fuzz_escape: fuzzing (un)escape functions

Advenam Tacet · elopez · commit adba93df352a · 2022-11-02T12:10:49.000-03:00
It does check if orginal string and unescaped data are same.

Functions fuzzed:
- curl_easy_escape
- curl_easy_unescape
diff --git a/Makefile.am b/Makefile.am
@@ -40,6 +40,7 @@ FUZZPROGS = curl_fuzzer \
  curl_fuzzer_base64 \
  curl_fuzzer_dict \
  curl_fuzzer_doh \
+ curl_fuzzer_escape \
  curl_fuzzer_file \
  curl_fuzzer_ftp \
  curl_fuzzer_gopher \
@@ -151,6 +152,10 @@ curl_fuzzer_doh_SOURCES = fuzz_doh.cc
 curl_fuzzer_doh_CXXFLAGS = $(COMMON_FLAGS) -I$(CURLDIR)
 curl_fuzzer_doh_LDADD = $(COMMON_LDADD)
 
+curl_fuzzer_escape_SOURCES = fuzz_escape.cc
+curl_fuzzer_escape_CXXFLAGS = $(COMMON_FLAGS) -I$(CURLDIR)
+curl_fuzzer_escape_LDADD = $(COMMON_LDADD)
+
 curl_fuzzer_parsedate_SOURCES = fuzz_parsedate.cc
 curl_fuzzer_parsedate_CXXFLAGS = $(COMMON_FLAGS) -I$(CURLDIR)
 curl_fuzzer_parsedate_LDADD = $(COMMON_LDADD)
diff --git a/corpora/curl_fuzzer_escape/simple b/corpora/curl_fuzzer_escape/simple
@@ -0,0 +1 @@
+!@#$%^&*()_+[]\{}|;':",./<>?
diff --git a/fuzz_escape.cc b/fuzz_escape.cc
@@ -0,0 +1,35 @@
+extern "C"
+{
+    #include <stdlib.h>
+    #include <signal.h>
+    #include <string.h>
+    #include <unistd.h>
+    #include <curl/curl.h>
+    #include <cassert>
+
+    char *curl_escape(const char *string, int inlength);
+}
+
+// fuzz_target.cc
+
+extern "C" int LLVMFuzzerTestOneInput(char *data, size_t size) {
+  if(size == 0) return 0;
+  char* terminated_data = (char *)malloc(size+1);
+  memcpy(terminated_data, data, size);
+  terminated_data[size] = '\0';
+
+  int output_len;
+  char *input = (char *)malloc(size);
+  memcpy(input, terminated_data, size);
+
+  char *escaped = curl_easy_escape(NULL, input, size);
+  char *unescaped = curl_easy_unescape(NULL, escaped, 0, &output_len);
+  assert(size == output_len);
+  assert(memcmp(unescaped, terminated_data, size) == 0);
+
+  free(terminated_data);
+  free(input);
+  curl_free(escaped);
+  curl_free(unescaped);
+  return 0;  // Values other than 0 and -1 are reserved for future use.
+}
diff --git a/scripts/fuzz_targets b/scripts/fuzz_targets
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_parsedate"
+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_escape curl_fuzzer_parsedate"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`#!/bin/bash`
`2`	`2`
`3`		`-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_parsedate"`
	`3`	`+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url curl_fuzzer_altsvc curl_fuzzer_base64 curl_fuzzer_doh curl_fuzzer_escape curl_fuzzer_parsedate"`