author | Jordy Zomer ?? <> | 2021-06-24 21:44:39 -0500 |
---|---|---|
committer | Jordy Zomer ?? <> | 2021-06-24 21:44:39 -0500 |
commit | 9883501daac822eed5a5264609da34c79b323cbd (patch) | |
tree | 1f2bc3f8eed3f3f9ea7970dc3035c1792bb4da63 | |
parent | ceae7e269ab6cabfbe40d22d9eed6bd350b6851c (diff) | |
download | pidgin-9883501daac822eed5a5264609da34c79b323cbd.tar.gz |
Add fuzzing support for some libpurple features
Testing Done:
Hi!
I built and tested all of these fuzzers for libpurple.
You can build them by first building pidgin/libpurple with `--enable-fuzzing`, then going into `libpurple/tests` and running `make check`. After that you can run these fuzzers, with a dictionary if you want :)
for example:
```bash
$ ./fuzz_markup_strip_html -dict=dictionaries/html.dict
Dictionary: 465 entries
INFO: Seed: 2274862685
INFO: Loaded 1 modules (3 inline 8-bit counters): 3 [0x5a4ec0, 0x5a4ec3),
INFO: Loaded 1 PC tables (3 PCs): 3 [0x568ee8,0x568f18),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 30Mb
#1048576 pulse cov: 2 ft: 2 corp: 1/1b lim: 4096 exec/s: 524288 rss: 789Mb
#2097152 pulse cov: 2 ft: 2 corp: 1/1b lim: 4096 exec/s: 524288 rss: 792Mb
```
Best Regards,
Jordy Zomer
Reviewed at https://reviews.imfreedom.org/r/760/
-rw-r--r-- | FUZZING | 108 | ||||
-rw-r--r-- | configure.ac | 12 | ||||
-rw-r--r-- | libpurple/tests/Makefile.am | 40 | ||||
-rw-r--r-- | libpurple/tests/dictionaries/html.dict | 478 | ||||
-rw-r--r-- | libpurple/tests/dictionaries/xml.dict | 82 | ||||
-rw-r--r-- | libpurple/tests/fuzz_html_to_xhtml.c | 49 | ||||
-rw-r--r-- | libpurple/tests/fuzz_jabber_caps.c | 59 | ||||
-rw-r--r-- | libpurple/tests/fuzz_jabber_id_new.c | 48 | ||||
-rw-r--r-- | libpurple/tests/fuzz_markup_strip_html.c | 47 | ||||
-rw-r--r-- | libpurple/tests/fuzz_mime.c | 46 | ||||
-rw-r--r-- | libpurple/tests/fuzz_xmlnode.c | 69 |
11 files changed, 1038 insertions, 0 deletions
diff --git a/FUZZING b/FUZZING
new file mode 100644
index 0000000000..cfb7ff6f9a
--- /dev/null
+++ b/FUZZING
@@ -0,0 +1,108 @@
+# Introduction and setup
+Pidgin has fuzzing support for libpurple. Libfuzzer (https://llvm.org/docs/LibFuzzer.html) is used for this.
+
+There are currently a few fuzzers mentioned in libpurple/tests/fuzz *.c. You can build the fuzzers by following the usual build process and adding `--enable-fuzzing` to `./configure`, for this you'll need to set CC to `clang`, once you've done this you can go to `libpurple/tests` and run `make check` this will build the fuzzers for you.
+
+Example:
+```bash
+$ CC=clang ./configure --enable-fuzzing --disable-cyrus-sasl --disable-gtkui --disable-gstreamer --disable-vv --disable-idn --disable-meanwhile --disable-avahi --disable-libgadu --disable-dbus --disable-libsecret --disable-gnome-keyring --disable-kwallet --disable-plugin
+
+# This will configure build system
+# The next step would be actually building pidgin and it's libraries.
+# -j $(nproc) is optional, this build it with all available cores
+
+$ make -j $(nproc)
+
+# Now pidgin is actually built, we can build the fuzzers
+
+$ cd libpurple/tests
+$ make check
+
+# Now the fuzzers should be built and can be run
+# The -dict= paramater can be used to define a dictionary to be used by fuzzing
+# For fuzzing common formats like xml you could for example use the xml dict, this is optional
+
+$ ./fuzz_xmlnode -dict=dictionaries/xml.dict
+```
+
+# Useful options
+
+Because Libfuzzer is a sophisticated program, here are some handy options:
+
+```
+help -> Print help.
+jobs -> Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
+workers -> Number of simultaneous worker processes to run the jobs. If zero, "min(jobs,NumberOfCpuCores()/2)" is used.
+max_len -> Maximum length of the test input. If 0, libFuzzer tries to guess a good value based on the corpus and reports it.
+```
+
+You can also show the help with:
+
+`./fuzz_html_to_xhtml -help=1`
+
+This will show you all the options you can give to your fuzzer.
+
+In addition, if you're new to fuzzing with libfuzzer, https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md is a fantastic place to start.
+
+# Adding more fuzzers
+
+Of course, having more fuzzers and covering more areas of the code used in libpurple is always a good thing. It's simple to incorporate a fuzzer into the current build system!
+If you open the `Makefile.am` file in `libpurple/tests` you'll see a `fuzz_programs` variable, you have to add the name to your new fuzzing harness in there.
+
+Example:
+
+```
+fuzz_programs=\
+ fuzz_html_to_xhtml \
+ fuzz_jabber_caps \
+ fuzz_jabber_id_new \
+ fuzz_markup_strip_html \
+ fuzz_mime \
+ fuzz_xmlnode \
+ fuzz_newfuzzer # This is the newly added fuzzer
+```
+
+We'll also need to define the sources, which we can do by copying and changing the lines from an existing fuzzer.
+
+For example we have a `fuzz_xmlnode.c` fuzzer, these are the lines that define the sources and the flags:
+```
+fuzz_xmlnode_SOURCES=fuzz_xmlnode.c
+fuzz_xmlnode_LDADD=$(check_libpurple_LDADD)
+fuzz_xmlnode_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+```
+
+We'll need to change the names of these to match the name of our new fuzzer and add any necessary flags:
+```
+fuzz_new_SOURCES=fuzz_new.c
+fuzz_new_LDADD=$(check_libpurple_LDADD)
+fuzz_new_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+```
+
+Now you must include your harness in `fuzz_new.c`, an example of a new harness could be as follows:
+```C
+#include <glib.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <purple.h>
+
+#include "../util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_input = g_new0(char, size + 1);
+
+ memcpy(malicious_input, data, size);
+ malicious_input[size] = '\0';
+
+ function_you_want_to_fuzz(malicious_input);
+
+ g_free(malicious_input);
+
+ return 0;
+}
+```
+
+Make sure to include the relevant includes, and then run `./configure` again in the repository's root directory, after that run `make check` in `libpurple/tests` to create your new fuzzer. Then, by executing this binary, you can run it.
diff --git a/configure.ac b/configure.ac
index 23c13dcbf7..2e304da142 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2532,6 +2532,18 @@ AC_SUBST(enable_devhelp)
 AM_CONDITIONAL(HAVE_DOXYGEN, test "x$enable_doxygen" = "xyes")
 AM_CONDITIONAL(HAVE_XSLTPROC, test "x$enable_devhelp" = "xyes")
+
+AC_ARG_ENABLE([fuzzing], [--enable-fuzzing Turn on fuzzing],
+ [case "${enableval}" in yes) fuzzing=true ;; no) fuzzing=false ;; *) AC_MSG_ERROR([bad value ${enableval} for --enable-fuzzing]) ;; esac],[fuzzing=false])
+AM_CONDITIONAL([FUZZ], [test x$fuzzing = xtrue])
+
+if test "x$enable_fuzzing" = "xyes" ; then
+ if ! test "x$CC" = "xclang" ; then
+ AC_MSG_ERROR(["You need to set CC=clang to use --enable-fuzzing, used $CC"])
+ fi
+fi
+
+
 AC_ARG_ENABLE(debug,
 [AC_HELP_STRING([--enable-debug],
 [compile with debugging support])],
 , enable_debug=no)
diff --git a/libpurple/tests/Makefile.am b/libpurple/tests/Makefile.am
index 467c7438a7..3f2d8cd183 100644
--- a/libpurple/tests/Makefile.am
+++ b/libpurple/tests/Makefile.am
@@ -4,8 +4,21 @@ TESTS=check_libpurple
 clean-local:
 -rm -rf libpurple..
+
 check_PROGRAMS=check_libpurple
+if FUZZ
+fuzz_programs=\
+ fuzz_html_to_xhtml \
+ fuzz_jabber_caps \
+ fuzz_jabber_id_new \
+ fuzz_markup_strip_html \
+ fuzz_mime \
+ fuzz_xmlnode
+check_PROGRAMS+=$(fuzz_programs)
+endif
+
+
 check_libpurple_SOURCES=\
 check_libpurple.c \
 tests.h \
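Review bot: The `--enable-fuzzing` block only validates the compiler and never adds sanitizer or coverage flags to the build; the only place `-fsanitize=fuzzer,address` appears is on the per-harness `fuzz_*_CFLAGS` in libpurple/tests/Makefile.am, so the libpurple objects the harnesses link against are uninstrumented and libFuzzer gets no coverage feedback from the library (the run log in the description, `Loaded 1 modules (3 inline 8-bit counters)` and `cov: 2`, is what one sees when only the harness is instrumented). Inside the `if test "x$enable_fuzzing" = "xyes"` block, `CFLAGS="$CFLAGS -fsanitize=fuzzer-no-link,address"` and `LDFLAGS="$LDFLAGS -fsanitize=address"` would instrument the library as well. The `test "x$CC" = "xclang"` comparison also rejects `clang-14`, `/usr/bin/clang` and `ccache clang`; a `case "$CC" in *clang*)` match would accept them. Finally, the option text should go through `AC_HELP_STRING` like the `debug` option right below, and the `case` sets `fuzzing` while the check reads autoconf's own `enable_fuzzing`, so one of the two variables could be dropped.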
@@ -33,4 +46,31 @@ check_libpurple_LDADD=\
 @CHECK_LIBS@ \
 $(GLIB_LIBS)
+
+if FUZZ
+fuzz_xmlnode_SOURCES=fuzz_xmlnode.c
+fuzz_xmlnode_LDADD=$(check_libpurple_LDADD)
+fuzz_xmlnode_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+
+fuzz_jabber_id_new_SOURCES=fuzz_jabber_id_new.c
+fuzz_jabber_id_new_LDADD=$(check_libpurple_LDADD)
+fuzz_jabber_id_new_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+
+fuzz_jabber_caps_SOURCES=fuzz_jabber_caps.c
+fuzz_jabber_caps_LDADD=$(check_libpurple_LDADD)
+fuzz_jabber_caps_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+
+fuzz_mime_SOURCES=fuzz_mime.c
+fuzz_mime_LDADD=$(check_libpurple_LDADD)
+fuzz_mime_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+
+fuzz_html_to_xhtml_SOURCES=fuzz_html_to_xhtml.c
+fuzz_html_to_xhtml_LDADD=$(check_libpurple_LDADD)
+fuzz_html_to_xhtml_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+
+fuzz_markup_strip_html_SOURCES=fuzz_markup_strip_html.c
+fuzz_markup_strip_html_LDADD=$(check_libpurple_LDADD)
+fuzz_markup_strip_html_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)
+endif
+
 endif
diff --git a/libpurple/tests/dictionaries/html.dict b/libpurple/tests/dictionaries/html.dict
new file mode 100644
index 0000000000..bf683a63a3
--- /dev/null
+++ b/libpurple/tests/dictionaries/html.dict
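Review bot: The six `fuzz_*_CFLAGS` lines repeat `-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)` verbatim, so changing the sanitizer set later means editing six places. Defining it once, `FUZZ_CFLAGS=-fsanitize=fuzzer,address $(check_libpurple_CFLAGS)`, and writing `fuzz_xmlnode_CFLAGS=$(FUZZ_CFLAGS)` (and likewise for the other five) keeps it in one place. A short comment above `if FUZZ` saying that these programs are built by `make check` but deliberately not added to `TESTS` would also spare the next reader from wondering why they never run.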
@@ -0,0 +1,478 @@ +# +# AFL dictionary for HTML parsers +# ------------------------------- +# +# A basic collection of HTML string likely to matter to HTML parsers. +# +# Created by Michal Zalewski <lcamtuf@google.com> +# + +tag_a="<a>" +tag_abbr="<abbr>" +tag_acronym="<acronym>" +tag_address="<address>" +tag_annotation_xml="<annotation-xml>" +tag_applet="<applet>" +tag_area="<area>" +tag_article="<article>" +tag_aside="<aside>" +tag_audio="<audio>" +tag_b="<b>" +tag_base="<base>" +tag_basefont="<basefont>" +tag_bdi="<bdi>" +tag_bdo="<bdo>" +tag_bgsound="<bgsound>" +tag_big="<big>" +tag_blink="<blink>" +tag_blockquote="<blockquote>" +tag_body="<body>" +tag_br="<br>" +tag_button="<button>" +tag_canvas="<canvas>" +tag_caption="<caption>" +tag_center="<center>" +tag_cite="<cite>" +tag_code="<code>" +tag_col="<col>" +tag_colgroup="<colgroup>" +tag_data="<data>" +tag_datalist="<datalist>" +tag_dd="<dd>" +tag_del="<del>" +tag_desc="<desc>" +tag_details="<details>" +tag_dfn="<dfn>" +tag_dir="<dir>" +tag_div="<div>" +tag_dl="<dl>" +tag_dt="<dt>" +tag_em="<em>" +tag_embed="<embed>" +tag_fieldset="<fieldset>" +tag_figcaption="<figcaption>" +tag_figure="<figure>" +tag_font="<font>" +tag_footer="<footer>" +tag_foreignobject="<foreignobject>" +tag_form="<form>" +tag_frame="<frame>" +tag_frameset="<frameset>" +tag_h1="<h1>" +tag_h2="<h2>" +tag_h3="<h3>" +tag_h4="<h4>" +tag_h5="<h5>" +tag_h6="<h6>" +tag_head="<head>" +tag_header="<header>" +tag_hgroup="<hgroup>" +tag_hr="<hr>" +tag_html="<html>" +tag_i="<i>" +tag_iframe="<iframe>" +tag_image="<image>" +tag_img="<img>" +tag_input="<input>" +tag_ins="<ins>" +tag_isindex="<isindex>" +tag_kbd="<kbd>" +tag_keygen="<keygen>" +tag_label="<label>" +tag_legend="<legend>" +tag_li="<li>" +tag_link="<link>" +tag_listing="<listing>" +tag_main="<main>" +tag_malignmark="<malignmark>" +tag_map="<map>" +tag_mark="<mark>" +tag_marquee="<marquee>" +tag_math="<math>" +tag_menu="<menu>" +tag_menuitem="<menuitem>" +tag_meta="<meta>" 
+tag_meter="<meter>" +tag_mglyph="<mglyph>" +tag_mi="<mi>" +tag_mn="<mn>" +tag_mo="<mo>" +tag_ms="<ms>" +tag_mtext="<mtext>" +tag_multicol="<multicol>" +tag_nav="<nav>" +tag_nextid="<nextid>" +tag_nobr="<nobr>" +tag_noembed="<noembed>" +tag_noframes="<noframes>" +tag_noscript="<noscript>" +tag_object="<object>" +tag_ol="<ol>" +tag_optgroup="<optgroup>" +tag_option="<option>" +tag_output="<output>" +tag_p="<p>" +tag_param="<param>" +tag_plaintext="<plaintext>" +tag_pre="<pre>" +tag_progress="<progress>" +tag_q="<q>" +tag_rb="<rb>" +tag_rp="<rp>" +tag_rt="<rt>" +tag_rtc="<rtc>" +tag_ruby="<ruby>" +tag_s="<s>" +tag_samp="<samp>" +tag_script="<script>" +tag_section="<section>" +tag_select="<select>" +tag_small="<small>" +tag_source="<source>" +tag_spacer="<spacer>" +tag_span="<span>" +tag_strike="<strike>" +tag_strong="<strong>" +tag_style="<style>" +tag_sub="<sub>" +tag_summary="<summary>" +tag_sup="<sup>" +tag_svg="<svg>" +tag_table="<table>" +tag_tbody="<tbody>" +tag_td="<td>" +tag_template="<template>" +tag_textarea="<textarea>" +tag_tfoot="<tfoot>" +tag_th="<th>" +tag_thead="<thead>" +tag_time="<time>" +tag_title="<title>" +tag_tr="<tr>" +tag_track="<track>" +tag_tt="<tt>" +tag_u="<u>" +tag_ul="<ul>" +tag_var="<var>" +tag_video="<video>" +tag_wbr="<wbr>" +tag_xmp="<xmp>" + + +# attributes + +"accept" +"accept-charset" +"accesskey" +"action" +"align" +"allow" +"alt" +"async" +"autocapitalize" +"autocomplete" +"autofocus" +"autoplay" +"background" +"bgcolor" +"border" +"capture" +"challenge" +"charset" +"checked" +"cite" +"class" +"code" +"codebase" +"color" +"cols" +"colspan" +"content" +"contenteditable" +"contextmenu" +"controls" +"coords" +"crossorigin" +"csp" +"data" +"data-" +"datetime" +"decoding" +"default" +"defer" +"dir" +"dirname" +"disabled" +"download" +"draggable" +"dropzone" +"enctype" +"enterkeyhint" +"for" +"form" +"formaction" +"formenctype" +"formmethod" +"formnovalidate" +"formtarget" +"headers" +"height" +"hidden" +"high" +"href" +"hreflang" 
+"http-equiv" +"icon" +"id" +"importance" +"integrity" +"inputmode" +"ismap" +"itemprop" +"keytype" +"kind" +"label" +"lang" +"language" +"loading" +"list" +"loop" +"low" +"manifest" +"max" +"maxlength" +"minlength" +"media" +"method" +"min" +"multiple" +"muted" +"name" +"novalidate" +"onabort" +"onactivate" +"onafterprint" +"onafterupdate" +"onanimationend" +"onanimationiteration" +"onanimationstart" +"onautocomplete" +"onautocompleteerror" +"onbeforeactivate" +"onbeforecopy" +"onbeforecut" +"onbeforedeactivate" +"onbeforeeditfocus" +"onbeforepaste" +"onbeforeprint" +"onbeforeunload" +"onbeforeupdate" +"onbegin" +"onblur" +"onbounce" +"oncancel" +"oncanplay" +"oncanplaythrough" +"oncellchange" +"onchange" +"onclick" +"onclose" +"oncompassneedscalibration" +"oncontextmenu" +"oncontrolselect" +"oncopy" +"oncuechange" +"oncut" +"ondataavailable" +"ondatasetchanged" +"ondatasetcomplete" +"ondblclick" +"ondeactivate" +"ondevicelight" +"ondevicemotion" +"ondeviceorientation" +"ondeviceproximity" +"ondrag" +"ondragdrop" +"ondragend" +"ondragenter" +"ondragexit" +"ondragleave" +"ondragover" +"ondragstart" +"ondrop" +"ondurationchange" +"onemptied" +"onend" +"onended" +"onerror" +"onerrorupdate" +"onexit" +"onfilterchange" +"onfinish" +"onfocus" +"onfocusin" +"onfocusout" +"onformchange " +"onforminput " +"ongesturechange" +"ongestureend" +"ongesturestart" +"onhashchange" +"onhelp" +"oninput" +"oninvalid" +"onkeydown" +"onkeypress" +"onkeyup" +"onlanguagechange" +"onlayoutcomplete" +"onload" +"onloadeddata" +"onloadedmetadata" +"onloadstart" +"onlosecapture" +"onmediacomplete" +"onmediaerror" +"onmessage" +"onmousedown" +"onmouseenter" +"onmouseleave" +"onmousemove" +"onmouseout" +"onmouseover" +"onmouseup" +"onmousewheel" +"onmove" +"onmoveend" +"onmovestart" +"onmozfullscreenchange" +"onmozfullscreenerror" +"onmozpointerlockchange" +"onmozpointerlockerror" +"onmsgesturechange" +"onmsgesturedoubletap" +"onmsgesturehold" +"onmsgesturerestart" +"onmsinertiastart" 
+"onmspointercancel" +"onmspointerdown" +"onmspointerenter" +"onmspointerhover" +"onmspointerleave" +"onmspointermove" +"onmspointerout" +"onmspointerover" +"onmspointerup" +"onoffline" +"ononline" +"onorientationchange" +"onoutofsync" +"onpagehide" +"onpageshow" +"onpaste" +"onpause" +"onplay" +"onplaying" +"onpopstate" +"onprogress" +"onpropertychange" +"onratechange" +"onreadystatechange" +"onreceived" +"onrepeat" +"onreset" +"onresize" +"onresizeend" +"onresizestart" +"onresume" +"onreverse" +"onrowdelete" +"onrowenter" +"onrowexit" +"onrowinserted" +"onrowsdelete" +"onrowsinserted" +"onscroll" +"onsearch" +"onseek" +"onseeked" +"onseeking" +"onselect" +"onselectionchange" +"onselectstart" +"onshow" +"onstalled" +"onstart" +"onstop" +"onstorage" +"onsubmit" +"onsuspend" +"onsynchrestored" +"ontimeerror" +"ontimeupdate" +"ontoggle" +"ontouchcancel" +"ontouchend" +"ontouchmove" +"ontouchstart" +"ontrackchange" +"ontransitionend" +"onunload" +"onurlflip" +"onuserproximity" +"onvolumechange" +"onwaiting" +"onwebkitanimationend" +"onwebkitanimationiteration" +"onwebkitanimationstart" +"onwebkitmouseforcechanged" +"onwebkitmouseforcedown" +"onwebkitmouseforceup" +"onwebkitmouseforcewillbegin" +"onwebkittransitionend" +"onwebkitwillrevealbottom" +"onwheel" +"onzoom" +"open" +"optimum" +"pattern" +"ping" +"placeholder" +"poster" +"preload" +"radiogroup" +"readonly" +"referrerpolicy" +"rel" +"required" +"reversed" +"rows" +"rowspan" +"sandbox" +"scope" +"scoped" +"selected" +"shape" +"size" +"sizes" +"slot" +"span" +"spellcheck" +"src" +"srcdoc" +"srclang" +"srcset" +"start" +"step" +"style" +"summary" +"tabindex" +"target" +"title" +"translate" +"type" +"usemap" +"value" +"width" +"wrap" diff --git a/libpurple/tests/dictionaries/xml.dict b/libpurple/tests/dictionaries/xml.dict new file mode 100644 index 0000000000..e101369188 --- /dev/null +++ b/libpurple/tests/dictionaries/xml.dict 
@@ -0,0 +1,82 @@ +# +# AFL dictionary for XML +# ---------------------- +# +# Several basic syntax elements and attributes, modeled on libxml2. +# +# Created by Michal Zalewski <lcamtuf@google.com> +# + +attr_encoding=" encoding=\"1\"" +attr_generic=" a=\"1\"" +attr_href=" href=\"1\"" +attr_standalone=" standalone=\"no\"" +attr_version=" version=\"1\"" +attr_xml_base=" xml:base=\"1\"" +attr_xml_id=" xml:id=\"1\"" +attr_xml_lang=" xml:lang=\"1\"" +attr_xml_space=" xml:space=\"1\"" +attr_xmlns=" xmlns=\"1\"" + +entity_builtin="<" +entity_decimal="" +entity_external="&a;" +entity_hex="" + +string_any="ANY" +string_brackets="[]" +string_cdata="CDATA" +string_col_fallback=":fallback" +string_col_generic=":a" +string_col_include=":include" +string_dashes="--" +string_empty="EMPTY" +string_empty_dblquotes="\"\"" +string_empty_quotes="''" +string_entities="ENTITIES" +string_entity="ENTITY" +string_fixed="#FIXED" +string_id="ID" +string_idref="IDREF" +string_idrefs="IDREFS" +string_implied="#IMPLIED" +string_nmtoken="NMTOKEN" +string_nmtokens="NMTOKENS" +string_notation="NOTATION" +string_parentheses="()" +string_pcdata="#PCDATA" +string_percent="%a" +string_public="PUBLIC" +string_required="#REQUIRED" +string_schema=":schema" +string_system="SYSTEM" +string_ucs4="UCS-4" +string_utf16="UTF-16" +string_utf8="UTF-8" +string_xmlns="xmlns:" + +tag_attlist="<!ATTLIST" +tag_cdata="<![CDATA[" +tag_close="</a>" +tag_doctype="<!DOCTYPE" +tag_element="<!ELEMENT" +tag_entity="<!ENTITY" +tag_ignore="<![IGNORE[" +tag_include="<![INCLUDE[" +tag_notation="<!NOTATION" +tag_open="<a>" +tag_open_close="<a />" +tag_open_exclamation="<!" +tag_open_q="<?" +tag_sq2_close="]]>" +tag_xml_q="<?xml?>" + +encoding_utf="UTF-" +encoding_iso1="ISO-8859" +encoding_iso3="ISO-10646-UCS" +encoding_iso5="ISO-LATIN-1" +encoding_jis="SHIFT_JIS" +encoding_utf7="UTF-7" +encoding_utf16le="UTF-16BE" +encoding_utf16le="UTF-16LE" +encoding_ascii="US-ASCII" 
diff --git a/libpurple/tests/fuzz_html_to_xhtml.c b/libpurple/tests/fuzz_html_to_xhtml.c
new file mode 100644
index 0000000000..c5353bdf43
--- /dev/null
+++ b/libpurple/tests/fuzz_html_to_xhtml.c
@@ -0,0 +1,49 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <glib.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <purple.h>
+
+#include "../util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_html = g_new0(char, size + 1);
+
+ memcpy(malicious_html, data, size);
+ malicious_html[size] = '\0';
+
+ gchar *xhtml = NULL, *plaintext = NULL;
+
+ purple_markup_html_to_xhtml(malicious_html, &xhtml, &plaintext);
+
+ g_free(xhtml);
+ g_free(plaintext);
+
+ g_free(malicious_html);
+
+ return 0;
+}
diff --git a/libpurple/tests/fuzz_jabber_caps.c b/libpurple/tests/fuzz_jabber_caps.c
new file mode 100644
index 0000000000..da9ac27125
--- /dev/null
+++ b/libpurple/tests/fuzz_jabber_caps.c
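Review bot: The input copy in LLVMFuzzerTestOneInput takes three steps (`g_new0`, `memcpy`, then `malicious_html[size] = '\0'`) although `g_new0` already zero-fills the extra byte, so the explicit terminator is redundant; `char *malicious_html = g_strndup((const gchar *)data, size);` expresses the same NUL-terminated copy in one line. The same pattern is repeated in fuzz_jabber_caps.c, fuzz_jabber_id_new.c, fuzz_markup_strip_html.c, fuzz_mime.c and fuzz_xmlnode.c. Each harness would also benefit from a one-line header comment naming the API under test and stating that, because every target takes a C string, any bytes after an embedded NUL in the fuzz input are never seen by it, e.g. `/* Fuzz purple_markup_html_to_xhtml(); input is treated as a C string, so bytes after a NUL are ignored. */`.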
@@ -0,0 +1,59 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+
+#include "../xmlnode.h"
+#include "../protocols/jabber/caps.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_xml = g_new0(char, size + 1);
+ xmlnode *query;
+
+ memcpy(malicious_xml, data, size);
+ malicious_xml[size] = '\0';
+
+ if (*malicious_xml == '\0') {
+ g_free(malicious_xml);
+ return 0;
+ }
+
+ query = xmlnode_new(malicious_xml);
+
+ if (query == NULL) {
+ g_free(malicious_xml);
+ return 0;
+ }
+
+ jabber_caps_parse_client_info(query);
+
+ xmlnode_free(query);
+
+ g_free(malicious_xml);
+
+ return 0;
+}
diff --git a/libpurple/tests/fuzz_jabber_id_new.c b/libpurple/tests/fuzz_jabber_id_new.c
new file mode 100644
index 0000000000..adb6c54049
--- /dev/null
+++ b/libpurple/tests/fuzz_jabber_id_new.c
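Review bot: `query = xmlnode_new(malicious_xml)` hands the fuzz input to xmlnode_new, which in libpurple's xmlnode API creates a fresh node whose name is that string rather than parsing it, so jabber_caps_parse_client_info only ever receives a single empty element with an arbitrary name and the markup-handling code in caps.c is barely exercised. Using the parser instead, `query = xmlnode_from_str(malicious_xml, size);`, feeds real XML into the target; the existing `query == NULL` branch already covers parse failure, and the `*malicious_xml == '\0'` pre-check then becomes unnecessary. If xmlnode_new in this tree does parse markup, please confirm that in xmlnode.c and add a comment saying so, since the name suggests otherwise.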
@@ -0,0 +1,48 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+
+#include "../account.h"
+#include "../conversation.h"
+#include "../xmlnode.h"
+#include "../protocols/jabber/jutil.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_jid = g_new0(char, size + 1);
+
+ memcpy(malicious_jid, data, size);
+ malicious_jid[size] = '\0';
+
+ JabberID *jid = jabber_id_new(malicious_jid);
+
+ jabber_id_free(jid);
+
+ g_free(malicious_jid);
+
+ return 0;
+}
diff --git a/libpurple/tests/fuzz_markup_strip_html.c b/libpurple/tests/fuzz_markup_strip_html.c
new file mode 100644
index 0000000000..15337a34b0
--- /dev/null
+++ b/libpurple/tests/fuzz_markup_strip_html.c
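Review bot: `jabber_id_free(jid)` is called unconditionally, but jabber_id_new returns NULL when the string is not a valid JID, which will be the case for most fuzzer-generated inputs, so the harness relies on jabber_id_free tolerating a NULL argument; that is worth confirming in jutil.c, and a guard `if (jid != NULL) jabber_id_free(jid);` makes the intent explicit either way. The includes of `../account.h` and `../conversation.h` are not used by the visible code; if they are only there to satisfy jutil.h's own dependencies, a one-line comment saying so would save the next reader from removing them.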
@@ -0,0 +1,47 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <glib.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <purple.h>
+
+#include "../util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_html = g_new0(char, size + 1);
+ char *stripped;
+
+ memcpy(malicious_html, data, size);
+ malicious_html[size] = '\0';
+
+ stripped = purple_markup_strip_html(malicious_html);
+
+ g_free(stripped);
+
+ g_free(malicious_html);
+
+ return 0;
+}
diff --git a/libpurple/tests/fuzz_mime.c b/libpurple/tests/fuzz_mime.c
new file mode 100644
index 0000000000..8ab755cbc3
--- /dev/null
+++ b/libpurple/tests/fuzz_mime.c
@@ -0,0 +1,46 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <glib.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <purple.h>
+
+#include "../util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_mime = g_new0(char, size + 1);
+
+ memcpy(malicious_mime, data, size);
+ malicious_mime[size] = '\0';
+
+ gchar *result = purple_mime_decode_field(malicious_mime);
+ g_free(result);
+
+
+ g_free(malicious_mime);
+
+ return 0;
+}
diff --git a/libpurple/tests/fuzz_xmlnode.c b/libpurple/tests/fuzz_xmlnode.c
new file mode 100644
index 0000000000..e0314054fe
--- /dev/null
+++ b/libpurple/tests/fuzz_xmlnode.c
@@ -0,0 +1,69 @@
+/* purple
+ *
+ * Purple is the legal property of its developers, whose names are too numerous
+ * to list here. Please refer to the COPYRIGHT file distributed with this
+ * source distribution.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <glib.h>
+
+#include "../xmlnode.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *malicious_xml = g_new0(char, size + 1);
+ char *str;
+ xmlnode *xml;
+
+ memcpy(malicious_xml, data, size);
+ malicious_xml[size] = '\0';
+
+ xml = xmlnode_from_str(malicious_xml, -1);
+
+ if (xml == NULL) {
+ g_free(malicious_xml);
+ return 0;
+ }
+
+ str = xmlnode_to_str(xml, NULL);
+
+ if (str == NULL) {
+ xmlnode_free(xml);
+ free(malicious_xml);
+ return 0;
+ }
+
+ if (strcmp(malicious_xml, str) != 0) {
+ g_free(str);
+ xmlnode_free(xml);
+ free(malicious_xml);
+ __builtin_trap();
+ }
+
+ g_free(str);
+
+ xmlnode_free(xml);
+
+ g_free(malicious_xml);
+
+ return 0;
+}
|
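Review bot: Two cleanup paths in LLVMFuzzerTestOneInput release `malicious_xml` with libc `free()` (in the `str == NULL` branch and just before `__builtin_trap()`) although the buffer came from `g_new0`; every other path uses `g_free`, and pairing GLib allocation with libc deallocation is only safe while GLib happens to be backed by the system malloc. Change both calls to `g_free(malicious_xml);`. Separately, the `strcmp(malicious_xml, str) != 0` check turns any difference between the input and xmlnode_to_str's re-serialisation into a crash report, but a serializer may legitimately normalise whitespace, attribute order, quoting and entities, so this oracle will produce false positives on well-formed input; a sturdier round-trip check is to re-parse `str` and compare that second serialisation with `str`, or to drop the comparison and rely on the sanitizer for the memory-safety signal. A short comment stating which of the two properties the harness is meant to check would help whoever triages its findings.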