CLR"
+"ACLR"
+"BCLR"
+"CCLR"
+"DCLR"
+"ECLR"
+"FCLR"
+"LuvK"
+
+# ICC Profile Class
+"scnr"
+"mntr"
+"prtr"
+"link"
+"abst"
+"spac"
+"nmcl"
+
+# ICC Platforms
+"APPL"
+"MSFT"
+"SUNW"
+"SGI "
+"TGNT"
+"*nix"
+
+# Reference gamut
+"prmg"
+
+# For cmsSigColorimetricIntentImageStateTag
+"scoe"
+"sape"
+"fpce"
+"rhoc"
+"rpoc"
+
+# Multi process elements types
+"cvst"
+"matf"
+"clut"
+"bACS"
+"eACS"
+"l2x "
+"x2l "
+"ncl "
+"2 4 "
+"4 2 "
+"idn "
+"d2l "
+"l2d "
+"d2x "
+"x2d "
+"clp "
+
+# Types of CurveElements
+"parf"
+"samf"
+"curf"
+
+# Used in ResponseCurveType
+"StaA"
+"StaE"
+"StaI"
+"StaT"
+"StaM"
+"DN "
+"DN P"
+"DNN "
+"DNNP"
+
diff --git a/projects/lcms/target.yaml b/projects/lcms/target.yaml
new file mode 100644
index 00000000..a30635b3
--- /dev/null
+++ b/projects/lcms/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/mm2/Little-CMS"
diff --git a/projects/libarchive/Dockerfile b/projects/libarchive/Dockerfile
new file mode 100644
index 00000000..d10fa0fd
--- /dev/null
+++ b/projects/libarchive/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcwu@google.com
+
+# Installing optional libraries can utilize more code path and/or improve
+# performance (avoid calling external programs).
+RUN apt-get install -y make autoconf automake libtool pkg-config \
+ libbz2-dev liblzo2-dev liblzma-dev liblz4-dev libz-dev \
+ libxml2-dev libssl-dev
+RUN git clone https://github.com/libarchive/libarchive.git
+WORKDIR libarchive
+COPY build.sh libarchive_fuzzer.cc $SRC/
diff --git a/projects/libarchive/build.sh b/projects/libarchive/build.sh
new file mode 100755
index 00000000..275fd68a
--- /dev/null
+++ b/projects/libarchive/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build the target.
+./build/autogen.sh
+./configure
+make -j$(nproc) all
+
+# build your fuzzer(s)
+$CXX $CXXFLAGS -Ilibarchive \
+ $SRC/libarchive_fuzzer.cc -o $OUT/libarchive_fuzzer \
+ -lfuzzer .libs/libarchive.a \
+ -Wl,-Bstatic -lbz2 -llzo2 -lxml2 -llzma -lz -lcrypto -llz4 -licuuc \
+ -licudata -Wl,-Bdynamic
diff --git a/projects/libarchive/libarchive_fuzzer.cc b/projects/libarchive/libarchive_fuzzer.cc
new file mode 100644
index 00000000..fb6fb5a5
--- /dev/null
+++ b/projects/libarchive/libarchive_fuzzer.cc
@@ -0,0 +1,54 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include <stddef.h>
+#include <stdint.h>
+#include <vector>
+
+#include "archive.h"
+
+struct Buffer {
+ const uint8_t *buf;
+ size_t len;
+};
+
+ssize_t reader_callback(struct archive *a, void *client_data,
+ const void **block) {
+ Buffer *buffer = reinterpret_cast<Buffer *>(client_data);
+ *block = buffer->buf;
+ ssize_t len = buffer->len;
+ buffer->len = 0;
+ return len;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+ struct archive *a = archive_read_new();
+
+ archive_read_support_filter_all(a);
+ archive_read_support_format_all(a);
+
+ Buffer buffer = {buf, len};
+ archive_read_open(a, &buffer, NULL, reader_callback, NULL);
+
+ std::vector<uint8_t> data_buffer(getpagesize(), 0);
+ struct archive_entry *entry;
+ while (archive_read_next_header(a, &entry) == ARCHIVE_OK) {
+ while (archive_read_data(a, data_buffer.data(), data_buffer.size()) > 0)
+ ;
+ }
+
+ archive_read_free(a);
+ return 0;
+}
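Review bot: `getpagesize()` and `ssize_t` are used in this file but neither `<unistd.h>` nor `<sys/types.h>` is included, so the build depends on `archive.h` dragging them in. A fixed buffer avoids the call entirely: `std::vector<uint8_t> data_buffer(4096, 0);`. `reader_callback` is only used in this TU and should be `static ssize_t reader_callback(...)`; its `ssize_t len = buffer->len;` converts `size_t` to `ssize_t` implicitly, which is fine for libFuzzer-sized inputs but worth a cast. The return of `archive_read_open` is unchecked; if it fails the header loop simply never runs, so a short comment stating that this is intentional would help.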
diff --git a/projects/libarchive/target.yaml b/projects/libarchive/target.yaml
new file mode 100644
index 00000000..7b0161ba
--- /dev/null
+++ b/projects/libarchive/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/libarchive/libarchive"
diff --git a/projects/libass/Dockerfile b/projects/libass/Dockerfile
new file mode 100644
index 00000000..1fd7c92e
--- /dev/null
+++ b/projects/libass/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER eugeni.stepanov@gmail.com
+RUN apt-get install -y make autoconf automake libtool pkg-config libfreetype6-dev libfontconfig1-dev
+
+RUN git clone https://github.com/libass/libass.git
+RUN git clone https://github.com/behdad/fribidi.git
+
+COPY build.sh libass_fuzzer.cc *.dict *.options $SRC/
diff --git a/projects/libass/ass.dict b/projects/libass/ass.dict
new file mode 100644
index 00000000..aa4f9b43
--- /dev/null
+++ b/projects/libass/ass.dict
@@ -0,0 +1,112 @@
+"0x"
+"\\1a"
+"\\2a"
+"\\2c"
+"\\3a"
+"\\3c"
+"\\4a"
+"\\4c"
+"\\a"
+"\\alpha"
+"\\an"
+"Arial"
+"\\b"
+"Banner;"
+"\\be"
+"\\blur"
+"\\bord"
+"\\c"
+"CFF"
+"CID Type 1"
+"\\clip"
+"clip"
+"Courier"
+"Courier New"
+"Default"
+"Dialogue:"
+"[Events]"
+"\\fade"
+"\\fax"
+"\\fay"
+"\\fe"
+"\\fn"
+"fontname:"
+"[Fonts]"
+"Format:"
+"\\frx"
+"\\fry"
+"\\frz"
+"\\fs"
+"\\fsc"
+"\\fscx"
+"\\fscy"
+"\\fsp"
+"&h"
+"Helvetica"
+"\\i"
+"\\iclip"
+"iclip"
+"\\k"
+"Kerning:"
+"Kerning"
+"\\kf"
+"\\ko"
+"Language:"
+"monospace"
+"\\move"
+"move"
+"none"
+"\\org"
+"org"
+"OverrideStyle"
+"\\p"
+"p"
+"\\pbo"
+"pbo"
+"pc.240m"
+"pc.601"
+"pc.709"
+"pc.fcc"
+"PlayResX:"
+"PlayResX"
+"PlayResY:"
+"PlayResY"
+"\\pos"
+"pos"
+"\\q"
+"\\r"
+"\\s"
+"sans-serif"
+"ScaledBorderAndShadow:"
+"ScaledBorderAndShadow"
+"[Script Info]"
+"Scroll down;"
+"Scroll up;"
+"serif"
+"\\shad"
+"Style:"
+"\\t"
+"Text"
+"Timer:"
+"Timer"
+"Times"
+"Times New Roman"
+"tv.240m"
+"tv.601"
+"tv.709"
+"tv.fcc"
+"Type 1"
+"Type 42"
+"\\u"
+"UTF-8"
+"[V4 Styles]"
+"[V4+ Styles]"
+"WrapStyle:"
+"WrapStyle"
+"\\xbord"
+"\\xshad"
+"\\ybord"
+"YCbCr Matrix:"
+"YCbCr Matrix"
+"yes"
+"\\yshad"
diff --git a/projects/libass/build.sh b/projects/libass/build.sh
new file mode 100755
index 00000000..07db7d05
--- /dev/null
+++ b/projects/libass/build.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -eux
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/fribidi
+./bootstrap
+./configure --enable-static=yes --enable-shared=no --with-pic=yes
+# Don't run "make": it's broken. Run "make install".
+make install
+
+cd $SRC/libass
+
+./autogen.sh
+./configure --disable-asm
+make -j$(nproc)
+
+$CXX $CXXFLAGS -std=c++11 -I$SRC/libass \
+ $SRC/libass_fuzzer.cc -o $OUT/libass_fuzzer \
+ -lfuzzer libass/.libs/libass.a \
+ -Wl,-Bstatic -lfontconfig -lfribidi -lfreetype -lz -lpng12 \
+ -lexpat -Wl,-Bdynamic
+
+cp $SRC/*.dict $SRC/*.options $OUT/
diff --git a/projects/libass/libass_fuzzer.cc b/projects/libass/libass_fuzzer.cc
new file mode 100644
index 00000000..5254faff
--- /dev/null
+++ b/projects/libass/libass_fuzzer.cc
@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <libass/ass.h>
+
+static ASS_Library *ass_library;
+static ASS_Renderer *ass_renderer;
+
+void msg_callback(int level, const char *fmt, va_list va, void *data) {
+}
+
+static const int kFrameWidth = 1280;
+static const int kFrameHeight = 720;
+
+static bool init(int frame_w, int frame_h) {
+ ass_library = ass_library_init();
+ if (!ass_library) {
+ printf("ass_library_init failed!\n");
+ exit(1);
+ }
+
+ ass_set_message_cb(ass_library, msg_callback, NULL);
+
+ ass_renderer = ass_renderer_init(ass_library);
+ if (!ass_renderer) {
+ printf("ass_renderer_init failed!\n");
+ exit(1);
+ }
+
+ ass_set_frame_size(ass_renderer, frame_w, frame_h);
+ ass_set_fonts(ass_renderer, nullptr, "sans-serif",
+ ASS_FONTPROVIDER_AUTODETECT, nullptr, 1);
+ return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ static bool initialized = init(kFrameWidth, kFrameHeight);
+
+ ASS_Track *track = ass_read_memory(ass_library, (char *)data, size, nullptr);
+ if (!track) return 0;
+
+ for (int i = 0; i < track->n_events; ++i) {
+ ASS_Event &ev = track->events[i];
+ long long tm = ev.Start + ev.Duration / 2;
+ ass_render_frame(ass_renderer, track, tm, nullptr);
+ }
+ ass_free_track(track);
+ return 0;
+}
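Review bot: `msg_callback` at line 3305 takes a `va_list` and `LLVMFuzzerTestOneInput` takes `const uint8_t *`, yet neither `<stdarg.h>` nor `<stdint.h>` is included; both names only arrive transitively through `<stdio.h>`/`<libass/ass.h>`, which is not a guarantee any of those headers make. Add `#include <stdarg.h>` and `#include <stdint.h>` beside the existing includes. The `(char *)data` cast at line 3335 also discards the const of the fuzzer buffer because `ass_read_memory` takes a non-const pointer; if libass does not write through it (not verified here) a comment `// ass_read_memory takes char* but the input is not modified` would record that assumption for the next reader. Rendering one frame per event at lines 3338–3342 is unbounded in the number of events, so a cap such as `if (track->n_events > 256) { ass_free_track(track); return 0; }` (limit chosen by the maintainer) would keep pathological inputs from dominating fuzzing time.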
diff --git a/projects/libass/libass_fuzzer.options b/projects/libass/libass_fuzzer.options
new file mode 100644
index 00000000..6a3e33bc
--- /dev/null
+++ b/projects/libass/libass_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = ass.dict
diff --git a/projects/libass/target.yaml b/projects/libass/target.yaml
new file mode 100644
index 00000000..6289bce1
--- /dev/null
+++ b/projects/libass/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/libass/libass"
diff --git a/projects/libchewing/Dockerfile b/projects/libchewing/Dockerfile
new file mode 100644
index 00000000..50fb6939
--- /dev/null
+++ b/projects/libchewing/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcwu@csie.org
+RUN apt-get install -y make autoconf automake libtool texinfo
+
+RUN git clone https://github.com/chewing/libchewing.git
+WORKDIR libchewing
+COPY build.sh chewing_fuzzer_common.[ch] chewing_*_fuzzer.c $SRC/
diff --git a/projects/libchewing/build.sh b/projects/libchewing/build.sh
new file mode 100755
index 00000000..96f295ff
--- /dev/null
+++ b/projects/libchewing/build.sh
@@ -0,0 +1,39 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build the library.
+./autogen.sh
+./configure --disable-shared --enable-static --without-sqlite3
+make clean
+make -j$(nproc) all
+
+# build your fuzzer(s)
+make -C test CFLAGS="$CFLAGS -Dmain=stress_main -Drand=get_fuzz_input" stress.o
+
+$CC $CFLAGS -c $SRC/chewing_fuzzer_common.c -o $WORK/chewing_fuzzer_common.o
+
+for variant in default random_init dynamic_config; do
+ $CC $CFLAGS -c $SRC/chewing_${variant}_fuzzer.c -o $WORK/chewing_${variant}_fuzzer.o
+ $CXX $CXXFLAGS \
+ -o $OUT/chewing_${variant}_fuzzer \
+ $WORK/chewing_${variant}_fuzzer.o $WORK/chewing_fuzzer_common.o \
+ test/stress.o test/.libs/libtesthelper.a src/.libs/libchewing.a \
+ -lfuzzer
+done
+
+# install data files
+make -j$(nproc) -C data pkgdatadir=$OUT install
diff --git a/projects/libchewing/chewing_default_fuzzer.c b/projects/libchewing/chewing_default_fuzzer.c
new file mode 100644
index 00000000..dd6fc7a8
--- /dev/null
+++ b/projects/libchewing/chewing_default_fuzzer.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ fuzz_input = fuzz_ptr = data;
+ fuzz_size = size;
+
+ const char* stress_argv[] = {
+ "./chewing_fuzzer", "-loop", "1", NULL,
+ };
+ stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+ (char**)stress_argv);
+ return 0;
+}
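Review bot: The body of `LLVMFuzzerTestOneInput` here is repeated verbatim in chewing_dynamic_config_fuzzer.c and chewing_random_init_fuzzer.c, differing only in the `stress_argv` initializer. A shared helper in chewing_fuzzer_common.c, e.g. `int run_stress(const uint8_t *data, size_t size, int argc, char **argv)`, that assigns `fuzz_input`/`fuzz_ptr`/`fuzz_size` and calls `stress_main` would reduce each variant to building its argv and calling that helper, so a later change to the input plumbing happens in one place. The return value of `stress_main` is discarded, which is acceptable for a fuzz driver but worth a one-line comment saying so.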
diff --git a/projects/libchewing/chewing_dynamic_config_fuzzer.c b/projects/libchewing/chewing_dynamic_config_fuzzer.c
new file mode 100644
index 00000000..5479c1ee
--- /dev/null
+++ b/projects/libchewing/chewing_dynamic_config_fuzzer.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ fuzz_input = fuzz_ptr = data;
+ fuzz_size = size;
+
+ const char* stress_argv[] = {
+ "./chewing_fuzzer", "-loop", "1", "-extra", NULL,
+ };
+ stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+ (char**)stress_argv);
+ return 0;
+}
diff --git a/projects/libchewing/chewing_fuzzer_common.c b/projects/libchewing/chewing_fuzzer_common.c
new file mode 100644
index 00000000..de249df6
--- /dev/null
+++ b/projects/libchewing/chewing_fuzzer_common.c
@@ -0,0 +1,26 @@
+#include "chewing_fuzzer_common.h"
+
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static char userphrase_path[] = "/tmp/chewing_userphrase.db.XXXXXX";
+
+int LLVMFuzzerInitialize(int* argc, char*** argv) {
+ char* exe_path = (*argv)[0];
+ char* dir = dirname(exe_path);
+ // Assume data files are at the same location as executable.
+ setenv("CHEWING_PATH", dir, 0);
+
+ // Specify user db of this process. So we can run multiple fuzzers at the
+ // same time.
+ mktemp(userphrase_path);
+ setenv("TEST_USERPHRASE_PATH", userphrase_path, 0);
+ return 0;
+}
+
+int get_fuzz_input() {
+ if (fuzz_ptr - fuzz_input >= fuzz_size)
+ return EOF;
+ return *fuzz_ptr++;
+}
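Review bot: `mktemp(userphrase_path)` at line 3499 only generates a name, does not create the file, and its result is unchecked: the name can be claimed by another process between generation and first use, and on failure the buffer becomes an empty string so `TEST_USERPHRASE_PATH` is set to `""`; glibc also emits a link-time warning that `mktemp` is dangerous. If the library accepts an already-existing empty file at that path (not verified here), `mkstemp` creates it atomically with mode 0600: `int fd = mkstemp(userphrase_path); if (fd < 0) abort(); close(fd);` with `#include <unistd.h>`. Otherwise at least reject the failure case with `if (mktemp(userphrase_path)[0] == '\0') abort();`. In `get_fuzz_input`, `fuzz_ptr - fuzz_input >= fuzz_size` compares a `ptrdiff_t` with a `size_t`; writing `(size_t)(fuzz_ptr - fuzz_input) >= fuzz_size` makes the intent explicit and silences `-Wsign-compare`.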
diff --git a/projects/libchewing/chewing_fuzzer_common.h b/projects/libchewing/chewing_fuzzer_common.h
new file mode 100644
index 00000000..5032d655
--- /dev/null
+++ b/projects/libchewing/chewing_fuzzer_common.h
@@ -0,0 +1,13 @@
+#ifndef CHEWING_FUZZER_COMMON_H
+#define CHEWING_FUZZER_COMMON_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+const uint8_t* fuzz_ptr;
+const uint8_t* fuzz_input;
+size_t fuzz_size;
+
+int stress_main(int argc, char** argv);
+
+#endif
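Review bot: `fuzz_ptr`, `fuzz_input` and `fuzz_size` at lines 3521–3523 are definitions, not declarations, so every translation unit that includes this header (chewing_fuzzer_common.c and each of the three variant fuzzers) defines them again. This links today only because the toolchain merges tentative definitions as common symbols (`-fcommon`); with `-fno-common`, the default in GCC 10+ and recent Clang, the link fails with duplicate-symbol errors. Declare them here as `extern const uint8_t* fuzz_ptr;`, `extern const uint8_t* fuzz_input;`, `extern size_t fuzz_size;` and put the single definitions in chewing_fuzzer_common.c. A prototype `int get_fuzz_input(void);` in this header would also let the definition in chewing_fuzzer_common.c be checked against a declared signature.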
diff --git a/projects/libchewing/chewing_random_init_fuzzer.c b/projects/libchewing/chewing_random_init_fuzzer.c
new file mode 100644
index 00000000..e0d755f7
--- /dev/null
+++ b/projects/libchewing/chewing_random_init_fuzzer.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ fuzz_input = fuzz_ptr = data;
+ fuzz_size = size;
+
+ const char* stress_argv[] = {
+ "./chewing_fuzzer", "-loop", "1", "-init", NULL,
+ };
+ stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+ (char**)stress_argv);
+ return 0;
+}
diff --git a/projects/libchewing/target.yaml b/projects/libchewing/target.yaml
new file mode 100644
index 00000000..ef62bfe3
--- /dev/null
+++ b/projects/libchewing/target.yaml
@@ -0,0 +1 @@
+homepage: "http://chewing.im/"
diff --git a/projects/libjpeg-turbo/Dockerfile b/projects/libjpeg-turbo/Dockerfile
new file mode 100644
index 00000000..94a4c349
--- /dev/null
+++ b/projects/libjpeg-turbo/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER alex.gaynor@gmail.com
+RUN apt-get install -y make autoconf automake libtool nasm curl
+RUN git clone https://github.com/libjpeg-turbo/libjpeg-turbo
+
+RUN mkdir afl-testcases
+RUN curl -o afl-testcases/afl_testcases.tgz http://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz
+RUN cd afl-testcases/ && tar -xf afl_testcases.tgz
+RUN zip libjpeg_turbo_fuzzer_seed_corpus.zip afl-testcases/jpeg/full/images/*
+
+WORKDIR libjpeg-turbo
+COPY build.sh libjpeg_turbo_fuzzer.cc $SRC/
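Review bot: The seed corpus at line 3584 is fetched over plain HTTP with no integrity check, so whatever the build host receives is zipped at line 3586 and shipped as the fuzzer's seed corpus with no way to distinguish a tampered or truncated download from the real archive. Pin the expected digest and verify before extracting, e.g. `RUN echo "<EXPECTED_SHA256>  afl-testcases/afl_testcases.tgz" | sha256sum -c -` (digest is a placeholder to be filled in from a trusted copy), and use `curl -fsSL` so an HTTP error status fails the build instead of saving an error page as the tarball. `zip` is used at line 3586 but is not in the `apt-get install` list at line 3580; if the base image does not already provide it the build breaks, so adding it there is cheap insurance.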
diff --git a/projects/libjpeg-turbo/build.sh b/projects/libjpeg-turbo/build.sh
new file mode 100755
index 00000000..99213429
--- /dev/null
+++ b/projects/libjpeg-turbo/build.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+autoreconf -fiv
+./configure
+make "-j$(nproc)"
+
+$CXX $CXXFLAGS -std=c++11 -I. \
+ $SRC/libjpeg_turbo_fuzzer.cc -o $OUT/libjpeg_turbo_fuzzer \
+ -lfuzzer ./.libs/libturbojpeg.a
+
+cp $SRC/libjpeg_turbo_fuzzer_seed_corpus.zip $OUT/
diff --git a/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
new file mode 100644
index 00000000..1cee173d
--- /dev/null
+++ b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
@@ -0,0 +1,48 @@
+/*
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <memory>
+
+#include <turbojpeg.h>
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ tjhandle jpegDecompressor = tjInitDecompress();
+
+ int width, height, subsamp, colorspace;
+ int res = tjDecompressHeader3(
+ jpegDecompressor, data, size, &width, &height, &subsamp, &colorspace);
+
+ // Bail out if decompressing the headers failed, the width or height is 0,
+ // or the image is too large (avoids slowing down too much)
+ if (res != 0 || width == 0 || height == 0 || (width * height > (1024 * 1024))) {
+ tjDestroy(jpegDecompressor);
+ return 0;
+ }
+
+ std::unique_ptr<unsigned char[]> buf(new unsigned char[width * height * 3]);
+ tjDecompress2(
+ jpegDecompressor, data, size, buf.get(), width, 0, height, TJPF_RGB, 0);
+
+ tjDestroy(jpegDecompressor);
+
+ return 0;
+}
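Review bot: `width * height` at line 3663 is an `int` multiplication, and JPEG dimensions go up to 65535 each, so the product can overflow `int` (undefined behaviour) and wrap negative, which passes the `> (1024 * 1024)` check and then feeds a bogus size to `new unsigned char[width * height * 3]` at line 3668; negative dimensions are also not rejected, only zero. Replace the condition with `if (res != 0 || width <= 0 || height <= 0 || width > (1024 * 1024) / height) {` so the product is never formed before it is known to be small, after which the `* 3` fits comfortably too. Ignoring the return value of `tjDecompress2` is fine for a fuzz target, but a short comment saying that is intentional would help the next reader.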
diff --git a/projects/libjpeg-turbo/target.yaml b/projects/libjpeg-turbo/target.yaml
new file mode 100644
index 00000000..d75b6589
--- /dev/null
+++ b/projects/libjpeg-turbo/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/libjpeg-turbo/libjpeg-turbo"
diff --git a/projects/libpng/Dockerfile b/projects/libpng/Dockerfile
new file mode 100644
index 00000000..04a73b8a
--- /dev/null
+++ b/projects/libpng/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool zlib1g-dev
+
+RUN git clone git://git.code.sf.net/p/libpng/code libpng
+WORKDIR libpng
+COPY build.sh libpng_read_fuzzer.* png.dict $SRC/
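Review bot: `git clone git://git.code.sf.net/p/libpng/code libpng` at line 3709 uses the unauthenticated `git://` transport, which provides neither server authentication nor integrity protection, so the source that gets built and fuzzed can be substituted in transit; the same applies to the libtsm Dockerfile (`git://people.freedesktop.org/~dvdhrm/libtsm`) and the libxml2 Dockerfile (`git://git.gnome.org/libxml2`) in this commit. Prefer an `https://` clone URL wherever the host offers one, as the libass, libchewing and libjpeg-turbo Dockerfiles already do.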
diff --git a/projects/libpng/build.sh b/projects/libpng/build.sh
new file mode 100755
index 00000000..a5d4760f
--- /dev/null
+++ b/projects/libpng/build.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Disable logging via library build configuration control.
+cat scripts/pnglibconf.dfa | sed -e "s/option STDIO/option STDIO disabled/" \
+> scripts/pnglibconf.dfa.temp
+mv scripts/pnglibconf.dfa.temp scripts/pnglibconf.dfa
+
+# build the library.
+autoreconf -f -i
+./configure
+make -j$(nproc) clean all
+
+# build libpng_read_fuzzer
+$CXX $CXXFLAGS -std=c++11 -I. -lz \
+ $SRC/libpng_read_fuzzer.cc -o $OUT/libpng_read_fuzzer \
+ -lfuzzer .libs/libpng16.a
+
+cp $SRC/*.dict $SRC/*.options $OUT/
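Review bot: `-lz` at line 3746 appears before the archive that needs it (`.libs/libpng16.a` at line 3748); GNU ld resolves libraries in command-line order, so this only links because zlib is a shared library here and `--as-needed` is not in effect, and a static zlib or `-Wl,--as-needed` in `$CXXFLAGS` would leave the zlib symbols unresolved. Move it to the end: `-lfuzzer .libs/libpng16.a -lz`. The `cat ... | sed` at line 3736 can be simplified to `sed -e "s/option STDIO/option STDIO disabled/" scripts/pnglibconf.dfa > scripts/pnglibconf.dfa.temp`.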
diff --git a/projects/libpng/libpng_read_fuzzer.cc b/projects/libpng/libpng_read_fuzzer.cc
new file mode 100644
index 00000000..ca489b09
--- /dev/null
+++ b/projects/libpng/libpng_read_fuzzer.cc
@@ -0,0 +1,123 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <vector>
+
+#define PNG_INTERNAL
+#include "png.h"
+
+struct BufState {
+ const uint8_t* data;
+ size_t bytes_left;
+};
+
+struct PngObjectHandler {
+ png_infop info_ptr = nullptr;
+ png_structp png_ptr = nullptr;
+ png_voidp row_ptr = nullptr;
+ BufState* buf_state = nullptr;
+
+ ~PngObjectHandler() {
+ if (row_ptr && png_ptr) {
+ png_free(png_ptr, row_ptr);
+ }
+ if (png_ptr && info_ptr) {
+ png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
+ }
+ delete buf_state;
+ }
+};
+
+void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
+ BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
+ if (length > buf_state->bytes_left) {
+ png_error(png_ptr, "read error");
+ }
+ memcpy(data, buf_state->data, length);
+ buf_state->bytes_left -= length;
+ buf_state->data += length;
+}
+
+static const int kPngHeaderSize = 8;
+
+// Entry point for LibFuzzer.
+// Roughly follows the libpng book example:
+// http://www.libpng.org/pub/png/book/chapter13.html
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ if (size < kPngHeaderSize) {
+ return 0;
+ }
+
+ std::vector<unsigned char> v(data, data + size);
+ if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
+ // not a PNG.
+ return 0;
+ }
+
+ PngObjectHandler png_handler;
+ png_handler.png_ptr = png_create_read_struct
+ (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
+ if (!png_handler.png_ptr) {
+ return 0;
+ }
+
+ png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
+
+ png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
+ if (!png_handler.info_ptr) {
+ return 0;
+ }
+
+ // Setting up reading from buffer.
+ png_handler.buf_state = new BufState();
+ png_handler.buf_state->data = data + kPngHeaderSize;
+ png_handler.buf_state->bytes_left = size - kPngHeaderSize;
+ png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
+ png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
+
+ // libpng error handling.
+ if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+ return 0;
+ }
+
+ // Reading.
+ png_read_info(png_handler.png_ptr, png_handler.info_ptr);
+ png_handler.row_ptr = png_malloc(
+ png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
+ png_handler.info_ptr));
+
+ // reset error handler to put png_deleter into scope.
+ if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+ return 0;
+ }
+
+ png_uint_32 width, height;
+ int bit_depth, color_type, interlace_type, compression_type;
+ int filter_type;
+
+ if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
+ &height, &bit_depth, &color_type, &interlace_type,
+ &compression_type, &filter_type)) {
+ return 0;
+ }
+
+ // This is going to be too slow.
+ if (width && height > 100000000 / width)
+ return 0;
+
+ int passes = png_set_interlace_handling(png_handler.png_ptr);
+ png_start_read_image(png_handler.png_ptr);
+
+ for (int pass = 0; pass < passes; ++pass) {
+ for (png_uint_32 y = 0; y < height; ++y) {
+ png_read_row(png_handler.png_ptr,
+ static_cast<png_bytep>(png_handler.row_ptr), NULL);
+ }
+ }
+
+ return 0;
+}
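Review bot: `memcpy` at line 3796 is used without including `<string.h>` (or `<cstring>`); it compiles only because `png.h` pulls that header in transitively, which is not something libpng documents. Add `#include <string.h>` next to the existing includes. The `std::vector<unsigned char> v(data, data + size)` at line 3811 copies the entire input only to hand eight bytes to `png_sig_cmp`; if the installed libpng declares that parameter as `png_const_bytep` (true from 1.6 on, not checked against this checkout), `png_sig_cmp(data, 0, kPngHeaderSize)` removes the copy entirely.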
diff --git a/projects/libpng/libpng_read_fuzzer.options b/projects/libpng/libpng_read_fuzzer.options
new file mode 100644
index 00000000..2005291a
--- /dev/null
+++ b/projects/libpng/libpng_read_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = png.dict
diff --git a/projects/libpng/png.dict b/projects/libpng/png.dict
new file mode 100644
index 00000000..ea12d19e
--- /dev/null
+++ b/projects/libpng/png.dict
@@ -0,0 +1,38 @@
+#
+# AFL dictionary for PNG images
+# -----------------------------
+#
+# Just the basic, standard-originating sections; does not include vendor
+# extensions.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+header_png="\x89PNG\x0d\x0a\x1a\x0a"
+
+section_IDAT="IDAT"
+section_IEND="IEND"
+section_IHDR="IHDR"
+section_PLTE="PLTE"
+section_bKGD="bKGD"
+section_cHRM="cHRM"
+section_fRAc="fRAc"
+section_gAMA="gAMA"
+section_gIFg="gIFg"
+section_gIFt="gIFt"
+section_gIFx="gIFx"
+section_hIST="hIST"
+section_iCCP="iCCP"
+section_iTXt="iTXt"
+section_oFFs="oFFs"
+section_pCAL="pCAL"
+section_pHYs="pHYs"
+section_sBIT="sBIT"
+section_sCAL="sCAL"
+section_sPLT="sPLT"
+section_sRGB="sRGB"
+section_sTER="sTER"
+section_tEXt="tEXt"
+section_tIME="tIME"
+section_tRNS="tRNS"
+section_zTXt="zTXt"
diff --git a/projects/libpng/target.yaml b/projects/libpng/target.yaml
new file mode 100644
index 00000000..2f64de3a
--- /dev/null
+++ b/projects/libpng/target.yaml
@@ -0,0 +1 @@
+homepage: "http://www.libpng.org/pub/png/libpng.html"
diff --git a/projects/libteken/Dockerfile b/projects/libteken/Dockerfile
new file mode 100644
index 00000000..82d5a97e
--- /dev/null
+++ b/projects/libteken/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcwu@csie.org
+RUN apt-get install -y pmake
+RUN svn co https://svn.freebsd.org/base/head/sys/teken
+WORKDIR teken
+COPY build.sh libteken_fuzzer.c $SRC/
diff --git a/projects/libteken/build.sh b/projects/libteken/build.sh
new file mode 100755
index 00000000..c5f4a00c
--- /dev/null
+++ b/projects/libteken/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build the library.
+pmake -C libteken teken_state.h
+CFLAGS="$CFLAGS -D__unused=" pmake -C libteken libteken.a
+
+$CC $CFLAGS -c $SRC/libteken_fuzzer.c -o $SRC/libteken_fuzzer.o -I.
+$CXX $CXXFLAGS $SRC/libteken_fuzzer.o \
+ -o $OUT/libteken_fuzzer \
+ -lfuzzer libteken/libteken.a
diff --git a/projects/libteken/libteken_fuzzer.c b/projects/libteken/libteken_fuzzer.c
new file mode 100644
index 00000000..9335003b
--- /dev/null
+++ b/projects/libteken/libteken_fuzzer.c
@@ -0,0 +1,31 @@
+#include <stdint.h>
+#include <stdio.h>
+
+#include <teken.h>
+
+static void dummy_bell(void *s) {}
+static void dummy_cursor(void *s, const teken_pos_t *p) {}
+static void dummy_putchar(void *s, const teken_pos_t *p, teken_char_t c,
+ const teken_attr_t *a) {}
+static void dummy_fill(void *s, const teken_rect_t *r, teken_char_t c,
+ const teken_attr_t *a) {}
+static void dummy_copy(void *s, const teken_rect_t *r, const teken_pos_t *p) {}
+static void dummy_param(void *s, int cmd, unsigned int value) {}
+static void dummy_respond(void *s, const void *buf, size_t len) {}
+
+static teken_funcs_t tf = {
+ .tf_bell = dummy_bell,
+ .tf_cursor = dummy_cursor,
+ .tf_putchar = dummy_putchar,
+ .tf_fill = dummy_fill,
+ .tf_copy = dummy_copy,
+ .tf_param = dummy_param,
+ .tf_respond = dummy_respond,
+};
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ teken_t t;
+ teken_init(&t, &tf, NULL);
+ teken_input(&t, data, size);
+ return 0;
+}
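Review bot: The `dummy_*` callbacks at lines 4009–4017 discard every position and rectangle the emulator emits, so a cursor, putchar or fill outside the terminal window would go unnoticed unless it also happened to corrupt memory; the libtsm fuzzer in this same commit aborts in its `term_draw_cell` when coordinates exceed the configured size, and the same check here would turn silent logic errors into crashes the fuzzer can report. If a known window size is set after `teken_init` (teken has `teken_set_winsize` for this, field names not verified against the checked-out teken.h), `dummy_cursor`, `dummy_putchar` and `dummy_fill` can `abort()` when the row/column of `p` or the corners of `r` fall outside it. A one-line comment above the `tf` table stating that the callbacks are intentionally inert would otherwise make the current choice explicit.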
diff --git a/projects/libteken/target.yaml b/projects/libteken/target.yaml
new file mode 100644
index 00000000..d3438309
--- /dev/null
+++ b/projects/libteken/target.yaml
@@ -0,0 +1 @@
+homepage: "http://80386.nl/projects/libteken/"
diff --git a/projects/libtsm/Dockerfile b/projects/libtsm/Dockerfile
new file mode 100644
index 00000000..c69cb1a8
--- /dev/null
+++ b/projects/libtsm/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcwu@csie.org
+RUN apt-get install -y make autoconf automake libtool pkg-config
+
+RUN git clone git://people.freedesktop.org/~dvdhrm/libtsm
+WORKDIR libtsm
+COPY build.sh libtsm_fuzzer.c $SRC/
diff --git a/projects/libtsm/build.sh b/projects/libtsm/build.sh
new file mode 100755
index 00000000..0369dd48
--- /dev/null
+++ b/projects/libtsm/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build the library.
+./autogen.sh
+make -j$(nproc) clean all
+
+# build your fuzzer(s)
+$CC $CCFLAGS -c $SRC/libtsm_fuzzer.c -Isrc/tsm -o $SRC/libtsm_fuzzer.o
+$CXX $CXXFLAGS \
+ -o $OUT/libtsm_fuzzer \
+ $SRC/libtsm_fuzzer.o \
+ .libs/libtsm.a \
+ -lfuzzer
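Review bot: `$CCFLAGS` at line 4099 looks like a typo for `$CFLAGS`: the script runs under `bash -eu` (line 4077), so if `CCFLAGS` is unset the script aborts on this line, and if it happens to be set but empty the fuzzer object is compiled without the sanitizer and coverage flags that the other build.sh files in this commit pass through `$CFLAGS`, leaving the target without instrumentation. Change it to `$CC $CFLAGS -c $SRC/libtsm_fuzzer.c -Isrc/tsm -o $SRC/libtsm_fuzzer.o`.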
diff --git a/projects/libtsm/libtsm_fuzzer.c b/projects/libtsm/libtsm_fuzzer.c
new file mode 100644
index 00000000..dd5f63b0
--- /dev/null
+++ b/projects/libtsm/libtsm_fuzzer.c
@@ -0,0 +1,50 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "libtsm.h"
+
+#define WIDTH 80
+#define HEIGHT 24
+
+static void terminal_write_fn(struct tsm_vte *vte,
+ const char *u8,
+ size_t len,
+ void *data)
+{
+ // try to access the written data
+ static char out[4096];
+ while (len--)
+ out[len % sizeof(out)] = u8[len];
+}
+
+static int term_draw_cell(struct tsm_screen *screen, uint32_t id,
+ const uint32_t *ch, size_t len,
+ unsigned int cwidth, unsigned int posx,
+ unsigned int posy,
+ const struct tsm_screen_attr *attr,
+ tsm_age_t age, void *data)
+{
+ if (posx >= WIDTH || posy >= HEIGHT)
+ abort();
+ return 0;
+}
+
+// Entry point for LibFuzzer.
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ struct tsm_screen *screen;
+ struct tsm_vte *vte;
+ const int scrollback_size = 200; // frecon use 200
+
+ tsm_screen_new(&screen, NULL, NULL);
+ tsm_screen_set_max_sb(screen, scrollback_size);
+ tsm_vte_new(&vte, screen, terminal_write_fn, NULL, NULL, NULL);
+ tsm_screen_resize(screen, WIDTH, HEIGHT);
+
+ tsm_vte_input(vte, (const char*) data, size);
+ tsm_screen_draw(screen, term_draw_cell, NULL);
+
+ tsm_vte_unref(vte);
+ tsm_screen_unref(screen);
+ return 0;
+}
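Review bot: `tsm_screen_new` at line 4149 and `tsm_vte_new` at line 4151 return an `int` status (negative on failure in libtsm's API), but the results are ignored, so an allocation failure hands an uninitialised `screen` or `vte` to the next call and the crash would be reported as a libtsm bug rather than a driver bug. Guard them: `if (tsm_screen_new(&screen, NULL, NULL) < 0) return 0;` and, for the vte, `if (tsm_vte_new(&vte, screen, terminal_write_fn, NULL, NULL, NULL) < 0) { tsm_screen_unref(screen); return 0; }`. `abort()` at line 4139 also needs `#include <stdlib.h>`, and `uint8_t`/`size_t` currently rely on `libtsm.h` pulling in `<stdint.h>`/`<stddef.h>`; including them directly makes the file self-contained.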
diff --git a/projects/libtsm/target.yaml b/projects/libtsm/target.yaml
new file mode 100644
index 00000000..a1eb5dca
--- /dev/null
+++ b/projects/libtsm/target.yaml
@@ -0,0 +1 @@
+homepage: "https://www.freedesktop.org/wiki/Software/kmscon/libtsm/"
diff --git a/projects/libxml2/Dockerfile b/projects/libxml2/Dockerfile
new file mode 100644
index 00000000..078379b4
--- /dev/null
+++ b/projects/libxml2/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER ochang@chromium.org
+RUN apt-get install -y make autoconf automake libtool pkg-config
+
+RUN git clone git://git.gnome.org/libxml2
+WORKDIR libxml2
+
+COPY build.sh $SRC/
+COPY libxml2_xml_read_memory_fuzzer.* \
+ libxml2_xml_regexp_compile_fuzzer.* \
+ xml.dict $SRC/
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
new file mode 100755
index 00000000..12cb3ad1
--- /dev/null
+++ b/projects/libxml2/build.sh
@@ -0,0 +1,29 @@
+#!/bin/bash -eu
+#
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+./configure
+make -j$(nproc) clean all
+
+for fuzzer in libxml2_xml_read_memory_fuzzer libxml2_xml_regexp_compile_fuzzer; do
+ $CXX $CXXFLAGS -std=c++11 -Iinclude/ \
+ $SRC/$fuzzer.cc -o $OUT/$fuzzer \
+ -lfuzzer .libs/libxml2.a
+done
+
+cp $SRC/*.dict $SRC/*.options $OUT/
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
new file mode 100644
index 00000000..464a6e95
--- /dev/null
+++ b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
@@ -0,0 +1,23 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "libxml/parser.h"
+
+void ignore (void* ctx, const char* msg, ...) {
+ // Error handler to avoid spam of error messages from libxml parser.
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ xmlSetGenericErrorFunc(NULL, &ignore);
+
+ if (auto doc = xmlReadMemory(reinterpret_cast<const char*>(data),
+ static_cast<int>(size), "noname.xml", NULL, 0)) {
+ xmlFreeDoc(doc);
+ }
+
+ return 0;
+}
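Review bot: `static_cast<int>(size)` at line 4259 turns any input longer than `INT_MAX` into a negative length; libFuzzer's `-max_len` normally keeps inputs far below that, but a guard `if (size > INT_MAX) return 0;` (with `<climits>`) costs nothing and removes the dependence on runner settings. `xmlSetGenericErrorFunc` at line 4256 is re-registered on every input; moving it into an `LLVMFuzzerInitialize` keeps the per-input path minimal. Since a fuzz target should never perform I/O, passing `XML_PARSE_NONET` instead of `0` as the options argument would document and enforce that no document-triggered network fetch can occur, should a future libxml2 default ever attempt one.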
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.options b/projects/libxml2/libxml2_xml_read_memory_fuzzer.options
new file mode 100644
index 00000000..6335e163
--- /dev/null
+++ b/projects/libxml2/libxml2_xml_read_memory_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = xml.dict
diff --git a/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.cc b/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.cc
new file mode 100644
index 00000000..65aba296
--- /dev/null
+++ b/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.cc
@@ -0,0 +1,34 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <algorithm>
+#include <string>
+#include <vector>
+
+#include "libxml/parser.h"
+#include "libxml/tree.h"
+#include "libxml/xmlversion.h"
+
+
+void ignore (void * ctx, const char * msg, ...) {
+ // Error handler to avoid spam of error messages from libxml parser.
+}
+
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ xmlSetGenericErrorFunc(NULL, &ignore);
+
+ std::vector<uint8_t> buffer(size + 1, 0);
+ std::copy(data, data + size, buffer.data());
+
+ xmlRegexpPtr x = xmlRegexpCompile(buffer.data());
+ if (x)
+ xmlRegFreeRegexp(x);
+
+ return 0;
+}
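Review bot: `<string>` is included but nothing in the file uses it, and `libxml/tree.h` and `libxml/xmlversion.h` are not needed by the visible code either; `xmlRegexpCompile` is declared in `libxml/xmlregexp.h`, which would be the precise include. The NUL-padded copy also means that bytes after an embedded NUL are never seen by the regexp parser, which deserves a comment above the buffer declaration: `// xmlRegexpCompile takes a NUL-terminated xmlChar string; input after an embedded NUL is ignored.` As in the read_memory fuzzer, `ignore` could be `static`.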
diff --git a/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.options b/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.options
new file mode 100644
index 00000000..6335e163
--- /dev/null
+++ b/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = xml.dict
diff --git a/projects/libxml2/target.yaml b/projects/libxml2/target.yaml
new file mode 100644
index 00000000..3ac2e323
--- /dev/null
+++ b/projects/libxml2/target.yaml
@@ -0,0 +1 @@
+homepage: "http://www.xmlsoft.org/"
diff --git a/projects/libxml2/xml.dict b/projects/libxml2/xml.dict
new file mode 100644
index 00000000..4ffa6c80
--- /dev/null
+++ b/projects/libxml2/xml.dict
@@ -0,0 +1,87 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+#
+# AFL dictionary for XML
+# ----------------------
+#
+# Several basic syntax elements and attributes, modeled on libxml2.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+attr_encoding=" encoding=\"1\""
+attr_generic=" a=\"1\""
+attr_href=" href=\"1\""
+attr_standalone=" standalone=\"no\""
+attr_version=" version=\"1\""
+attr_xml_base=" xml:base=\"1\""
+attr_xml_id=" xml:id=\"1\""
+attr_xml_lang=" xml:lang=\"1\""
+attr_xml_space=" xml:space=\"1\""
+attr_xmlns=" xmlns=\"1\""
+
+entity_builtin="&lt;"
+entity_decimal="&#1;"
+entity_external="&a;"
+entity_hex="&#x1;"
+
+string_any="ANY"
+string_brackets="[]"
+string_cdata="CDATA"
+string_col_fallback=":fallback"
+string_col_generic=":a"
+string_col_include=":include"
+string_dashes="--"
+string_empty="EMPTY"
+string_empty_dblquotes="\"\""
+string_empty_quotes="''"
+string_entities="ENTITIES"
+string_entity="ENTITY"
+string_fixed="#FIXED"
+string_id="ID"
+string_idref="IDREF"
+string_idrefs="IDREFS"
+string_implied="#IMPLIED"
+string_nmtoken="NMTOKEN"
+string_nmtokens="NMTOKENS"
+string_notation="NOTATION"
+string_parentheses="()"
+string_pcdata="#PCDATA"
+string_percent="%a"
+string_public="PUBLIC"
+string_required="#REQUIRED"
+string_schema=":schema"
+string_system="SYSTEM"
+string_ucs4="UCS-4"
+string_utf16="UTF-16"
+string_utf8="UTF-8"
+string_xmlns="xmlns:"
+
+tag_attlist="<!ATTLIST"
+tag_cdata="<![CDATA["
+tag_close="</a>"
+tag_doctype="<!DOCTYPE"
+tag_element="<!ELEMENT"
+tag_entity="<!ENTITY"
+tag_ignore="<![IGNORE["
+tag_include="<![INCLUDE["
+tag_notation="<!NOTATION"
+tag_open="<a>"
+tag_open_close="<a />"
+tag_open_exclamation="<!"
+tag_open_q="<?"
+tag_sq2_close="]]>"
+tag_xml_q="<?xml?>"
diff --git a/projects/nss/Dockerfile b/projects/nss/Dockerfile
new file mode 100644
index 00000000..e3a621ec
--- /dev/null
+++ b/projects/nss/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool mercurial zlib1g-dev
+
+RUN hg clone https://hg.mozilla.org/projects/nspr nspr
+RUN hg clone https://hg.mozilla.org/projects/nss nss
+RUN git clone https://github.com/mozilla/nss-fuzzing-corpus.git nss-corpus
+
+WORKDIR nss
+COPY build.sh fuzzers/* $SRC/
diff --git a/projects/nss/build.sh b/projects/nss/build.sh
new file mode 100755
index 00000000..d2a126ed
--- /dev/null
+++ b/projects/nss/build.sh
@@ -0,0 +1,68 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build the library.
+make CCC="$CXX" XCFLAGS="$CXXFLAGS" SANITIZER_CFLAGS="$CXXFLAGS" \
+ BUILD_OPT=1 USE_64=1 NSS_DISABLE_GTESTS=1 ZDEFS_FLAG= \
+ nss_clean_all nss_build_all
+cd ..
+
+# Copy libraries and some objects to $WORK/nss/lib.
+mkdir -p $WORK/nss/lib
+cp dist/Linux*/lib/*.a $WORK/nss/lib
+cp nspr/Linux*/pr/src/misc/prlog2.o $WORK/nss/lib
+
+# Copy includes to $WORK/nss/include.
+mkdir -p $WORK/nss/include
+cp -rL dist/Linux*/include/* $WORK/nss/include
+cp -rL dist/{public,private}/nss/* $WORK/nss/include
+
+
+# Build the fuzzers.
+FUZZERS="asn1_algorithmid_fuzzer \
+ asn1_any_fuzzer \
+ asn1_bitstring_fuzzer \
+ asn1_bmpstring_fuzzer \
+ asn1_boolean_fuzzer \
+ asn1_generalizedtime_fuzzer \
+ asn1_ia5string_fuzzer \
+ asn1_integer_fuzzer \
+ asn1_null_fuzzer \
+ asn1_objectid_fuzzer \
+ asn1_octetstring_fuzzer \
+ asn1_utctime_fuzzer \
+ asn1_utf8string_fuzzer"
+
+# The following fuzzers are currently disabled due to linking issues:
+# cert_certificate_fuzzer, seckey_privatekeyinfo_fuzzer
+
+
+for fuzzer in $FUZZERS; do
+ $CXX $CXXFLAGS -std=c++11 $SRC/$fuzzer.cc \
+ -I$WORK/nss/include \
+ -lfuzzer \
+ $WORK/nss/lib/libnss.a $WORK/nss/lib/libnssutil.a \
+ $WORK/nss/lib/libnspr4.a $WORK/nss/lib/libplc4.a $WORK/nss/lib/libplds4.a \
+ $WORK/nss/lib/prlog2.o -o $OUT/$fuzzer
+done
+
+# Archive and copy to $OUT seed corpus if the build succeeded.
+zip $WORK/nss/all_nss_seed_corpus.zip $SRC/nss-corpus/*/*
+
+for fuzzer in $FUZZERS; do
+ cp $WORK/nss/all_nss_seed_corpus.zip $OUT/${fuzzer}_seed_corpus.zip
+done
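Review bot: Every target in the second loop receives the same combined `all_nss_seed_corpus.zip`, built from `$SRC/nss-corpus/*/*`, so each fuzzer starts from the union of all corpora rather than its own; if nss-corpus is laid out per target, `zip -j $OUT/${fuzzer}_seed_corpus.zip $SRC/nss-corpus/$fuzzer/*` inside the build loop (as the openssl build.sh in this commit does) would be tighter and would drop the second loop. Without `-j` the archive also stores the absolute path components, which may or may not matter to whatever unpacks the corpus. The comment about the two fuzzers disabled for linking issues is helpful; it would also be worth stating that they are still copied by the Dockerfile's `COPY fuzzers/*`, so nobody wonders why they are missing from $OUT.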
diff --git a/projects/nss/fuzzers/asn1_algorithmid_fuzzer.cc b/projects/nss/fuzzers/asn1_algorithmid_fuzzer.cc
new file mode 100644
index 00000000..ec244184
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_algorithmid_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <secoid.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECAlgorithmID, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+ NSSFuzzOneInput<SECAlgorithmID, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+
+ return 0;
+}
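Review bot: The entry point would read better with one comment naming the structure under test and why the decode runs twice, e.g. `// Decode the input as an AlgorithmIdentifier with both the DER-only SEC_QuickDERDecodeItem and the general SEC_ASN1DecodeItem decoder.`; the same applies to asn1_any, asn1_bitstring, asn1_bmpstring, asn1_boolean, asn1_generalizedtime, asn1_ia5string, asn1_integer, asn1_null, asn1_objectid, asn1_octetstring, asn1_utctime, asn1_utf8string, cert_certificate and seckey_privatekeyinfo, which differ only in the type/template pair. The `<stddef.h>`/`<stdint.h>` includes duplicate those already in asn1_fuzzer_template.h, which is harmless.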
diff --git a/projects/nss/fuzzers/asn1_any_fuzzer.cc b/projects/nss/fuzzers/asn1_any_fuzzer.cc
new file mode 100644
index 00000000..06a0c090
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_any_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_bitstring_fuzzer.cc b/projects/nss/fuzzers/asn1_bitstring_fuzzer.cc
new file mode 100644
index 00000000..26543c10
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_bitstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_bmpstring_fuzzer.cc b/projects/nss/fuzzers/asn1_bmpstring_fuzzer.cc
new file mode 100644
index 00000000..a3776409
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_bmpstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_boolean_fuzzer.cc b/projects/nss/fuzzers/asn1_boolean_fuzzer.cc
new file mode 100644
index 00000000..6e178ee0
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_boolean_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_fuzzer_template.h b/projects/nss/fuzzers/asn1_fuzzer_template.h
new file mode 100644
index 00000000..416b707e
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_fuzzer_template.h
@@ -0,0 +1,45 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef ASN1_FUZZER_TEMPLATE_H_
+#define ASN1_FUZZER_TEMPLATE_H_
+
+#include <nspr.h>
+#include <nss.h>
+#include <secasn1.h>
+#include <secder.h>
+#include <secitem.h>
+#include <secport.h>
+#include <stddef.h>
+#include <stdint.h>
+
+template <typename DestinationType,
+ SECStatus (*DecodeFunction)(PLArenaPool*,
+ void*,
+ const SEC_ASN1Template*,
+ const SECItem*)>
+void NSSFuzzOneInput(const SEC_ASN1Template* the_template,
+ const uint8_t* data,
+ size_t size) {
+ DestinationType* destination = new DestinationType();
+ memset(destination, 0, sizeof(DestinationType));
+
+ PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ delete destination;
+ return;
+ }
+
+ SECItem source;
+ source.type = siBuffer;
+ source.data = static_cast<unsigned char*>(const_cast<uint8_t*>(data));
+ source.len = static_cast<unsigned int>(size);
+
+ DecodeFunction(arena, destination, the_template, &source);
+
+ PORT_FreeArena(arena, PR_FALSE);
+ delete destination;
+}
+
+#endif // ASN1_FUZZER_TEMPLATE_H_
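Review bot: `source.data` is obtained by `const_cast` on libFuzzer's input buffer; SECItem has a non-const `data` field, but if either decoder ever wrote through it that would corrupt the fuzzer's own copy of the input, and writing would be undefined behaviour if the underlying object is const. Copying the input first keeps the harness honest: `std::vector<uint8_t> input(data, data + size);` and `source.data = input.data();` (plus `#include <vector>`). The `memset` after `new DestinationType()` is redundant, because `T()` value-initialises a C struct to zero, and it relies on `<string.h>` arriving transitively — neither `<string.h>` nor `<cstring>` is included here. The `unsigned int` cast of `size` has the usual size_t truncation caveat; `if (size > UINT_MAX) return;` (with `<limits.h>`) is a cheap guard.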
diff --git a/projects/nss/fuzzers/asn1_generalizedtime_fuzzer.cc b/projects/nss/fuzzers/asn1_generalizedtime_fuzzer.cc
new file mode 100644
index 00000000..1faf586f
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_generalizedtime_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_ia5string_fuzzer.cc b/projects/nss/fuzzers/asn1_ia5string_fuzzer.cc
new file mode 100644
index 00000000..2a33255a
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_ia5string_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_integer_fuzzer.cc b/projects/nss/fuzzers/asn1_integer_fuzzer.cc
new file mode 100644
index 00000000..4e08fec0
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_integer_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_null_fuzzer.cc b/projects/nss/fuzzers/asn1_null_fuzzer.cc
new file mode 100644
index 00000000..4af7afb7
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_null_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_NullTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_NullTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_objectid_fuzzer.cc b/projects/nss/fuzzers/asn1_objectid_fuzzer.cc
new file mode 100644
index 00000000..bdc8288b
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_objectid_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_octetstring_fuzzer.cc b/projects/nss/fuzzers/asn1_octetstring_fuzzer.cc
new file mode 100644
index 00000000..71b25776
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_octetstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_utctime_fuzzer.cc b/projects/nss/fuzzers/asn1_utctime_fuzzer.cc
new file mode 100644
index 00000000..604e2609
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_utctime_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/asn1_utf8string_fuzzer.cc b/projects/nss/fuzzers/asn1_utf8string_fuzzer.cc
new file mode 100644
index 00000000..f4a3a6ac
--- /dev/null
+++ b/projects/nss/fuzzers/asn1_utf8string_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SEC_UTF8StringTemplate), data, size);
+ NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SEC_UTF8StringTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/cert_certificate_fuzzer.cc b/projects/nss/fuzzers/cert_certificate_fuzzer.cc
new file mode 100644
index 00000000..ce1efc73
--- /dev/null
+++ b/projects/nss/fuzzers/cert_certificate_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <cert.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<CERTCertificate, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(CERT_CertificateTemplate), data, size);
+ NSSFuzzOneInput<CERTCertificate, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(CERT_CertificateTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc b/projects/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc
new file mode 100644
index 00000000..a6dd802e
--- /dev/null
+++ b/projects/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <secmod.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput<SECKEYPrivateKeyInfo, SEC_QuickDERDecodeItem>(
+ SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate), data, size);
+ NSSFuzzOneInput<SECKEYPrivateKeyInfo, SEC_ASN1DecodeItem>(
+ SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate), data, size);
+
+ return 0;
+}
diff --git a/projects/nss/target.yaml b/projects/nss/target.yaml
new file mode 100644
index 00000000..1a0af5d7
--- /dev/null
+++ b/projects/nss/target.yaml
@@ -0,0 +1 @@
+homepage: "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
diff --git a/projects/openssl/Dockerfile b/projects/openssl/Dockerfile
new file mode 100644
index 00000000..0487f13c
--- /dev/null
+++ b/projects/openssl/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kurt@roeckx.be
+RUN apt-get install -y make
+RUN git clone https://github.com/openssl/openssl.git
+WORKDIR openssl
+COPY build.sh $SRC/
diff --git a/projects/openssl/build.sh b/projects/openssl/build.sh
new file mode 100755
index 00000000..73ee3ede
--- /dev/null
+++ b/projects/openssl/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./config enable-fuzz-libfuzzer -DPEDANTIC no-shared --with-fuzzer-lib=/usr/lib/libfuzzer $CFLAGS
+make -j$(nproc) EX_LIBS="-ldl /usr/local/lib/libc++.a"
+
+fuzzers=$(find fuzz -executable -type f '!' -name \*.py '!' -name \*-test)
+for f in $fuzzers; do
+ fuzzer=$(basename $f)
+ cp $f $OUT/
+ zip -j $OUT/${fuzzer}_seed_corpus.zip fuzz/corpora/${fuzzer}/*
+done
+
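Review bot: The `zip -j ... fuzz/corpora/${fuzzer}/*` line runs under `-e`, so a fuzzer binary with no matching corpora directory leaves the glob unexpanded, zip fails and the whole build aborts; guarding it with `if [ -d "fuzz/corpora/$fuzzer" ]; then zip -j "$OUT/${fuzzer}_seed_corpus.zip" "fuzz/corpora/$fuzzer"/*; fi` keeps the build going. `find fuzz -executable -type f` also relies on nothing else under fuzz/ being executable besides the binaries, the .py files and the *-test helpers it excludes; anything else marked executable would be copied into $OUT as if it were a fuzzer. The hard-coded `/usr/lib/libfuzzer` and `/usr/local/lib/libc++.a` differ from the `-lfuzzer` convention the other build scripts in this commit use, which deserves a comment explaining why OpenSSL's config needs the explicit paths.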
diff --git a/projects/openssl/target.yaml b/projects/openssl/target.yaml
new file mode 100644
index 00000000..b38c82b2
--- /dev/null
+++ b/projects/openssl/target.yaml
@@ -0,0 +1 @@
+homepage: "https://www.openssl.org/"
diff --git a/projects/ots/Dockerfile b/projects/ots/Dockerfile
new file mode 100644
index 00000000..8d33b582
--- /dev/null
+++ b/projects/ots/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool pkg-config zlib1g-dev
+RUN git clone https://github.com/khaledhosny/ots.git
+WORKDIR ots
+COPY build.sh ots_fuzzer.* $SRC/
+COPY seed_corpus $SRC/seed_corpus
diff --git a/projects/ots/build.sh b/projects/ots/build.sh
new file mode 100755
index 00000000..9b516f89
--- /dev/null
+++ b/projects/ots/build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build the target.
+./autogen.sh
+./configure
+
+make libots.a libwoff2.a libbrotli.a
+
+# Build the fuzzer.
+$CXX $CXXFLAGS -std=c++11 -Iinclude \
+ $SRC/ots_fuzzer.cc -o $OUT/ots_fuzzer \
+ -lfuzzer -lz $SRC/ots/libots.a $SRC/ots/libwoff2.a $SRC/ots/libbrotli.a
+
+cp $SRC/ots_fuzzer.options $OUT/
+zip $OUT/ots_fuzzer_seed_corpus.zip $SRC/seed_corpus/*
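Review bot: `zip $OUT/ots_fuzzer_seed_corpus.zip $SRC/seed_corpus/*` stores the `src/seed_corpus/` path components inside the archive, whereas the openssl build script in this commit uses `zip -j` to flatten them; `zip -j` here keeps the two consistent and avoids depending on the corpus unpacker handling subdirectories. The `make libots.a libwoff2.a libbrotli.a` step also omits the `-j$(nproc)` the other build scripts use, which is harmless but slower.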
diff --git a/projects/ots/ots_fuzzer.cc b/projects/ots/ots_fuzzer.cc
new file mode 100644
index 00000000..3d4bd254
--- /dev/null
+++ b/projects/ots/ots_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "opentype-sanitiser.h"
+#include "ots-memory-stream.h"
+
+static uint8_t buffer[256 * 1024] = { 0 };
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ ots::OTSContext context;
+ ots::MemoryStream stream(static_cast<void*>(buffer), sizeof(buffer));
+ context.Process(&stream, data, size);
+ return 0;
+}
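Review bot: `buffer` is a 256 KiB file-scope output sink with no comment saying what it is for or how its size relates to the 16800-byte `max_len` in ots_fuzzer.options; a note such as `// Output sink for the sanitised font; sized well above max_len so that MemoryStream, which is expected to reject writes past its capacity, is not the limiting factor.` would help, with the MemoryStream claim confirmed against ots-memory-stream.h. The `static_cast<void*>(buffer)` is redundant, since the array converts to `void*` implicitly. Because `buffer` is static and reused across inputs, leftover bytes from an earlier run are visible to the next one; that is fine as long as Process never reads back from the stream, which is worth confirming too.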
diff --git a/projects/ots/ots_fuzzer.options b/projects/ots/ots_fuzzer.options
new file mode 100644
index 00000000..dc3492cb
--- /dev/null
+++ b/projects/ots/ots_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 16800
diff --git a/projects/ots/seed_corpus/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf b/projects/ots/seed_corpus/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf
new file mode 100644
index 00000000..20360311
--- /dev/null
+++ b/projects/ots/seed_corpus/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/051d92f8bc6ff724511b296c27623f824de256e9.ttf b/projects/ots/seed_corpus/051d92f8bc6ff724511b296c27623f824de256e9.ttf
new file mode 100644
index 00000000..419f8f3d
--- /dev/null
+++ b/projects/ots/seed_corpus/051d92f8bc6ff724511b296c27623f824de256e9.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/07f054357ff8638bac3711b422a1e31180bba863.ttf b/projects/ots/seed_corpus/07f054357ff8638bac3711b422a1e31180bba863.ttf
new file mode 100644
index 00000000..fcd4f323
--- /dev/null
+++ b/projects/ots/seed_corpus/07f054357ff8638bac3711b422a1e31180bba863.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/191826b9643e3f124d865d617ae609db6a2ce203.ttf b/projects/ots/seed_corpus/191826b9643e3f124d865d617ae609db6a2ce203.ttf
new file mode 100644
index 00000000..dbc6e268
--- /dev/null
+++ b/projects/ots/seed_corpus/191826b9643e3f124d865d617ae609db6a2ce203.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/1a6f1687b7a221f9f2c834b0b360d3c8463b6daf.ttf b/projects/ots/seed_corpus/1a6f1687b7a221f9f2c834b0b360d3c8463b6daf.ttf
new file mode 100644
index 00000000..c71e85a8
--- /dev/null
+++ b/projects/ots/seed_corpus/1a6f1687b7a221f9f2c834b0b360d3c8463b6daf.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/1c04a16f32a39c26c851b7fc014d2e8d298ba2b8.ttf b/projects/ots/seed_corpus/1c04a16f32a39c26c851b7fc014d2e8d298ba2b8.ttf
new file mode 100644
index 00000000..26d19ade
--- /dev/null
+++ b/projects/ots/seed_corpus/1c04a16f32a39c26c851b7fc014d2e8d298ba2b8.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/1c2c3fc37b2d4c3cb2ef726c6cdaaabd4b7f3eb9.ttf b/projects/ots/seed_corpus/1c2c3fc37b2d4c3cb2ef726c6cdaaabd4b7f3eb9.ttf
new file mode 100644
index 00000000..213e7ced
--- /dev/null
+++ b/projects/ots/seed_corpus/1c2c3fc37b2d4c3cb2ef726c6cdaaabd4b7f3eb9.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/1c2fb74c1b2aa173262734c1f616148f1648cfd6.ttf b/projects/ots/seed_corpus/1c2fb74c1b2aa173262734c1f616148f1648cfd6.ttf
new file mode 100644
index 00000000..72106585
--- /dev/null
+++ b/projects/ots/seed_corpus/1c2fb74c1b2aa173262734c1f616148f1648cfd6.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/205edd09bd3d141cc9580f650109556cc28b22cb.ttf b/projects/ots/seed_corpus/205edd09bd3d141cc9580f650109556cc28b22cb.ttf
new file mode 100644
index 00000000..4e0ce0a4
--- /dev/null
+++ b/projects/ots/seed_corpus/205edd09bd3d141cc9580f650109556cc28b22cb.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/226bc2deab3846f1a682085f70c67d0421014144.ttf b/projects/ots/seed_corpus/226bc2deab3846f1a682085f70c67d0421014144.ttf
new file mode 100644
index 00000000..70c0c0a8
--- /dev/null
+++ b/projects/ots/seed_corpus/226bc2deab3846f1a682085f70c67d0421014144.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/270b89df543a7e48e206a2d830c0e10e5265c630.ttf b/projects/ots/seed_corpus/270b89df543a7e48e206a2d830c0e10e5265c630.ttf
new file mode 100644
index 00000000..fc226491
--- /dev/null
+++ b/projects/ots/seed_corpus/270b89df543a7e48e206a2d830c0e10e5265c630.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/298c9e1d955f10f6f72c6915c3c6ff9bf9695cec.ttf b/projects/ots/seed_corpus/298c9e1d955f10f6f72c6915c3c6ff9bf9695cec.ttf
new file mode 100644
index 00000000..0d677a87
--- /dev/null
+++ b/projects/ots/seed_corpus/298c9e1d955f10f6f72c6915c3c6ff9bf9695cec.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/3511ff5c1647150595846ac414c595cccac34f18.ttf b/projects/ots/seed_corpus/3511ff5c1647150595846ac414c595cccac34f18.ttf
new file mode 100644
index 00000000..789abf7a
--- /dev/null
+++ b/projects/ots/seed_corpus/3511ff5c1647150595846ac414c595cccac34f18.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/37033cc5cf37bb223d7355153016b6ccece93b28.ttf b/projects/ots/seed_corpus/37033cc5cf37bb223d7355153016b6ccece93b28.ttf
new file mode 100644
index 00000000..14defeb7
--- /dev/null
+++ b/projects/ots/seed_corpus/37033cc5cf37bb223d7355153016b6ccece93b28.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf b/projects/ots/seed_corpus/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf
new file mode 100644
index 00000000..b284c986
--- /dev/null
+++ b/projects/ots/seed_corpus/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/43979b90b2dd929723cf4fe1715990bcb9c9a56b.ttf b/projects/ots/seed_corpus/43979b90b2dd929723cf4fe1715990bcb9c9a56b.ttf
new file mode 100644
index 00000000..a5c0156c
--- /dev/null
+++ b/projects/ots/seed_corpus/43979b90b2dd929723cf4fe1715990bcb9c9a56b.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/43ef465752be9af900745f72fe29cb853a1401a5.ttf b/projects/ots/seed_corpus/43ef465752be9af900745f72fe29cb853a1401a5.ttf
new file mode 100644
index 00000000..649c156a
--- /dev/null
+++ b/projects/ots/seed_corpus/43ef465752be9af900745f72fe29cb853a1401a5.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/45855bc8d46332b39c4ab9e2ee1a26b1f896da6b.ttf b/projects/ots/seed_corpus/45855bc8d46332b39c4ab9e2ee1a26b1f896da6b.ttf
new file mode 100644
index 00000000..6ef470c8
--- /dev/null
+++ b/projects/ots/seed_corpus/45855bc8d46332b39c4ab9e2ee1a26b1f896da6b.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/49c9f7485c1392fa09a1b801bc2ffea79275f22e.ttf b/projects/ots/seed_corpus/49c9f7485c1392fa09a1b801bc2ffea79275f22e.ttf
new file mode 100644
index 00000000..ea1326d2
--- /dev/null
+++ b/projects/ots/seed_corpus/49c9f7485c1392fa09a1b801bc2ffea79275f22e.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/4cce528e99f600ed9c25a2b69e32eb94a03b4ae8.ttf b/projects/ots/seed_corpus/4cce528e99f600ed9c25a2b69e32eb94a03b4ae8.ttf
new file mode 100644
index 00000000..dfaead72
--- /dev/null
+++ b/projects/ots/seed_corpus/4cce528e99f600ed9c25a2b69e32eb94a03b4ae8.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/5028afb650b1bb718ed2131e872fbcce57828fff.ttf b/projects/ots/seed_corpus/5028afb650b1bb718ed2131e872fbcce57828fff.ttf
new file mode 100644
index 00000000..8fb2f162
--- /dev/null
+++ b/projects/ots/seed_corpus/5028afb650b1bb718ed2131e872fbcce57828fff.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/56cfd0e18d07f41c38e9598545a6d369127fc6f9.ttf b/projects/ots/seed_corpus/56cfd0e18d07f41c38e9598545a6d369127fc6f9.ttf
new file mode 100644
index 00000000..4795238b
--- /dev/null
+++ b/projects/ots/seed_corpus/56cfd0e18d07f41c38e9598545a6d369127fc6f9.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/57a9d9f83020155cbb1d2be1f43d82388cbecc88.ttf b/projects/ots/seed_corpus/57a9d9f83020155cbb1d2be1f43d82388cbecc88.ttf
new file mode 100644
index 00000000..746fc603
--- /dev/null
+++ b/projects/ots/seed_corpus/57a9d9f83020155cbb1d2be1f43d82388cbecc88.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf b/projects/ots/seed_corpus/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf
new file mode 100644
index 00000000..9b4d23f5
--- /dev/null
+++ b/projects/ots/seed_corpus/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/641bd9db850193064d17575053ae2bf8ec149ddc.ttf b/projects/ots/seed_corpus/641bd9db850193064d17575053ae2bf8ec149ddc.ttf
new file mode 100644
index 00000000..66cefd4d
--- /dev/null
+++ b/projects/ots/seed_corpus/641bd9db850193064d17575053ae2bf8ec149ddc.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/6466d38c62e73a39202435a4f73bf5d6acbb73c0.ttf b/projects/ots/seed_corpus/6466d38c62e73a39202435a4f73bf5d6acbb73c0.ttf
new file mode 100644
index 00000000..33c4229c
--- /dev/null
+++ b/projects/ots/seed_corpus/6466d38c62e73a39202435a4f73bf5d6acbb73c0.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/6ff0fbead4462d9f229167b4e6839eceb8465058.ttf b/projects/ots/seed_corpus/6ff0fbead4462d9f229167b4e6839eceb8465058.ttf
new file mode 100644
index 00000000..67be5258
--- /dev/null
+++ b/projects/ots/seed_corpus/6ff0fbead4462d9f229167b4e6839eceb8465058.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/706c5d7b625f207bc0d874c67237aad6f1e9cd6f.ttf b/projects/ots/seed_corpus/706c5d7b625f207bc0d874c67237aad6f1e9cd6f.ttf
new file mode 100644
index 00000000..eb5c50c6
--- /dev/null
+++ b/projects/ots/seed_corpus/706c5d7b625f207bc0d874c67237aad6f1e9cd6f.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf b/projects/ots/seed_corpus/757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf
new file mode 100644
index 00000000..bbe22370
--- /dev/null
+++ b/projects/ots/seed_corpus/757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/7a37dc4d5bf018456aea291cee06daf004c0221c.ttf b/projects/ots/seed_corpus/7a37dc4d5bf018456aea291cee06daf004c0221c.ttf
new file mode 100644
index 00000000..a5787a8c
--- /dev/null
+++ b/projects/ots/seed_corpus/7a37dc4d5bf018456aea291cee06daf004c0221c.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/7e14e7883ed152baa158b80e207b66114c823a8b.ttf b/projects/ots/seed_corpus/7e14e7883ed152baa158b80e207b66114c823a8b.ttf
new file mode 100644
index 00000000..27efd7c9
--- /dev/null
+++ b/projects/ots/seed_corpus/7e14e7883ed152baa158b80e207b66114c823a8b.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/7ef276fc886ea502a03b9b0e5c8b547d5dc2b61c.ttf b/projects/ots/seed_corpus/7ef276fc886ea502a03b9b0e5c8b547d5dc2b61c.ttf
new file mode 100644
index 00000000..fb4534ab
--- /dev/null
+++ b/projects/ots/seed_corpus/7ef276fc886ea502a03b9b0e5c8b547d5dc2b61c.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/8099955657a54e9ee38a6ba1d6f950ce58e3cc25.ttf b/projects/ots/seed_corpus/8099955657a54e9ee38a6ba1d6f950ce58e3cc25.ttf
new file mode 100644
index 00000000..6bb13bd5
--- /dev/null
+++ b/projects/ots/seed_corpus/8099955657a54e9ee38a6ba1d6f950ce58e3cc25.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf b/projects/ots/seed_corpus/813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf
new file mode 100644
index 00000000..b728b277
--- /dev/null
+++ b/projects/ots/seed_corpus/813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf b/projects/ots/seed_corpus/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
new file mode 100644
index 00000000..8eed14d9
--- /dev/null
+++ b/projects/ots/seed_corpus/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/8454d22037f892e76614e1645d066689a0200e61.ttf b/projects/ots/seed_corpus/8454d22037f892e76614e1645d066689a0200e61.ttf
new file mode 100644
index 00000000..2cbb67a4
--- /dev/null
+++ b/projects/ots/seed_corpus/8454d22037f892e76614e1645d066689a0200e61.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf b/projects/ots/seed_corpus/8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf
new file mode 100644
index 00000000..875c6998
--- /dev/null
+++ b/projects/ots/seed_corpus/8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/a34a7b00f22ffb5fd7eef6933b81c7e71bc2cdfb.ttf b/projects/ots/seed_corpus/a34a7b00f22ffb5fd7eef6933b81c7e71bc2cdfb.ttf
new file mode 100644
index 00000000..74fceec8
--- /dev/null
+++ b/projects/ots/seed_corpus/a34a7b00f22ffb5fd7eef6933b81c7e71bc2cdfb.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/a919b33197965846f21074b24e30250d67277bce.ttf b/projects/ots/seed_corpus/a919b33197965846f21074b24e30250d67277bce.ttf
new file mode 100644
index 00000000..d2f116ef
--- /dev/null
+++ b/projects/ots/seed_corpus/a919b33197965846f21074b24e30250d67277bce.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/a98e908e2ed21b22228ea59ebcc0f05034c86f2e.ttf b/projects/ots/seed_corpus/a98e908e2ed21b22228ea59ebcc0f05034c86f2e.ttf
new file mode 100644
index 00000000..8bbddb12
--- /dev/null
+++ b/projects/ots/seed_corpus/a98e908e2ed21b22228ea59ebcc0f05034c86f2e.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/b9e2aaa0d75fcef6971ec3a96d806ba4a6b31fe2.ttf b/projects/ots/seed_corpus/b9e2aaa0d75fcef6971ec3a96d806ba4a6b31fe2.ttf
new file mode 100644
index 00000000..500276df
--- /dev/null
+++ b/projects/ots/seed_corpus/b9e2aaa0d75fcef6971ec3a96d806ba4a6b31fe2.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/bb0c53752e85c3d28973ebc913287b8987d3dfe8.ttf b/projects/ots/seed_corpus/bb0c53752e85c3d28973ebc913287b8987d3dfe8.ttf
new file mode 100644
index 00000000..3b7c4707
--- /dev/null
+++ b/projects/ots/seed_corpus/bb0c53752e85c3d28973ebc913287b8987d3dfe8.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/bb9473d2403488714043bcfb946c9f78b86ad627.ttf b/projects/ots/seed_corpus/bb9473d2403488714043bcfb946c9f78b86ad627.ttf
new file mode 100644
index 00000000..b16dae6c
--- /dev/null
+++ b/projects/ots/seed_corpus/bb9473d2403488714043bcfb946c9f78b86ad627.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/c4e48b0886ef460f532fb49f00047ec92c432ec0.ttf b/projects/ots/seed_corpus/c4e48b0886ef460f532fb49f00047ec92c432ec0.ttf
new file mode 100644
index 00000000..99cda169
--- /dev/null
+++ b/projects/ots/seed_corpus/c4e48b0886ef460f532fb49f00047ec92c432ec0.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/cc5f3d2d717fb6bd4dfae1c16d48a2cb8e12233b.ttf b/projects/ots/seed_corpus/cc5f3d2d717fb6bd4dfae1c16d48a2cb8e12233b.ttf
new file mode 100644
index 00000000..a48d2a68
--- /dev/null
+++ b/projects/ots/seed_corpus/cc5f3d2d717fb6bd4dfae1c16d48a2cb8e12233b.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/d629e7fedc0b350222d7987345fe61613fa3929a.ttf b/projects/ots/seed_corpus/d629e7fedc0b350222d7987345fe61613fa3929a.ttf
new file mode 100644
index 00000000..e674a78b
--- /dev/null
+++ b/projects/ots/seed_corpus/d629e7fedc0b350222d7987345fe61613fa3929a.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/df768b9c257e0c9c35786c47cae15c46571d56be.ttf b/projects/ots/seed_corpus/df768b9c257e0c9c35786c47cae15c46571d56be.ttf
new file mode 100644
index 00000000..c6d8b18e
--- /dev/null
+++ b/projects/ots/seed_corpus/df768b9c257e0c9c35786c47cae15c46571d56be.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/e207635780b42f898d58654b65098763e340f5c7.ttf b/projects/ots/seed_corpus/e207635780b42f898d58654b65098763e340f5c7.ttf
new file mode 100644
index 00000000..d91df572
--- /dev/null
+++ b/projects/ots/seed_corpus/e207635780b42f898d58654b65098763e340f5c7.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/ef86fe710cfea877bbe0dbb6946a1f88d0661031.ttf b/projects/ots/seed_corpus/ef86fe710cfea877bbe0dbb6946a1f88d0661031.ttf
new file mode 100644
index 00000000..629c470c
--- /dev/null
+++ b/projects/ots/seed_corpus/ef86fe710cfea877bbe0dbb6946a1f88d0661031.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/f22416c692720a7d46fadf4af99f4c9e094f00b9.ttf b/projects/ots/seed_corpus/f22416c692720a7d46fadf4af99f4c9e094f00b9.ttf
new file mode 100644
index 00000000..1dbadde4
--- /dev/null
+++ b/projects/ots/seed_corpus/f22416c692720a7d46fadf4af99f4c9e094f00b9.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/f499fbc23865022234775c43503bba2e63978fe1.ttf b/projects/ots/seed_corpus/f499fbc23865022234775c43503bba2e63978fe1.ttf
new file mode 100644
index 00000000..3c605934
--- /dev/null
+++ b/projects/ots/seed_corpus/f499fbc23865022234775c43503bba2e63978fe1.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/f518eb6f6b5eec2946c9fbbbde44e45d46f5e2ac.ttf b/projects/ots/seed_corpus/f518eb6f6b5eec2946c9fbbbde44e45d46f5e2ac.ttf
new file mode 100644
index 00000000..039f5e8a
--- /dev/null
+++ b/projects/ots/seed_corpus/f518eb6f6b5eec2946c9fbbbde44e45d46f5e2ac.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/fab39d60d758cb586db5a504f218442cd1395725.ttf b/projects/ots/seed_corpus/fab39d60d758cb586db5a504f218442cd1395725.ttf
new file mode 100644
index 00000000..451ed047
--- /dev/null
+++ b/projects/ots/seed_corpus/fab39d60d758cb586db5a504f218442cd1395725.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/fbb6c84c9e1fe0c39e152fbe845e51fd81f6748e.ttf b/projects/ots/seed_corpus/fbb6c84c9e1fe0c39e152fbe845e51fd81f6748e.ttf
new file mode 100644
index 00000000..d49432dd
--- /dev/null
+++ b/projects/ots/seed_corpus/fbb6c84c9e1fe0c39e152fbe845e51fd81f6748e.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/fcdcffbdf1c4c97c05308d7600e4c283eb47dbca.ttf b/projects/ots/seed_corpus/fcdcffbdf1c4c97c05308d7600e4c283eb47dbca.ttf
new file mode 100644
index 00000000..c4e0253c
--- /dev/null
+++ b/projects/ots/seed_corpus/fcdcffbdf1c4c97c05308d7600e4c283eb47dbca.ttf
Binary files differ
diff --git a/projects/ots/seed_corpus/ffa0f5d2d9025486d8469d8b1fdd983e7632499b.ttf b/projects/ots/seed_corpus/ffa0f5d2d9025486d8469d8b1fdd983e7632499b.ttf
new file mode 100644
index 00000000..224dbc63
--- /dev/null
+++ b/projects/ots/seed_corpus/ffa0f5d2d9025486d8469d8b1fdd983e7632499b.ttf
Binary files differ
diff --git a/projects/ots/target.yaml b/projects/ots/target.yaml
new file mode 100644
index 00000000..0a12f123
--- /dev/null
+++ b/projects/ots/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/khaledhosny/ots"
diff --git a/projects/pcre2/Dockerfile b/projects/pcre2/Dockerfile
new file mode 100644
index 00000000..a9fb74de
--- /dev/null
+++ b/projects/pcre2/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER kcc@google.com
+RUN apt-get install -y make autoconf automake libtool subversion
+
+RUN svn co svn://vcs.exim.org/pcre2/code/trunk pcre2
+COPY build.sh $SRC/
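Review bot: The `svn co svn://vcs.exim.org/pcre2/code/trunk pcre2` line fetches the source over the unauthenticated `svn://` transport, so the build container trusts whatever the network delivers and nothing records which revision was built. Tracking trunk is the point of a fuzzing build, but if the project offers an authenticated transport it should be preferred, and logging the checked-out revision (for example with `svn info` after the checkout) would let a finding be tied to a specific revision.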
diff --git a/projects/pcre2/build.sh b/projects/pcre2/build.sh
new file mode 100755
index 00000000..fdcec503
--- /dev/null
+++ b/projects/pcre2/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd pcre2
+
+# build the library.
+./autogen.sh
+./configure --enable-fuzz-support --enable-never-backslash-C --with-match-limit=1000 --with-match-limit-recursion=1000
+make -j$(nproc) clean all
+
+# Build the target.
+$CXX $CXXFLAGS -o $OUT/pcre2_fuzzer \
+ -lfuzzer .libs/libpcre2-fuzzsupport.a .libs/libpcre2-8.a
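Review bot: `make -j$(nproc) clean all` runs `clean` and `all` as two goals of a single parallel make, and GNU make does not guarantee that separate goals are serialized under `-j`, so `clean` can remove objects that `all` is producing at the same time; `make clean && make -j$(nproc) all` removes the race. The `--with-match-limit=1000 --with-match-limit-recursion=1000` configure options also deserve a one-line comment explaining why the limits are lowered (presumably to keep pathological patterns from timing out under the fuzzer) so a maintainer does not mistake them for the library's normal configuration.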
diff --git a/projects/pcre2/target.yaml b/projects/pcre2/target.yaml
new file mode 100644
index 00000000..fa9c01a0
--- /dev/null
+++ b/projects/pcre2/target.yaml
@@ -0,0 +1,2 @@
+homepage: "http://www.pcre.org/"
+primary_contact: "philip.hazel@gmail.com"
diff --git a/projects/re2/Dockerfile b/projects/re2/Dockerfile
new file mode 100644
index 00000000..13893cb3
--- /dev/null
+++ b/projects/re2/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER wrengr@chromium.org
+RUN apt-get install -y make autoconf automake libtool
+
+RUN git clone https://code.googlesource.com/re2
+WORKDIR re2
+COPY build.sh re2_fuzzer.* $SRC/
diff --git a/projects/re2/build.sh b/projects/re2/build.sh
new file mode 100755
index 00000000..066049dc
--- /dev/null
+++ b/projects/re2/build.sh
@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# First, build the re2 library.
+# N.B., we don't follow the standard incantation for building re2
+# (i.e., `make && make test && make install && make testinstall`),
+# because some of the targets doesn't use $CXXFLAGS properly, which
+# causes compilation to fail. The obj/libre2.a target is all we
+# really need for our fuzzer, so that's all we build. Hopefully
+# this won't cause the fuzzer to fail erroneously due to not running
+# upstream's tests first to be sure things compiled correctly.
+make clean
+make -j$(nproc) obj/libre2.a
+
+
+# Second, build our fuzzers.
+$CXX $CXXFLAGS -std=c++11 -I. \
+ $SRC/re2_fuzzer.cc -o $OUT/re2_fuzzer \
+ -lfuzzer ./obj/libre2.a
+
+cp $SRC/*.options $OUT/
diff --git a/projects/re2/re2_fuzzer.cc b/projects/re2/re2_fuzzer.cc
new file mode 100644
index 00000000..9c16462a
--- /dev/null
+++ b/projects/re2/re2_fuzzer.cc
@@ -0,0 +1,87 @@
+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <string>
+
+#include "re2/re2.h"
+#include "util/logging.h"
+
+using std::string;
+
+void Test(const string& buffer, const string& pattern,
+ const RE2::Options& options) {
+ RE2 re(pattern, options);
+ if (!re.ok())
+ return;
+
+ string m1, m2;
+ int i1, i2;
+ double d1;
+
+ if (re.NumberOfCapturingGroups() == 0) {
+ RE2::FullMatch(buffer, re);
+ RE2::PartialMatch(buffer, re);
+ } else if (re.NumberOfCapturingGroups() == 1) {
+ RE2::FullMatch(buffer, re, &m1);
+ RE2::PartialMatch(buffer, re, &i1);
+ } else if (re.NumberOfCapturingGroups() == 2) {
+ RE2::FullMatch(buffer, re, &i1, &i2);
+ RE2::PartialMatch(buffer, re, &m1, &m2);
+ }
+
+ re2::StringPiece input(buffer);
+ RE2::Consume(&input, re, &m1);
+ RE2::FindAndConsume(&input, re, &d1);
+ string tmp1(buffer);
+ RE2::Replace(&tmp1, re, "zz");
+ string tmp2(buffer);
+ RE2::GlobalReplace(&tmp2, re, "xx");
+ RE2::QuoteMeta(re2::StringPiece(pattern));
+}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ if (size < 1)
+ return 0;
+
+ RE2::Options options;
+
+ size_t options_randomizer = 0;
+ for (size_t i = 0; i < size; i++)
+ options_randomizer += data[i];
+
+ if (options_randomizer & 1)
+ options.set_encoding(RE2::Options::EncodingLatin1);
+
+ options.set_posix_syntax(options_randomizer & 2);
+ options.set_longest_match(options_randomizer & 4);
+ options.set_literal(options_randomizer & 8);
+ options.set_never_nl(options_randomizer & 16);
+ options.set_dot_nl(options_randomizer & 32);
+ options.set_never_capture(options_randomizer & 64);
+ options.set_case_sensitive(options_randomizer & 128);
+ options.set_perl_classes(options_randomizer & 256);
+ options.set_word_boundary(options_randomizer & 512);
+ options.set_one_line(options_randomizer & 1024);
+
+ options.set_log_errors(false);
+
+ const char* data_input = reinterpret_cast<const char*>(data);
+ {
+ string pattern(data_input, size);
+ string buffer(data_input, size);
+ Test(buffer, pattern, options);
+ }
+
+ if (size >= 3) {
+ string pattern(data_input, size / 3);
+ string buffer(data_input + size / 3, size - size / 3);
+ Test(buffer, pattern, options);
+ }
+
+ return 0;
+}
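Review bot: In `LLVMFuzzerTestOneInput`, `options_randomizer` is the sum of every input byte, so any single-byte mutation of the pattern or subject also flips the RE2 options, which couples the two and makes it hard for the fuzzer to attribute new coverage to a change in either; taking the option bits from a fixed prefix (for example the first one or two bytes) and using the remainder as pattern/subject keeps them independent. `Test` is only used in this translation unit and could be `static` or placed in an anonymous namespace. `i1`, `i2` and `d1` are declared uninitialized; here they are only written through the match out-parameters, but initializing them (`int i1 = 0, i2 = 0; double d1 = 0;`) makes that obvious. The `util/logging.h` include appears unused in this file.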
diff --git a/projects/re2/re2_fuzzer.options b/projects/re2/re2_fuzzer.options
new file mode 100644
index 00000000..ea2785e1
--- /dev/null
+++ b/projects/re2/re2_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 32
diff --git a/projects/re2/target.yaml b/projects/re2/target.yaml
new file mode 100644
index 00000000..e35d7154
--- /dev/null
+++ b/projects/re2/target.yaml
@@ -0,0 +1 @@
+homepage: "https://code.googlesource.com/re2"
diff --git a/projects/sqlite3/Dockerfile b/projects/sqlite3/Dockerfile
new file mode 100644
index 00000000..32a74419
--- /dev/null
+++ b/projects/sqlite3/Dockerfile
@@ -0,0 +1,31 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER tanin@google.com
+RUN apt-get install -y make autoconf automake libtool fossil tcl
+
+# We won't be able to poll fossil for changes, so this will build
+# only once a day.
+RUN mkdir $SRC/sqlite3 && \
+ cd $SRC/sqlite3 && \
+ fossil clone https://www.sqlite.org/src sqlite --user `whoami` && \
+ fossil open sqlite
+
+RUN find $SRC/sqlite3 -name "*.test" | xargs zip $SRC/ossfuzz_seed_corpus.zip
+
+WORKDIR sqlite3
+COPY build.sh *.dict *.options $SRC/
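Review bot: `find $SRC/sqlite3 -name "*.test" | xargs zip $SRC/ossfuzz_seed_corpus.zip` splits file names on whitespace, so any `.test` path containing a space would be passed to `zip` as separate arguments; `find ... -print0 | xargs -0 zip ...` handles arbitrary names. The seed corpus is also built once at image-build time from the same fossil checkout, which is fine here but worth a comment since the corpus and the source are only consistent within one image build.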
diff --git a/projects/sqlite3/build.sh b/projects/sqlite3/build.sh
new file mode 100755
index 00000000..5a0bbbf1
--- /dev/null
+++ b/projects/sqlite3/build.sh
@@ -0,0 +1,38 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir bld
+cd bld
+
+export ASAN_OPTIONS=detect_leaks=0
+# Limit max length of data blobs and sql queries to prevent irrelevant OOMs.
+export CFLAGS="$CFLAGS -DSQLITE_MAX_LENGTH=128000000 \
+ -DSQLITE_MAX_SQL_LENGTH=128000000 \
+ -DSQLITE_PRINTF_PRECISION_LIMIT=128000000"
+../configure
+make -j$(nproc)
+make sqlite3.c
+
+$CC $CCFLAGS -I. -c \
+ $SRC/sqlite3/test/ossfuzz.c -o $SRC/sqlite3/test/ossfuzz.o
+
+$CXX $CXXFLAGS \
+ $SRC/sqlite3/test/ossfuzz.o -o $OUT/ossfuzz \
+ -lfuzzer ./sqlite3.o
+
+cp $SRC/*.options $SRC/*.dict $SRC/*.zip $OUT/
+
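Review bot: The compile line `$CC $CCFLAGS -I. -c ...` reads `CCFLAGS`, but the variable this script exports a few lines earlier is `CFLAGS`; under `#!/bin/bash -eu` an unset `CCFLAGS` aborts the build, and if the base image does define it, the sanitizer flags and the `SQLITE_MAX_*` defines just added to `CFLAGS` never reach `ossfuzz.c`. `$CC $CFLAGS -I. -c \` looks like the intended line. Separately, `export ASAN_OPTIONS=detect_leaks=0` only affects processes started by this build script; if leak detection is meant to be off while the fuzzer runs, that belongs in the fuzzer's runtime configuration rather than here.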
diff --git a/projects/sqlite3/ossfuzz.options b/projects/sqlite3/ossfuzz.options
new file mode 100644
index 00000000..c1b50658
--- /dev/null
+++ b/projects/sqlite3/ossfuzz.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = sql.dict
diff --git a/projects/sqlite3/sql.dict b/projects/sqlite3/sql.dict
new file mode 100644
index 00000000..bf522cc4
--- /dev/null
+++ b/projects/sqlite3/sql.dict
@@ -0,0 +1,282 @@
+#
+# AFL dictionary for SQL
+# ----------------------
+#
+# Modeled based on SQLite documentation, contains some number of SQLite
+# extensions. Other dialects of SQL may benefit from customized dictionaries.
+#
+# If you append @1 to the file name when loading this dictionary, afl-fuzz
+# will also additionally load a selection of pragma keywords that are very
+# specific to SQLite (and are probably less interesting from the security
+# standpoint, because they are usually not allowed in non-privileged
+# contexts).
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+function_abs=" abs(1)"
+function_avg=" avg(1)"
+function_changes=" changes()"
+function_char=" char(1)"
+function_coalesce=" coalesce(1,1)"
+function_count=" count(1)"
+function_date=" date(1,1,1)"
+function_datetime=" datetime(1,1,1)"
+function_decimal=" decimal(1,1)"
+function_glob=" glob(1,1)"
+function_group_concat=" group_concat(1,1)"
+function_hex=" hex(1)"
+function_ifnull=" ifnull(1,1)"
+function_instr=" instr(1,1)"
+function_julianday=" julianday(1,1,1)"
+function_last_insert_rowid=" last_insert_rowid()"
+function_length=" length(1)"
+function_like=" like(1,1)"
+function_likelihood=" likelihood(1,1)"
+function_likely=" likely(1)"
+function_load_extension=" load_extension(1,1)"
+function_lower=" lower(1)"
+function_ltrim=" ltrim(1,1)"
+function_max=" max(1,1)"
+function_min=" min(1,1)"
+function_nullif=" nullif(1,1)"
+function_printf=" printf(1,1)"
+function_quote=" quote(1)"
+function_random=" random()"
+function_randomblob=" randomblob(1)"
+function_replace=" replace(1,1,1)"
+function_round=" round(1,1)"
+function_rtrim=" rtrim(1,1)"
+function_soundex=" soundex(1)"
+function_sqlite_compileoption_get=" sqlite_compileoption_get(1)"
+function_sqlite_compileoption_used=" sqlite_compileoption_used(1)"
+function_sqlite_source_id=" sqlite_source_id()"
+function_sqlite_version=" sqlite_version()"
+function_strftime=" strftime(1,1,1,1)"
+function_substr=" substr(1,1,1)"
+function_sum=" sum(1)"
+function_time=" time(1,1,1)"
+function_total=" total(1)"
+function_total_changes=" total_changes()"
+function_trim=" trim(1,1)"
+function_typeof=" typeof(1)"
+function_unicode=" unicode(1)"
+function_unlikely=" unlikely(1)"
+function_upper=" upper(1)"
+function_varchar=" varchar(1)"
+function_zeroblob=" zeroblob(1)"
+
+keyword_ABORT="ABORT"
+keyword_ACTION="ACTION"
+keyword_ADD="ADD"
+keyword_AFTER="AFTER"
+keyword_ALL="ALL"
+keyword_ALTER="ALTER"
+keyword_ANALYZE="ANALYZE"
+keyword_AND="AND"
+keyword_AS="AS"
+keyword_ASC="ASC"
+keyword_ATTACH="ATTACH"
+keyword_AUTOINCREMENT="AUTOINCREMENT"
+keyword_BEFORE="BEFORE"
+keyword_BEGIN="BEGIN"
+keyword_BETWEEN="BETWEEN"
+keyword_BY="BY"
+keyword_CASCADE="CASCADE"
+keyword_CASE="CASE"
+keyword_CAST="CAST"
+keyword_CHECK="CHECK"
+keyword_COLLATE="COLLATE"
+keyword_COLUMN="COLUMN"
+keyword_COMMIT="COMMIT"
+keyword_CONFLICT="CONFLICT"
+keyword_CONSTRAINT="CONSTRAINT"
+keyword_CREATE="CREATE"
+keyword_CROSS="CROSS"
+keyword_CURRENT_DATE="CURRENT_DATE"
+keyword_CURRENT_TIME="CURRENT_TIME"
+keyword_CURRENT_TIMESTAMP="CURRENT_TIMESTAMP"
+keyword_DATABASE="DATABASE"
+keyword_DEFAULT="DEFAULT"
+keyword_DEFERRABLE="DEFERRABLE"
+keyword_DEFERRED="DEFERRED"
+keyword_DELETE="DELETE"
+keyword_DESC="DESC"
+keyword_DETACH="DETACH"
+keyword_DISTINCT="DISTINCT"
+keyword_DROP="DROP"
+keyword_EACH="EACH"
+keyword_ELSE="ELSE"
+keyword_END="END"
+keyword_ESCAPE="ESCAPE"
+keyword_EXCEPT="EXCEPT"
+keyword_EXCLUSIVE="EXCLUSIVE"
+keyword_EXISTS="EXISTS"
+keyword_EXPLAIN="EXPLAIN"
+keyword_FAIL="FAIL"
+keyword_FOR="FOR"
+keyword_FOREIGN="FOREIGN"
+keyword_FROM="FROM"
+keyword_FULL="FULL"
+keyword_GLOB="GLOB"
+keyword_GROUP="GROUP"
+keyword_HAVING="HAVING"
+keyword_IF="IF"
+keyword_IGNORE="IGNORE"
+keyword_IMMEDIATE="IMMEDIATE"
+keyword_IN="IN"
+keyword_INDEX="INDEX"
+keyword_INDEXED="INDEXED"
+keyword_INITIALLY="INITIALLY"
+keyword_INNER="INNER"
+keyword_INSERT="INSERT"
+keyword_INSTEAD="INSTEAD"
+keyword_INTERSECT="INTERSECT"
+keyword_INTO="INTO"
+keyword_IS="IS"
+keyword_ISNULL="ISNULL"
+keyword_JOIN="JOIN"
+keyword_KEY="KEY"
+keyword_LEFT="LEFT"
+keyword_LIKE="LIKE"
+keyword_LIMIT="LIMIT"
+keyword_MATCH="MATCH"
+keyword_NATURAL="NATURAL"
+keyword_NO="NO"
+keyword_NOT="NOT"
+keyword_NOTNULL="NOTNULL"
+keyword_NULL="NULL"
+keyword_OF="OF"
+keyword_OFFSET="OFFSET"
+keyword_ON="ON"
+keyword_OR="OR"
+keyword_ORDER="ORDER"
+keyword_OUTER="OUTER"
+keyword_PLAN="PLAN"
+keyword_PRAGMA="PRAGMA"
+keyword_PRIMARY="PRIMARY"
+keyword_QUERY="QUERY"
+keyword_RAISE="RAISE"
+keyword_RECURSIVE="RECURSIVE"
+keyword_REFERENCES="REFERENCES"
+#keyword_REGEXP="REGEXP"
+keyword_REINDEX="REINDEX"
+keyword_RELEASE="RELEASE"
+keyword_RENAME="RENAME"
+keyword_REPLACE="REPLACE"
+keyword_RESTRICT="RESTRICT"
+keyword_RIGHT="RIGHT"
+keyword_ROLLBACK="ROLLBACK"
+keyword_ROW="ROW"
+keyword_SAVEPOINT="SAVEPOINT"
+keyword_SELECT="SELECT"
+keyword_SET="SET"
+keyword_TABLE="TABLE"
+keyword_TEMP="TEMP"
+keyword_TEMPORARY="TEMPORARY"
+keyword_THEN="THEN"
+keyword_TO="TO"
+keyword_TRANSACTION="TRANSACTION"
+keyword_TRIGGER="TRIGGER"
+keyword_UNION="UNION"
+keyword_UNIQUE="UNIQUE"
+keyword_UPDATE="UPDATE"
+keyword_USING="USING"
+keyword_VACUUM="VACUUM"
+keyword_VALUES="VALUES"
+keyword_VIEW="VIEW"
+keyword_VIRTUAL="VIRTUAL"
+keyword_WHEN="WHEN"
+keyword_WHERE="WHERE"
+keyword_WITH="WITH"
+keyword_WITHOUT="WITHOUT"
+
+operator_concat=" || "
+operator_ebove_eq=" >="
+
+snippet_1eq1=" 1=1"
+snippet_at=" @1"
+snippet_backticks=" `a`"
+snippet_blob=" blob"
+snippet_brackets=" [a]"
+snippet_colon=" :1"
+snippet_comment=" /* */"
+snippet_date="2001-01-01"
+snippet_dollar=" $1"
+snippet_dotref=" a.b"
+snippet_fmtY="%Y"
+snippet_int=" int"
+snippet_neg1=" -1"
+snippet_pair=" a,b"
+snippet_parentheses=" (1)"
+snippet_plus2days="+2 days"
+snippet_qmark=" ?1"
+snippet_semicolon=" ;"
+snippet_star=" *"
+snippet_string_pair=" \"a\",\"b\""
+
+string_dbl_q=" \"a\""
+string_escaped_q=" 'a''b'"
+string_single_q=" 'a'"
+
+pragma_application_id@1=" application_id"
+pragma_auto_vacuum@1=" auto_vacuum"
+pragma_automatic_index@1=" automatic_index"
+pragma_busy_timeout@1=" busy_timeout"
+pragma_cache_size@1=" cache_size"
+pragma_cache_spill@1=" cache_spill"
+pragma_case_sensitive_like@1=" case_sensitive_like"
+pragma_checkpoint_fullfsync@1=" checkpoint_fullfsync"
+pragma_collation_list@1=" collation_list"
+pragma_compile_options@1=" compile_options"
+pragma_count_changes@1=" count_changes"
+pragma_data_store_directory@1=" data_store_directory"
+pragma_database_list@1=" database_list"
+pragma_default_cache_size@1=" default_cache_size"
+pragma_defer_foreign_keys@1=" defer_foreign_keys"
+pragma_empty_result_callbacks@1=" empty_result_callbacks"
+pragma_encoding@1=" encoding"
+pragma_foreign_key_check@1=" foreign_key_check"
+pragma_foreign_key_list@1=" foreign_key_list"
+pragma_foreign_keys@1=" foreign_keys"
+pragma_freelist_count@1=" freelist_count"
+pragma_full_column_names@1=" full_column_names"
+pragma_fullfsync@1=" fullfsync"
+pragma_ignore_check_constraints@1=" ignore_check_constraints"
+pragma_incremental_vacuum@1=" incremental_vacuum"
+pragma_index_info@1=" index_info"
+pragma_index_list@1=" index_list"
+pragma_integrity_check@1=" integrity_check"
+pragma_journal_mode@1=" journal_mode"
+pragma_journal_size_limit@1=" journal_size_limit"
+pragma_legacy_file_format@1=" legacy_file_format"
+pragma_locking_mode@1=" locking_mode"
+pragma_max_page_count@1=" max_page_count"
+pragma_mmap_size@1=" mmap_size"
+pragma_page_count@1=" page_count"
+pragma_page_size@1=" page_size"
+pragma_parser_trace@1=" parser_trace"
+pragma_query_only@1=" query_only"
+pragma_quick_check@1=" quick_check"
+pragma_read_uncommitted@1=" read_uncommitted"
+pragma_recursive_triggers@1=" recursive_triggers"
+pragma_reverse_unordered_selects@1=" reverse_unordered_selects"
+pragma_schema_version@1=" schema_version"
+pragma_secure_delete@1=" secure_delete"
+pragma_short_column_names@1=" short_column_names"
+pragma_shrink_memory@1=" shrink_memory"
+pragma_soft_heap_limit@1=" soft_heap_limit"
+pragma_stats@1=" stats"
+pragma_synchronous@1=" synchronous"
+pragma_table_info@1=" table_info"
+pragma_temp_store@1=" temp_store"
+pragma_temp_store_directory@1=" temp_store_directory"
+pragma_threads@1=" threads"
+pragma_user_version@1=" user_version"
+pragma_vdbe_addoptrace@1=" vdbe_addoptrace"
+pragma_vdbe_debug@1=" vdbe_debug"
+pragma_vdbe_listing@1=" vdbe_listing"
+pragma_vdbe_trace@1=" vdbe_trace"
+pragma_wal_autocheckpoint@1=" wal_autocheckpoint"
+pragma_wal_checkpoint@1=" wal_checkpoint"
+pragma_writable_schema@1=" writable_schema"
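Review bot: The entry `operator_ebove_eq=" >="` has a typo in its key; AFL ignores key names, so it is harmless at runtime, but `operator_above_eq=" >="` keeps the dictionary self-describing. The header comment describes the `@1` level suffix for AFL, yet the `ossfuzz.options` in this commit loads the file through libFuzzer's `dict =`; a one-line comment stating whether libFuzzer honours the `@1` level entries (or simply loads every line) would save the next maintainer from guessing which pragma tokens actually reach the fuzzer.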
diff --git a/projects/sqlite3/target.yaml b/projects/sqlite3/target.yaml
new file mode 100644
index 00000000..ee53bbe4
--- /dev/null
+++ b/projects/sqlite3/target.yaml
@@ -0,0 +1,5 @@
+homepage: "https://sqlite.org/"
+sanitizers:
+ - address
+ - undefined
+
diff --git a/projects/tpm2/Jenkinsfile b/projects/tpm2/Jenkinsfile
new file mode 100644
index 00000000..deb8716a
--- /dev/null
+++ b/projects/tpm2/Jenkinsfile
@@ -0,0 +1,26 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit(
+ 'infra/libfuzzer-pipeline.groovy',
+ 'https://github.com/google/oss-fuzz.git')
+
+libfuzzerBuild {
+ git = "https://chromium.googlesource.com/chromiumos/third_party/tpm2/"
+ // tpm2/ will contain checkout
+ dockerfile = "tpm2/fuzz/Dockerfile"
+ dockerContextDir = "tpm2/"
+}
diff --git a/projects/tpm2/target.yaml b/projects/tpm2/target.yaml
new file mode 100644
index 00000000..d3be9026
--- /dev/null
+++ b/projects/tpm2/target.yaml
@@ -0,0 +1,4 @@
+homepage: "https://chromium.googlesource.com/chromiumos/third_party/tpm2"
+dockerfile:
+ git: "https://chromium.googlesource.com/chromiumos/third_party/tpm2/"
+ path: "fuzz/Dockerfile"
diff --git a/projects/woff2/Dockerfile b/projects/woff2/Dockerfile
new file mode 100644
index 00000000..cf7066fd
--- /dev/null
+++ b/projects/woff2/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool
+
+RUN git clone --recursive https://github.com/google/woff2
+WORKDIR woff2
+COPY build.sh convert_woff2ttf_fuzzer.* $SRC/
diff --git a/projects/woff2/build.sh b/projects/woff2/build.sh
new file mode 100755
index 00000000..6d113559
--- /dev/null
+++ b/projects/woff2/build.sh
@@ -0,0 +1,40 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build the library. Actually there is no 'library' target, so we use .o files.
+# '-no-canonical-prefixes' flag makes clang crazy. Need to avoid it.
+cat brotli/shared.mk | sed -e "s/-no-canonical-prefixes//" \
+> brotli/shared.mk.temp
+mv brotli/shared.mk.temp brotli/shared.mk
+
+cat Makefile | sed -e "s/-no-canonical-prefixes//" \
+> Makefile.temp
+mv Makefile.temp Makefile
+
+# woff2 uses LFLAGS instead of LDFLAGS.
+make -j$(nproc) CC="$CC $CFLAGS" CXX="$CXX $CXXFLAGS" clean all
+
+# To avoid multiple main() definitions.
+rm src/woff2_compress.o src/woff2_decompress.o
+
+# Build the fuzzer.
+fuzzer=convert_woff2ttf_fuzzer
+$CXX $CXXFLAGS -std=c++11 -Isrc \
+ $SRC/$fuzzer.cc -o $OUT/$fuzzer \
+ -lfuzzer src/*.o brotli/dec/*.o brotli/enc/*.o
+
+cp $SRC/*.options $OUT/
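Review bot: The two `cat FILE | sed ... > FILE.temp; mv FILE.temp FILE` sequences are a useless use of cat plus a temp file each; a single `sed -i 's/-no-canonical-prefixes//' brotli/shared.mk Makefile` performs both in-place edits in one line and has no partially-written temp file to leave behind if the script aborts between the redirect and the `mv`. The comment "makes clang crazy" would be more useful if it named the actual symptom (for example, which clang version rejects the flag or what error appears), since that is what a future maintainer needs to decide whether the workaround can be dropped.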
diff --git a/projects/woff2/convert_woff2ttf_fuzzer.cc b/projects/woff2/convert_woff2ttf_fuzzer.cc
new file mode 100644
index 00000000..1c81e32e
--- /dev/null
+++ b/projects/woff2/convert_woff2ttf_fuzzer.cc
@@ -0,0 +1,17 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "woff2_dec.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ std::string buf;
+ woff2::WOFF2StringOut out(&buf);
+ out.SetMaxSize(30 * 1024 * 1024);
+ woff2::ConvertWOFF2ToTTF(data, size, &out);
+ return 0;
+}
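Review bot: `std::string buf;` is used without `#include <string>`; the file currently compiles only because `woff2_dec.h` happens to pull it in transitively, which an upstream header cleanup can break. Add `#include <string>` next to the existing `<stddef.h>`/`<stdint.h>` includes. A one-line comment on `out.SetMaxSize(30 * 1024 * 1024);` stating that this caps the decoded TTF output to keep OOMs out of the results would also help, since the constant is otherwise unexplained.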
diff --git a/projects/woff2/convert_woff2ttf_fuzzer.options b/projects/woff2/convert_woff2ttf_fuzzer.options
new file mode 100644
index 00000000..e5ae71b9
--- /dev/null
+++ b/projects/woff2/convert_woff2ttf_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1000000
diff --git a/projects/woff2/target.yaml b/projects/woff2/target.yaml
new file mode 100644
index 00000000..403d2536
--- /dev/null
+++ b/projects/woff2/target.yaml
@@ -0,0 +1 @@
+homepage: "https://github.com/google/woff2"
diff --git a/projects/zlib/Dockerfile b/projects/zlib/Dockerfile
new file mode 100644
index 00000000..ee844922
--- /dev/null
+++ b/projects/zlib/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER inferno@chromium.org
+RUN apt-get install -y make autoconf automake libtool
+
+RUN git clone https://github.com/madler/zlib.git
+WORKDIR zlib
+COPY build.sh zlib_uncompress_fuzzer.cc $SRC/
diff --git a/projects/zlib/build.sh b/projects/zlib/build.sh
new file mode 100755
index 00000000..50f5cbd9
--- /dev/null
+++ b/projects/zlib/build.sh
@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+
+./configure
+make -j$(nproc) clean all
+
+$CXX $CXXFLAGS -std=c++11 -I. \
+ $SRC/zlib_uncompress_fuzzer.cc -o $OUT/zlib_uncompress_fuzzer \
+ -lfuzzer ./libz.a
diff --git a/projects/zlib/target.yaml b/projects/zlib/target.yaml
new file mode 100644
index 00000000..df8c92fe
--- /dev/null
+++ b/projects/zlib/target.yaml
@@ -0,0 +1 @@
+homepage: "http://www.zlib.net/"
diff --git a/projects/zlib/zlib_uncompress_fuzzer.cc b/projects/zlib/zlib_uncompress_fuzzer.cc
new file mode 100644
index 00000000..808793b8
--- /dev/null
+++ b/projects/zlib/zlib_uncompress_fuzzer.cc
@@ -0,0 +1,21 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "zlib.h"
+
+static Bytef buffer[256 * 1024] = { 0 };
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ uLongf buffer_length = static_cast<uLongf>(sizeof(buffer));
+ if (Z_OK != uncompress(buffer, &buffer_length, data,
+ static_cast<uLong>(size))) {
+ return 0;
+ }
+ return 0;
+}
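Review bot: The `if (Z_OK != uncompress(...)) { return 0; }` guard is redundant because the fall-through path also returns 0, so the return value of `uncompress` is effectively ignored; either drop the conditional and call `uncompress(buffer, &buffer_length, data, static_cast<uLong>(size));` directly, or keep the check and add a comment saying the status is intentionally discarded because any return code is a valid outcome for fuzzed input. `#include <string.h>` is unused in this file. Note that the fixed 256 KiB `buffer` means any input that inflates beyond that size stops with Z_BUF_ERROR, so code paths reached only on larger outputs are presumably not exercised by this harness; a comment on the `buffer` declaration documenting that cap would make the limitation explicit.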