benhoyt · 0x34d · Apr 9, 2024
diff --git a/fuzzing/OSS-FUZZ.MD b/fuzzing/OSS-FUZZ.MD
diff --git a/fuzzing/build.sh b/fuzzing/build.sh
diff --git a/fuzzing/fuzz.sh b/fuzzing/fuzz.sh
diff --git a/fuzzing/fuzzing.sh b/fuzzing/fuzzing.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+CC=clang
+CXX=clang++
+LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
+
+# Compile and link with AddressSanitizer
+CFLAGS_ASAN="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"
+$CC $CFLAGS_ASAN -c ../ini.c
+$CC $CFLAGS_ASAN -c inihfuzz.c
+$CXX $CFLAGS_ASAN $LIB_FUZZING_ENGINE inihfuzz.o ini.o -o inihfuzz_asan
+rm *.o
+
+# Compile and link with MemorySanitizer
+CFLAGS_MSAN="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory -fsanitize-memory-track-origins -fsanitize=fuzzer-no-link"
+$CC $CFLAGS_MSAN -c ../ini.c
+$CC $CFLAGS_MSAN -c inihfuzz.c
+$CXX $CFLAGS_MSAN $LIB_FUZZING_ENGINE inihfuzz.o ini.o -o inihfuzz_msan
+rm *.o
+
+# Compile and link with UndefinedBehaviorSanitizer
+CFLAGS_UBSAN="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link"
+$CC $CFLAGS_UBSAN -c ../ini.c
+$CC $CFLAGS_UBSAN -c inihfuzz.c
+$CXX $CFLAGS_UBSAN $LIB_FUZZING_ENGINE inihfuzz.o ini.o -o inihfuzz_ubsan
+rm *.o
+
+# Uncomment to run the fuzzer of your choice
+mkdir covearge/
+#./inihfuzz_asan  covearge/  testcases_seed/
+#./inihfuzz_msan  covearge/  testcases_seed/
+#./inihfuzz_ubsan covearge/  testcases_seed/
diff --git a/fuzzing/inihfuzz.c b/fuzzing/inihfuzz.c
@@ -5,78 +5,41 @@
 #include <string.h>
 #include "../ini.h"
 
+#define kMinInputLength 8
+#define kMaxInputLength 512
+
 int User;
 char Prev_section[50];
 
 int dumper(void* user, const char* section, const char* name,
            const char* value)
 {
     User = *((int*)user);
-    if (!name || strcmp(section, Prev_section)) {
-        printf("... [%s]\n", section);
+    if (strcmp(section, Prev_section)) {
         strncpy(Prev_section, section, sizeof(Prev_section));
         Prev_section[sizeof(Prev_section) - 1] = '\0';
     }
-    if (!name) {
-        return 1;
-    }
-
-    printf("... %s%s%s;\n", name, value ? "=" : "", value ? value : "");
-
-    if (!value) {
-        // Happens when INI_ALLOW_NO_VALUE=1 and line has no value (no '=' or ':')
-        return 1;
-    }
-
-    return strcmp(name, "user")==0 && strcmp(value, "parse_error")==0 ? 0 : 1;
+    return 1;
 }
 
-void parse(const char* fname) {
-    static int u = 100;
-    int e;
-
-    *Prev_section = '\0';
-    e = ini_parse(fname, dumper, &u);
-    printf("%s: e=%d user=%d\n", fname, e, User);
-    u++;
-}
-
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-
-int main(int argc, char **argv)
-{
-    if (argc < 2) {
-        printf("usage: inihfuzz file.ini\n");
-        return 1;
-    }
-    parse(argv[1]);
-    return 0;
-}
-
-#else
-
-#define kMinInputLength 20
-#define kMaxInputLength 1024
-
-extern int LLVMFuzzerTestOneInput(const char *Data, size_t Size) {
-
-    if (Size < kMinInputLength || Size > kMaxInputLength) {
+extern int LLVMFuzzerTestOneInput(const char *data, size_t size) {
+    if (size < kMinInputLength || size > kMaxInputLength) {
         return 0;
     }
 
-    int ret;
-    *Prev_section = '\0';
-    int u = 100;
+    int e;
+    static int u = 100;
+    Prev_section[0] = '\0';
 
-    char *data = malloc(Size + 1);
-    memcpy(data, Data, Size);
-    data[Size] = '\0';
+    char *data_in = malloc(size + 1);
+    if (!data_in) return 0; // Just in case malloc fails
 
-    ret = ini_parse(data, dumper, &u);
+    memcpy(data_in, data, size);
+    data_in[size] = '\0';
 
-    free(data);
+    e = ini_parse_string(data_in, dumper, &u);
 
-    return ret;
-}
+    free(data_in);
 
-#endif
+    return e;
+}