Split KArchive fuzzer and add dict files (#13633)

amazingakai · web-flow · commit dbc0042a87ef · 2025-07-17T09:58:25.000+01:00
diff --git a/projects/karchive/Dockerfile b/projects/karchive/Dockerfile
@@ -25,5 +25,5 @@ RUN git clone --depth 1 --branch=dev git://code.qt.io/qt/qtbase.git
 RUN git clone --depth 1 --branch=dev git://code.qt.io/qt/qttools.git
 RUN git clone --depth 1 -b master https://invent.kde.org/frameworks/extra-cmake-modules.git
 RUN git clone --depth 1 -b master https://invent.kde.org/frameworks/karchive.git
-COPY build.sh karchive_fuzzer.cc $SRC/
+COPY build.sh karchive_fuzzer.cc karchive_fuzzer_common.h kcompressiondevice_fuzzer.cc dict $SRC/
 WORKDIR $SRC/karchive
diff --git a/projects/karchive/build.sh b/projects/karchive/build.sh
@@ -89,7 +89,40 @@ cmake . -DBUILD_SHARED_LIBS=OFF -DBUILD_TESTING=OFF
 make install -j$(nproc)
 
 # Build karchive_fuzzer
-$CXX $CXXFLAGS -fPIC -std=c++17 $SRC/karchive_fuzzer.cc -o $OUT/karchive_fuzzer -I /usr/include/QtCore/ -I /usr/local/include/KF6/KArchive -lQt6Core -lm -lQt6BundledPcre2 -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libz.a -lKF6Archive /usr/local/lib/libbz2.a -llzma /usr/local/lib/libzstd.a /usr/local/lib64/libcrypto.a
+HANDLER_TYPES="K7Zip 7z karchive_fuzzer
+        KAr ar karchive_fuzzer
+        KTar tar karchive_fuzzer
+        KZip zip karchive_fuzzer
+        GZip tar_gz kcompressiondevice_fuzzer
+        BZip2 tar_bz2 kcompressiondevice_fuzzer
+        Xz tar_xz kcompressiondevice_fuzzer
+        Zstd tar_zst kcompressiondevice_fuzzer
+        Lz tar_lz kcompressiondevice_fuzzer"
 
-cd $SRC
-find . -name "*.gz" -o -name "*.zip" -o -name "*.xz" -o -name "*.tar" -o -name "*.7z" | zip -q $OUT/karchive_fuzzer_seed_corpus.zip -@
+echo "$HANDLER_TYPES" | while read class format source_file; do
+(
+  fuzz_target_name=k${format}_fuzzer
+  fuzz_target_flags="-DHANDLER=$class"
+
+  if [[ "$class" == "K7Zip" ]]; then # KZip in future?
+    fuzz_target_flags+=" -DUSE_PASSWORD"
+  fi
+
+  $CXX $CXXFLAGS -fPIC $fuzz_target_flags -std=c++17 $SRC/$source_file.cc -o $OUT/$fuzz_target_name \
+    -I /usr/include/QtCore/ -I /usr/local/include/KF6/KArchive -lQt6Core -lm -lQt6BundledPcre2 \
+    -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libz.a -lKF6Archive /usr/local/lib/libbz2.a \
+    -llzma /usr/local/lib/libzstd.a /usr/local/lib64/libcrypto.a
+
+  extension="${format/_/.}" # Replace _ with .
+  files=$(find . -name "*.${extension}")
+  if [ -n "$files" ]; then
+    echo "$files" | zip -q $OUT/${fuzz_target_name}_seed_corpus.zip -@
+  else
+    echo "no files found with extension $extension for $fuzz_target_name seed corpus"
+  fi
+
+  if [ -f "$SRC/$fuzz_target_name.dict" ]; then
+    cp "$SRC/$fuzz_target_name.dict" $OUT/
+  fi
+)
+done
diff --git a/projects/karchive/dict/k7z_fuzzer.dict b/projects/karchive/dict/k7z_fuzzer.dict
@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="7z\xBC\xAF\x27\x1C"
+
+# Header types
+end="\x00"
+header="\x01"
+archive_properties="\x02"
+additional_streams_info="\x03"
+main_streams_info="\x04"
+files_info="\x05"
+pack_info="\x06"
+unpack_info="\x07"
+substreams_info="\x08"
+size="\x09"
+crc="\x0A"
+folder="\x0B"
+coders_unpack_size="\x0C"
+num_unpack_stream="\x0D"
+empty_stream="\x0E"
+empty_file="\x0F"
+anti="\x10"
+name="\x11"
+ctime="\x12"
+atime="\x13"
+mtime="\x14"
+attributes="\x15"
+comment="\x16"
+encoded_header="\x17"
+start_pos="\x18"
+dummy="\x19"
+
+# Method IDs
+lzma2="\x21"
+lzma="\x03\x01\x01"
+bcj="\x03\x03\x01\x03"
+bcj2="\x03\x03\x01\x1B"
+ppmd="\x03\x04\x01"
+bzip2="\x04\x02\x02"
+aes="\x06\xF1\x07\x01"
diff --git a/projects/karchive/dict/kar_fuzzer.dict b/projects/karchive/dict/kar_fuzzer.dict
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="!<arch>\\n"
+file_magic="`\\n"
diff --git a/projects/karchive/dict/ktar_bz2_fuzzer.dict b/projects/karchive/dict/ktar_bz2_fuzzer.dict
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+magic="BZ"
+version_bzip2="h"
+version_bzip1="0"
+
+compressed_magic="\x31\x41\x59\x26\x53\x59"
+eos_magic="\x17\x72\x45\x38\x50\x90"
diff --git a/projects/karchive/dict/ktar_fuzzer.dict b/projects/karchive/dict/ktar_fuzzer.dict
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+# Interesting typeflags
+"5"
+"D"
+"x"
+"g"
+"1"
+
+longlink="././@LongLink"
diff --git a/projects/karchive/dict/ktar_gz_fuzzer.dict b/projects/karchive/dict/ktar_gz_fuzzer.dict
@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+magic="\x1F\x8B"
+
+deflate="\x08"
+
+# File Flags
+ftxt="\x01"
+fhcrc="\x02"
+fextra="\x04"
+fname="\x08"
+fcomment="\x10"
+fall="\x1F"
+
+# Operating System
+fat="\x00"
+amiga="\x01"
+vms="\x02"
+unix="\x03"
+vm_cms="\x04"
+atari_tos="\x05"
+hpfs="\x06"
+mac="\x07"
+zsystem="\x08"
+cp_m="\x09"
+tops20="\x0A"
+ntfs="\x0B"
+qdos="\x0C"
+acorn_riscos="\x0D"
+unknown="\xFF"
diff --git a/projects/karchive/dict/ktar_lz_fuzzer.dict b/projects/karchive/dict/ktar_lz_fuzzer.dict
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+magic="LZIP"
+version_old="\x00"
+version="\x01"
diff --git a/projects/karchive/dict/ktar_xz_fuzzer.dict b/projects/karchive/dict/ktar_xz_fuzzer.dict
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+magic="\x5D\x37\x7A\x58\x5A\x00"
+footer_magic="\x59\x5A"
+
+check_none="\x00\x00"
+check_crc32="\x01\x00"
+check_crc64="\x04\x00"
+check_sha256="\x0A\x00"
+
+# Filter IDs
+lzma2="\x21"
+delta="\x03"
+x86="\x04"
+powerpc="\x05"
+ia64="\x06"
+arm="\x07"
+armthumb="\x08"
+sparc="\x09"
diff --git a/projects/karchive/dict/ktar_zst_fuzzer.dict b/projects/karchive/dict/ktar_zst_fuzzer.dict
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+magic="ustar"
+version="00"
+
+magic="\x28\xB5\x2F\xFD"
+
+# Skippable Frames
+"\x50\x2A\x4D\x18"
+"\x51\x2A\x4D\x18"
+"\x52\x2A\x4D\x18"
+"\x53\x2A\x4D\x18"
+"\x54\x2A\x4D\x18"
+"\x55\x2A\x4D\x18"
+"\x56\x2A\x4D\x18"
+"\x57\x2A\x4D\x18"
+"\x58\x2A\x4D\x18"
+"\x59\x2A\x4D\x18"
+"\x5A\x2A\x4D\x18"
+"\x5B\x2A\x4D\x18"
+"\x5C\x2A\x4D\x18"
+"\x5D\x2A\x4D\x18"
+"\x5E\x2A\x4D\x18"
+"\x5F\x2A\x4D\x18"
diff --git a/projects/karchive/dict/kzip_fuzzer.dict b/projects/karchive/dict/kzip_fuzzer.dict
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: CC0-1.0
+
+cd="\x50\x4B\x01\x02"
+lfh="\x50\x4B\x03\x04"
+eocd="\x50\x4B\x05\x06"
+zip64_eocd"\x50\x4B\x06\x06"
+zip64_eocd_locator="\x50\x4B\x06\x07"
+dd="\x50\x4B\x07\x08"
+
+# Compression methods
+store="\x00"
+deflate="\x08"
diff --git a/projects/karchive/karchive_fuzzer.cc b/projects/karchive/karchive_fuzzer.cc
@@ -1,5 +1,10 @@
 /*
+# SPDX-FileCopyrightText: 2019 Google Inc.
+# SPDX-FileCopyrightText: 2025 Azhar Momin <azhar.momin@kdemail.net>
+# SPDX-License-Identifier: Apache-2.0
+#
 # Copyright 2019 Google Inc.
+# Copyright 2025 Azhar Momin <azhar.momin@kdemail.net>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,87 +25,39 @@
   Usage:
     python infra/helper.py build_image karchive
     python infra/helper.py build_fuzzers --sanitizer undefined|address|memory karchive
-    python infra/helper.py run_fuzzer karchive karchive_fuzzer
+    python infra/helper.py run_fuzzer karchive k[ar|tar|zip|7z]_fuzzer
 */
 
-
 #include <QBuffer>
 #include <QCoreApplication>
-#include <QVector>
-
-#include <KF6/KArchive/k7zip.h>
-#include <KF6/KArchive/ktar.h>
-#include <KF6/KArchive/kzip.h>
-#include <KF6/KArchive/kar.h>
-#include <KF6/KArchive/kcompressiondevice.h>
 
-void traverseArchive(const KArchiveDirectory *dir, const QString &path = QString()) {
-    const auto allEntries = dir->entries();
+#include <k7zip.h>
+#include <kar.h>
+#include <ktar.h>
+#include <kzip.h>
 
-    for (const auto& entryName : allEntries) {
-        auto entry = dir->entry(entryName);
-        const QString fullPath = path + QString::fromUtf8("/") + entryName;
-
-        if (entry->isFile()) {
-            auto file = static_cast<const KArchiveFile*>(entry);
-            auto fullpath = fullPath.toStdString();
-            auto filesize =  file->size();
-            auto datasize = file->data().size();
-            auto date =  file->date().toString().toStdString();
-            auto filename = file->name().toStdString();
-            auto user = file->user().toStdString();
-            auto group = file->group().toStdString();
-        } else if (entry->isDirectory()) {
-            auto subDir = static_cast<const KArchiveDirectory*>(entry);
-            traverseArchive(subDir, fullPath);
-        }
-    }
-}
+#include "karchive_fuzzer_common.h"
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     int argc = 0;
     QCoreApplication a(argc, nullptr);
 
     QBuffer b;
-    b.setData(QByteArray((const char *)data, size));
-
-    std::unique_ptr<KCompressionDevice> gzipKD(new KCompressionDevice(&b, false, KCompressionDevice::GZip));
-    std::unique_ptr<KCompressionDevice> bzipKD(new KCompressionDevice(&b, false, KCompressionDevice::BZip2));
-    std::unique_ptr<KCompressionDevice> xzKD(new KCompressionDevice(&b, false, KCompressionDevice::Xz));
-    std::unique_ptr<KCompressionDevice> zstdKD(new KCompressionDevice(&b, false, KCompressionDevice::Zstd));
-    std::unique_ptr<KCompressionDevice> lzKD(new KCompressionDevice(&b, false, KCompressionDevice::Lz));
+    b.setData((const char *)data, size);
 
-    const QVector<KArchive*> handlers = {
-        new K7Zip(&b),
-        new KTar(&b),
-        new KTar(gzipKD.get()),
-        new KTar(bzipKD.get()),
-        new KTar(xzKD.get()),
-        new KTar(zstdKD.get()),
-        new KTar(lzKD.get()),
-        new KZip(&b),
-        new KAr(&b)
-    };
+#ifdef HANDLER
+    HANDLER handler(&b);
 
-    for (KArchive *h : handlers) {
-        if (b.isOpen()) {
-            b.reset();
-        }
+#ifdef USE_PASSWORD
+    handler.setPassword("youshallnotpass");
+#endif
 
-        if (auto k7zip = dynamic_cast<K7Zip *>(h)) {
-            // Set a dummy password to trigger decryption code
-            k7zip->setPassword("youshallnotpass");
-        }
-
-        if (h->open(QIODevice::ReadOnly)) {
-            const KArchiveDirectory *rootDir = h->directory();
-            traverseArchive(rootDir); 
-            h->close();
-        }
+    if (handler.open(QIODevice::ReadOnly)) {
+        traverseArchive(handler.directory());
+        handler.close();
     }
-
-    qDeleteAll(handlers);
+#endif
 
     return 0;
 }
diff --git a/projects/karchive/karchive_fuzzer_common.h b/projects/karchive/karchive_fuzzer_common.h
@@ -0,0 +1,37 @@
+/*
+# SPDX-FileCopyrightText: 2025 Google LLC
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <karchive.h>
+
+inline void traverseArchive(const KArchiveDirectory *dir, const QString &path = QString())
+{
+    for (const auto &entryName : dir->entries()) {
+        auto entry = dir->entry(entryName);
+
+        if (entry->isFile()) {
+            auto file = static_cast<const KArchiveFile *>(entry);
+            auto data = file->data();
+        } else if (entry->isDirectory()) {
+            auto subDir = static_cast<const KArchiveDirectory *>(entry);
+            traverseArchive(subDir, path + QString::fromUtf8("/") + entryName);
+        }
+    }
+}
diff --git a/projects/karchive/kcompressiondevice_fuzzer.cc b/projects/karchive/kcompressiondevice_fuzzer.cc
