From f7edafe8487757587def1ff3bdc4a498beedca8b Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 14:45:31 -0400
Subject: [PATCH 1/9] Modify fuzzer for OSS-Fuzz
---
 src/test_lib_json/fuzz.cpp | 95 +++++++++++++++++++++++++-------------
 1 file changed, 62 insertions(+), 33 deletions(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index f79f19ffe..686cadd46 100644
--- a/src/test_lib_json/fuzz.cpp
+++ b/src/test_lib_json/fuzz.cpp
@@ -5,45 +5,74 @@
 #include "fuzz.h"
-#include
-#include
-#include
-#include
-#include
+#include
 #include
-namespace Json {
-class Exception;
-}
+#include "jsoncpp/config.h"
+#include "jsoncpp/features.h"
+#include "jsoncpp/reader.h"
+#include "jsoncpp/value.h"
+#include "jsoncpp/writer.h"
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- Json::CharReaderBuilder builder;
+// #include
+// #include
+// #include
+// #include
+// #include
+// #include
- if (size < sizeof(uint32_t)) {
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ std::string json_string(reinterpret_cast(data), size);
+ Json::Reader reader(Json::Features::strictMode());
+ Json::Value value;
+ const bool success = reader.parse(json_string, value, false);
+ if (!success) {
 return 0;
 }
- uint32_t hash_settings = *(const uint32_t*)data;
- data += sizeof(uint32_t);
-
- builder.settings_["failIfExtra"] = hash_settings & (1 << 0);
- builder.settings_["allowComments_"] = hash_settings & (1 << 1);
- builder.settings_["strictRoot_"] = hash_settings & (1 << 2);
- builder.settings_["allowDroppedNullPlaceholders_"] = hash_settings & (1 << 3);
- builder.settings_["allowNumericKeys_"] = hash_settings & (1 << 4);
- builder.settings_["allowSingleQuotes_"] = hash_settings & (1 << 5);
- builder.settings_["failIfExtra_"] = hash_settings & (1 << 6);
- builder.settings_["rejectDupKeys_"] = hash_settings & (1 << 7);
- builder.settings_["allowSpecialFloats_"] = hash_settings & (1 << 8);
-
- std::unique_ptr reader(builder.newCharReader());
-
- Json::Value root;
- const char* data_str = reinterpret_cast(data);
- try {
- reader->parse(data_str, data_str + size, &root, nullptr);
- } catch (Json::Exception const&) {
- }
- // Whether it succeeded or not doesn't matter.
+ // Write with StyledWriter
+ Json::StyledWriter styled_writer;
+ styled_writer.write(value);
+
+ // Write with StyledStreamWriter
+ Json::StyledStreamWriter styled_stream_writer;
+ JSONCPP_OSTRINGSTREAM sstream;
+ styled_stream_writer.write(sstream, value);
 return 0;
 }
+
+// namespace Json {
+// class Exception;
+// }
+
+// extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+// Json::CharReaderBuilder builder;
+
+// if (size < sizeof(uint32_t)) {
+// return 0;
+// }
+
+// uint32_t hash_settings = *(const uint32_t*)data;
+// data += sizeof(uint32_t);
+
+// builder.settings_["failIfExtra"] = hash_settings & (1 << 0);
+// builder.settings_["allowComments_"] = hash_settings & (1 << 1);
+// builder.settings_["strictRoot_"] = hash_settings & (1 << 2);
+// builder.settings_["allowDroppedNullPlaceholders_"] = hash_settings & (1 << 3);
+// builder.settings_["allowNumericKeys_"] = hash_settings & (1 << 4);
+// builder.settings_["allowSingleQuotes_"] = hash_settings & (1 << 5);
+// builder.settings_["failIfExtra_"] = hash_settings & (1 << 6);
+// builder.settings_["rejectDupKeys_"] = hash_settings & (1 << 7);
+// builder.settings_["allowSpecialFloats_"] = hash_settings & (1 << 8);
+
+// std::unique_ptr reader(builder.newCharReader());
+
+// Json::Value root;
+// const char* data_str = reinterpret_cast(data);
+// try {
+// reader->parse(data_str, data_str + size, &root, nullptr);
+// } catch (Json::Exception const&) {
+// }
+// // Whether it succeeded or not doesn't matter.
+// return 0;
+// }
From f561b895a94ae6aa91da755e313147c342fb8c53 Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 14:55:05 -0400
Subject: [PATCH 2/9] Update fuzz.cpp
---
 src/test_lib_json/fuzz.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index 686cadd46..a635c056a 100644
--- a/src/test_lib_json/fuzz.cpp
+++ b/src/test_lib_json/fuzz.cpp
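Review bot: The new LLVMFuzzerTestOneInput only ever constructs the reader with `Json::Features::strictMode()`, so the permissive reader options the removed harness toggled from a 4-byte prefix (`allowComments_`, `strictRoot_`, `allowDroppedNullPlaceholders_`, `allowNumericKeys_` and the rest) are no longer reachable from fuzz input — a real coverage regression for exactly the lenient parsing paths where malformed-input bugs tend to live. A cheap way to keep them is a one-byte settings prefix: guard with `if (size < 1) return 0;`, then `Json::Features features = Json::Features::strictMode(); features.allowComments_ = data[0] & 1;` (and likewise for whichever of the other switches `Json::Features` exposes — presumably the same names as the old `settings_` keys, worth confirming against `json/features.h`), building `json_string` from `data + 1, size - 1`. The parsed value is also only serialized and discarded; feeding the `StyledWriter` output back through `reader.parse` would give a free round-trip oracle. The whole function lies inside this hunk.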
@@ -8,11 +8,11 @@
 #include
 #include
-#include "jsoncpp/config.h"
-#include "jsoncpp/features.h"
-#include "jsoncpp/reader.h"
-#include "jsoncpp/value.h"
-#include "jsoncpp/writer.h"
+#include "json/config.h"
+#include "json/features.h"
+#include "json/reader.h"
+#include "json/value.h"
+#include "json/writer.h"
 // #include
 // #include
From 3362035101b3de499054b7674991fa4450a873ea Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 15:24:19 -0400
Subject: [PATCH 3/9] got rid of decapracated
---
 src/test_lib_json/fuzz.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index a635c056a..aa27c4959 100644
--- a/src/test_lib_json/fuzz.cpp
+++ b/src/test_lib_json/fuzz.cpp
@@ -23,7 +23,7 @@
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 std::string json_string(reinterpret_cast(data), size);
- Json::Reader reader(Json::Features::strictMode());
+ Json::CharReader reader(Json::Features::strictMode());
 Json::Value value;
 const bool success = reader.parse(json_string, value, false);
 if (!success) {
@@ -31,11 +31,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 }
 // Write with StyledWriter
- Json::StyledWriter styled_writer;
+ Json::StreamWriterBuilder styled_writer;
 styled_writer.write(value);
 // Write with StyledStreamWriter
- Json::StyledStreamWriter styled_stream_writer;
+ Json::StreamWriterBuilder styled_stream_writer;
 JSONCPP_OSTRINGSTREAM sstream;
 styled_stream_writer.write(sstream, value);
 return 0;
From 6ad1612514d03a2318e1009f7231da6971014424 Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 15:28:03 -0400
Subject: [PATCH 4/9] Update fuzz.cpp
---
 src/test_lib_json/fuzz.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index aa27c4959..a635c056a 100644
--- a/src/test_lib_json/fuzz.cpp
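Review bot: `Json::CharReader reader(Json::Features::strictMode())` followed by the unchanged `reader.parse(json_string, value, false)` swaps the type but keeps the `Json::Reader` call shape; the harness this series retired obtained its `CharReader` from a `Json::CharReaderBuilder` via `builder.newCharReader()` and called `reader->parse(begin, end, &root, errs)` on the returned pointer, so this line is unlikely to compile as written, and 4/9 simply reverts it instead of finishing the migration. If the aim is to stop using the deprecated `Reader`, the builder form is `std::unique_ptr<Json::CharReader> reader(builder.newCharReader());` with `reader->parse(json_string.data(), json_string.data() + json_string.size(), &value, nullptr);`, with strictness configured through `builder.settings_` as the old code did. The second hunk's `Json::StreamWriterBuilder styled_writer; styled_writer.write(value);` has the same shape problem — the builder presumably hands out a writer rather than exposing `write` itself — and needs the same treatment.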
+++ b/src/test_lib_json/fuzz.cpp
@@ -23,7 +23,7 @@
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 std::string json_string(reinterpret_cast(data), size);
- Json::CharReader reader(Json::Features::strictMode());
+ Json::Reader reader(Json::Features::strictMode());
 Json::Value value;
 const bool success = reader.parse(json_string, value, false);
 if (!success) {
@@ -31,11 +31,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 }
 // Write with StyledWriter
- Json::StreamWriterBuilder styled_writer;
+ Json::StyledWriter styled_writer;
 styled_writer.write(value);
 // Write with StyledStreamWriter
- Json::StreamWriterBuilder styled_stream_writer;
+ Json::StyledStreamWriter styled_stream_writer;
 JSONCPP_OSTRINGSTREAM sstream;
 styled_stream_writer.write(sstream, value);
 return 0;
From 8f67878f215a892df96919be383e3006c99a8bc1 Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 15:33:53 -0400
Subject: [PATCH 5/9] Create fuzz.dict
---
 src/test_lib_json/fuzz.dict | 52 +++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 src/test_lib_json/fuzz.dict
diff --git a/src/test_lib_json/fuzz.dict b/src/test_lib_json/fuzz.dict
new file mode 100644
index 000000000..e08245a21
--- /dev/null
+++ b/src/test_lib_json/fuzz.dict
@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk
+#
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
From d3121d73fc6e429aec96d69ed95492ef85642c8a Mon Sep 17 00:00:00 2001
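Review bot: Nothing in this series installs `fuzz.dict` where the fuzzer will find it — every diffstat touches only `fuzz.cpp` and `fuzz.dict` — and libFuzzer consults a dictionary only when it is passed with `-dict=`, which on OSS-Fuzz presumably means the build script copying it into `$OUT` as `<target>.dict` (or naming it in a `.options` file); as committed the tokens have no effect. Either add that copy step or record the intent in the header, e.g. `# Pass to libFuzzer with -dict=fuzz.dict (OSS-Fuzz: install as <target>.dict in $OUT)`. For a JSON reader a few more tokens are cheap and useful: `"Infinity"`, `"-Infinity"` and `"NaN"` (the retired harness had an `allowSpecialFloats_` switch), an out-of-range exponent such as `"1e9999"`, and an unpaired surrogate `"\\uD800"` alongside the paired ones already listed.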
From: Google AutoFuzz Team
Date: Tue, 30 Jul 2019 15:47:46 -0400
Subject: [PATCH 6/9] Get rid of unnecessary comments
---
 src/test_lib_json/fuzz.cpp | 43 --------------------------------------
 1 file changed, 43 deletions(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index a635c056a..c441b281c 100644
--- a/src/test_lib_json/fuzz.cpp
+++ b/src/test_lib_json/fuzz.cpp
@@ -14,13 +14,6 @@
 #include "json/value.h"
 #include "json/writer.h"
-// #include
-// #include
-// #include
-// #include
-// #include
-// #include
-
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 std::string json_string(reinterpret_cast(data), size);
 Json::Reader reader(Json::Features::strictMode());
@@ -40,39 +33,3 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { styled_stream_writer.write(sstream, value); return 0; } - -// namespace Json { -// class Exception; -// } - -// extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { -// Json::CharReaderBuilder builder; - -// if (size < sizeof(uint32_t)) { -// return 0; -// } - -// uint32_t hash_settings = *(const uint32_t*)data; -// data += sizeof(uint32_t); - -// builder.settings_["failIfExtra"] = hash_settings & (1 << 0); -// builder.settings_["allowComments_"] = hash_settings & (1 << 1); -// builder.settings_["strictRoot_"] = hash_settings & (1 << 2); -// builder.settings_["allowDroppedNullPlaceholders_"] = hash_settings & (1 << 3); -// builder.settings_["allowNumericKeys_"] = hash_settings & (1 << 4); -// builder.settings_["allowSingleQuotes_"] = hash_settings & (1 << 5); -// builder.settings_["failIfExtra_"] = hash_settings & (1 << 6); -// builder.settings_["rejectDupKeys_"] = hash_settings & (1 << 7); -// builder.settings_["allowSpecialFloats_"] = hash_settings & (1 << 8); - -// std::unique_ptr reader(builder.newCharReader()); - -// Json::Value root; -// const char* data_str = reinterpret_cast(data); -// try { -// reader->parse(data_str, data_str + size, &root, nullptr); -// } catch (Json::Exception const&) { -// } -// // Whether it succeeded or not doesn't matter. -// return 0; -// } From 0c23fa540b4e3ec8cd9fde5fd2a0d99016afce2b Mon Sep 17 00:00:00 2001 From: Google AutoFuzz Team Date: Thu, 1 Aug 2019 13:05:23 -0400 Subject: [PATCH 7/9] Update fuzz.cpp --- src/test_lib_json/fuzz.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp index c441b281c..0eab2fced 100644 --- a/src/test_lib_json/fuzz.cpp +++ b/src/test_lib_json/fuzz.cpp 
@@ -3,11 +3,9 @@
 // recognized in your jurisdiction.
 // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
-#include "fuzz.h"
-
 #include
 #include
-
+#include "fuzz.h"
+#include "json/config.h"
 #include "json/features.h"
 #include "json/reader.h"
From a457fa955f7a1050fab4ffbd4c9158e672f93377 Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 27 Aug 2019 10:36:40 -0400
Subject: [PATCH 8/9] Update fuzz.cpp
---
 src/test_lib_json/fuzz.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp
index 0eab2fced..30dc6539e 100644
--- a/src/test_lib_json/fuzz.cpp
+++ b/src/test_lib_json/fuzz.cpp
@@ -13,7 +13,7 @@
 #include "json/writer.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- std::string json_string(reinterpret_cast(data), size);
+ const std::string json_string(reinterpret_cast(data), size);
 Json::Reader reader(Json::Features::strictMode());
 Json::Value value;
 const bool success = reader.parse(json_string, value, false);
From 716be0f4876139aea9e6c2171f0e8da01b53415b Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Tue, 27 Aug 2019 10:38:37 -0400
Subject: [PATCH 9/9] Add link
---
 src/test_lib_json/fuzz.dict | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/test_lib_json/fuzz.dict b/src/test_lib_json/fuzz.dict
index e08245a21..725423d2f 100644
--- a/src/test_lib_json/fuzz.dict
+++ b/src/test_lib_json/fuzz.dict
@@ -6,6 +6,8 @@
 #
 # Inspired by a dictionary by Jakub Wilk
 #
+# https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/json.dict
+#
 "0"
 ",0"