fnmatch: add fuzzer for fnmatch testing

Author: cmeister2

.gitignore

@@ -30,6 +30,8 @@ missing
 /curl_fuzzer_dict_seed_corpus.zip
 /curl_fuzzer_file
 /curl_fuzzer_file_seed_corpus.zip
+/curl_fuzzer_fnmatch
+/curl_fuzzer_fnmatch_seed_corpus.zip
 /curl_fuzzer_ftp
 /curl_fuzzer_ftp_seed_corpus.zip
 /curl_fuzzer_gopher

Makefile.am

@@ -25,7 +25,7 @@ ACLOCAL_AMFLAGS = -I m4
 @CODE_COVERAGE_RULES@
 
 # Include debug symbols by default as recommended by libfuzzer.
-AM_CXXFLAGS = -g -I@INSTALLDIR@/include
+AM_CXXFLAGS = -g -I@INSTALLDIR@/include -I@INSTALLDIR@/utfuzzer
 
 LIBS = -lpthread -lm
 
@@ -38,6 +38,7 @@ LIB_FUZZING_ENGINE ?= libstandaloneengine.a
 FUZZPROGS = curl_fuzzer \
 			curl_fuzzer_dict \
 			curl_fuzzer_file \
+			curl_fuzzer_fnmatch \
 			curl_fuzzer_ftp \
 			curl_fuzzer_gopher \
 			curl_fuzzer_http \
@@ -112,6 +113,11 @@ curl_fuzzer_tftp_SOURCES = $(COMMON_SOURCES)
 curl_fuzzer_tftp_CXXFLAGS = $(COMMON_FLAGS) -DFUZZ_PROTOCOLS_TFTP
 curl_fuzzer_tftp_LDADD = $(COMMON_LDADD)
 
+# Unit test fuzzers
+curl_fuzzer_fnmatch_SOURCES = fuzz_fnmatch.cc
+curl_fuzzer_fnmatch_CXXFLAGS = $(COMMON_FLAGS)
+curl_fuzzer_fnmatch_LDADD = $(COMMON_LDADD)
+
 # Create the seed corpora zip files.
 zip:
 	./create_zip.sh

corpora/curl_fuzzer_fnmatch/test_pattern_only

@@ -0,0 +1,105 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2017, Max Dymond, <[email protected]>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+extern "C"
+{
+  #include <stdlib.h>
+  #include <signal.h>
+  #include <string.h>
+  #include <unistd.h>
+  #include <inttypes.h>
+  #include <curl/curl.h>
+  #include "curl_fnmatch.h"
+}
+
+/* #define DEBUG(STMT)  STMT */
+#define DEBUG(STMT)
+
+/**
+ * Fuzzing entry point. This function is passed a buffer containing a test
+ * case.  This test case should drive the CURL fnmatch function.
+ */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  const char *string_data = (const char *)data;
+  const char *pattern;
+  const char *contents;
+  int pattern_len;
+  int fnrc;
+
+  DEBUG(printf("\nSize is %lu bytes \n", size));
+
+  /* The string requires at least two null terminators. Anything
+     smaller is an error. */
+  if(size < 2) {
+    DEBUG(printf("Size is too small. \n"));
+    goto EXIT_LABEL;
+  }
+
+  /* The data should be split into two strings - the pattern and the
+     string to match on. The data should be null-terminated. */
+  if(data[size - 1] != 0) {
+    DEBUG(printf("Not null terminated \n"));
+    goto EXIT_LABEL;
+  }
+
+  pattern_len = strnlen(string_data, size);
+
+  DEBUG(printf("Pattern length %d \n", pattern_len));
+
+  /* Check to see if the string length is valid. Because pattern_len
+     doesn't include a null terminator, we should check to see if the length
+     equals the full buffer size with or without a null terminator. */
+  if((pattern_len >= size - 1) ||
+     (string_data[pattern_len] != 0)) {
+    /* The string was not valid. */
+    DEBUG(printf("Pattern string was invalid \n"));
+    goto EXIT_LABEL;
+  }
+
+  /* Set up the pointers for the pattern and string. */
+  pattern = string_data;
+  contents = &string_data[pattern_len + 1];
+
+  /* Sanity check the size of the strings. We should have two strings
+     less two null terminators. */
+  if(strlen(contents) + pattern_len != size - 2) {
+    DEBUG(printf("Unexpected lengths: %lu + %d != %lu - 2 \n",
+                 strlen(contents),
+                 pattern_len,
+                 size));
+    goto EXIT_LABEL;
+  }
+
+  DEBUG(printf("Pattern: '%s' \n", pattern));
+  DEBUG(printf("Contents: '%s' \n", contents));
+
+  /* Call the fuzz function. */
+  fnrc = Curl_fnmatch(NULL, pattern, contents);
+
+  (void)fnrc;
+  DEBUG(printf("Curl_fnmatch returned %d \n", fnrc));
+
+EXIT_LABEL:
+
+  return 0;
+}

corpora/curl_fuzzer_fnmatch/test_pattern_string

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer"
+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_fnmatch curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer"

fuzz_fnmatch.cc

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Redirect the output of this script to a test file.
+printf "$1\0$2\0"

fuzz_targets

@@ -50,4 +50,11 @@ pushd ${SRCDIR}
 make
 make install
 
+# Make any explicit folders which are post install
+UTFUZZDIR=${INSTALLDIR}/utfuzzer
+mkdir -p ${UTFUZZDIR}
+
+# Copy header files.
+cp -v lib/curl_fnmatch.h ${UTFUZZDIR}
+
 popd