/src/CMake/Tests/Fuzzing/cmListFileLexerFuzzer.cxx

Source
/* Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
   file LICENSE.rst or https://cmake.org/licensing for details.  */

/*
 * Fuzzer for CMake's ListFile lexer (CMakeLists.txt parser)
 *
 * This fuzzer targets cmListFileLexer which tokenizes CMakeLists.txt files.
 * It's a critical attack surface as malicious CMakeLists.txt files could be
 * encountered when building untrusted projects.
 *
 * Coverage targets:
 * - Token parsing (identifiers, strings, brackets, comments)
 * - BOM handling (UTF-8, UTF-16, UTF-32)
 * - Bracket argument/comment parsing
 * - Error recovery for malformed input
 */

#include <cstddef>
#include <cstdint>

#include "cmListFileLexer.h"

// Limit input size to avoid timeouts on complex inputs
static constexpr size_t kMaxInputSize = 64 * 1024; // 64KB

extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
{
  // Skip overly large inputs
  if (size == 0 || size > kMaxInputSize) {
    return 0;
  }

  cmListFileLexer* lexer = cmListFileLexer_New();
  if (!lexer) {
    return 0;
  }

  // Parse from string (not file) for efficiency
  if (cmListFileLexer_SetString(lexer, reinterpret_cast<char const*>(data),
                                size)) {
    // Consume all tokens until EOF or error
    cmListFileLexer_Token* token;
    while ((token = cmListFileLexer_Scan(lexer)) != nullptr) {
      // Access token fields to ensure they're valid
      (void)token->type;
      (void)token->text;
      (void)token->length;
      (void)token->line;
      (void)token->column;

      // Get type as string for additional coverage
      (void)cmListFileLexer_GetTypeAsString(lexer, token->type);
    }

    // Exercise position tracking
    (void)cmListFileLexer_GetCurrentLine(lexer);
    (void)cmListFileLexer_GetCurrentColumn(lexer);
  }

  cmListFileLexer_Delete(lexer);
  return 0;
}

Line	Count	Source
1		/* Distributed under the OSI-approved BSD 3-Clause License. See accompanying
2		file LICENSE.rst or https://cmake.org/licensing for details. */
3
4		/*
5		* Fuzzer for CMake's ListFile lexer (CMakeLists.txt parser)
6		*
7		* This fuzzer targets cmListFileLexer which tokenizes CMakeLists.txt files.
8		* It's a critical attack surface as malicious CMakeLists.txt files could be
9		* encountered when building untrusted projects.
10		*
11		* Coverage targets:
12		* - Token parsing (identifiers, strings, brackets, comments)
13		* - BOM handling (UTF-8, UTF-16, UTF-32)
14		* - Bracket argument/comment parsing
15		* - Error recovery for malformed input
16		*/
17
18		#include <cstddef>
19		#include <cstdint>
20
21		#include "cmListFileLexer.h"
22
23		// Limit input size to avoid timeouts on complex inputs
24		static constexpr size_t kMaxInputSize = 64 * 1024; // 64KB
25
26		extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
27	1.26k	{
28		// Skip overly large inputs
29	1.26k	if (size == 0 \|\| size > kMaxInputSize) {
30	8	return 0;
31	8	}
32
33	1.25k	cmListFileLexer* lexer = cmListFileLexer_New();
34	1.25k	if (!lexer) {
35	0	return 0;
36	0	}
37
38		// Parse from string (not file) for efficiency
39	1.25k	if (cmListFileLexer_SetString(lexer, reinterpret_cast<char const*>(data),
40	1.25k	size)) {
41		// Consume all tokens until EOF or error
42	1.25k	cmListFileLexer_Token* token;
43	218k	while ((token = cmListFileLexer_Scan(lexer)) != nullptr) {
44		// Access token fields to ensure they're valid
45	217k	(void)token->type;
46	217k	(void)token->text;
47	217k	(void)token->length;
48	217k	(void)token->line;
49	217k	(void)token->column;
50
51		// Get type as string for additional coverage
52	217k	(void)cmListFileLexer_GetTypeAsString(lexer, token->type);
53	217k	}
54
55		// Exercise position tracking
56	1.25k	(void)cmListFileLexer_GetCurrentLine(lexer);
57	1.25k	(void)cmListFileLexer_GetCurrentColumn(lexer);
58	1.25k	}
59
60	1.25k	cmListFileLexer_Delete(lexer);
61	1.25k	return 0;
62	1.25k	}

Coverage Report

Created: 2026-02-09 06:05