Test out simple generic fuzzing using traversal

cmyr · cmyr · commit 52848ddcab16 · 2024-08-21T18:18:00.000-04:00
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -67,3 +67,21 @@ name = "fuzz_sparse_bit_set_encode"
 path = "fuzz_targets/fuzz_sparse_bit_set_encode.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "fuzz_gdef"
+path = "fuzz_targets/fuzz_gdef.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_gpos"
+path = "fuzz_targets/fuzz_gpos.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_gsub"
+path = "fuzz_targets/fuzz_gsub.rs"
+test = false
+doc = false
diff --git a/fuzz/fuzz_targets/fuzz_gdef.rs b/fuzz/fuzz_targets/fuzz_gdef.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+mod traversal_fuzz;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use read_fonts::tables::gdef::Gdef;
+
+fuzz_target!(|data: &[u8]| -> Corpus { traversal_fuzz::try_traverse_table::<Gdef>(data, false) });
diff --git a/fuzz/fuzz_targets/fuzz_gpos.rs b/fuzz/fuzz_targets/fuzz_gpos.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+mod traversal_fuzz;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use read_fonts::tables::gpos::Gpos;
+
+fuzz_target!(|data: &[u8]| -> Corpus { traversal_fuzz::try_traverse_table::<Gpos>(data, false) });
diff --git a/fuzz/fuzz_targets/fuzz_gsub.rs b/fuzz/fuzz_targets/fuzz_gsub.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+mod traversal_fuzz;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use read_fonts::tables::gsub::Gsub;
+
+fuzz_target!(|data: &[u8]| -> Corpus { traversal_fuzz::try_traverse_table::<Gsub>(data, false) });
diff --git a/fuzz/fuzz_targets/traversal_fuzz.rs b/fuzz/fuzz_targets/traversal_fuzz.rs
@@ -0,0 +1,28 @@
+use std::fmt::Debug;
+use std::io::Write;
+
+use libfuzzer_sys::Corpus;
+use read_fonts::FontRead;
+
+/// Reusable entry point to fuzz any table via traversal
+///
+/// To debug timeouts, set `print_output` to `true` (the output text will help
+/// show where you're hitting a loop)
+pub fn try_traverse_table<'a, T: FontRead<'a> + Debug>(
+    data: &'a [u8],
+    print_output: bool,
+) -> Corpus {
+    match T::read(data.into()) {
+        Err(_) => Corpus::Reject,
+        Ok(table) => {
+            if print_output {
+                eprintln!("{table:?}");
+            } else {
+                // if we don't want to see the output don't bother filling a buffer
+                let mut empty = std::io::empty();
+                write!(&mut empty, "{table:?}").unwrap();
+            }
+            Corpus::Keep
+        }
+    }
+}
