1
1
2
2
/* A tiny utility for fuzzing bzip3.
3
3
*
4
- * Instructions:
4
+ * Prerequisites:
5
+ *
6
+ * - AFL https://github.com/AFLplusplus/AFLplusplus
7
+ * - clang (part of LLVM)
8
+ *
9
+ * On Arch this is `pacman -S afl++ clang`
10
+ *
11
+ * # Instructions:
12
+ *
13
+ * 1. Build the Repository (per example in README.md)
14
+ *
15
+ * This will get you a working binary of `bzip3` (in repo root).
16
+ * Then cd into this (examples) folder.
17
+ *
18
+ * 2. Prepare fuzzer directories
19
+ *
5
20
* mkdir -p afl_in && mkdir -p afl_out
6
- * ./compress-file ../Makefile afl_in/a.bz3
7
- * afl-clang examples/fuzz.c -Iinclude src/libbz3.c -o examples/fuzz -g3 "-DVERSION=\"0.0.0\"" -O3 -march=native
21
+ *
22
+ * 3. Make a fuzzer input file.
23
+ *
24
+ * With `your_file` being an arbitrary input to test.
25
+ *
26
+ * ../bzip3 -e your_file
27
+ * mv your_file.bz3 afl_in/
28
+ *
29
+ * 4. Build instrumented binary.
30
+ *
31
+ * afl-clang fuzz.c -I../include ../src/libbz3.c -o fuzz -g3 "-DVERSION=\"0.0.0\"" -O3 -march=native
32
+ *
33
+ * 5. Run the fuzzer.
34
+ *
8
35
* AFL_SKIP_CPUFREQ=1 afl-fuzz -i afl_in -o afl_out -- ./fuzz @@
9
36
*
37
+ * 6. Found a crash?
38
+ *
10
39
* If you find a crash, consider also doing the following:
11
- * gcc examples/fuzz.c src/libbz3.c -g3 -O3 -march=native -o examples/fuzz_asan -Iinclude "-DVERSION=\"0.0.0\""
12
- * -fsanitize=undefined -fsanitize=address
40
+ *
41
+ * clang fuzz.c ../src/libbz3.c -g3 -O3 -march=native -o fuzz_asan -I../include "-DVERSION=\"0.0.0\"" -fsanitize=undefined -fsanitize=address
13
42
*
14
43
* And run fuzz_asan on the crashing test case. Attach the test case /and/ the output of fuzz_asan to the bug report.
15
44
*/
@@ -30,24 +59,27 @@ int main(int argc, char ** argv) {
30
59
31
60
if (size < 64 ) {
32
61
// Too small.
62
+ free (buffer );
33
63
return 0 ;
34
64
}
35
65
36
66
// Decompress the file:
37
67
size_t orig_size = * (size_t * )buffer ;
38
68
if (orig_size >= 0x10000000 ) {
39
69
// Sanity check: don't allocate more than 256MB.
70
+ free (buffer );
40
71
return 0 ;
41
72
}
42
73
uint8_t * outbuf = malloc (orig_size );
43
74
int bzerr = bz3_decompress (buffer + sizeof (size_t ), outbuf , size - sizeof (size_t ), & orig_size );
44
75
if (bzerr != BZ3_OK ) {
45
76
printf ("bz3_decompress() failed with error code %d" , bzerr );
77
+ free (outbuf );
78
+ free (buffer );
46
79
return 1 ;
47
80
}
48
81
49
82
printf ("OK, %d => %d" , size , orig_size );
50
-
51
83
free (outbuf );
52
84
free (buffer );
53
85
return 0 ;
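Review bot: The `malloc(orig_size)` result on new line 73 is still passed to `bz3_decompress()` without a NULL check, and `orig_size` is read straight from the input file, so a value just under the 256MB cap can make the allocation fail under AFL's default memory limit and the harness then dereferences NULL — reported as a crash in the harness rather than in libbz3. Add `if (!outbuf) { free(buffer); return 0; }` right after the malloc, mirroring the two early returns this commit already fixed. The `printf("OK, %d => %d", size, orig_size)` on new line 82 also prints a `size_t` with `%d`, which is undefined behaviour under UBSan and prints garbage for large values; `%zu` for `orig_size` (and for `size` if it is also an unsigned size type) fixes it. The body of `main` starts outside this hunk.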