
Commit cc01039

authored
Improved: Make fuzzing docs a tiny bit clearer. (#142)
1 parent 187b322 commit cc01039


1 file changed

+38
-6
lines changed


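--- a/examples/fuzz.c
+++ b/examples/fuzz.c
@@ -1,15 +1,44 @@
 
 /* A tiny utility for fuzzing bzip3.
 *
-* Instructions:
+* Prerequisites:
+*
+* - AFL https://github.com/AFLplusplus/AFLplusplus
+* - clang (part of LLVM)
+*
+* On Arch this is `pacman -S afl++ clang`
+*
+* # Instructions:
+*
+* 1. Build the Repository (per example in README.md)
+*
+* This will get you a working binary of `bzip3` (in repo root).
+* Then cd into this (examples) folder.
+*
+* 2. Prepare fuzzer directories
+*
 * mkdir -p afl_in && mkdir -p afl_out
-* ./compress-file ../Makefile afl_in/a.bz3
-* afl-clang examples/fuzz.c -Iinclude src/libbz3.c -o examples/fuzz -g3 "-DVERSION=\"0.0.0\"" -O3 -march=native
+*
+* 3. Make a fuzzer input file.
+*
+* With `your_file` being an arbitrary input to test.
+*
+* ../bzip3 -e your_file
+* mv your_file.bz3 afl_in/
+*
+* 4. Build instrumented binary.
+*
+* afl-clang fuzz.c -I../include ../src/libbz3.c -o fuzz -g3 "-DVERSION=\"0.0.0\"" -O3 -march=native
+*
+* 5. Run the fuzzer.
+*
 * AFL_SKIP_CPUFREQ=1 afl-fuzz -i afl_in -o afl_out -- ./fuzz @@
 *
+* 6. Found a crash?
+*
 * If you find a crash, consider also doing the following:
-* gcc examples/fuzz.c src/libbz3.c -g3 -O3 -march=native -o examples/fuzz_asan -Iinclude "-DVERSION=\"0.0.0\""
-* -fsanitize=undefined -fsanitize=address
+*
+* clang fuzz.c ../src/libbz3.c -g3 -O3 -march=native -o fuzz_asan -I../include "-DVERSION=\"0.0.0\"" -fsanitize=undefined -fsanitize=address
 *
 * And run fuzz_asan on the crashing test case. Attach the test case /and/ the output of fuzz_asan to the bug report.
 */
@@ -30,24 +59,27 @@ int main(int argc, char ** argv) {
 
 if (size < 64) {
 // Too small.
+free(buffer);
 return 0;
 }
 
 // Decompress the file:
 size_t orig_size = *(size_t *)buffer;
 if (orig_size >= 0x10000000) {
 // Sanity check: don't allocate more than 256MB.
+free(buffer);
 return 0;
 }
 uint8_t * outbuf = malloc(orig_size);
 int bzerr = bz3_decompress(buffer + sizeof(size_t), outbuf, size - sizeof(size_t), &orig_size);
 if (bzerr != BZ3_OK) {
 printf("bz3_decompress() failed with error code %d", bzerr);
+free(outbuf);
+free(buffer);
 return 1;
 }
 
 printf("OK, %d => %d", size, orig_size);
-
 free(outbuf);
 free(buffer);
 return 0;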
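Review bot: `uint8_t * outbuf = malloc(orig_size);` at new line 73 is still unchecked, so an allocation failure (or an `orig_size` of 0, which may legitimately return NULL) hands a NULL output buffer to bz3_decompress; the cleanup the commit adds on the other early exits is the right pattern and this path needs the same, `if (!outbuf) { free(buffer); return 0; }`. The success message on new line 82, `printf("OK, %d => %d", size, orig_size);`, passes the `size_t` `orig_size` to `%d`, which is undefined behaviour and a `-Wformat` mismatch; `%zu` is the matching specifier (and for `size` too if it is also a `size_t`, which cannot be confirmed from here). The enclosing main starts before this hunk, so the declaration of `size` and the origin of `buffer` are outside the visible lines.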
