Code and corpora for curl and libcurl fuzzing.
Great! Run ./mainline.sh. It will download you a fresh copy of curl, compile
it with clang, install it to a temporary directory, then compile the fuzzer
against curl. It'll also run the regression testcases.
If you have a local copy of curl that you want to use instead, pass the path as
an argument to ./mainline.sh. It will compile and install that curl to a
temporary directory instead.
./mainline.sh is run regressibly by Travis CI.
Run ./codecoverage.sh. It will download you a fresh copy of curl, compile it
with gcc, install it, then compile the fuzzer against it. It'll then run a
coverage run and work out the coverage of the test cases, using lcov to
generate coverage information.
./codecoverage.sh is run regressibly by Travis CI.
Setting the FUZZ_VERBOSE environment variable turns on curl verbose logging.
This can be useful when debugging a single testcase.
The easiest way to do this is to follow the instructions over at
https://github.com/google/oss-fuzz to run the curl project.
To look at the contents of a testcase, run
python read_corpus.py --input <path/to/file>
This will print out a list of contents inside the file.
To generate a new testcase, run python generate_corpus.py with appropriate
options.
Wonderful! Here's a bit of information you may need to know.
Testcases are written in a Type-Length-Value or TLV format. Each TLV has:
- 16 bits for the Type
- 32 bits for the Length of the TLV data
- 0 - length bytes of data.
TLV type numbers are defined in both corpus.py and curl_fuzzer.h.
To add a new TLV:
- Add support for it in the Python scripts:
generate_corpus.py,corpus.py. This means adding options for reading the value of the TLV from the user (or from a file, or from test data) - Add support for it in the fuzzer:
curl_fuzzer.cc,curl_fuzzer.h. This likely means adding handling of the TLV tofuzz_parse_tlv().