Merge pull request #4845 from pks-t/pks/object-fuzzer

Object parsing fuzzer

Merge pull request #4845 from pks-t/pks/object-fuzzer
Object parsing fuzzer
7615794c · Carlos Martín Nieto · GitHub · 9b6e4081 · a1d5fd06 · 7615794c
Unverified Commit 7615794c authored Oct 15, 2018 by Carlos Martín Nieto Committed by GitHub Oct 15, 2018
7 changed files
--- a/fuzzers/corpora/objects/blob
+++ b/fuzzers/corpora/objects/blob
--- a/fuzzers/corpora/objects/commit
+++ b/fuzzers/corpora/objects/commit
+tree 3e7ac388cadae960fe7e22175ce0da878afe9d18
+parent 8b89f362a34fcccdf1c6c5f3445895b71d9c6d56
+parent c590b41fe4057a84a9bd31a5605ceef2c309b0f8
+author Patrick Steinhardt <ps@pks.im> 1538760730 +0200
+committer GitHub <noreply@github.com> 1538760730 +0200
+gpgsig -----BEGIN PGP SIGNATURE-----
+ 
+ wsBcBAABCAAQBQJbt6AaCRBK7hj4Ov3rIwAAdHIIAKZGIpS0dAirVRt5NVFj3ZtC
+ o2Q3ADC0XpYLKkEsClhG7pVtr7MRZZ8+qaJpbxn9j9WZZ4UtEeDjseos+pMNn9Mf
+ OQQntNzGAbHSw0apyYT+mTUKaVONPev4fw9Lnc/RJ/iWwHx+4gmgNqLwV3foaCW9
+ w1JzCL+BVJyZI80jrEehihhUnpIUOuMBwGjzSt54Zn5JqviC4cIldF2sXFGQqvsq
+ 3WDNnEUYanU6cLAdb9Pd6bVBI1EJnRLxehSeYiSaRPmLhQyhkH8KZ5lSi8iuH1C4
+ bjA6HaEUwCeq0k9Le6BUu93BExEOFcuu8+zEKCrwCdSwdEQ3Iakv8dh7XlT9iUY=
+ =nGP0
+ -----END PGP SIGNATURE-----
+ 
+
+Merge pull request #4834 from pks-t/pks/v0.27.5
+
+Security release v0.27.5
\ No newline at end of file
--- a/fuzzers/corpora/objects/tag
+++ b/fuzzers/corpora/objects/tag
+object a8d447f68076d1520f69649bb52629941be7031f
+type commit
+tag testtag
+tagger Patrick Steinhardt <ps@pks.im> 1539253015 +0200
+
+Tag message
--- a/fuzzers/corpora/objects/tree
+++ b/fuzzers/corpora/objects/tree
--- a/fuzzers/objects_fuzzer.c
+++ b/fuzzers/objects_fuzzer.c
+/*
+ * libgit2 packfile fuzzer target.
+ *
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "git2.h"
+#include "object.h"
+
+#define UNUSED(x) (void)(x)
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+	UNUSED(argc);
+	UNUSED(argv);
+
+	if (git_libgit2_init() < 0)
+		abort();
+
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	const git_otype types[] = {
+		GIT_OBJ_BLOB, GIT_OBJ_TREE, GIT_OBJ_COMMIT, GIT_OBJ_TAG
+	};
+	git_object *object = NULL;
+	size_t i;
+
+	/*
+	 * Brute-force parse this as every object type. We want
+	 * to stress the parsing logic anyway, so this is fine
+	 * to do.
+	 */
+	for (i = 0; i < ARRAY_SIZE(types); i++) {
+		if (git_object__from_raw(&object, (const char *) data, size, types[i]) < 0)
+			continue;
+		git_object_free(object);
+		object = NULL;
+	}
+
+	return 0;
+}
--- a/fuzzers/standalone_driver.c
+++ b/fuzzers/standalone_driver.c
@@ -11,6 +11,7 @@
 #include <stdlib.h>
 #include <sys/types.h>

+#include "git2.h"
 #include "fileops.h"
 #include "path.h"

@@ -41,6 +42,11 @@ int main(int argc, char **argv)
 	unsigned i = 0;
 	int error = 0;

+	if (git_libgit2_init() < 0) {
+		fprintf(stderr, "Failed to initialize libgit2\n");
+		abort();
+	}
+
 	if (argc != 2) {
 		fprintf(stderr, "Usage: %s <corpus directory>\n", argv[0]);
 		error = -1;
@@ -66,5 +72,6 @@ int main(int argc, char **argv)

 exit:
 	git_vector_free_deep(&corpus_files);
+	git_libgit2_shutdown();
 	return error;
 }
--- a/src/object.c
+++ b/src/object.c
@@ -91,8 +91,10 @@ int git_object__from_raw(
 	def = &git_objects_table[type];
 	assert(def->free && def->parse_raw);

-	if ((error = def->parse_raw(object, data, size)) < 0)
+	if ((error = def->parse_raw(object, data, size)) < 0) {
 		def->free(object);
+		return error;
+	}

 	git_cached_obj_incref(object);
 	*object_out = object;