fuzz_{base64,altsvc}: fuzz base64 decoder/encoder and Alt-Svc parsing

Author: elopez

.gitignore

@@ -26,6 +26,10 @@ m4/
 Makefile
 Makefile.in
 missing
+/curl_fuzzer_altsvc
+/curl_fuzzer_altsvc_seed_corpus.zip
+/curl_fuzzer_base64
+/curl_fuzzer_base64_seed_corpus.zip
 /curl_fuzzer_dict
 /curl_fuzzer_dict_seed_corpus.zip
 /curl_fuzzer_file

Makefile.am

@@ -36,6 +36,8 @@ LIBS = -lpthread -lm
 LIB_FUZZING_ENGINE ?= libstandaloneengine.a
 
 FUZZPROGS = curl_fuzzer \
+ curl_fuzzer_altsvc \
+ curl_fuzzer_base64 \
  curl_fuzzer_dict \
  curl_fuzzer_file \
  curl_fuzzer_ftp \
@@ -135,6 +137,14 @@ curl_fuzzer_fnmatch_SOURCES = fuzz_fnmatch.cc
 curl_fuzzer_fnmatch_CXXFLAGS = $(COMMON_FLAGS)
 curl_fuzzer_fnmatch_LDADD = $(COMMON_LDADD)
 
+curl_fuzzer_altsvc_SOURCES = fuzz_altsvc.cc
+curl_fuzzer_altsvc_CXXFLAGS = $(COMMON_FLAGS)
+curl_fuzzer_altsvc_LDADD = $(COMMON_LDADD)
+
+curl_fuzzer_base64_SOURCES = fuzz_base64.cc
+curl_fuzzer_base64_CXXFLAGS = $(COMMON_FLAGS)
+curl_fuzzer_base64_LDADD = $(COMMON_LDADD)
+
 # Create the seed corpora zip files.
 zip:
 	BUILD_ROOT=$(PWD) scripts/create_zip.sh

fuzz_altsvc.cc

@@ -0,0 +1,83 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2017, Max Dymond, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+extern "C"
+{
+  #define HAVE_STRUCT_TIMEVAL // HACK to let it compile
+  #include <stdlib.h>
+  #include <signal.h>
+  #include <string.h>
+  #include <unistd.h>
+  #include <inttypes.h>
+  #include <curl/curl.h>
+  #include <assert.h>
+
+  enum alpnid {
+    ALPN_none = 0,
+    ALPN_h1 = CURLALTSVC_H1,
+    ALPN_h2 = CURLALTSVC_H2,
+    ALPN_h3 = CURLALTSVC_H3
+  };
+
+  struct altsvcinfo *Curl_altsvc_init(void);
+  CURLcode Curl_altsvc_parse(struct Curl_easy *data,
+                            struct altsvcinfo *altsvc, const char *value,
+                            enum alpnid srcalpn, const char *srchost,
+                            unsigned short srcport);
+  void Curl_altsvc_cleanup(struct altsvcinfo **altsvc);
+
+}
+
+#include <string>
+
+/* #define DEBUG(STMT)  STMT */
+#define DEBUG(STMT)
+
+
+/**
+ * Fuzzing entry point. This function is passed a buffer containing a test
+ * case.  This test case should drive the CURL fnmatch function.
+ */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  std::string s(reinterpret_cast<const char*>(data), size);
+
+  struct Curl_easy *curl;
+  CURLcode fnrc;
+  struct altsvcinfo *asi;
+
+  asi = Curl_altsvc_init();
+  curl_global_init(CURL_GLOBAL_ALL);
+  curl = (Curl_easy*)curl_easy_init();
+
+  fnrc = Curl_altsvc_parse(curl, asi, s.c_str(), ALPN_h1, "example.com", 1234);
+  (void)fnrc;
+
+  DEBUG(printf("Curl_altsvc_parse returned %d with %s\n", fnrc, s.c_str()));
+  assert(fnrc == CURLE_OK);
+
+  curl_easy_cleanup(curl);
+  Curl_altsvc_cleanup(&asi);
+  curl_global_cleanup();
+
+  return 0;
+}

fuzz_base64.cc

@@ -0,0 +1,98 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2017, Max Dymond, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+extern "C"
+{
+  #include <stdlib.h>
+  #include <signal.h>
+  #include <string.h>
+  #include <unistd.h>
+  #include <inttypes.h>
+  #include <curl/curl.h>
+  #include "curl/lib/curl_base64.h"
+  #include "curl/lib/curl_printf.h"
+  #include "curl/lib/curl_memory.h"
+  #include "curl/lib/memdebug.h"
+  #include <assert.h>
+}
+
+#include <string>
+
+/* #define DEBUG(STMT)  STMT */
+#define DEBUG(STMT)
+
+
+void curl_dbg_free(void *ptr)
+{
+  if(ptr) {
+    void *mem = (void *)((char *)ptr - 8);
+
+    /* free for real */
+    (Curl_cfree)(mem);
+  }
+}
+
+
+/**
+ * Fuzzing entry point. This function is passed a buffer containing a test
+ * case.  This test case should drive the CURL fnmatch function.
+ */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  std::string s(reinterpret_cast<const char*>(data), size);
+  CURLcode fnrc;
+  unsigned char *outptr = NULL, *outptr2 = NULL;
+  char *recodeptr = NULL;
+  size_t inlen = strlen(s.c_str()), outlen, outlen2, recodelen;
+
+  fnrc = Curl_base64_decode(s.c_str(), &outptr, &outlen);
+
+  (void)fnrc;
+  DEBUG(printf("Curl_base64_decode returned %d with %s\n", fnrc, s.c_str()));
+
+  if (fnrc != CURLE_OK)
+    goto EXIT_LABEL;
+
+  fnrc = Curl_base64_encode((const char *)outptr, outlen, &recodeptr, &recodelen);
+
+  if (fnrc != CURLE_OK)
+    goto EXIT_LABEL;
+
+  (void)fnrc;
+  DEBUG(printf("Curl_base64_encode returned %d with %s\n", fnrc, s.c_str()));
+
+  fnrc = Curl_base64_decode(recodeptr, &outptr2, &outlen2);
+
+  DEBUG(printf("Sizes og:%lu decode:%lu recode:%lu decode2:%lu, Strings '%s' '%s'\n", inlen, outlen, recodelen, outlen2, s.c_str(), recodeptr));
+
+  assert(fnrc == CURLE_OK);
+  assert(outlen == outlen2);
+  assert(!memcmp(outptr, outptr2, outlen));
+
+EXIT_LABEL:
+
+  curl_dbg_free(outptr);
+  curl_dbg_free(outptr2);
+  curl_dbg_free(recodeptr);
+
+  return 0;
+}