fuzz_url.cc: fuzz the URL parser

Closes #59

Author: bagder

Makefile.am

@@ -36,24 +36,26 @@ LIBS = -lpthread -lm
 LIB_FUZZING_ENGINE ?= libstandaloneengine.a
 
 FUZZPROGS = curl_fuzzer \
-			curl_fuzzer_dict \
-			curl_fuzzer_file \
-			curl_fuzzer_ftp \
-			curl_fuzzer_gopher \
-			curl_fuzzer_http \
-			curl_fuzzer_https \
-			curl_fuzzer_imap \
-			curl_fuzzer_ldap \
-			curl_fuzzer_mqtt \
-			curl_fuzzer_pop3 \
-			curl_fuzzer_rtmp \
-			curl_fuzzer_rtsp \
-			curl_fuzzer_scp \
-			curl_fuzzer_sftp \
-			curl_fuzzer_smb \
-			curl_fuzzer_smtp \
-			curl_fuzzer_ws \
-			curl_fuzzer_tftp
+ curl_fuzzer_dict \
+ curl_fuzzer_file \
+ curl_fuzzer_ftp \
+ curl_fuzzer_gopher \
+ curl_fuzzer_http \
+ curl_fuzzer_https \
+ curl_fuzzer_imap \
+ curl_fuzzer_ldap \
+ curl_fuzzer_mqtt \
+ curl_fuzzer_pop3 \
+ curl_fuzzer_rtmp \
+ curl_fuzzer_rtsp \
+ curl_fuzzer_scp \
+ curl_fuzzer_sftp \
+ curl_fuzzer_smb \
+ curl_fuzzer_smtp \
+ curl_fuzzer_ws \
+ curl_fuzzer_tftp \
+ fuzz_url
+
 FUZZLIBS = libstandaloneengine.a
 
 COMMON_SOURCES = curl_fuzzer.cc curl_fuzzer_tlv.cc curl_fuzzer_callback.cc
@@ -124,6 +126,10 @@ curl_fuzzer_ws_SOURCES = $(COMMON_SOURCES)
 curl_fuzzer_ws_CXXFLAGS = $(COMMON_FLAGS) -DFUZZ_PROTOCOLS_WS
 curl_fuzzer_ws_LDADD = $(COMMON_LDADD)
 
+fuzz_url_SOURCES = fuzz_url.cc
+fuzz_url_CXXFLAGS = $(COMMON_FLAGS)
+fuzz_url_LDADD = $(COMMON_LDADD)
+
 # Unit test fuzzers
 curl_fuzzer_fnmatch_SOURCES = fuzz_fnmatch.cc
 curl_fuzzer_fnmatch_CXXFLAGS = $(COMMON_FLAGS)

corpora/fuzz_url/basictest

@@ -0,0 +1 @@
+http://localhost

fuzz_url.cc

@@ -0,0 +1,56 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2017 - 2022, Max Dymond, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include <stdlib.h>
+#include <stdlib.h>
+#include <string.h>
+#include <curl/curl.h>
+#include "curl_fuzzer.h"
+
+/**
+ * Fuzzing entry point. This function is passed a buffer containing a test
+ * case.  This test case should drive the CURL URL API.
+ */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  CURLU *uh;
+  char *newp;
+
+  uh = curl_url();
+
+  /* it works on a null-terminated string */
+  if(size) {
+    newp = (char *)malloc(size + 1);
+    if(newp) {
+      memcpy(newp, data, size);
+      /* make sure it is zero terminated */
+      newp[size] = 0;
+      curl_url_set(uh, CURLUPART_URL, newp, CURLU_GUESS_SCHEME);
+      free(newp);
+    }
+  }
+  curl_url_cleanup(uh);
+
+  /* This function must always return 0. Non-zero codes are reserved. */
+  return 0;
+}
+

scripts/fuzz_targets

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer"
+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url"