[fuzzers] add kirenenko (google#921)

ImanHosseini · Jan 11, 2021 · 7109b59 · 7109b59
1 parent 6195ee2
commit 7109b59
Show file tree

Hide file tree

Showing 48 changed files with 2,375 additions and 81 deletions.
diff --git a/.github/workflows/fuzzers.yml b/.github/workflows/fuzzers.yml
@@ -30,6 +30,7 @@ jobs:
           - honggfuzz
           - lafintel
           - klee
+          - kirenenko
           - libfuzzer
           - libaflfuzzer
           - manul

diff --git a/benchmarks/arrow_parquet-arrow-fuzz/benchmark.yaml b/benchmarks/arrow_parquet-arrow-fuzz/benchmark.yaml
@@ -11,3 +11,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/bloaty_fuzz_target/benchmark.yaml b/benchmarks/bloaty_fuzz_target/benchmark.yaml
@@ -18,3 +18,4 @@ fuzz_target: fuzz_target
 project: bloaty
 unsupported_fuzzers:
   - klee
+  - kirenenko
diff --git a/benchmarks/curl_curl_fuzzer_http/benchmark.yaml b/benchmarks/curl_curl_fuzzer_http/benchmark.yaml
@@ -18,3 +18,4 @@ fuzz_target: curl_fuzzer_http
 project: curl
 unsupported_fuzzers:
   - klee
+  - kirenenko
diff --git a/benchmarks/freetype2-2017/benchmark.yaml b/benchmarks/freetype2-2017/benchmark.yaml
@@ -14,3 +14,5 @@
 
 fuzz_target: ftfuzzer
 project: freetype2
+unsupported_fuzzers:
+  - kirenenko
diff --git a/benchmarks/harfbuzz-1.3.2/benchmark.yaml b/benchmarks/harfbuzz-1.3.2/benchmark.yaml
@@ -16,3 +16,4 @@ fuzz_target: hb-shape-fuzzer
 project: harfbuzz
 unsupported_fuzzers:
   - klee
+  - kirenenko
diff --git a/benchmarks/harfbuzz_hb-subset-fuzzer/benchmark.yaml b/benchmarks/harfbuzz_hb-subset-fuzzer/benchmark.yaml
@@ -10,3 +10,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/jsoncpp_jsoncpp_fuzzer/benchmark.yaml b/benchmarks/jsoncpp_jsoncpp_fuzzer/benchmark.yaml
@@ -18,3 +18,4 @@ fuzz_target: jsoncpp_fuzzer
 project: jsoncpp
 unsupported_fuzzers:
   - klee
+  - kirenenko
diff --git a/benchmarks/lcms-2017-03-21/Dockerfile b/benchmarks/lcms-2017-03-21/Dockerfile
@@ -27,5 +27,5 @@ RUN git clone https://github.com/mm2/Little-CMS.git
 
 RUN wget -qO $OUT/fuzz-target.dict \
     https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/icc.dict
-COPY cms_transform_fuzzer.cc build.sh $SRC/
+COPY cms_transform_fuzzer.c build.sh $SRC/
 ADD seeds /opt/seeds
diff --git a/benchmarks/lcms-2017-03-21/build.sh b/benchmarks/lcms-2017-03-21/build.sh
@@ -17,8 +17,15 @@ cd Little-CMS
 git checkout f9d75ccef0b54c9f4167d95088d4727985133c52
 ./autogen.sh
 ./configure
+make clean
 make -j $(nproc)
 
-$CXX $CXXFLAGS $SRC/cms_transform_fuzzer.cc -I include/ src/.libs/liblcms2.a \
-    $FUZZER_LIB -o $OUT/cms_transform_fuzzer
+if [[ -z "${KIRENENKO_FUZZER}" ]]; then
+    $CXX $CXXFLAGS -std=c++11 $SRC/cms_transform_fuzzer.c -I include/ src/.libs/liblcms2.a \
+        $FUZZER_LIB -o $OUT/cms_transform_fuzzer
+else
+    $CC $CFLAGS -DKIRENENKO $SRC/cms_transform_fuzzer.c -I include/ src/.libs/liblcms2.a \
+        $FUZZER_LIB -o $OUT/$FUZZ_TARGET
+fi
+
 cp -r /opt/seeds $OUT/
diff --git a/...s/lcms-2017-03-21/cms_transform_fuzzer.cc → ...ks/lcms-2017-03-21/cms_transform_fuzzer.c b/...s/lcms-2017-03-21/cms_transform_fuzzer.cc → ...ks/lcms-2017-03-21/cms_transform_fuzzer.c
@@ -16,7 +16,11 @@
 
 #include "lcms2.h"
 
+#ifdef KIRENENKO
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#else
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#endif
   cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size);
   if (!srcProfile) return 0;
 

diff --git a/benchmarks/libhevc_hevc_dec_fuzzer/benchmark.yaml b/benchmarks/libhevc_hevc_dec_fuzzer/benchmark.yaml
@@ -10,4 +10,5 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
 
diff --git a/benchmarks/libjpeg-turbo-07-2017/build.sh b/benchmarks/libjpeg-turbo-07-2017/build.sh
@@ -16,9 +16,15 @@
 cd libjpeg-turbo
 git checkout b0971e47d76fdb81270e93bbf11ff5558073350d
 autoreconf -fiv
-./configure
+./configure --disable-shared
+make clean
 make -j $(nproc)
 
-$CXX $CXXFLAGS -std=c++11 $SRC/libjpeg_turbo_fuzzer.cc -I . \
-    .libs/libturbojpeg.a $FUZZER_LIB -o $OUT/libjpeg_turbo_fuzzer
+if [[ -z "${KIRENENKO_FUZZER}" ]]; then
+    $CXX $CXXFLAGS -std=c++11 $SRC/libjpeg_turbo_fuzzer.c -I . \
+        .libs/libturbojpeg.a $FUZZER_LIB -o $OUT/libjpeg_turbo_fuzzer
+else
+    $CC $CFLAGS -DKIRENENKO $SRC/libjpeg_turbo_fuzzer.c -I . \
+        .libs/libturbojpeg.a $FUZZER_LIB -o $OUT/$FUZZ_TARGET
+fi
 cp -r /opt/seeds $OUT/
diff --git a/...peg-turbo-07-2017/libjpeg_turbo_fuzzer.cc → ...jpeg-turbo-07-2017/libjpeg_turbo_fuzzer.c b/...peg-turbo-07-2017/libjpeg_turbo_fuzzer.cc → ...jpeg-turbo-07-2017/libjpeg_turbo_fuzzer.c
@@ -15,12 +15,15 @@
 #include <stdint.h>
 #include <stdlib.h>
 
-#include <memory>
+#include <memory.h>
 
 #include <turbojpeg.h>
 
-
+#ifdef KIRENENKO
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#else
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#endif
     tjhandle jpegDecompressor = tjInitDecompress();
 
     int width, height, subsamp, colorspace;
@@ -35,11 +38,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         return 0;
     }
 
-    std::unique_ptr<unsigned char[]> buf(new unsigned char[width * height * 3]);
+	unsigned char* buf = (unsigned char *)malloc(width*height*3);
     tjDecompress2(
-        jpegDecompressor, data, size, buf.get(), width, 0, height, TJPF_RGB, 0);
+        jpegDecompressor, data, size, buf, width, 0, height, TJPF_RGB, 0);
 
     tjDestroy(jpegDecompressor);
+    free(buf);
 
     return 0;
 }
diff --git a/benchmarks/libpcap_fuzz_both/benchmark.yaml b/benchmarks/libpcap_fuzz_both/benchmark.yaml
@@ -18,3 +18,4 @@ fuzz_target: fuzz_both
 project: libpcap
 unsupported_fuzzers:
   - klee
+  - kirenenko
diff --git a/benchmarks/libpng-1.2.56/Dockerfile b/benchmarks/libpng-1.2.56/Dockerfile
@@ -31,4 +31,5 @@ RUN wget \
 RUN wget -qO $OUT/fuzz-target.dict \
     https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/png.dict
 ADD seeds /opt/seeds
+COPY target.c $SRC/
 COPY * $SRC/
diff --git a/benchmarks/libpng-1.2.56/build.sh b/benchmarks/libpng-1.2.56/build.sh
@@ -17,8 +17,14 @@ tar xf libpng-1.2.56.tar.gz
 
 cd libpng-1.2.56
 ./configure
+make clean
 make -j $(nproc)
 
-$CXX $CXXFLAGS -std=c++11 $SRC/target.cc .libs/libpng12.a $FUZZER_LIB -I . -lz \
-    -o $OUT/libpng_read_fuzzer
+if [[ -z "${KIRENENKO_FUZZER}" ]]; then
+    $CXX $CXXFLAGS -std=c++11 $SRC/target.c .libs/libpng12.a $FUZZER_LIB -I . -lz \
+        -o $OUT/libpng_read_fuzzer
+else
+    $CC $CFLAGS -DKIRENENKO $SRC/target.c .libs/libpng12.a $FUZZER_LIB -I . -lz \
+        -o $OUT/$FUZZ_TARGET
+fi
 cp -r /opt/seeds $OUT/
diff --git a/benchmarks/libpng-1.2.56/target.cc → benchmarks/libpng-1.2.56/target.c b/benchmarks/libpng-1.2.56/target.cc → benchmarks/libpng-1.2.56/target.c
@@ -26,7 +26,7 @@ struct BufState {
 };
 
 void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
-  BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
+  struct BufState* buf_state = (struct BufState*)(png_get_io_ptr(png_ptr));
   if (length > buf_state->bytes_left) {
     png_error(png_ptr, "read error");
   }
@@ -37,82 +37,49 @@ void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
 
 static const int kPngHeaderSize = 8;
 
-struct ScopedPngObject {
-  ~ScopedPngObject() {
-    if (row && png_ptr) {
-      png_free(png_ptr, row);
-    }
-    if (png_ptr && info_ptr) {
-      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
-    }
-    delete buf_state;
-  }
-  png_infop info_ptr = nullptr;
-  png_voidp row = 0;
-  png_structp png_ptr = nullptr;
-  BufState *buf_state = nullptr;
-};
-
-bool DetectLargeSize(const uint8_t *data, size_t size) {
-  uint8_t *ihdr = reinterpret_cast<uint8_t *>(memmem(data, size, "IHDR", 4));
-  if (!ihdr) return false;
-  if (ihdr + 12 > data + size) return false;
-  uint32_t W = *(uint32_t*)(ihdr + 4);
-  uint32_t H = *(uint32_t*)(ihdr + 8);
-  W = __builtin_bswap32(W);
-  H = __builtin_bswap32(H);
-  uint64_t WxH = static_cast<uint64_t>(W) * H;
-  if (WxH > 100000ULL) {
-    // fprintf(stderr, "ZZZ %zu %u %u\n", WxH, W, H);
-    return true;
-  }
-  return false;
-}
-
 // Fuzzing entry point. Roughly follows the libpng book example:
 // http://www.libpng.org/pub/png/book/chapter13.html
+#ifdef KIRENENKO
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+#else
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+#endif
   if (size < kPngHeaderSize) {
     return 0;
   }
-  ScopedPngObject O;
-  if (png_sig_cmp(const_cast<uint8_t*>(data), 0, kPngHeaderSize)) {
+
+  if (png_sig_cmp((uint8_t*)data, 0, kPngHeaderSize)) {
     // not a PNG.
     return 0;
   }
 
-  // if (DetectLargeSize(data, size)) return 0;
 
-  auto &png_ptr = O.png_ptr;
-  png_ptr = png_create_read_struct
-    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
+  png_structp png_ptr = png_create_read_struct
+    (PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
   assert(png_ptr);
 
-  png_ptr->flags &= ~PNG_FLAG_CRC_CRITICAL_MASK;
-  png_ptr->flags |= PNG_FLAG_CRC_CRITICAL_IGNORE;
+  (png_ptr)->flags &= ~PNG_FLAG_CRC_CRITICAL_MASK;
+  (png_ptr)->flags |= PNG_FLAG_CRC_CRITICAL_IGNORE;
 
-  png_ptr->flags &= ~PNG_FLAG_CRC_ANCILLARY_MASK;
-  png_ptr->flags |= PNG_FLAG_CRC_ANCILLARY_NOWARN;
+  (png_ptr)->flags &= ~PNG_FLAG_CRC_ANCILLARY_MASK;
+  (png_ptr)->flags |= PNG_FLAG_CRC_ANCILLARY_NOWARN;
 
-  auto &info_ptr = O.info_ptr;
-  info_ptr = png_create_info_struct(png_ptr);
+  png_infop  info_ptr = png_create_info_struct(png_ptr);
   assert(info_ptr);
 
   // Setting up reading from buffer.
-  auto &buf_state = O.buf_state;
-  buf_state = new BufState();
-  buf_state->data = data + kPngHeaderSize;
-  buf_state->bytes_left = size - kPngHeaderSize;
+  struct BufState* buf_state = (struct BufState*)malloc(sizeof(struct BufState));
+  (buf_state)->data = data + kPngHeaderSize;
+  (buf_state)->bytes_left = size - kPngHeaderSize;
   png_set_read_fn(png_ptr, buf_state, user_read_data);
   png_set_sig_bytes(png_ptr, kPngHeaderSize);
   int passes = 0;
 
   // libpng error handling.
-  if (setjmp(png_ptr->jmpbuf)) {
+  if (setjmp((png_ptr)->jmpbuf)) {
     return 0;
   }
 
-  // png_ptr->mode & PNG_HAVE_IDAT
   // Reading
   png_read_info(png_ptr, info_ptr);
 
@@ -132,12 +99,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   passes = png_set_interlace_handling(png_ptr);
   png_start_read_image(png_ptr);
 
-  O.row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
+  png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
 
   for (int pass = 0; pass < passes; ++pass) {
     for (png_uint_32 y = 0; y < height; ++y) {
-      png_read_row(png_ptr, static_cast<png_bytep>(O.row), NULL);
+      png_read_row(png_ptr, (png_bytep)(row), NULL);
     }
   }
+	if (row && png_ptr) {
+      png_free(png_ptr, row);
+  }
+  if (png_ptr && info_ptr) {
+      png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+  }
+  free (buf_state);
+
   return 0;
 }
diff --git a/benchmarks/libxml2-v2.9.2/Dockerfile b/benchmarks/libxml2-v2.9.2/Dockerfile
@@ -29,4 +29,4 @@ RUN git clone https://gitlab.gnome.org/GNOME/libxml2.git
 
 RUN wget -qO $OUT/fuzz-target.dict \
     https://raw.githubusercontent.com/google/AFL/debe27037b9444bbf090a0ffbd5d24889bb887ae/dictionaries/xml.dict
-COPY target.cc build.sh $SRC/
+COPY target.c build.sh $SRC/
diff --git a/benchmarks/libxml2-v2.9.2/build.sh b/benchmarks/libxml2-v2.9.2/build.sh
@@ -19,9 +19,16 @@ cd libxml2
 # don't even want.
 git checkout -f v2.9.2
 ./autogen.sh
-CCLD="$CXX $CXXFLAGS" ./configure --without-python --with-threads=no \
+./configure --without-python --with-threads=no \
     --with-zlib=no --with-lzma=no
+make clean
 make -j $(nproc)
 
-$CXX $CXXFLAGS -std=c++11 $SRC/target.cc -I include .libs/libxml2.a \
-    $FUZZER_LIB -o $OUT/xml
+if [[ -z "${KIRENENKO_FUZZER}" ]]; then
+    $CXX $CXXFLAGS -std=c++11 $SRC/target.c -I include \
+        .libs/libxml2.a $FUZZER_LIB -o $OUT/xml
+else
+    $CC $CFLAGS -DKIRENENKO $SRC/target.c -I include \
+        .libs/libxml2.a $FUZZER_LIB -o $OUT/$FUZZ_TARGET
+fi
+
diff --git a/benchmarks/libxml2-v2.9.2/target.cc → benchmarks/libxml2-v2.9.2/target.c b/benchmarks/libxml2-v2.9.2/target.cc → benchmarks/libxml2-v2.9.2/target.c
@@ -12,19 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#include <string>
-#include <vector>
 #include "libxml/xmlversion.h"
 #include "libxml/parser.h"
 #include "libxml/HTMLparser.h"
 #include "libxml/tree.h"
+#include <stdint.h>
 
 void ignore (void * ctx, const char * msg, ...) {}
 
+#ifdef KIRENENKO
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#else
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#endif
   xmlSetGenericErrorFunc(NULL, &ignore);
-  if (auto doc = xmlReadMemory(reinterpret_cast<const char *>(data), size,
+  xmlDocPtr doc;
+  if (doc = xmlReadMemory((const char *)(data), size,
                                "noname.xml", NULL, 0))
-    xmlFreeDoc(doc);
+  xmlFreeDoc(doc);
   return 0;
 }
diff --git a/benchmarks/libxslt_xpath/benchmark.yaml b/benchmarks/libxslt_xpath/benchmark.yaml
@@ -7,3 +7,4 @@ unsupported_fuzzers:
   - aflplusplus_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/matio_matio_fuzzer/benchmark.yaml b/benchmarks/matio_matio_fuzzer/benchmark.yaml
@@ -10,3 +10,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/mbedtls_fuzz_dtlsclient/build.sh b/benchmarks/mbedtls_fuzz_dtlsclient/build.sh
@@ -18,12 +18,18 @@
 # build project
 perl scripts/config.pl set MBEDTLS_PLATFORM_TIME_ALT
 git -C crypto checkout -f 819799cfc68e4c4381673a8a27af19802c8263f2
-mkdir build
+mkdir -p build
 cd build
+rm -rf *
 cmake ..
 # build including fuzzers
 make -j$(nproc) all
-cp programs/fuzz/fuzz_* $OUT/
+if [[ -z "${KIRENENKO_FUZZER}" ]]; then
+    cp programs/fuzz/fuzz_* $OUT/
+else
+    cp programs/fuzz/fuzz_dtlsclient $OUT/$FUZZ_TARGET
+fi
+
 
 # build corpuses
 cd ../programs

diff --git a/benchmarks/ndpi_fuzz_ndpi_reader/benchmark.yaml b/benchmarks/ndpi_fuzz_ndpi_reader/benchmark.yaml
@@ -10,3 +10,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/openexr_openexr_exrenvmap_fuzzer/benchmark.yaml b/benchmarks/openexr_openexr_exrenvmap_fuzzer/benchmark.yaml
@@ -10,3 +10,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko
diff --git a/benchmarks/openh264_decoder_fuzzer/benchmark.yaml b/benchmarks/openh264_decoder_fuzzer/benchmark.yaml
@@ -10,3 +10,4 @@ unsupported_fuzzers:
   - honggfuzz_qemu
   - klee
   - weizz_qemu
+  - kirenenko