Added MessagePack fuzzing

fuzzing/Makefile

@@ -5,15 +5,18 @@ CXXFLAGS += -I../src
 all: \
 	$(OUT)/json_fuzzer \
 	$(OUT)/json_fuzzer_seed_corpus.zip \
-	$(OUT)/json_fuzzer.options
+	$(OUT)/json_fuzzer.options \
+	$(OUT)/msgpack_fuzzer \
+	$(OUT)/msgpack_fuzzer_seed_corpus.zip \
+	$(OUT)/msgpack_fuzzer.options
 
-$(OUT)/json_fuzzer: fuzzer.cpp $(shell find ../src -type f)
+$(OUT)/%_fuzzer: %_fuzzer.cpp $(shell find ../src -type f)
 	$(CXX) $(CXXFLAGS) $< -o$@ $(LIB_FUZZING_ENGINE)
 
-$(OUT)/json_fuzzer_seed_corpus.zip: seed_corpus/*
+$(OUT)/%_fuzzer_seed_corpus.zip: %_seed_corpus/*
 	zip -j $@ $?
 
-$(OUT)/json_fuzzer.options:
+$(OUT)/%_fuzzer.options:
 	@echo "[libfuzzer]" > $@
 	@echo "max_len = 256" >> $@
 	@echo "timeout = 10" >> $@

fuzzing/fuzzer.cpp

@@ -1,27 +0,0 @@
-#include <ArduinoJson.h>
-
-class memstream : public std::istream {
-  struct membuf : std::streambuf {
-    membuf(const uint8_t *p, size_t l) {
-      setg((char *)p, (char *)p, (char *)p + l);
-    }
-  };
-  membuf _buffer;
-
- public:
-  memstream(const uint8_t *p, size_t l)
-      : std::istream(&_buffer), _buffer(p, l) {
-    rdbuf(&_buffer);
-  }
-};
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  DynamicJsonDocument doc;
-  memstream json(data, size);
-  DeserializationError error = deserializeJson(doc, json);
-  if (error == DeserializationError::Ok) {
-    JsonVariant variant = doc.as<JsonVariant>();
-    variant.as<std::string>();  // <- serialize to JSON
-  }
-  return 0;
-}

fuzzing/json_fuzzer.cpp

@@ -0,0 +1,11 @@
+#include <ArduinoJson.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  DynamicJsonDocument doc;
+  DeserializationError error = deserializeJson(doc, data, size);
+  if (!error) {
+    std::string json;
+    serializeJson(doc, json);
+  }
+  return 0;
+}

fuzzing/msgpack_corpus/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

fuzzing/msgpack_fuzzer.cpp

@@ -0,0 +1,11 @@
+#include <ArduinoJson.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  DynamicJsonDocument doc;
+  DeserializationError error = deserializeMsgPack(doc, data, size);
+  if (!error) {
+    std::string json;
+    serializeMsgPack(doc, json);
+  }
+  return 0;
+}

fuzzing/msgpack_seed_corpus/false

@@ -0,0 +1 @@
+<EFBFBD>

fuzzing/msgpack_seed_corpus/fixarray

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>hello<EFBFBD>world

fuzzing/msgpack_seed_corpus/fixint_negative

@@ -0,0 +1 @@
+<EFBFBD>

fuzzing/msgpack_seed_corpus/fixint_positive

@@ -0,0 +1 @@
+

fuzzing/msgpack_seed_corpus/fixmap

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>one
<01>two

fuzzing/msgpack_seed_corpus/fixstr

@@ -0,0 +1 @@
+<EFBFBD>hello world

fuzzing/msgpack_seed_corpus/float32

@@ -0,0 +1 @@
+<EFBFBD>@H<><48>

fuzzing/msgpack_seed_corpus/float64

@@ -0,0 +1 @@
+<EFBFBD>@	!<21><><EFBFBD>o

fuzzing/msgpack_seed_corpus/int16

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD>

fuzzing/msgpack_seed_corpus/int32

@@ -0,0 +1 @@
+Ҷi<EFBFBD>.

fuzzing/msgpack_seed_corpus/int64

@@ -0,0 +1 @@
+<EFBFBD>4Vx<56><78><EFBFBD><EFBFBD>

fuzzing/msgpack_seed_corpus/int8

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>

fuzzing/msgpack_seed_corpus/nil

@@ -0,0 +1 @@
+<EFBFBD>

fuzzing/msgpack_seed_corpus/str8

@@ -0,0 +1 @@
+<EFBFBD>hello

fuzzing/msgpack_seed_corpus/true

@@ -0,0 +1 @@
+<EFBFBD>

fuzzing/msgpack_seed_corpus/uint16

@@ -0,0 +1 @@
+<EFBFBD>09

fuzzing/msgpack_seed_corpus/uint32

@@ -0,0 +1 @@
+<EFBFBD>4Vx

fuzzing/msgpack_seed_corpus/uint64

@@ -0,0 +1 @@
+<EFBFBD>4Vx<56><78><EFBFBD><EFBFBD>

fuzzing/msgpack_seed_corpus/uint8

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>

scripts/oss-fuzz/Vagrantfile

@@ -2,11 +2,16 @@
 Vagrant.configure(2) do |config|
   config.vm.box = "ubuntu/xenial64"
 
-  config.vm.synced_folder "E:\\Git\\Arduino\\libraries\\ArduinoJson", "/host/ArduinoJson"
+  config.vm.synced_folder "../..", "/host/ArduinoJson"
   config.vm.synced_folder "E:\\Git\\oss-fuzz", "/host/oss-fuzz"
 
   config.vm.network "forwarded_port", guest: 8001, host: 8001
 
+  config.vm.provider "virtualbox" do |v|
+    v.memory = 2048
+    v.cpus = 2
+  end
+
   config.vm.provision "shell", privileged: false, inline: <<-SHELL
     set -x
 
@@ -18,10 +23,6 @@ Vagrant.configure(2) do |config|
     git clone https://github.com/google/fuzzer-test-suite.git FTS
     ./FTS/tutorial/install-deps.sh  # Get deps
     ./FTS/tutorial/install-clang.sh # Get fresh clang binaries
-    # Get libFuzzer sources and build it
-    svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
-    Fuzzer/build.sh
-    sudo mv libFuzzer.a /usr/local/lib/
 
     echo "export PROJECT_NAME='arduinojson'" >> $HOME/.profile
     echo "export CC='clang'" >> $HOME/.profile

scripts/travis/fuzz.sh

@@ -1,20 +1,26 @@
 #!/bin/bash -eux
 
 ROOT_DIR=$(dirname $0)/../../
-INCLUDE_DIR=$ROOT_DIR/src/
+INCLUDE_DIR=${ROOT_DIR}/src/
-FUZZING_DIR=$ROOT_DIR/fuzzing/
+FUZZING_DIR=${ROOT_DIR}/fuzzing/
-JSON_CORPUS_DIR=$FUZZING_DIR/my_corpus
-JSON_SEED_CORPUS_DIR=$FUZZING_DIR/seed_corpus
-
-CXX="clang++-$CLANG"
 CXXFLAGS="-g -fprofile-instr-generate -fcoverage-mapping -fsanitize=address,fuzzer"
 
-$CXX $CXXFLAGS -o json_fuzzer -I$INCLUDE_DIR $FUZZING_DIR/fuzzer.cpp
+fuzz() {
+	NAME="$1"
+	FUZZER="${NAME}_fuzzer"
+	FUZZER_CPP="${FUZZING_DIR}/${NAME}_fuzzer.cpp"
+	CORPUS_DIR="${FUZZING_DIR}/${NAME}_corpus"
+	SEED_CORPUS_DIR="${FUZZING_DIR}/${NAME}_seed_corpus"
 
-export ASAN_OPTIONS="detect_leaks=0"
+	clang++-${CLANG} ${CXXFLAGS} -o ${FUZZER} -I$INCLUDE_DIR ${FUZZER_CPP}
-export LLVM_PROFILE_FILE="json_fuzzer.profraw"
-./json_fuzzer "$JSON_CORPUS_DIR" "$JSON_SEED_CORPUS_DIR" -max_total_time=60
 
-llvm-profdata-$CLANG merge -sparse json_fuzzer.profraw -o json_fuzzer.profdata
+	export ASAN_OPTIONS="detect_leaks=0"
+	export LLVM_PROFILE_FILE="${FUZZER}.profraw"
+	./${FUZZER} "$CORPUS_DIR" "$SEED_CORPUS_DIR" -max_total_time=30
 
-llvm-cov-$CLANG report ./json_fuzzer -instr-profile=json_fuzzer.profdata
+	llvm-profdata-${CLANG} merge -sparse ${LLVM_PROFILE_FILE} -o ${FUZZER}.profdata
+	llvm-cov-${CLANG} report ./${FUZZER} -instr-profile=${FUZZER}.profdata
+}
+
+fuzz json
+fuzz msgpack