fuzz_parsedate: fuzz date parsing with Curl_getdate_capped

Advenam Tacet · elopez · commit 2ccbc1185106 · 2022-11-02T12:10:49.000-03:00
Real target is function parsedate from parsedate.c
The harness was written by Peter Goodman.
diff --git a/Makefile.am b/Makefile.am
@@ -48,6 +48,7 @@ FUZZPROGS = curl_fuzzer \
  curl_fuzzer_imap \
  curl_fuzzer_ldap \
  curl_fuzzer_mqtt \
+ curl_fuzzer_parsedate \
  curl_fuzzer_pop3 \
  curl_fuzzer_rtmp \
  curl_fuzzer_rtsp \
@@ -150,6 +151,10 @@ curl_fuzzer_doh_SOURCES = fuzz_doh.cc
 curl_fuzzer_doh_CXXFLAGS = $(COMMON_FLAGS) -I$(CURLDIR)
 curl_fuzzer_doh_LDADD = $(COMMON_LDADD)
 
+curl_fuzzer_parsedate_SOURCES = fuzz_parsedate.cc
+curl_fuzzer_parsedate_CXXFLAGS = $(COMMON_FLAGS) -I$(CURLDIR)
+curl_fuzzer_parsedate_LDADD = $(COMMON_LDADD)
+
 # Create the seed corpora zip files.
 zip:
 	BUILD_ROOT=$(PWD) scripts/create_zip.sh
diff --git a/corpora/curl_fuzzer_parsedate/simple b/corpora/curl_fuzzer_parsedate/simple
@@ -0,0 +1 @@
+123456789
diff --git a/fuzz_parsedate.cc b/fuzz_parsedate.cc
@@ -0,0 +1,18 @@
+extern "C"
+{
+  #include <string.h>
+  #include <curl/curl.h>
+  #include <lib/parsedate.h>
+}
+
+// fuzz_target.cc
+
+extern "C" int LLVMFuzzerTestOneInput(char *data, size_t size) {
+  time_t output = 0;
+  char date[100];
+  size_t len = size >= 100 ? 99 : size;
+  memcpy(date, data, len);
+  date[len] = 0;
+  Curl_getdate_capped(date);
+  return 0;  // Values other than 0 and -1 are reserved for future use.
+}
diff --git a/scripts/fuzz_targets b/scripts/fuzz_targets
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh"
+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_parsedate"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`#!/bin/bash`
`2`	`2`
`3`		`-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh"`
	`3`	`+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_parsedate"`