/src/libvncserver/test/fuzz_server.c
/*
  Fuzzing server for LibVNCServer.

  This is used by OSS-Fuzz at https://android.googlesource.com/platform/external/oss-fuzz/+/refs/heads/upstream-master/projects/libvnc
  which is integrated into our CI at `.github/workflows/cifuzz.yaml`.
  OSS-Fuzz basically runs every executable in the $OUT dir that contains LLVMFuzzerTestOneInput,
  so other fuzzers can be added later on as well.

  If you want to run the fuzzer locally, build it like this:

  ```
  mkdir build
  cd build
  CC=clang LIB_FUZZING_ENGINE="-fsanitize=fuzzer" CFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1" cmake ..
  cmake --build .
  ```

  and then execute `build/fuzz_server`. You can add some command line options, depending on
  the fuzzing engine you compiled it with; see https://llvm.org/docs/LibFuzzer.html
 */
#include <rfb/rfb.h>
/* Flipped to 1 by the first fuzzer invocation once the screen exists. */
static int initialized;
/* The single server instance shared by every fuzz input. */
rfbScreenInfoPtr server;
/* Minimal argv handed to rfbGetScreen() so it sees a program name. */
char *fakeargv[1] = {"fuzz_server"};

/*
 * Defined elsewhere in the build (not in this file). LLVMFuzzerTestOneInput
 * points them at the current input and resets the cursor; presumably the
 * fuzzing I/O shim reads client bytes from here instead of a socket — verify
 * against the definition.
 */
extern const uint8_t *fuzz_data;
extern size_t fuzz_size;
extern size_t fuzz_offset;
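/*
 * libFuzzer entry point: feeds one fuzz input to a freshly created VNC client.
 *
 * The first call lazily creates and initialises the shared `server`; later
 * calls reuse it. The input is published through the fuzz_data/fuzz_offset/
 * fuzz_size globals, a client is attached to a fake socket value, and its
 * messages are processed until the client is closed.
 *
 * Data, Size: the fuzz input. It is owned by the fuzzing engine and only
 *             valid for the duration of this call.
 * Returns 0 always, as the libFuzzer interface expects.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    /* Fake screen geometry: 400x300, 8 bits per sample, 3 samples, 4 bytes per pixel. */
    enum {
        FB_WIDTH = 400,
        FB_HEIGHT = 300,
        FB_BITS_PER_SAMPLE = 8,
        FB_SAMPLES_PER_PIXEL = 3,
        FB_BYTES_PER_PIXEL = 4
    };

    if (initialized == 0) {
        int fakeargc = 1;
        server = rfbGetScreen(&fakeargc, fakeargv, FB_WIDTH, FB_HEIGHT,
                              FB_BITS_PER_SAMPLE, FB_SAMPLES_PER_PIXEL, FB_BYTES_PER_PIXEL);
        if (server == NULL) {
            /* Screen creation failed; not a finding against the input, so
             * skip it and retry initialisation on the next call. */
            return 0;
        }
        /* Intentionally never freed: the screen lives for the whole session. */
        server->frameBuffer = malloc((size_t)FB_WIDTH * FB_HEIGHT * FB_BYTES_PER_PIXEL);
        if (server->frameBuffer == NULL) {
            rfbScreenCleanup(server);
            server = NULL;
            return 0;
        }
        rfbInitServer(server);
        initialized = 1;
    }

    /* Publish the input before any client code runs, so nothing observes the
     * previous call's fuzz_data pointer, which the engine may have freed. */
    fuzz_data = Data;
    fuzz_offset = 0;
    fuzz_size = Size;

    /* The socket value is a deliberately invalid fd; the fuzzing build is
     * expected to serve reads from fuzz_data instead — confirm in the shim. */
    rfbClientPtr cl = rfbNewClient(server, RFB_INVALID_SOCKET - 1);
    if (cl == NULL) {
        /* Client setup failed before any message could be processed. */
        return 0;
    }

    /* NOTE(review): termination relies on the client being closed once the
     * input is exhausted; if the read shim never closes it, this loop spins. */
    while (cl->sock != RFB_INVALID_SOCKET) {
        rfbProcessClientMessage(cl);
    }
    rfbClientConnectionGone(cl);
    return 0;
}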