Improve fuzzing coverage of yajl-ruby for OSS-Fuzz

Author: jsnv-dev

fuzz/error_string_fuzzer.c

@@ -0,0 +1,86 @@
+/*
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "yajl_lex.h"
+#include "yajl_parser.h"
+#include "yajl_encode.h"
+#include "yajl_bytestack.h"
+#include "api/yajl_parse.h"
+
+// Helper to create parse error
+static void create_parse_error(yajl_handle hand) {
+    yajl_bs_push(hand->stateStack, yajl_state_parse_error);
+    hand->parseError = "test parse error";
+}
+
+// Helper to create lexical error
+static void create_lexical_error(yajl_handle hand) {
+    yajl_bs_push(hand->stateStack, yajl_state_lexical_error);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 2) {
+        return 0;
+    }
+
+    // Initialize parser
+    yajl_parser_config cfg = { 1, 1 }; // allowComments=1, checkUTF8=1
+    yajl_handle hand = yajl_alloc(NULL, &cfg, NULL, NULL);
+    if (!hand) {
+        return 0;
+    }
+
+    // Use first byte to determine error type and verbosity
+    unsigned int error_type = data[0] % 3; // 0=parse, 1=lexical, 2=other
+    int verbose = data[1] & 1;
+
+    // Set bytesConsumed to some position in the input
+    hand->bytesConsumed = (size > 2) ? (data[2] % (size - 2)) : 0;
+
+    // Create error state based on type
+    switch (error_type) {
+        case 0:
+            create_parse_error(hand);
+            break;
+        case 1:
+            create_lexical_error(hand);
+            break;
+        default:
+            // Leave in unknown state
+            break;
+    }
+
+    // Get error string
+    unsigned char *error = yajl_render_error_string(hand, 
+                                                  data + 2, 
+                                                  size > 2 ? size - 2 : 0,
+                                                  verbose);
+
+    // Free error string if allocated
+    if (error) {
+        yajl_free_error(hand, error);
+    }
+
+    yajl_free(hand);
+    return 0;
+}

fuzz/error_string_fuzzer.dict

@@ -0,0 +1,35 @@
+# JSON fragments that might trigger errors
+"{"
+"}"
+"["
+"]"
+","
+":"
+"null"
+"true"
+"false"
+"123"
+"-123"
+"1.23"
+"\\"string\\""
+"\\"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+
+# Special characters that might affect error display
+"\\n"
+"\\r"
+"\\t"
+" "
+"#"
+"/*"
+"//"
+
+# Common error locations
+"{"
+"{\\"key\\":"
+"[1,2,"
+"[\\"incomplete"
+"{\\"key\\":123,"

fuzz/json_fuzzer.c

@@ -0,0 +1,104 @@
+/*
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "api/yajl_parse.h"
+
+typedef struct {
+    int arrayLevel;
+    int objectLevel;
+} context;
+
+static int yajl_found_null(void* ctx) { 
+    return 1;
+}
+
+static int yajl_found_boolean(void* ctx, int boolean) {
+    return 1;
+};
+
+static int yajl_found_number(void* ctx, const char* v, unsigned int l) {
+    assert(l > 0);
+    return 1;
+}
+
+static int yajl_found_string(void* ctx, const unsigned char* s, unsigned int l) {
+    return 1;
+}
+
+static int yajl_found_object_key(void* ctx, const unsigned char* v, unsigned int l) {
+    assert(((context*)ctx)->objectLevel > 0);
+    return 1;
+}
+
+static int yajl_found_start_object(void* ctx) {
+    ((context*)ctx)->objectLevel++;
+    return 1;
+}
+
+static int yajl_found_end_object(void* ctx) {
+    assert(((context*)ctx)->objectLevel > 0);
+    ((context*)ctx)->objectLevel--;
+    return 1;
+}
+
+static int yajl_found_start_array(void* ctx) {
+    ((context*)ctx)->arrayLevel++;
+    return 1;
+}
+
+static int yajl_found_end_array(void* ctx) {
+    assert(((context*)ctx)->arrayLevel > 0);
+    ((context*)ctx)->arrayLevel--;
+    return 1;
+}
+
+static yajl_callbacks callbacks = {
+    yajl_found_null,
+    yajl_found_boolean,
+    NULL,
+    NULL,
+    yajl_found_number,
+    yajl_found_string,
+    yajl_found_start_object,
+    yajl_found_object_key,
+    yajl_found_end_object,
+    yajl_found_start_array,
+    yajl_found_end_array
+};
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    context ctx = {
+        .arrayLevel = 0,
+        .objectLevel = 0,
+    };
+    yajl_parser_config cfg = {
+        .allowComments = 1,
+        .checkUTF8 = 1,
+    };
+    yajl_handle parser = yajl_alloc(&callbacks, &cfg, NULL, (void*)&ctx);
+
+    (void)yajl_parse(parser, data, size);
+    yajl_free(parser);
+
+    return 0;
+}

fuzz/json_fuzzer.dict

@@ -0,0 +1,20 @@
+"{"
+"}"
+","
+"["
+"]"
+","
+":"
+"e"
+"e+"
+"e-"
+"E"
+"E+"
+"E-"
+"\""
+"\\"
+" "
+"null"
+"1"
+"1.234"
+"3e4"

fuzz/lex_peek_fuzzer.c

@@ -0,0 +1,97 @@
+/*
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "yajl_lex.h"
+#include "yajl_alloc.h"
+#include "api/yajl_common.h"
+
+// Default allocation functions
+static void * malloc_wrapper(void *ctx, unsigned int sz) {
+    return malloc(sz);
+}
+
+static void * realloc_wrapper(void *ctx, void *ptr, unsigned int sz) {
+    return realloc(ptr, sz);
+}
+
+static void free_wrapper(void *ctx, void *ptr) {
+    free(ptr);
+}
+
+static yajl_alloc_funcs allocFuncs = {
+    malloc_wrapper,
+    realloc_wrapper,
+    free_wrapper,
+    NULL
+};
+
+// Test that peek doesn't affect subsequent lexing
+static void test_peek_and_lex(yajl_lexer lexer, const unsigned char* json_text, 
+                             size_t json_len, unsigned int offset) {
+    const unsigned char *outBuf1, *outBuf2;
+    unsigned int outLen1, outLen2;
+    unsigned int testOffset = offset;
+
+    // First peek at token
+    yajl_tok peek_tok = yajl_lex_peek(lexer, json_text, json_len, offset);
+    
+    // Now actually lex the token
+    yajl_tok lex_tok = yajl_lex_lex(lexer, json_text, json_len, &testOffset,
+                                   &outBuf1, &outLen1);
+    
+    // Verify that peek and actual lex return same token type
+    if (peek_tok != lex_tok && peek_tok != yajl_tok_eof) {
+        abort(); // Keep the abort to detect inconsistencies
+    }
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size == 0) {
+        return 0;
+    }
+
+    // Create lexer with different comment/UTF8 validation combinations
+    unsigned int allowComments = data[0] & 1;
+    unsigned int validateUTF8 = data[0] & 2;
+    
+    // Use explicit allocation functions instead of NULL
+    yajl_lexer lexer = yajl_lex_alloc(&allocFuncs, allowComments, validateUTF8);
+    if (!lexer) {
+        return 0;
+    }
+
+    const unsigned char *json_text = data + 1;
+    size_t json_len = size - 1;
+    
+    // Test peeking at different offsets through the input
+    for (unsigned int offset = 0; offset < json_len; offset++) {
+        test_peek_and_lex(lexer, json_text, json_len, offset);
+        
+        yajl_lexer new_lexer = yajl_lex_realloc(lexer);
+        if (!new_lexer) break;
+        lexer = new_lexer;
+    }
+
+    yajl_lex_free(lexer);
+    return 0;
+}

fuzz/lex_peek_fuzzer.dict

@@ -0,0 +1,38 @@
+# Tokens
+"{"
+"}"
+"["
+"]"
+","
+":"
+"true"
+"false"
+"null"
+"\\""
+"\\n"
+"\\r"
+"\\t"
+"\\u"
+
+# Numbers
+"123"
+"-123"
+"0.123"
+"1e10"
+"1e-10"
+
+# Special sequences
+"/*"
+"//"
+"\\u0000"
+"\\u001F"
+"\\uD800"
+"\\uDBFF"
+"\\uDC00"
+"\\uDFFF"
+
+# Common fragments
+"string"
+"number"
+"object"
+"array"