Add a simple fuzz test for jsoncpp.

ssbr · ssbr · commit b78e7e320ae9 · 2017-08-08T19:25:15.000-07:00
The idea is to then add it to the google oss-fuzz project and get jsoncpp regularly tested for bugs. https://github.com/google/oss-fuzz/ I've followed the instructions at: https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md Tested using a simple oss-fuzz setup and with the modified jsoncpp unit tests (cmake . && make). I don't really know git, so also I've royally screwed up the commit history, and artificially flattened it into this one commit. :)
diff --git a/AUTHORS b/AUTHORS
@@ -37,6 +37,7 @@ datadiode <jochen.neubeck@vodafone.de>
 David Seifert <soap@gentoo.org>
 David West <david-west@idexx.com>
 dawesc <chris.dawes@eftlab.co.uk>
+Devin Jeanpierre <jeanpierreda@google.com>
 Dmitry Marakasov <amdmi3@amdmi3.ru>
 dominicpezzuto <dom@dompezzuto.com>
 Don Milham <dmilham@gmail.com>
diff --git a/src/test_lib_json/CMakeLists.txt b/src/test_lib_json/CMakeLists.txt
@@ -3,6 +3,8 @@
 ADD_EXECUTABLE( jsoncpp_test 
                 jsontest.cpp
                 jsontest.h
+                fuzz.cpp
+                fuzz.h
                 main.cpp
                 )
 
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
@@ -0,0 +1,57 @@
+// Copyright 2007-2010 The JsonCpp Authors
+// Distributed under MIT license, or public domain if desired and
+// recognized in your jurisdiction.
+// See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
+
+#include "fuzz.h"
+
+#include <json/config.h>
+#include <json/json.h>
+#include <memory>
+#include <string>
+#include <stdint.h>
+
+namespace {
+// https://en.wikipedia.org/wiki/Jenkins_hash_function#one-at-a-time
+uint32_t JenkinsOneAtATimeHash(const uint8_t* data, size_t size) {
+  uint32_t hash = 0;
+  for (size_t i = 0; i < size; i++) {
+    hash += data[i];
+    hash += hash << 10;
+    hash ^= hash >> 6;
+  }
+  hash += hash << 3;
+  hash ^= hash >> 11;
+  hash += hash << 15;
+  return hash;
+}
+}  // namespace
+
+namespace Json {
+class Exception;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  Json::CharReaderBuilder builder;
+
+  uint32_t hash_settings = JenkinsOneAtATimeHash(data, size);
+  builder.settings_["failIfExtra"] = hash_settings & (1 << 0);
+  builder.settings_["allowComments_"] = hash_settings & (1 << 1);
+  builder.settings_["strictRoot_"] = hash_settings & (1 << 2);
+  builder.settings_["allowDroppedNullPlaceholders_"] = hash_settings & (1 << 3);
+  builder.settings_["allowNumericKeys_"] = hash_settings & (1 << 4);
+  builder.settings_["allowSingleQuotes_"] = hash_settings & (1 << 5);
+  builder.settings_["failIfExtra_"] = hash_settings & (1 << 6);
+  builder.settings_["rejectDupKeys_"] = hash_settings & (1 << 7);
+  builder.settings_["allowSpecialFloats_"] = hash_settings & (1 << 8);
+
+  std::unique_ptr<Json::CharReader> reader(builder.newCharReader());
+
+  Json::Value root;
+  const char* data_str = reinterpret_cast<const char*>(data);
+  try {
+    reader->parse(data_str, data_str + size, &root, nullptr);
+  } catch (Json::Exception const&) {}
+  // Whether it succeeded or not doesn't matter.
+  return 0;
+}
diff --git a/src/test_lib_json/fuzz.h b/src/test_lib_json/fuzz.h
@@ -0,0 +1,14 @@
+// Copyright 2007-2010 The JsonCpp Authors
+// Distributed under MIT license, or public domain if desired and
+// recognized in your jurisdiction.
+// See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
+
+#ifndef FUZZ_H_INCLUDED
+#define FUZZ_H_INCLUDED
+
+#include <stddef.h>
+#include <stdint.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+#endif // ifndef FUZZ_H_INCLUDED
diff --git a/src/test_lib_json/main.cpp b/src/test_lib_json/main.cpp
@@ -4,6 +4,7 @@
 // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
 
 #include "jsontest.h"
+#include "fuzz.h"
 #include <json/config.h>
 #include <json/json.h>
 #include <cstring>
@@ -2510,6 +2511,19 @@ JSONTEST_FIXTURE(RValueTest, moveConstruction) {
 #endif
 }
 
+struct FuzzTest : JsonTest::TestCase {};
+
+// Build and run the fuzz test without any fuzzer, so that it's guaranteed not
+// go out of date, even if it's never run as an actual fuzz test.
+JSONTEST_FIXTURE(FuzzTest, fuzzDoesntCrash) {
+  const std::string example = "{}";
+  JSONTEST_ASSERT_EQUAL(
+      0,
+      LLVMFuzzerTestOneInput(
+          reinterpret_cast<const uint8_t*>(example.c_str()),
+          example.size()));
+}
+
 int main(int argc, const char* argv[]) {
   JsonTest::Runner runner;
   JSONTEST_REGISTER_FIXTURE(runner, ValueTest, checkNormalizeFloatingPointStr);
@@ -2585,5 +2599,7 @@ int main(int argc, const char* argv[]) {
 
   JSONTEST_REGISTER_FIXTURE(runner, RValueTest, moveConstruction);
 
+  JSONTEST_REGISTER_FIXTURE(runner, FuzzTest, fuzzDoesntCrash);
+
   return runner.runCommandLine(argc, argv);
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,8 @@`
`3`	`3`	`ADD_EXECUTABLE( jsoncpp_test`
`4`	`4`	`jsontest.cpp`
`5`	`5`	`jsontest.h`
	`6`	`+ fuzz.cpp`
	`7`	`+ fuzz.h`
`6`	`8`	`main.cpp`
`7`	`9`	`)`
`8`	`10`