From a3f81246f3f37b35e6a205f372ede15fe17de9a7 Mon Sep 17 00:00:00 2001
From: Kirill Furman
Date: Tue, 25 Feb 2025 19:53:44 +0300
Subject: [PATCH 1/3] Upload fuzz_ppd harness

Add fuzz_ppd harness for fuzzing, add build rules and seed corpus files.
---
 projects/cups/build-fuzz.sh | 1 +
 projects/cups/fuzzer/Makefile | 3 +-
 projects/cups/fuzzer/fuzz_ppd.c | 295 +++++++++++++++++++++
 projects/cups/seeds/fuzz_ppd_seed_corpus/1 | Bin 0 -> 40269 bytes
 projects/cups/seeds/fuzz_ppd_seed_corpus/2 | Bin 0 -> 11103 bytes
 projects/cups/seeds/fuzz_ppd_seed_corpus/3 | Bin 0 -> 8495 bytes
 6 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 projects/cups/fuzzer/fuzz_ppd.c
 create mode 100644 projects/cups/seeds/fuzz_ppd_seed_corpus/1
 create mode 100644 projects/cups/seeds/fuzz_ppd_seed_corpus/2
 create mode 100644 projects/cups/seeds/fuzz_ppd_seed_corpus/3

diff --git a/projects/cups/build-fuzz.sh b/projects/cups/build-fuzz.sh
index c23ded7..a31c9a1 100644
--- a/projects/cups/build-fuzz.sh
+++ b/projects/cups/build-fuzz.sh
@@ -25,6 +25,7 @@ popd
 mkdir -p fuzzing/cups/fuzz_cups_seed/
 mkdir -p fuzzing/cups/fuzz_ipp_seed/
 mkdir -p fuzzing/cups/fuzz_raster_seed/
+mkdir -p fuzzing/cups/fuzz_ppd_seed/
 
 echo ""
 echo "Run: ./fuzzing/\${fuzzer} fuzzing/\${fuzzer}_seed fuzzing/\${fuzzer}_seed_corpus"
diff --git a/projects/cups/fuzzer/Makefile b/projects/cups/fuzzer/Makefile
index f82f712..55156af 100644
--- a/projects/cups/fuzzer/Makefile
+++ b/projects/cups/fuzzer/Makefile
@@ -2,7 +2,8 @@ TARGETS = \
  fuzz_cups \
  fuzz_ipp \
  fuzz_raster \
- fuzz_array
+ fuzz_array \
+ fuzz_ppd
 
 # For local build
 # export CC=clang
diff --git a/projects/cups/fuzzer/fuzz_ppd.c b/projects/cups/fuzzer/fuzz_ppd.c
new file mode 100644
index 0000000..dfe9755
--- /dev/null
+++ b/projects/cups/fuzzer/fuzz_ppd.c
@@ -0,0 +1,295 @@ +/* + * PPD, Cache and PWG fuzz program for CUPS + * + * This harness is a combination of + * testppd.c, testcache.c and testpwg.c + * + * Licensed under Apache License v2.0. + * See the file "LICENSE" for more information. + */ + + #include "ppd-private.h" + #include "file-private.h" + #include + #include + #include + #include + + int fuzz_ppd(char *string, int len, char *filename, char *pwgname); + void unlink_tempfile(void); + + extern int + LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) + { + /* + * We need a huge input, because it should contain + * options and ppd file + */ + if (Size < 1000) + return 1; + + atexit(unlink_tempfile); + + char *filename = (char *)malloc(sizeof(char) * 256); + char *pwgname = (char *)malloc(sizeof(char) * 256); + sprintf(filename, "/tmp/fuzz_ppd.%d.ppd", getpid()); + sprintf(pwgname, "/tmp/fuzz_ppd.%d.pwg", getpid()); + + char *string = (char *)calloc(sizeof(char), Size + 1); + memcpy(string, Data, Size); + int len = Size; + + fuzz_ppd(string, len, filename, pwgname); + + unlink_tempfile(); + free(filename); + free(pwgname); + free(string); + return 0; + } + + int fuzz_ppd(char *data, int len, char *filename, char *pwgname) + { + int num_options = 0, // number of fuzz-generated options + finishings[1024], + width, + length; + cups_option_t *options = NULL; + _ppd_cache_t *pc, + *pc2; + ppd_choice_t *ppd_bin; + ppd_attr_t *attr; + ppd_size_t minsize, + maxsize, + *size; + cups_page_header2_t header; + ipp_t *job; + + /* + * Create and fill variables (options) + * with fuzz-generated values + */ + + char *ppdsize = strdup(data); + len -= strlen(ppdsize) + 1; + if (len <= 0) + return 1; + data += strlen(ppdsize) + 1; + + char *legacy = strdup(data); + len -= strlen(legacy) + 1; + if (len <= 0) + return 1; + data += strlen(legacy) + 1; + + char *pwg = strdup(data); + len -= strlen(pwg) + 1; + if (len <= 0) + return 1; + data += strlen(pwg) + 1; + + char *ppdmedia = strdup(data); + len -= strlen(ppdmedia) 
+ 1; + if (len <= 0) + return 1; + data += strlen(ppdmedia) + 1; + + char *marked_option = strdup(data); + len -= strlen(marked_option) + 1; + if (len <= 0) + return 1; + data += strlen(marked_option) + 1; + + char *options_str = strdup(data); + len -= strlen(options_str) + 1; + if (len <= 0) + return 1; + data += strlen(options_str) + 1; + + char buf[12] = {0}; + if (!strncpy(buf, data, 11)) + return 1; + + length = atoi(buf); + data += strlen(buf); + len -= strlen(buf); + + if (!strncpy(buf, data, 11)) + return (1); + + width = atoi(buf); + data += strlen(buf); + len -= strlen(buf); + + /* + * Create and fill the array of cups options + * and values to check correct work of + * ppdMarkOption(), cupsGetOption(), + * cupsGetConflicts(), cupsResolveConflicts() + * and ppdInstallableConflict() functions + */ + + char **cups_options = (char **)malloc(sizeof(char *) * 2); + char **cups_values = (char **)malloc(sizeof(char *) * 2); + int elem_counter = 0, counter = 0; + + for (int i = 0; i < strlen(options_str); i++) + { + cups_options[elem_counter] = (char *)malloc(sizeof(char)); + cups_values[elem_counter] = (char *)malloc(sizeof(char)); + cups_options[elem_counter][0] = '\0'; + cups_values[elem_counter][0] = '\0'; + if (!options_str[i]) + break; + + counter = 0; + while(options_str[i] != '=' && options_str[i] && options_str[i] != ' ') + { + cups_options[elem_counter] = (char *)realloc(cups_options[elem_counter], sizeof(char) * (counter + 2)); + cups_options[elem_counter][counter] = options_str[i]; + counter++; + i++; + } + cups_options[elem_counter][counter] = '\0'; + if (options_str[i] == '=') + { + ++i; + counter = 0; + while(options_str[i] != ' ' && options_str[i]) + { + cups_values[elem_counter] = (char *)realloc(cups_values[elem_counter], sizeof(char) * (counter + 2)); + cups_values[elem_counter][counter] = options_str[i]; + counter++; + i++; + } + cups_values[elem_counter][counter] = '\0'; + } + elem_counter++; + cups_options = (char **)realloc(cups_options, 
sizeof(char *) * (elem_counter + 1)); + cups_values = (char **)realloc(cups_values, sizeof(char *) * (elem_counter + 1)); + } + if (len <= 0) + return 1; + + /* + * Create and fill .ppd file + * with fuzz-generated data + */ + + FILE *fp = fopen(filename, "wb"); + if (!fp) + return 1; + + fwrite(data, sizeof(*data), len, fp); + fclose(fp); + + ppd_file_t *ppd = NULL; + + if ((ppd = ppdOpenFile(filename)) == NULL) + { + ppd_status_t err; /* Last error in file */ + int line; /* Line number in file */ + ppdLastError(&line); + ppdErrorString(err); + return 1; + } + + pc = _ppdCacheCreateWithPPD(NULL, ppd); + + /* + * Do pwg tests from testpwg.c + */ + + char *pagesize; + _ppdCacheWriteFile(pc, pwgname, NULL); + pc2 = _ppdCacheCreateWithFile(pwgname, NULL); + _ppdCacheDestroy(pc2); + ppdPageSize(ppd, ppdsize); + pagesize = _ppdCacheGetPageSize(pc, NULL, ppdsize, NULL); + job = ippNew(); + ippDelete(job); + pwgMediaForPWG(pwg); + pwgMediaForLegacy(legacy); + pwgMediaForPPD(ppdmedia); + pwgMediaForSize(width, length); + + num_options = cupsParseOptions(options_str, num_options, &options); + ppdMarkDefaults(ppd); + cupsMarkOptions(ppd, num_options, options); + ppdConflicts(ppd); + + _ppdCacheGetFinishingValues(ppd, pc, (int)sizeof(finishings) / sizeof(finishings[0]), finishings); + cupsRasterInterpretPPD(&header, ppd, num_options, options, NULL); + + if (strlen(marked_option) > 0) + { + char *choice = (char *)calloc(1, sizeof(char)); + for (int i = 0; i < strlen(marked_option); i++) + { + if (!marked_option[i] || marked_option[i] != ' ') + { + choice = (char *)realloc(choice, sizeof(char) * (i + 2)); + choice[i] = marked_option[i]; + choice[i + 1] = '\0'; + } + else + break; + } + ppdFindAttr(ppd, choice, marked_option + strlen(choice)); + ppdFindNextAttr(ppd, choice, NULL); + if ((ppd_bin = ppdFindMarkedChoice(ppd, choice)) != NULL) + _ppdCacheGetBin(pc, ppd_bin->choice); + char buffer[1024] = {0}; + ppdLocalizeIPPReason(ppd, choice, marked_option + strlen(choice), 
buffer, sizeof(buffer)); + for (int i = 0; i < elem_counter; i++) + { + ppdMarkOption(ppd, cups_options[i], cups_values[i]); + cupsGetOption(cups_options[i], num_options, options); + num_options = cupsGetConflicts(ppd, cups_options[i], cups_values[i], &options); + cupsResolveConflicts(ppd, cups_options[i], cups_values[i], &num_options, &options); + ppdInstallableConflict(ppd, cups_options[i], cups_values[i]); + } + ppdInstallableConflict(ppd, options_str, choice); + ppdLocalizeMarkerName(ppd, choice); + free(choice); + } + + for (int i = 0; i < 5; i++) + ppdEmitString(ppd, i, 0.0); + + ppdPageSizeLimits(ppd, &minsize, &maxsize); + ppdPageSize(ppd, NULL); + + for (int i = 0; i < elem_counter; i++) + { + free(cups_options[i]); + free(cups_values[i]); + } + + free(cups_options); + free(cups_values); + + cupsFreeOptions(num_options, options); + _ppdCacheDestroy(pc); + ppdClose(ppd); + + free(options_str); + free(ppdsize); + free(marked_option); + free(legacy); + free(pwg); + free(ppdmedia); + return 0; + } + + void unlink_tempfile(void) + { + char filename[256]; + sprintf(filename, "/tmp/fuzz_ppd.%d.ppd", getpid()); + unlink(filename); + sprintf(filename, "/tmp/fuzz_ppd.%d.pwg", getpid()); + unlink(filename); + sprintf(filename, "%s.N", filename); + unlink(filename); + } + \ No newline at end of file 
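Review bot: In the ppdOpenFile() failure branch of fuzz_ppd(), `err` is handed to ppdErrorString() without ever being assigned — the return value of ppdLastError() is discarded — so the harness reads an uninitialized ppd_status_t, which is undefined behaviour and will produce a sanitizer report pointing at the harness rather than at CUPS; it should read `err = ppdLastError(&line);`. That same branch and every earlier `return 1` exit the function with the strdup'd strings and the `cups_options`/`cups_values` arrays still allocated, and in the marked_option loop `num_options = cupsGetConflicts(ppd, cups_options[i], cups_values[i], &options);` replaces `options` with what, per the cupsGetConflicts() contract, is a freshly allocated list without freeing the one cupsParseOptions() returned, so LeakSanitizer reports on ordinary inputs are expected (the follow-up commit's "direct leak" is consistent with this). A single cleanup label that frees whatever has been allocated so far, reached by `goto` from each early exit, would replace the duplicated frees in the success tail and close all of these at once. In LLVMFuzzerTestOneInput(), `atexit(unlink_tempfile);` is registered on every input instead of once (a static flag would do), and `if (!strncpy(buf, data, 11))` can never be true because strncpy() has no failure return. In unlink_tempfile(), `sprintf(filename, "%s.N", filename);` formats a buffer into itself, which is undefined for overlapping objects; `strcat(filename, ".N");` expresses the intent safely and stays well inside the 256-byte buffer.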
diff --git a/projects/cups/seeds/fuzz_ppd_seed_corpus/1 b/projects/cups/seeds/fuzz_ppd_seed_corpus/1 new file mode 100644 index 0000000000000000000000000000000000000000..3fa1112b1930707ebe16b96ae9c4bebb4b1c493d GIT binary patch literal 40269 zcmeHQ%WoUG8CTK;S_^&T7DPb{R%n1kjb+(!9NR^Jb)2}X-6YmVc7jC%EXEqj8hAW2 zore==4+&5dXn~%3=%EGnFX^fOMh`u0Z|SK(Q50DBBRS*@N0c-p$*-8>AR;*=hr`Fm z@9~?Dl?uDAUj6=6a>dd7KP9-{mVO{zA0@G$BtagM>i$M~{au*~iU0WHpa1fwumAS- zA9x0-vQz|@YwJ-Ey8A6-7q_i97;X8{n>m(-NFpMstEfsdkdi-36_6x7zge)>=)}jhqgxKFC}*Six6T*h7YMi1teFUOUM1EeBc~)De2@ zx_iiVk}6-}9TZq0MqSrOuUL^+MT)roo)yx!p|iPMdx*P6Wb-jde)$wTGRZ8XS8_9V zh<2*sn5bhojvJyK7`q~G{p|zNkt5$)*`Bg8HIrB)@lV~ImJxP(WTNr=t2_|@qDrN4 zGm|Do-%Bxwu-q?M@@e(C1ATtuH!=*a!~dPB;aeQ11h=>ACa6xko8C+3cHXUHXQ zhuxgpA?zrGxRV{EZdyU-OTJ_F$evhi!x=e09k=lA;p~!)jgaxKmD*KHS4`N7m*yAH zy_E&nep`lz{fE{*cF5qNwMDplcjYcxUR2zD{HwngpLn|F>%je4WeSV0ZA1^mu#1U>T@A7C4Ljxbj1uI<8$A6Ol{ zIsO|m9hjaA9u0uWAlL(1}*H<2J_`s zjN0TP3xq%I^7>Q1z!E;;Y~f}qy;Aw96sy20Z91KL8O9ZEyk*QZ%@R{DiJK;LR4z|q zRi2d4wZQG{VN#>w;%r#zm*txEu}9X6>mB-nn^sgHCn}Y{8+AZfuz<_}15fH8EI$!uI_|y)6xv5O zJ8tiwHyPI`$!YW!W~eLKGMWG#d(mZr&y-p6{Ab2ZJ1S zgFO?ZASZ+(J!`i&`|HTCt?-cU3Zm_78tnE$bhC2{Ei@YUW)~W;`gRV{n&=q<-9vQ(QYP;R=74!^gE688SfVR6`+6AF6L@6#(Q4yI) z$VB9FIz6;*I0gua4k}$?V%BFM7((R=s+}U*T>cUijVG**6w!Qm1)lpp6W^|sKsp41 zMV2M(E3r%$H;{;SM@Jxlv37O+FBx%T(!ZQnybPBI<3jv-an(gW<4jN{+@z?p*FhbDODdJ!)^&Vah{> zCx#PsjZPT(P=gDyYk(RvRXW$;u4*3jZ<~Z)NI%0b)Mcb|RV@{@q=uGi0$Be8Ayvt? 
z*Zw0qIv1xXax<=vvVJopkt)L2f0pNcT;g&5szOsTaKyz{v>9(kbk7lM7kaH~nIIS-1mM`=k8`G(@f+WN28XG#}V; zmi=_+FzaR&)6qWw+SL9-`;m13q$)V3%rs z9Mp3iw6JXNJ3V@Rg0tie&QIgX6d?>rT9)85sMuoTr7D#lCBdnMGP(`Ag(@m9v|zc$ zo7Y47frclPhj@Le-%)+qS0*0~>nm2w9-}CpBPlZ`)ci7#ED>2EWqwKPo8T6`J6%;% zR?zx@wMKZLWpMghqgeSxl}RV8H5zV+Q)-QV%d|%S{LMH2J%Ve>+M{HRZ~<3V%m{*# zWQ0&g0h3a!@F2@RMFmUh`DzYnlqzSuQmMy^;3xu^c~bSLl(y~yc@Z^9fsFp0_N0_S zL<(&YqEwN<3GsA8Ov&6RjX^PugpfN&B!w6_&;lj!rUSZK5VW@v1&X9NF=76uid3ur zyTv4xK?RhW7Gi=2wu_3A(vJIaiEphqnT)qFU)sm)dRnN|#&+JqM6 zVDct2U*z71Dp|Hh9)-+%O%%;ODXuI-Fcgm%)|(>x6xjO74R*)FK;=+x_roME5Z5&r zk2Mvp>s={jt1HBHeLk_u>_Kk$(=e{D~EKiPFv)Yd_g;u7lAJOkBjm0i0CrVFcE+ z*QnNnR4{^JlO=%lkAf7TkNb*zq0Wk~u%Zn2u+_r>*d4>rw{{{x6f#sH7!)@w$6SNt zxj6h3zYZzpu>%GbD$#Ga?pzZPLtvVNAY=E$%?F0hZ$gmVgeIoU@Dy~h0nih!#=Z@} zJJc&(9%kp`kjcS(?z-&;c)PipaKF-np5a}RaH&=uIstq;0ZVQs6U2=7!%+AOs(uq@Y=NGFoR_2dY_k@%03# zI{H7U$Sto<0d7}_g`Xna?t7!YU>L^2YsD!i$r*Gp*D9QVo=CJn3Me>h>3&~i3Yv<^ zK_(JvM|_$y7I>uZ1(O6NTa`wE2?PZ|a`JG{YG!*<_)!YA+jIcb*0x=M8Mk}uPrmp} zjoj^VEN_DI9c+VX%ufkGGodyhh1>dRIh`q~f&n%KcAHBk`CxzqpDVCZDL~}K!8u;iI7gV}=*k3Vs{WCZQl_MQmA=`&2sZJP$E9m}Elpf7>C5p# zF(uOwS<2e?4ZZnk3g2+2CShg~O)#~O&w6?0agNth9hxhs8K_}Su(VH-bK#TZw2Y(^ zab0~lM^u``CrPr}KlHCkk~d94H58s~>mps}xNBqfz zpkh*BEI7SX!>Gs!5lwBg(!Mz)Pt_a_N9O0nuvsN5QQNF4-;H~NcSX`U1wxE=oz+iE zwatpTotv^p*K?^o(GYX7tTT%9IDM4$X}nV6p{YPY-OB`ueQmP>N733hN5Kh~b3vqL zvk>6)!3bETiG zUv0Jm-~35;(2$x*%Vg4KtE5B5Qt$P-zBvEhGPK!>0nBpvHrHk=SU#tS=~mOYQQ~W| zbT&{}yZsMo1cf6)Rda7?`Pc{_}Q z_Q_bhwA7oUBE?MQgAXXs{z1Sko#IqK?H>dnGTJ|gJ_n5+9hN=RO}O)6AYKlo8s|VH zeXb5YC!@&Ganr@AY5yS7UQ0ICoc=*x&+fjlyuk;sYOJNkT1s;(qaV=zK_WZkdxz?T zPwmf%`!G*UqoVYB3aGZcUmOn>Gk{N6tdqm5Z)mJ#rK0_VOv7u<#lu=!0X+j6!EY20 z*Xb^E8c$rPual!e$l=s$ttRS5PUqNFv7fF#-f~;*rUT9-Js-1!g_p#Km@PO`-hT)u zT*DFCuES1;zq@i5EiWzr9mw2$UWrw%igUslz_sRJ4lutX&y-_* z6S}AC&+?6t3soDDZSU9^o8+^s<8aX+efP!Bu3mt%$>Agfeg=8wXfQaiTyZopQ28Mz z58Ac?ud(i80OXl)R=DD848SwQhp=z@w<+jE;R*CB#l=q7{+&30i+_8X$g9~y!r$;i z!YMwOZL_7)r97Kv@caao@F@mhaIlzCP+M=IC$;sKC}7l6N+GUXV63I~4??($t_8%o 
z3#Z2reuMa3ro?`_2gz!n<*5QKgK*q)(9SH-Qu_yC6#fLDL4&pueJmO8nX!z+8fa-7 zOro`%S=(|_@>1r&-7|d<8J`33F-Cb6YnoMujyp4~x){WQsL8n82@v5k`8AcsXOan! H`cC}+@IuiL literal 0 HcmV?d00001 
diff --git a/projects/cups/seeds/fuzz_ppd_seed_corpus/2 b/projects/cups/seeds/fuzz_ppd_seed_corpus/2 new file mode 100644 index 0000000000000000000000000000000000000000..b317709d292e37645659e0f6870836b939aa8dd8 GIT binary patch literal 11103 zcmeHNO>^7E8D`R4#7lKbru3m(ww|$Ai-crbve@xVBuYxy$|lF8?deQA83;__dbhStycS?Qma+)pg8-4zIDo@ z*?Ow6XCFnlE_l$m%Q}8A5l(sElG?x5{+6r#A@^3B)A|l(s#hmZ9%PHCf8Wfj6gThH8!+G87Anqc76O34$*x`mJxC@PR|~(;iOc9>Qv) z-``)~wf$q>X7z{72lZ;>Zf5YWUp?m@Z#J9NMlayri!N)ZaV~g^3T)t9pl9E)PJ14& zHb$a36s8xtX5{!DOKA@Ux1nB{F3g(@coYY6K$kO{zviwV^u&Fv@&ZHc^N|_5QD1!1 z*_}J6XN_6M^h|8YW0lo(L3Qk-Cu}bEIhJj6&ziK^hVjqNk(zXO+1Vx2Xp2WYioO!y zS5hM@xM;l?B&GIBUAH|UVt%n&A$}y4DN~mc?tFW!rvu$Y;mz!=FmplYiA63*Mk~{Y zdT2$&FC4?un&l*1P^p|yxhQOB@yg%Yq>|Zsyw%U?V`n1IDO$}br*W)03S<`&h z%gIMHU0d>dr=)ISRdJ?-xWLttAr^5nC11)>rPPIjGX7{9G*eS82{@#%Lmoy9ZEWNq z8jO6wIxqSI(q-8?c0$#H-#Fwpi+mPQmuSo-rR=-g@3K+sSrmLiW_mWWOwaQpb_|)` zRUOZrXpE)_JN5i?j|IZkj(0-y&{!h}E?zVb zW7o}$@U~I0UjKD%BqN@5S;OITGsH9qh={5x%I!Wxq(*p4HTJ-Jysd@>H=2)o$8!c)acv_rq=l%KQ%%Xt3P zo^H-MLY;t;pB#g>VsPn*(je@d60wf&`bc12I~F856qQfXq)4_5 z0uv3i=W62+Ml+Z|Rlc9kNK9demKpG#aJU!A3=OH98;3gv_)e;3V`hUHYzrwDWVW%% zws$tMlI|InW*)nIS8$U-10kBn?7QZJ66M#BkqET3HaUvh6X_#CM*kSiLp(PT#vewwAHh?9L+ z4W4E$OLf%S6+lNAkedmmOr1na-k9Hoh#}7&Hg;wb}+8HOgI)FVd zi}TO|t+&2l>|p{>4E6&s=SM{pzVHP8=^( z@fe{>{vq`G04GXL{5sQLBI7grS2;76hdLqcj@ZPHnJG9kr)g^fVsLSvS;#;gs5g>M z${H!Br0llqp9P53g53)O+gc+gBa^idR*`06MC3|I4ji&|Myadsxf5{Db(s^fkTR!< zkDLh}`##kK!nb3K<9K*i&50zyi_m54oQ&7MjZN2yCNgzS*RC+RlX1lES!-<5Ft*n> z4aD=~3EK?<9SJes4B;jSjV&Ui*dS-7H0>VcKWnJ64$N@E2L32I2WM!l2*Aw5+WnDa zK{N%2NeSrBX(fv(F;#(i^llWiBtSVI6qxm3@YJPXLk?(zwJ9`D zEhclqIEv}4BcZOBRD#G0>w)aE2Mjp^lIE5A@L(`(LZw0Q)b!$!X+^QX2tH0-Av0F$ zQsd@m6CI~@!mQHq?4k%`BStLGGNLS7X*x=B$VsK7_zzT~49oq~FDav!^6n}1B4BJ5 zUb^4~tP9*MBDR@`tY*ode!#VB_eocqD|}M?-n(czrUONA@7`G3f!*5Scf4CLDvp*mWphvihERBvrOiC=k-I;_}Sc9@wJK(3~l zdt31G8yxo3y-N9~}ib^{kiHv;2L_d-P7r@T3eD{fL#4YAnOOsR|WJ|4&%y zA{aokkp$J;(bV*vEALCMA5#|TDBbOZK&OK=!Lq z#qc&?jm*{bTQu>9eehrr0ANI1tazSvM-Z2z>% literal 
0 HcmV?d00001 diff --git a/projects/cups/seeds/fuzz_ppd_seed_corpus/3 b/projects/cups/seeds/fuzz_ppd_seed_corpus/3 new file mode 100644 index 0000000000000000000000000000000000000000..dcb3a0eb037531101745344db399c6f00094224d GIT binary patch literal 8495 zcmeHN&2G~`5Y7Q1H7|fLmm#7O1oA^cfQpa^X(I&{5~&SHT+r4YH!IBAtk;zEg1GSj zTzM0ojWX-CW7kP4N@xYGS4y(GGyCJ&`T2Gn%d)J`70aqnq3ZnN%ofAgkQmfg=MO6M z-pJZrCYZySfFavM*yabg4z*gfK9CN|4Gd5?DD25P+-*ZgOtw))0n|0K=B?H@&}EUQ z(vEf5LZwhvQx?lQ!Mee{u83Gv($= zN6cR-r6#|R9p|;<#fM)>RiMCaJu(_g={g4}zzav}v?J zuTLuVDu9sq#Q1uYAAhmsp5O#0v7!^3Sr_$@+e1Udqk97BJCThf`&F<> ziab;(6b%{ky>a71#5}GhWx`M}5V8lJ|+>kin&wi)71+gNy-! zm07r_`RC(6O-b=%;a8JRDzLLNnQy;oGGC7ci_g1T=8}`(#k|!-1UP4mAO|sPwM=74 zRR8#e;oP8*3wVJjQONQ)mJ)>|5aoQK5OTanVt5KtiWs^~V9ie}oj#N)#zhS)sFVq; z6C|+S#3Ebr>mnzxx{-Q;l!ZL+iLCO@lo?5RXDX%{$~)6kJLX5jDcMxYJJbLB(xtpJ zm3O8xb8Frwq?e+z%G{z{U#XdF_5nUIe*vI(Z_^a_!8CD}yzm%N#y9?>fJvU47as8h NhlfSp^kJYd=og~4Spfh5 literal 0 HcmV?d00001 From 282a0d19f097b2da8f16a982ab353d112d5abf1b Mon Sep 17 00:00:00 2001 From: TTFISH Date: Thu, 27 Mar 2025 23:45:37 +0800 Subject: [PATCH 2/3] update README to guide local building Signed-off-by: TTFISH Co-authored-by: k-furman --- projects/cups/README.md | 49 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/projects/cups/README.md b/projects/cups/README.md index 012c66d..420bdd7 100644 --- a/projects/cups/README.md +++ b/projects/cups/README.md @@ -1,8 +1,16 @@ -## CUPS fuzzing harness +## Fuzzing harness of cups -### Set up, build, and run. +### Build with OSS-Fuzz -#### Note: This only works in Ubuntu. +```bash +python infra/helper.py build_fuzzers --sanitizer address --engine libfuzzer --architecture x86_64 cups +``` + +The `build.sh` used in OSS-Fuzz is hosted in [oss_fuzz_build.sh](./oss_fuzz_build.sh). + +### Local build with libFuzzer + +_Note: Only tested in Ubuntu 22.04._ ```bash apt-get install zlib1g-dev libavahi-client-dev libsystemd-dev 
@@ -18,4 +26,39 @@ cd fuzzing/cups/
 ./fuzz_cups fuzz_cups_seed/ fuzz_cups_seed_corpus/
 ./fuzz_ipp fuzz_ipp_seed/ fuzz_ipp_seed_corpus/
 ./fuzz_raster fuzz_raster_seed/ fuzz_raster_seed_corpus/
+./fuzz_ppd fuzz_pdd_seed/ fuzz_pdd_seed_corpus/
+```
+
+### Local build with AFL++
+
+```bash
+# build
+CC=afl-clang-lto
+CXX=afl-clang-lto++
+AFL_USE_ASAN=1
+./configure --enable-static --disable-shared --host=x86_64
+make -C cups/
+make -C fuzzer/
+
+# fuzz
+afl-fuzz -i in/ -o out/ ./fuzz_ppd @@
 ```
+
+### Fuzz corpora
+
+#### fuzz_ppd
+
+From existing test input in cups, specifically cups/test.ppd and cups/test2.ppd
+
+```bash
+echo -n -e "Letter\0na-letter\0roll_max_36.1025x3622.0472in\0 4x6\0Foo\0foo=buz option=option Foo=Buz tag=fooz\0datanum1920\0datanum1080\0" > 1
+cat cups/test.ppd >> 1
+
+echo -n -e "A4\0Letter\0iso_a4_210x297mm\0 2x8\0Option\0Option=Bar Foo=Buz AL=666 Astra=Aspera\0datanum1337\0datanum4242\0 " > 2
+cat cups/test2.ppd >> 2
+
+echo -n -e "A4\0A4\0iso_a4_210x297mm\0 2x8\0Astra\0Per=Aspera Ad=Astra\0datanum2048\0datanum2048\0 " > 3
+cat cups/test2.ppd >> 3
+```
+
+

From 1aa1db3db66425a0e6d057d6c18db2e3455ebcf0 Mon Sep 17 00:00:00 2001
From: TTFISH
Date: Thu, 27 Mar 2025 23:51:26 +0800
Subject: [PATCH 3/3] Temporarily disable libppd for OSS-Fuzz

Direct leak exist in fuzzing harness, need refine and fix the issue first, then enable for production OSS-Fuzz.

Signed-off-by: TTFISH
---
 projects/cups/fuzzer/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/projects/cups/fuzzer/Makefile b/projects/cups/fuzzer/Makefile
index 55156af..609086b 100644
--- a/projects/cups/fuzzer/Makefile
+++ b/projects/cups/fuzzer/Makefile
@@ -3,7 +3,7 @@ TARGETS = \
  fuzz_ipp \
  fuzz_raster \
  fuzz_array \
- fuzz_ppd
+ # fuzz_ppd
 
 # For local build
 # export CC=clang