Fuzz zip create (#367)

* fuzzing of zip_create * correct same name * rename fuzzers * apply clang format * update upload-artifact version * simplify file name generation
kuba-- · Feb 6, 2025 · 8d18f60 · 8d18f60
1 parent 27034d3
commit 8d18f60
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 67 deletions.
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -25,7 +25,7 @@ jobs:
         fuzz-seconds: 800
         output-sarif: true
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts

diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
@@ -10,15 +10,19 @@ if (DEFINED ENV{CFLAGS})
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} $ENV{CFLAGS}")
 endif ()
 
-add_executable(read_entry_fuzzer read_entry_fuzzer.c)
-target_link_libraries(read_entry_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
+add_executable(zip_entry_read_fuzzer zip_entry_read_fuzzer.c)
+target_link_libraries(zip_entry_read_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
 
-add_executable(create_zip_fuzzer create_zip_fuzzer.c)
-target_link_libraries(create_zip_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
+add_executable(zip_stream_copy_fuzzer zip_stream_copy_fuzzer.c)
+target_link_libraries(zip_stream_copy_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
+
+add_executable(zip_create_fuzzer zip_create_fuzzer.c)
+target_link_libraries(zip_create_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
 
 if (DEFINED ENV{OUT})
-    install(TARGETS read_entry_fuzzer DESTINATION $ENV{OUT})
-    install(TARGETS create_zip_fuzzer DESTINATION $ENV{OUT})
+    install(TARGETS zip_entry_read_fuzzer DESTINATION $ENV{OUT})
+    install(TARGETS zip_stream_copy_fuzzer DESTINATION $ENV{OUT})
+    install(TARGETS zip_create_fuzzer DESTINATION $ENV{OUT})
 else ()
     message(WARNING "Cannot install if $OUT is not defined!")
-endif ()
+endif ()
diff --git a/fuzz/build.sh b/fuzz/build.sh
@@ -4,5 +4,5 @@ mkdir -p build
 cmake -S . -B build -DCMAKE_C_COMPILER_WORKS=1 -DZIP_BUILD_FUZZ=ON && cmake --build build --target install
 
 # Prepare corpora
-zip -q $OUT/read_entry_fuzzer_seed_corpus.zip fuzz/corpus/*
-cp $OUT/read_entry_fuzzer_seed_corpus.zip $OUT/create_zip_fuzzer_seed_corpus.zip
+zip -q $OUT/zip_entry_read_fuzzer_seed_corpus.zip fuzz/corpus/*
+cp $OUT/zip_entry_read_fuzzer_seed_corpus.zip $OUT/zip_stream_copy_fuzzer_seed_corpus.zip
diff --git a/fuzz/create_zip_fuzzer.c b/fuzz/create_zip_fuzzer.c
diff --git a/fuzz/read_entry_fuzzer.c b/fuzz/read_entry_fuzzer.c
diff --git a/fuzz/zip_create_fuzzer.c b/fuzz/zip_create_fuzzer.c
@@ -0,0 +1,30 @@
+#include "zip.h"
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static char *get_tmp_file_name() {
+  char *file_name = malloc(TMP_MAX);
+  tmpnam(file_name);
+  return file_name;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size) {
+  char *file_name = get_tmp_file_name();
+  char *zip_name = get_tmp_file_name();
+
+  FILE *file = fopen(file_name, "wb");
+  fwrite(data, size, 1, file);
+  fclose(file);
+
+  const char *filenames[] = {file_name};
+  zip_create(zip_name, filenames, 1);
+
+  unlink(file_name);
+  unlink(zip_name);
+
+  free(zip_name);
+  free(file_name);
+  return 0;
+}
diff --git a/fuzz/zip_entry_read_fuzzer.c b/fuzz/zip_entry_read_fuzzer.c
@@ -0,0 +1,33 @@
+#include "zip.h"
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size) {
+  void *buf = NULL;
+  size_t bufsize = 0;
+
+  struct zip_t *zip = zip_stream_open((const char *)data, size, 0, 'r');
+  if (NULL == zip) {
+    goto end;
+  }
+
+  const ssize_t zip_entries_count = zip_entries_total(zip);
+
+  if (zip_entries_count <= 0) {
+    goto end;
+  }
+
+  if (0 != zip_entry_openbyindex(zip, 0)) {
+    goto end;
+  }
+
+  zip_entry_read(zip, &buf, &bufsize);
+
+end:
+  zip_entry_close(zip);
+  if (NULL != zip) {
+    zip_close(zip);
+  }
+  free(buf);
+  return 0;
+}
diff --git a/fuzz/zip_stream_copy_fuzzer.c b/fuzz/zip_stream_copy_fuzzer.c
@@ -0,0 +1,19 @@
+#include "zip.h"
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size) {
+  char *outbuf = NULL;
+  size_t outbufsize = 0;
+
+  struct zip_t *zip =
+      zip_stream_open(NULL, 0, ZIP_DEFAULT_COMPRESSION_LEVEL, 'w');
+
+  zip_entry_open(zip, "test");
+  zip_entry_write(zip, data, size);
+  zip_entry_close(zip);
+  zip_stream_copy(zip, (void **)&outbuf, &outbufsize);
+  zip_stream_close(zip);
+  free(outbuf);
+  return 0;
+}