/src/tmux/fuzz/format-fuzzer.c

Source
/*
 * Copyright (c) 2026 David Korczynski <david@adalogics.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Fuzz the tmux format string expander (format_expand).
 *
 * This exercises:
 *   - format.c (format parsing, modifier chains, conditionals, math, regex)
 *   - colour.c (colour name and RGB parsing within formats)
 *   - utf8.c (UTF-8 width calculations in format padding)
 */

#include <stddef.h>
#include <string.h>

#include "tmux.h"

struct event_base *libevent;

int
LLVMFuzzerTestOneInput(const u_char *data, size_t size)
{
  struct format_tree  *ft;
  char      *buf, *expanded;

  if (size > 2048 || size == 0)
    return 0;

  /* Null-terminate the input for format_expand. */
  buf = malloc(size + 1);
  if (buf == NULL)
    return 0;
  memcpy(buf, data, size);
  buf[size] = '\0';

  ft = format_create(NULL, NULL, 0, FORMAT_NOJOBS);
  format_add(ft, "session_name", "%s", "fuzz-session");
  format_add(ft, "window_index", "%d", 0);
  format_add(ft, "window_name", "%s", "fuzz-window");
  format_add(ft, "pane_index", "%d", 0);
  format_add(ft, "pane_id", "%s", "%%0");
  format_add(ft, "host", "%s", "fuzzhost");
  format_add(ft, "pane_width", "%d", 80);
  format_add(ft, "pane_height", "%d", 25);

  expanded = format_expand(ft, buf);
  free(expanded);
  format_free(ft);

  free(buf);
  return 0;
}

int
LLVMFuzzerInitialize(__unused int *argc, __unused char ***argv)
{
  const struct options_table_entry  *oe;

  global_environ = environ_create();
  global_options = options_create(NULL);
  global_s_options = options_create(NULL);
  global_w_options = options_create(NULL);
  for (oe = options_table; oe->name != NULL; oe++) {
    if (oe->scope & OPTIONS_TABLE_SERVER)
      options_default(global_options, oe);
    if (oe->scope & OPTIONS_TABLE_SESSION)
      options_default(global_s_options, oe);
    if (oe->scope & OPTIONS_TABLE_WINDOW)
      options_default(global_w_options, oe);
  }
  libevent = osdep_event_init();
  socket_path = xstrdup("dummy");

  return 0;
}

Line	Count	Source
1		/*
2		* Copyright (c) 2026 David Korczynski <david@adalogics.com>
3		*
4		* Permission to use, copy, modify, and distribute this software for any
5		* purpose with or without fee is hereby granted, provided that the above
6		* copyright notice and this permission notice appear in all copies.
7		*
8		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12		* WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
13		* IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
14		* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15		*/
16
17		/*
18		* Fuzz the tmux format string expander (format_expand).
19		*
20		* This exercises:
21		* - format.c (format parsing, modifier chains, conditionals, math, regex)
22		* - colour.c (colour name and RGB parsing within formats)
23		* - utf8.c (UTF-8 width calculations in format padding)
24		*/
25
26		#include <stddef.h>
27		#include <string.h>
28
29		#include "tmux.h"
30
31		struct event_base *libevent;
32
33		int
34		LLVMFuzzerTestOneInput(const u_char *data, size_t size)
35	3.55k	{
36	3.55k	struct format_tree *ft;
37	3.55k	char buf, expanded;
38
39	3.55k	if (size > 2048 \|\| size == 0)
40	0	return 0;
41
42		/* Null-terminate the input for format_expand. */
43	3.55k	buf = malloc(size + 1);
44	3.55k	if (buf == NULL)
45	0	return 0;
46	3.55k	memcpy(buf, data, size);
47	3.55k	buf[size] = '\0';
48
49	3.55k	ft = format_create(NULL, NULL, 0, FORMAT_NOJOBS);
50	3.55k	format_add(ft, "session_name", "%s", "fuzz-session");
51	3.55k	format_add(ft, "window_index", "%d", 0);
52	3.55k	format_add(ft, "window_name", "%s", "fuzz-window");
53	3.55k	format_add(ft, "pane_index", "%d", 0);
54	3.55k	format_add(ft, "pane_id", "%s", "%%0");
55	3.55k	format_add(ft, "host", "%s", "fuzzhost");
56	3.55k	format_add(ft, "pane_width", "%d", 80);
57	3.55k	format_add(ft, "pane_height", "%d", 25);
58
59	3.55k	expanded = format_expand(ft, buf);
60	3.55k	free(expanded);
61	3.55k	format_free(ft);
62
63	3.55k	free(buf);
64	3.55k	return 0;
65	3.55k	}
66
67		int
68		LLVMFuzzerInitialize(__unused int argc, __unused char **argv)
69	7	{
70	7	const struct options_table_entry *oe;
71
72	7	global_environ = environ_create();
73	7	global_options = options_create(NULL);
74	7	global_s_options = options_create(NULL);
75	7	global_w_options = options_create(NULL);
76	1.56k	for (oe = options_table; oe->name != NULL; oe++) {
77	1.55k	if (oe->scope & OPTIONS_TABLE_SERVER)
78	175	options_default(global_options, oe);
79	1.55k	if (oe->scope & OPTIONS_TABLE_SESSION)
80	784	options_default(global_s_options, oe);
81	1.55k	if (oe->scope & OPTIONS_TABLE_WINDOW)
82	595	options_default(global_w_options, oe);
83	1.55k	}
84	7	libevent = osdep_event_init();
85	7	socket_path = xstrdup("dummy");
86
87	7	return 0;
88	7	}

Coverage Report

Created: 2026-06-10 06:31