afl-fuzz

2024-11-08 08:43:51 +01:00 · 2023-09-17 23:40:31 +02:00 · 2023-09-17 23:40:31 +02:00 · 4ca90e3dfd
commit 4ca90e3dfd
parent 679dfd3343
5 changed files with 103 additions and 2 deletions
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+export CC=afl-clang-lto
+export CXX=afl-clang-lto++
+export LD=$CXX
+
+args=(-DBUILD_EXAMPLES=ON -DENABLE_OPENGL=OFF -DBUILD_SHARED_LIBS=OFF)
+
+unset AFL_USE_ASAN
+grep -Fq '/afl-' build2/CMakeCache.txt || rm -rf build2
+cmake -S . -B build2 "${args[@]}"
+nice make -C build2 clean
+nice make -C build2 -j10
+for f in build2/bin/Linux/*; do
+	ln -sv "../../$f" "bin/Linux/${f##*/}_noasan"
+done
+
+export AFL_USE_ASAN=1
+grep -Fq '/afl-' CMakeCache.txt || rm -f CMakeCache.txt
+cmake . "${args[@]}"
+nice make clean
+nice make -j10
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@ -2,9 +2,9 @@ set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)

 set(IRREXAMPLES
-	# removed
+	LoadTexture
 )
-if(UNIX)
+if(FALSE)
 	list(APPEND IRREXAMPLES AutomatedTest)
 endif()

--- a/examples/LoadTexture/main.cpp
+++ b/examples/LoadTexture/main.cpp
@ -0,0 +1,29 @@
+#include <irrlicht.h>
+#include <iostream>
+
+using namespace irr;
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2)
+		return 1;
+
+	SIrrlichtCreationParameters p;
+	p.DriverType = video::EDT_NULL;
+	p.WindowSize = core::dimension2du(640, 480);
+	p.LoggingLevel = ELL_DEBUG;
+
+	auto *device = createDeviceEx(p);
+	if (!device)
+		return 1;
+	auto *driver = device->getVideoDriver();
+
+	while (__AFL_LOOP(10000)) {
+		auto *tex = driver->getTexture(argv[1]);
+		if (tex)
+			driver->removeTexture(tex);
+	}
+
+	device->drop();
+	return 0;
+}
--- a/repro.sh
+++ b/repro.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+aflout=out/default
+myout=out_rep
+exe=./bin/Linux/LoadTexture
+rm -rf "$myout" && mkdir -p "$myout"
+find $aflout/crashes -name 'id:*' -print | \
+while read file; do
+	echo "➤ Testing $file..."
+	short=${file##*/}
+	short=${short%%,*}
+	fout=$myout/$short.txt
+	$exe "$file" >"$fout" 2>&1
+	r=$?
+	if grep -Fq '==ERROR: AddressSanitizer: SEGV on unknown address' "$fout"; then
+		gdb -q --batch -iex 'set confirm off' -ex r -ex bt --args \
+			${exe}_noasan "$file" >"$fout" 2>&1
+		if grep -q '^Thread.*received signal'; then
+			cp "$file" "$myout/$short.bin"
+			echo "✔ Reproduced (gdb)"
+		else
+			echo "✗ Not reproduced (gdb)"
+			rm -f "$fout"
+		fi
+		continue
+	fi
+	grep -Fq '==ABORTING' "$fout" && r=1
+	if [ $r -eq 0 ]; then
+		echo "✗ Not reproduced (asan)"
+		rm -f "$fout"
+		continue
+	fi
+	cp "$file" "$myout/$short.bin"
+	echo "✔ Reproduced (asan)"
+done
--- a/run.sh
+++ b/run.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+export AFL_SKIP_CPUFREQ=1
+export AFL_TMPDIR=/dev/shm
+opts=(
+	-t 100
+	-i sample_u/
+	-o out/
+)
+exe=./bin/Linux/LoadTexture
+if ! [ -d sample_u ]; then
+	mkdir sample_u
+	afl-cmin.bash -i sample/ -o sample_u/ -- $exe @@
+	echo; echo
+fi
+exec afl-fuzz \
+	"${opts[@]}" "$@" \
+	-- $exe @@