v2

build.sh

@@ -0,0 +1,27 @@
+#!/bin/bash -e
+args=(-DBUILD_EXAMPLES=ON -DENABLE_OPENGL=OFF -DBUILD_SHARED_LIBS=OFF)
+
+export CC=afl-clang-fast
+export CXX=afl-clang-fast++
+export LD=$CXX
+unset AFL_USE_ASAN
+if ! grep -Fq '/afl-' build2/CMakeCache.txt; then
+	rm -rf build2
+	cmake -S . -B build2 "${args[@]}"
+fi
+nice make -C build2 clean
+nice make -C build2 -j10
+for f in build2/bin/Linux/*; do
+	ln -snfv "../../$f" "bin/Linux/${f##*/}_noasan"
+done
+
+export CC=afl-clang-lto
+export CXX=afl-clang-lto++
+export LD=$CXX
+export AFL_USE_ASAN=1
+if ! grep -Fq '/afl-' CMakeCache.txt; then
+	rm -f CMakeCache.txt
+	cmake . "${args[@]}"
+fi
+nice make clean
+nice make -j10

examples/CMakeLists.txt

@@ -2,9 +2,10 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 set(IRREXAMPLES
-	# removed
+	LoadTexture
+	LoadMesh
 )
-if(UNIX)
+if(FALSE)
 	list(APPEND IRREXAMPLES AutomatedTest)
 endif()
 

examples/LoadMesh/main.cpp

@@ -0,0 +1,44 @@
+#include <irrlicht.h>
+#include <iostream>
+
+using namespace irr;
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2)
+		return 1;
+
+	SIrrlichtCreationParameters p;
+	p.DriverType = video::EDT_NULL;
+	p.WindowSize = core::dimension2du(640, 480);
+	p.LoggingLevel = ELL_DEBUG;
+
+	auto *device = createDeviceEx(p);
+	if (!device)
+		return 1;
+	auto *smgr = device->getSceneManager();
+
+	while (__AFL_LOOP(10000)) {
+		auto *mfile = device->getFileSystem()->createAndOpenFile(argv[1]);
+		if (!mfile)
+			continue;
+		scene::IAnimatedMesh *mesh;
+		// Irrlicht matches on file extension so we have to do this by hand
+		for (u32 i = 0; i < smgr->getMeshLoaderCount(); i++) {
+			mfile->seek(0);
+			mesh = smgr->getMeshLoader(i)->createMesh(mfile);
+			if (mesh) {
+				core::stringc msg("Loaded using loader #");
+				msg += core::stringc(i);
+				device->getLogger()->log(msg.c_str(), ELL_DEBUG);
+				break;
+			}
+		}
+		if (mesh)
+			mesh->drop();
+		mfile->drop();
+	}
+
+	device->drop();
+	return 0;
+}

examples/LoadTexture/main.cpp

@@ -0,0 +1,29 @@
+#include <irrlicht.h>
+#include <iostream>
+
+using namespace irr;
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2)
+		return 1;
+
+	SIrrlichtCreationParameters p;
+	p.DriverType = video::EDT_NULL;
+	p.WindowSize = core::dimension2du(640, 480);
+	p.LoggingLevel = ELL_DEBUG;
+
+	auto *device = createDeviceEx(p);
+	if (!device)
+		return 1;
+	auto *driver = device->getVideoDriver();
+
+	while (__AFL_LOOP(10000)) {
+		auto *tex = driver->getTexture(argv[1]);
+		if (tex)
+			driver->removeTexture(tex);
+	}
+
+	device->drop();
+	return 0;
+}

repro.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+aflout=out/default
+myout=out_rep
+exe=./bin/Linux/LoadMesh
+rm -rf "$myout" && mkdir -p "$myout"
+find $aflout/crashes -name 'id:*' -print | \
+while read file; do
+	echo "➤ Testing $file..."
+	short=${file##*/}
+	short=${short%%,*}
+	fout=$myout/$short.txt
+	$exe "$file" >"$fout" 2>&1
+	r=$?
+	if grep -Fq '==ERROR: AddressSanitizer: SEGV on unknown address' "$fout"; then
+		gdb -q --batch -iex 'set confirm off' -ex r -ex bt --args \
+			${exe}_noasan "$file" >"$fout" 2>&1
+		if grep -Eq '^(Thread|Program).*received signal' "$fout"; then
+			cp "$file" "$myout/$short.bin"
+			echo "✔ Reproduced (gdb)"
+		else
+			echo "✗ Not reproduced (gdb)"
+			rm -f "$fout"
+		fi
+		continue
+	fi
+	grep -Fq '==ABORTING' "$fout" && r=1
+	if [ $r -eq 0 ]; then
+		echo "✗ Not reproduced (asan)"
+		rm -f "$fout"
+		continue
+	fi
+	cp "$file" "$myout/$short.bin"
+	echo "✔ Reproduced (asan)"
+done

run.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+export AFL_SKIP_CPUFREQ=1
+export AFL_TMPDIR=/dev/shm
+exe=./bin/Linux/LoadMesh
+opts=(
+	-t 100
+	-i sample_u/
+	-o out/
+)
+if ! [ -d sample_u ]; then
+	mkdir sample_u
+	afl-cmin.bash -T 4 -i sample/ -o sample_u/ -- $exe @@
+	echo; echo
+fi
+exec afl-fuzz \
+	"${opts[@]}" "$@" \
+	-- $exe @@