[librsvg/wip-afl-fuzz] Add a basic fuzzer with the afl crate



commit db44ac007d6fa553c148b6802c8086e8db93d131
Author: Federico Mena Quintero <federico gnome org>
Date:   Thu Jun 6 13:36:46 2019 -0500

    Add a basic fuzzer with the afl crate
    
    Fuzzer code courtesy of Bastien Orivel <eijebong bananium fr>
    
    We need a dictionary suitable for SVG/CSS, it seems.

 Cargo.toml              |  1 +
 afl-fuzz/Cargo.toml     | 21 +++++++++++++++++++++
 afl-fuzz/README.md      | 23 +++++++++++++++++++++++
 afl-fuzz/input/0000.svg |  6 ++++++
 afl-fuzz/input/0002.svg |  6 ++++++
 afl-fuzz/input/0003.svg | 11 +++++++++++
 afl-fuzz/input/0004.svg | 24 ++++++++++++++++++++++++
 afl-fuzz/input/0005.svg |  4 ++++
 afl-fuzz/input/0007.svg |  6 ++++++
 afl-fuzz/input/0008.svg | 12 ++++++++++++
 afl-fuzz/input/0009.svg | 12 ++++++++++++
 afl-fuzz/input/0010.svg |  2 ++
 afl-fuzz/input/0011.svg |  2 ++
 afl-fuzz/input/0012.svg |  4 ++++
 afl-fuzz/input/0013.svg |  4 ++++
 afl-fuzz/input/0014.svg |  5 +++++
 afl-fuzz/input/0015.svg |  2 ++
 afl-fuzz/src/main.rs    | 33 +++++++++++++++++++++++++++++++++
 18 files changed, 178 insertions(+)
---
diff --git a/Cargo.toml b/Cargo.toml
index 9bde4269..f0daa0dc 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,6 +3,7 @@ members = [
     "librsvg_crate",
     "rsvg_internals",
 ]
+exclude = [ "afl-fuzz" ]
 
 [profile.release]
 lto = true
diff --git a/afl-fuzz/Cargo.toml b/afl-fuzz/Cargo.toml
new file mode 100644
index 00000000..2dd0dca4
--- /dev/null
+++ b/afl-fuzz/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "rsvg-afl-fuzz"
+version = "0.0.1"
+authors = [
+       "Bastien Orivel <eijebong bananium fr>",
+]
+edition = "2018"
+
+[dependencies]
+afl = "0.4"
+cairo-rs = { version = "0.6.0", features=["svg"] }
+glib = "0.7.0"
+gio = { version="0.6.0", features=["v2_48"] } # per configure.ac
+librsvg = { path = "../librsvg_crate/" }
+
+[profile.release]
+lto = true
+debug = true
+
+[profile.bench]
+lto = true
diff --git a/afl-fuzz/README.md b/afl-fuzz/README.md
new file mode 100644
index 00000000..afed17f8
--- /dev/null
+++ b/afl-fuzz/README.md
@@ -0,0 +1,23 @@
+Fuzzing with afl-fuzz
+=====================
+
+FIXME: this README sucks, and running these commands sucks, too.  Need
+a script or something.
+
+```
+cargo afl build --release
+AFL_SKIP_CPUFREQ=1 cargo afl fuzz -i input/ -o out -S f0 target/release/rsvg-afl-fuzz
+```
+
+For each CPU core, change `-S f0` for `-S f1`, `-S f2`, etc.
+
+AFL complained when my kernel's configuration for corefiles was this:
+
+```
+$ cat /proc/sys/kernel/core_pattern 
+|/bin/false
+```
+
+Set it with `echo core > /proc/sys/kernel/core_pattern` and AFL was
+happy.
+
diff --git a/afl-fuzz/input/0000.svg b/afl-fuzz/input/0000.svg
new file mode 100644
index 00000000..49cfd07e
--- /dev/null
+++ b/afl-fuzz/input/0000.svg
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="50" height="50">
+  <g opacity="0.5">
+    <rect x="10" y="10" width="30" height="30" fill="blue"/>
+  </g>
+</svg>
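Review bot: Every seed carries a stray `;` after the `xmlns` attribute value (`xmlns="http://www.w3.org/2000/svg";` on line 2 here, and likewise in 0002 through 0015), which is not well-formed XML; if that is really in the committed files rather than an artifact of the list archive's URL rewriting, the XML parser rejects all of them and every seed only exercises the parse-error path, which is a poor starting corpus. Worth checking the checked-in files with `xmllint --noout afl-fuzz/input/*.svg` before the first run. The 0004.svg hunk also shows a line without a `+` marker (`width="321.00" height="27.00" …`), presumably wrapped by the archive rather than a broken patch.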
diff --git a/afl-fuzz/input/0002.svg b/afl-fuzz/input/0002.svg
new file mode 100644
index 00000000..47bf9f77
--- /dev/null
+++ b/afl-fuzz/input/0002.svg
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100" height="100">
+  <g transform="translate(20, 20)">
+    <rect x="0" y="0" width="60" height="60" style="fill:blue; opacity:0.5;"/>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0003.svg b/afl-fuzz/input/0003.svg
new file mode 100644
index 00000000..1057b4bd
--- /dev/null
+++ b/afl-fuzz/input/0003.svg
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg version="1.1" baseProfile="basic" id="svg-root"
+  width="100%" height="100%" viewBox="0 0 480 360"
+  xmlns="http://www.w3.org/2000/svg"; xmlns:xlink="http://www.w3.org/1999/xlink";>
+  <g>
+    <g opacity="0.5">
+      <rect x="60" y="230" width="80" height="40" fill="#0000ff" opacity=".5"/>
+      <rect x="70" y="240" width="80" height="40" fill="#00ff00" opacity=".5"/>
+    </g>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0004.svg b/afl-fuzz/input/0004.svg
new file mode 100644
index 00000000..1285dc31
--- /dev/null
+++ b/afl-fuzz/input/0004.svg
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg"; xmlns:xlink="http://www.w3.org/1999/xlink"; 
width="321.00" height="27.00" viewBox="0 0 6420 540">
+  <defs>
+    <mask id="Mask_big_ex_small" maskUnits="userSpaceOnUse" x="0" y="0" width="6420" height="540">
+      <g>
+       <use xlink:href="#big" fill="white"/>
+       <use xlink:href="#small" fill="black"/>
+      </g>
+    </mask>
+    <g id="big_ex_small">
+      <use xlink:href="#big" mask="url(#Mask_big_ex_small)"/>
+    </g>
+    <mask id="Region0" maskUnits="userSpaceOnUse" x="0" y="0" width="6420" height="540" fill-rule="nonzero">
+      <use xlink:href="#big_ex_small" fill="white"/>
+    </mask>
+    <rect id="big" x="0" y="0" width="6420" height="540"/>
+    <rect id="small" x="2760" y="20" width="900" height="480"/>
+  </defs>
+  <g mask="url(#Region0)">
+    <g transform="matrix(1.66667 0 0 1.66667 0 0)">
+      <rect x="0" y="0" width="6420" height="540" fill="black"/>
+    </g>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0005.svg b/afl-fuzz/input/0005.svg
new file mode 100644
index 00000000..0b515caa
--- /dev/null
+++ b/afl-fuzz/input/0005.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="48" height="48">
+  <rect x="8" y="8" width="32" height="32" fill="blue"/>
+</svg>
diff --git a/afl-fuzz/input/0007.svg b/afl-fuzz/input/0007.svg
new file mode 100644
index 00000000..48012d13
--- /dev/null
+++ b/afl-fuzz/input/0007.svg
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="48" height="48">
+  <g transform="translate(-10, -10)">
+    <path fill="blue" d="M 18 18 l 32 0 l 0 32 l -32 0 z"/>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0008.svg b/afl-fuzz/input/0008.svg
new file mode 100644
index 00000000..b5cbbc47
--- /dev/null
+++ b/afl-fuzz/input/0008.svg
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100" height="100">
+  <defs>
+    <clipPath id="one" clipPathUnits="objectBoundingBox">
+      <path d="M 0.5 0.0 L 1.0 0.5 L 0.5 1.0 L 0.0 0.5 Z"/>
+    </clipPath>
+  </defs>
+  <g clip-path="url(#one)">
+    <rect x="10" y="10" width="40" height="40" fill="blue"/>
+    <rect x="50" y="50" width="40" height="40" fill="#00ff00"/>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0009.svg b/afl-fuzz/input/0009.svg
new file mode 100644
index 00000000..887bbff1
--- /dev/null
+++ b/afl-fuzz/input/0009.svg
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100" height="100">
+  <defs>
+    <mask id="one" maskContentUnits="objectBoundingBox">
+      <path d="M 0.5 0.0 L 1.0 0.5 L 0.5 1.0 L 0.0 0.5 Z" fill="white"/>
+    </mask>
+  </defs>
+  <g mask="url(#one)">
+    <rect x="10" y="10" width="40" height="40" fill="blue"/>
+    <rect x="50" y="50" width="40" height="40" fill="#00ff00"/>
+  </g>
+</svg>
diff --git a/afl-fuzz/input/0010.svg b/afl-fuzz/input/0010.svg
new file mode 100644
index 00000000..b9d264c0
--- /dev/null
+++ b/afl-fuzz/input/0010.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"/>
diff --git a/afl-fuzz/input/0011.svg b/afl-fuzz/input/0011.svg
new file mode 100644
index 00000000..a9af2805
--- /dev/null
+++ b/afl-fuzz/input/0011.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="10cm" height="20" viewBox="0 0 100 200"/>
diff --git a/afl-fuzz/input/0012.svg b/afl-fuzz/input/0012.svg
new file mode 100644
index 00000000..56afa25f
--- /dev/null
+++ b/afl-fuzz/input/0012.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100%" height="100%">
+  <rect x="10" y="20" width="30" height="40"/>
+</svg>
diff --git a/afl-fuzz/input/0013.svg b/afl-fuzz/input/0013.svg
new file mode 100644
index 00000000..37b343ce
--- /dev/null
+++ b/afl-fuzz/input/0013.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100%" height="100%">
+  <rect id="foo" x="10" y="20" width="30" height="40"/>
+</svg>
diff --git a/afl-fuzz/input/0014.svg b/afl-fuzz/input/0014.svg
new file mode 100644
index 00000000..850fba3e
--- /dev/null
+++ b/afl-fuzz/input/0014.svg
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100" height="400" viewBox="0 0 100 400">
+  <rect id="one" x="0" y="0" width="100" height="200" fill="rgb(0,255,0)"/>
+  <rect id="two" x="0" y="200" width="100" height="200" fill="rgb(0,0,255)"/>
+</svg>
diff --git a/afl-fuzz/input/0015.svg b/afl-fuzz/input/0015.svg
new file mode 100644
index 00000000..1137d0af
--- /dev/null
+++ b/afl-fuzz/input/0015.svg
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg"; width="100%" height="100%"/>
diff --git a/afl-fuzz/src/main.rs b/afl-fuzz/src/main.rs
new file mode 100644
index 00000000..cfc4ee25
--- /dev/null
+++ b/afl-fuzz/src/main.rs
@@ -0,0 +1,33 @@
+#[macro_use]
+extern crate afl;
+extern crate cairo;
+extern crate glib;
+extern crate librsvg;
+
+fn main() {
+    fuzz!(|data: &[u8]| {
+        let width = 96.;
+        let height = 96.;
+        let output = "/dev/null";
+
+        let bytes = glib::Bytes::from(data);
+        let stream = gio::MemoryInputStream::new_from_bytes(&bytes);
+        let handle = librsvg::Loader::new().read_stream(&stream, None, None);
+        if let Ok(handle) = handle {
+            let renderer = librsvg::CairoRenderer::new(&handle);
+
+            let surface = cairo::svg::File::new(width, height, output);
+            let cr = cairo::Context::new(&surface);
+            renderer.render_element_to_viewport(
+                &cr,
+                None,
+                &cairo::Rectangle {
+                    x: 0.0,
+                    y: 0.0,
+                    width,
+                    height,
+                },
+            );
+        }
+    });
+}
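Review bot: The harness opens a cairo SVG file surface on `/dev/null` on every iteration, so each exec pays a file open/close and the target only runs where that path exists; an in-memory `let surface = cairo::ImageSurface::create(cairo::Format::ARgb32, width as i32, height as i32).unwrap();` keeps the per-exec cost down and drops the need for the `svg` cairo feature. The `Result` returned by `render_element_to_viewport` is discarded without comment, which is fine for a fuzz target because only panics and aborts are of interest, but make that explicit: `let _ = renderer.render_element_to_viewport(…); // rendering errors are expected on fuzzed input; only crashes matter`, and a similar one-line comment above `if let Ok(handle) = handle` for load errors. `Loader::new()` is used with its default limits, so the fuzzer sees the same size guards production callers get; if the intent is to reach the code behind them, a comment saying whether that is deliberate (and, if the Loader in this tree exposes it, using `with_unlimited_size()` for a second target) would help whoever triages the findings.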

