# Fuzzing lib/base

This directory contains a fuzzer for the JSON parser (`json.c`).

## fuzz_json

Fuzzes `heim_json_create_with_bytes()` and `heim_json_copy_serialize()` with
various parsing flags and depth limits.

### Building

#### Standalone (for testing)

```bash
cd build
make -C lib/base fuzz_json
```

#### With libFuzzer + AddressSanitizer (recommended)

```bash
cd build
CC=clang CXX=clang++ \
CFLAGS="-fsanitize=fuzzer-no-link,address -g -O1" \
LDFLAGS="-fsanitize=fuzzer,address" \
../configure --enable-maintainer-mode --enable-developer

make -C lib/base fuzz_json
```

#### With AFL++

```bash
cd build
CC=afl-clang-fast CXX=afl-clang-fast++ \
../configure --enable-maintainer-mode --enable-developer

make -C lib/base fuzz_json
```

### Running

#### Standalone mode (reads from files or stdin)

```bash
# Test with corpus files
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/*.json

# Test single input
echo '{"test": [1,2,3]}' | ./lib/base/fuzz_json
```

#### libFuzzer mode

```bash
# Basic fuzzing
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/

# With options
./lib/base/fuzz_json ../lib/base/fuzz_json_corpus/ \
    -max_len=262144 \
    -timeout=10 \
    -jobs=4 \
    -workers=4
```

#### AFL++ mode

```bash
afl-fuzz -i ../lib/base/fuzz_json_corpus -o findings -- ./lib/base/fuzz_json @@
```

### Seed Corpus

The `fuzz_json_corpus/` directory contains seed inputs covering:

- Basic JSON types (null, true, false, numbers, strings)
- Unicode literals and escape sequences (`\uXXXX`)
- Arrays and objects (empty, nested, deep)
- Edge cases (empty keys, whitespace variations, huge integers)
- Malformed inputs (unclosed brackets, missing values, trailing commas)
- JWT-like payloads (common real-world use case)

### What it tests

1. **Default parsing** - `heim_json_create_with_bytes()` with depth limit 10
2. **Strict mode** - `HEIM_JSON_F_STRICT` flag (rejects some permissive inputs)
3. **Shallow depth** - Depth limit 2 (rejects deep nesting)
4. **Null handling** - `HEIM_JSON_F_NO_C_NULL` flag
5. **Round-trip** - Parse, serialize, re-parse to verify consistency