2.1 KiB
2.1 KiB
Fuzzing lib/base
This directory contains a fuzzer for the JSON parser (json.c).
fuzz_json
Fuzzes heim_json_create_with_bytes() and heim_json_copy_serialize() with
various parsing flags and depth limits.
Building
Standalone (for testing)
cd build
make -C lib/base fuzz_json
With libFuzzer + AddressSanitizer (recommended)
cd build
CC=clang CXX=clang++ \
CFLAGS="-fsanitize=fuzzer-no-link,address -g -O1" \
LDFLAGS="-fsanitize=fuzzer,address" \
../configure --enable-maintainer-mode --enable-developer
make -C lib/base fuzz_json
With AFL++
cd build
CC=afl-clang-fast CXX=afl-clang-fast++ \
../configure --enable-maintainer-mode --enable-developer
make -C lib/base fuzz_json
Running
Standalone mode (reads from files or stdin)
# Test with corpus files
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/*.json
# Test single input
echo '{"test": [1,2,3]}' | ./lib/base/fuzz_json
libFuzzer mode
# Basic fuzzing
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/
# With options
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/ \
-max_len=262144 \
-timeout=10 \
-jobs=4 \
-workers=4
AFL++ mode
afl-fuzz -i ../lib/base/fuzz_json_corpus -o findings -- ./lib/base/fuzz_json @@
Seed Corpus
The fuzz_json_corpus/ directory contains seed inputs covering:
- Basic JSON types (null, true, false, numbers, strings)
- Unicode literals and escape sequences (
\uXXXX) - Arrays and objects (empty, nested, deep)
- Edge cases (empty keys, whitespace variations, huge integers)
- Malformed inputs (unclosed brackets, missing values, trailing commas)
- JWT-like payloads (common real-world use case)
What it tests
- Default parsing -
heim_json_create_with_bytes()with depth limit 10 - Strict mode -
HEIM_JSON_F_STRICTflag (rejects some permissive inputs) - Shallow depth - Depth limit 2 (rejects deep nesting)
- Null handling -
HEIM_JSON_F_NO_C_NULLflag - Round-trip - Parse, serialize, re-parse to verify consistency