OSSFuzz Integration (#365)

* Initial commit - two fuzzing harnesses and build script * Avoid double-zip, just copy the zip * Fixed zip path * Add OSSFuzz build pipeline
kuba-- · Dec 23, 2024 · 27034d3 · 27034d3
1 parent 81314ff
commit 27034d3
Show file tree

Hide file tree

Showing 7 changed files with 139 additions and 0 deletions.
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -0,0 +1,39 @@
+name: CIFuzz
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+permissions: {}
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'zip'
+        language: c
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'zip'
+        language: c
+        fuzz-seconds: 800
+        output-sarif: true
+    - name: Upload Crash
+      uses: actions/upload-artifact@v3
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
+    - name: Upload Sarif
+      if: always() && steps.build.outcome == 'success'
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: cifuzz-sarif/results.sarif
+        checkout_path: cifuzz-sarif
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -16,6 +16,7 @@ endif ()
 option(CMAKE_ENABLE_SANITIZERS "Enable zip sanitizers" OFF)
 option(ZIP_STATIC_PIC "Build static zip with PIC" ON)
 option(ZIP_BUILD_DOCS "Generate API documentation with Doxygen" OFF)
+option(ZIP_BUILD_FUZZ "Build fuzz targets" OFF)
 
 if(ZIP_ENABLE_SHARABLE_FILE_OPEN)
 	add_definitions(-DZIP_ENABLE_SHARABLE_FILE_OPEN)
@@ -73,6 +74,16 @@ elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU" OR
 endif (MSVC)
 
 ####
+
+# fuzz
+if (ZIP_BUILD_FUZZ)
+    if (NOT DEFINED ENV{LIB_FUZZING_ENGINE})
+        message(FATAL_ERROR "LIB_FUZZING_ENGINE is not defined")
+    endif()
+    add_subdirectory(fuzz)
+endif()
+###
+
 set(CONFIG_INSTALL_DIR "lib/cmake/${PROJECT_NAME}")
 set(INCLUDE_INSTALL_DIR "include")
 

diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
@@ -0,0 +1,24 @@
+# Utilized by OSSFuzz to build the harness(es) for continuous fuzz-testing
+# OSSFuzz defines the following environment variables, that this target relies upon:
+# CXX, CFLAGS, LIB_FUZZING_ENGINE, OUT
+
+set(CMAKE_C_STANDARD 23)
+
+add_definitions(-DNDEBUG)  # Do not want assertions
+
+if (DEFINED ENV{CFLAGS})
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} $ENV{CFLAGS}")
+endif ()
+
+add_executable(read_entry_fuzzer read_entry_fuzzer.c)
+target_link_libraries(read_entry_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
+
+add_executable(create_zip_fuzzer create_zip_fuzzer.c)
+target_link_libraries(create_zip_fuzzer PRIVATE ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
+
+if (DEFINED ENV{OUT})
+    install(TARGETS read_entry_fuzzer DESTINATION $ENV{OUT})
+    install(TARGETS create_zip_fuzzer DESTINATION $ENV{OUT})
+else ()
+    message(WARNING "Cannot install if $OUT is not defined!")
+endif ()
diff --git a/fuzz/build.sh b/fuzz/build.sh
@@ -0,0 +1,8 @@
+cd $SRC/zip
+
+mkdir -p build
+cmake -S . -B build -DCMAKE_C_COMPILER_WORKS=1 -DZIP_BUILD_FUZZ=ON && cmake --build build --target install
+
+# Prepare corpora
+zip -q $OUT/read_entry_fuzzer_seed_corpus.zip fuzz/corpus/*
+cp $OUT/read_entry_fuzzer_seed_corpus.zip $OUT/create_zip_fuzzer_seed_corpus.zip
diff --git a/fuzz/corpus/seed.zip b/fuzz/corpus/seed.zip
diff --git a/fuzz/create_zip_fuzzer.c b/fuzz/create_zip_fuzzer.c
@@ -0,0 +1,19 @@
+#include "zip.h"
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size)
+{
+    char *outbuf = NULL;
+    size_t outbufsize = 0;
+
+    struct zip_t *zip = zip_stream_open(NULL, 0, ZIP_DEFAULT_COMPRESSION_LEVEL, 'w');
+
+    zip_entry_open(zip, "test");
+    zip_entry_write(zip, data, size);
+    zip_entry_close(zip);
+    zip_stream_copy(zip, (void **) &outbuf, &outbufsize);
+    zip_stream_close(zip);
+    free(outbuf);
+    return 0;
+}
diff --git a/fuzz/read_entry_fuzzer.c b/fuzz/read_entry_fuzzer.c
@@ -0,0 +1,38 @@
+#include "zip.h"
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size)
+{
+    void *buf = NULL;
+    size_t bufsize = 0;
+
+    struct zip_t *zip = zip_stream_open((const char *)data, size, 0, 'r');
+    if (NULL == zip)
+    {
+        goto end;
+    }
+
+    const ssize_t zip_entries_count = zip_entries_total(zip);
+
+    if (zip_entries_count <= 0)
+    {
+        goto end;
+    }
+
+    if (0 != zip_entry_openbyindex(zip, 0))
+    {
+        goto end;
+    }
+
+    zip_entry_read(zip, &buf, &bufsize);
+
+end:
+    zip_entry_close(zip);
+    if (NULL != zip)
+    {
+        zip_close(zip);
+    }
+    free(buf);
+    return 0;
+}