authorMax Dymond <cmeister2@gmail.com>2019-06-28 13:22:51 +0100
committerMax Dymond <cmeister2@gmail.com>2019-06-28 14:05:39 +0100
commit100e5549b6e27bc48d6133be0941ea6bfd4b75ac (patch)
treeb04a3d57fae599a837dee3ac4c802853a411b610
parentb333f3656d6a408fe38737982d854b80ea870803 (diff)
Create a fuzzing target for jansson
-rw-r--r--.travis.yml2
-rw-r--r--Makefile.am12
-rw-r--r--ossfuzz/json_load_fuzzer.cc11
-rwxr-xr-xossfuzz/ossfuzz.sh28
-rw-r--r--ossfuzz/standaloneengine.cc74
-rw-r--r--ossfuzz/testinput.h3
-rwxr-xr-xossfuzz/travisoss.sh26
7 files changed, 156 insertions, 0 deletions
diff --git a/.travis.yml b/.travis.yml
index 5b23c94..449e9bb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,6 +3,7 @@ env:
- JANSSON_BUILD_METHOD=cmake JANSSON_CMAKE_OPTIONS="-DJANSSON_TEST_WITH_VALGRIND=ON" JANSSON_EXTRA_INSTALL="valgrind"
- JANSSON_BUILD_METHOD=autotools
- JANSSON_BUILD_METHOD=coverage JANSSON_CMAKE_OPTIONS="-DJANSSON_COVERAGE=ON -DJANSSON_COVERALLS=ON -DCMAKE_BUILD_TYPE=Debug" JANSSON_EXTRA_INSTALL="lcov curl"
+ - JANSSON_BUILD_METHOD=fuzzer
language: c
compiler:
- gcc
@@ -20,3 +21,4 @@ script:
- if [ "$JANSSON_BUILD_METHOD" = "autotools" ]; then autoreconf -f -i && CFLAGS=-Werror ./configure && make check; fi
- if [ "$JANSSON_BUILD_METHOD" = "cmake" ]; then mkdir build && cd build && cmake $JANSSON_CMAKE_OPTIONS .. && cmake --build . && ctest --output-on-failure; fi
- if [ "$JANSSON_BUILD_METHOD" = "coverage" ]; then mkdir build && cd build && cmake $JANSSON_CMAKE_OPTIONS .. && cmake --build . && cmake --build . --target coveralls; fi
+ - if [ "$JANSSON_BUILD_METHOD" = "fuzzer" ]; then ./ossfuzz/travisoss.sh; fi
diff --git a/Makefile.am b/Makefile.am
index 0de2ac1..3e3dc09 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -8,3 +8,15 @@ dvi:
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = jansson.pc
+
+
+# Add fuzzing support
+LIB_FUZZING_ENGINE ?= standaloneengine.o
+
+ossfuzz/%.o: ossfuzz/%.cc
+ $(CXX) -c -Isrc $(CXXFLAGS) $< -o $@
+
+.PHONY: json_load_fuzzer
+json_load_fuzzer: ossfuzz/json_load_fuzzer.o src/.libs/libjansson.a
+ $(CXX) -c $(CXXFLAGS) ossfuzz/standaloneengine.cc -o standaloneengine.o
+ $(CXX) $(CXXFLAGS) $(LIB_FUZZING_ENGINE) $^ -o $@$(EXT)
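Review bot: `.PHONY: json_load_fuzzer` marks a target that really produces the file `json_load_fuzzer` as phony, so make relinks it on every invocation and never uses the object dependencies for up-to-date checks; dropping that line keeps the rule correct and makes `make json_load_fuzzer` cheap on repeat. The first recipe line also compiles `standaloneengine.cc` into `standaloneengine.o` unconditionally, even when `LIB_FUZZING_ENGINE` is overridden with a real engine (the OSS-Fuzz case) and the object is never linked; the pattern rule two lines above already knows how to build `ossfuzz/standaloneengine.o`, so `LIB_FUZZING_ENGINE ?= ossfuzz/standaloneengine.o` plus a dependency on that object would remove the duplicate compile command. `$(EXT)` is referenced but not defined anywhere in this hunk — if it is meant to be user-supplied, a comment saying so (`# EXT: optional executable suffix, e.g. .exe`) would help.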
diff --git a/ossfuzz/json_load_fuzzer.cc b/ossfuzz/json_load_fuzzer.cc
new file mode 100644
index 0000000..09e7da5
--- /dev/null
+++ b/ossfuzz/json_load_fuzzer.cc
@@ -0,0 +1,11 @@
+#include <stdint.h>
+
+#include "jansson.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ json_error_t error;
+ auto jobj = json_loadb(reinterpret_cast<const char *>(data), size, 0, &error);
+ if (jobj)
+ json_decref(jobj);
+ return 0;
+}
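Review bot: `LLVMFuzzerTestOneInput` takes a `size_t` but the file only includes `<stdint.h>`, which is not required to declare `size_t`; it presumably compiles because `jansson.h` pulls in `<stdio.h>`/`<stdlib.h>`, so add `#include <stddef.h>` rather than rely on that transitively. The target always calls `json_loadb` with `flags` equal to 0, so decoder paths behind the other flags (for example `JSON_REJECT_DUPLICATES`, `JSON_DECODE_ANY`) are never reached; deriving the flag word from the first input byte, masked to known flag values, would widen coverage without changing the harness shape. A short header comment stating the contract (`/* libFuzzer entry point: parse an arbitrary byte string as JSON and release the result; must never crash. */`) would also help readers who do not know the libFuzzer ABI.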
diff --git a/ossfuzz/ossfuzz.sh b/ossfuzz/ossfuzz.sh
new file mode 100755
index 0000000..897e5a6
--- /dev/null
+++ b/ossfuzz/ossfuzz.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+
+# This script is called by the oss-fuzz main project when compiling the fuzz
+# targets. This script is regression tested by travisoss.sh.
+
+# Save off the current folder as the build root.
+export BUILD_ROOT=$PWD
+
+echo "CC: $CC"
+echo "CXX: $CXX"
+echo "LIB_FUZZING_ENGINE: $LIB_FUZZING_ENGINE"
+echo "CFLAGS: $CFLAGS"
+echo "CXXFLAGS: $CXXFLAGS"
+echo "OUT: $OUT"
+
+export MAKEFLAGS+="-j$(nproc)"
+
+# Install dependencies
+apt-get -y install automake libtool
+
+# Compile the fuzzer.
+autoreconf -i
+./configure
+make
+make json_load_fuzzer
+
+# Copy the fuzzer to the output directory.
+cp -v json_load_fuzzer $OUT/
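Review bot: `export MAKEFLAGS+="-j$(nproc)"` appends with no separator, so if the environment already carries a `MAKEFLAGS` value the result is one run-together word that GNU make may not parse as intended; `export MAKEFLAGS="${MAKEFLAGS:-} -j$(nproc)"` keeps it well-formed whether or not the variable was set. The destination in `cp -v json_load_fuzzer $OUT/` is unquoted; since the script already runs under `-eu`, `"$OUT/"` is the consistent spelling. Whether the OSS-Fuzz build image is expected to have `automake`/`libtool` preinstalled is not visible here; if it is, the `apt-get` line belongs in the project Dockerfile rather than the build script.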
diff --git a/ossfuzz/standaloneengine.cc b/ossfuzz/standaloneengine.cc
new file mode 100644
index 0000000..175360e
--- /dev/null
+++ b/ossfuzz/standaloneengine.cc
@@ -0,0 +1,74 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "testinput.h"
+
+/**
+ * Main procedure for standalone fuzzing engine.
+ *
+ * Reads filenames from the argument array. For each filename, read the file
+ * into memory and then call the fuzzing interface with the data.
+ */
+int main(int argc, char **argv)
+{
+ int ii;
+ for(ii = 1; ii < argc; ii++)
+ {
+ FILE *infile;
+ printf("[%s] ", argv[ii]);
+
+ /* Try and open the file. */
+ infile = fopen(argv[ii], "rb");
+ if(infile)
+ {
+ uint8_t *buffer = NULL;
+ size_t buffer_len;
+
+ printf("Opened.. ");
+
+ /* Get the length of the file. */
+ fseek(infile, 0L, SEEK_END);
+ buffer_len = ftell(infile);
+
+ /* Reset the file indicator to the beginning of the file. */
+ fseek(infile, 0L, SEEK_SET);
+
+ /* Allocate a buffer for the file contents. */
+ buffer = (uint8_t *)calloc(buffer_len, sizeof(uint8_t));
+ if(buffer)
+ {
+ /* Read all the text from the file into the buffer. */
+ fread(buffer, sizeof(uint8_t), buffer_len, infile);
+ printf("Read %zu bytes, fuzzing.. ", buffer_len);
+
+ /* Call the fuzzer with the data. */
+ LLVMFuzzerTestOneInput(buffer, buffer_len);
+
+ printf("complete !!");
+
+ /* Free the buffer as it's no longer needed. */
+ free(buffer);
+ buffer = NULL;
+ }
+ else
+ {
+ fprintf(stderr,
+ "[%s] Failed to allocate %zu bytes \n",
+ argv[ii],
+ buffer_len);
+ }
+
+ /* Close the file as it's no longer needed. */
+ fclose(infile);
+ infile = NULL;
+ }
+ else
+ {
+ /* Failed to open the file. Maybe wrong name or wrong permissions? */
+ fprintf(stderr, "[%s] Open failed. \n", argv[ii]);
+ }
+
+ printf("\n");
+ }
+}
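Review bot: `buffer_len = ftell(infile);` stores `ftell`'s `long` result, which is -1 on error, into a `size_t` unchecked, so an unseekable or otherwise unusual input (a pipe, or a directory passed by mistake) becomes a `SIZE_MAX` allocation attempt, and neither `fseek` call is checked either. Two lines later the return value of `fread` is discarded, so a short read passes zero-filled padding to the target as if it were file content, and because `calloc(0, ...)` may return `NULL` an empty file — a case a harness should exercise — is reported as an allocation failure and never reaches `LLVMFuzzerTestOneInput`. Suggest checking `fseek`/`ftell`, allocating at least one byte, and passing the byte count `fread` actually returned.
```cpp
            /* Get the length of the file; ftell() reports -1 on error. */
            long file_len = -1;
            if (fseek(infile, 0L, SEEK_END) == 0)
                file_len = ftell(infile);
            if (file_len < 0 || fseek(infile, 0L, SEEK_SET) != 0)
            {
                fprintf(stderr, "[%s] Could not determine file size. \n", argv[ii]);
            }
            else
            {
                buffer_len = (size_t)file_len;
                /* calloc(0, ...) may return NULL; reserve at least one byte so an
                 * empty file is still handed to the target with size 0. */
                buffer = (uint8_t *)calloc(buffer_len ? buffer_len : 1, sizeof(uint8_t));
                if(buffer)
                {
                    /* Pass the number of bytes actually read, not the size requested. */
                    size_t nread = fread(buffer, sizeof(uint8_t), buffer_len, infile);
                    printf("Read %zu bytes, fuzzing.. ", nread);
                    LLVMFuzzerTestOneInput(buffer, nread);
                    // … unchanged: completion message, free(buffer) …
                }
                // … unchanged: allocation-failure message …
            }
            // … unchanged: fclose(infile) and the open-failure branch …
```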
diff --git a/ossfuzz/testinput.h b/ossfuzz/testinput.h
new file mode 100644
index 0000000..6ab9b51
--- /dev/null
+++ b/ossfuzz/testinput.h
@@ -0,0 +1,3 @@
+#include <inttypes.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
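Review bot: the header has no include guard and declares a `size_t` parameter while including only `<inttypes.h>`, which does not guarantee `size_t`; add `#pragma once` (or a classic guard) and `#include <stddef.h>` above the declaration. The `extern "C"` linkage also makes this header C++-only, which matches the `.cc` consumers in this commit but is worth stating in a one-line comment such as `/* C++-only: declares the libFuzzer entry point implemented by each fuzz target. */`.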
diff --git a/ossfuzz/travisoss.sh b/ossfuzz/travisoss.sh
new file mode 100755
index 0000000..e99cc6e
--- /dev/null
+++ b/ossfuzz/travisoss.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -ex
+
+PROJECT_NAME=jansson
+
+# Clone the oss-fuzz repository
+git clone https://github.com/google/oss-fuzz.git /tmp/ossfuzz
+
+if [[ ! -d /tmp/ossfuzz/projects/${PROJECT_NAME} ]]
+then
+ echo "Could not find the ${PROJECT_NAME} project in ossfuzz"
+
+ # Exit with a success code while the jansson project is not expected to exist
+ # on oss-fuzz.
+ exit 0
+fi
+
+# Modify the oss-fuzz Dockerfile so that we're checking out the current branch on travis.
+sed -i "s@https://github.com/akheron/jansson.git@-b $TRAVIS_BRANCH https://github.com/akheron/jansson.git@" /tmp/ossfuzz/projects/${PROJECT_NAME}/Dockerfile
+
+# Try and build the fuzzers
+pushd /tmp/ossfuzz
+python infra/helper.py build_image --pull ${PROJECT_NAME}
+python infra/helper.py build_fuzzers ${PROJECT_NAME}
+popd
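Review bot: the `sed -i` on the Dockerfile does nothing, silently, if the clone URL in oss-fuzz no longer matches the pattern, so the build would proceed against upstream's default branch while appearing to test this one; guard it with `grep -q 'https://github.com/akheron/jansson.git' /tmp/ossfuzz/projects/${PROJECT_NAME}/Dockerfile` before the edit (the script's `set -e` will then stop on a mismatch). `$TRAVIS_BRANCH` is interpolated unquoted, and on pull-request builds Travis sets it to the target branch rather than the PR's own branch, so in that case the fuzzers would likely be built from the wrong tree. A `set -u` next to the existing `set -ex` would also catch an unset branch variable before it is baked into the Dockerfile.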