Report generation date: 2025-08-25

Project overview: libredwg

High level conclusions

Fuzzers reach 13.92% of cyclomatic complexity.

Fuzzers reach 18.50% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

537 / 2902

Cyclomatic complexity statically reachable by fuzzers

4097 / 29426

Runtime code coverage of functions

268 / 2902

Fuzzers overview

Fuzzer	Fuzzer filename	Functions Reached	Functions unreached	Fuzzer depth	Files reached	Basic blocks reached	Cyclomatic complexity	Details
llvmfuzz	examples/llvmfuzz.c	1157	2365	10	23	3473	4130	llvmfuzz.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer details

Fuzzer: llvmfuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 4413 78.3%

gold [1:9] 196 3.47%

yellow [10:29] 114 2.02%

greenyellow [30:49] 47 0.83%

lawngreen 50+ 864 15.3%

All colors 5634 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	4413	78.3%
gold	[1:9]	196	3.47%
yellow	[10:29]	114	2.02%
greenyellow	[30:49]	47	0.83%
lawngreen	50+	864	15.3%
All colors	5634	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
806	4824	dwg_model_space_object	call site: 04824	dwg_write_dxfb
448	4374	is_type_stable	call site: 04374	dwg_write_dxf
311	2482	in_hex2bin	call site: 02482	_set_struct_field
285	876	bit_read_fixed	call site: 00876	read_2004_section_classes
174	1447	read_sections_map	call site: 01447	read_2007_section_classes
148	4102	bit_write_RLL_BE	call site: 04102	encode_classes
147	587	resolve_objectref_vector	call site: 00587	decode_R2004
130	1622	bit_convert_TU	call site: 01622	read_2007_section_handles
120	751	bit_write_RC	call site: 00751	read_R2004_section_info
118	3598	dwg_free_eed	call site: 03598	add_DUMMY_eed
105	1283	read_file_header	call site: 01283	decompress_r2007
100	3996	dwg_dynapi_entity_set_value	call site: 03996	encode_preR13_section

Runtime coverage analysis

Covered functions

857

Functions that are reachable but not covered

790

Reachable functions

1157

Percentage of reachable functions covered

31.72%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
examples/llvmfuzz.c	23
src/decode.c	138
src/hash.c	10
src/decode_r11.c	13
src/dwg_api.c	44
src/dwg.c	57
src/bits.c	58
src/codepages.c	5
src/common.c	12
src/print.c	91
src/decode_r2007.c	93
src/free.c	197
src/classes.c	10
src/in_json.c	126
src/dynapi.c	30
src/objects.c	3
src/in_dxf.c	78
src/encode.c	150
test/unit-testing/pointcloud.c	6
test/unit-testing/tests_common.h	4
src/out_dxf.c	144
src/out_dxfb.c	133
src/out_json.c	147

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	instr count	bb count	cyclomatic complexity	Reachable functions	total cyclomatic complexity	Unreached complexity
`test_dynapi`	/src/libredwg/test/unit-testing/dynapi_test.c	1	['char*']	10	14	2	3	798	19075	17633
`new_object`	/src/libredwg/src/in_dxf.c	6	['char', 'char', 'Bit_Chain', 'Dwg_Data', 'BITCODE_BL', 'BITCODE_BL*']	8	624	148	253	143	1020	559
`json_xdata`	/src/libredwg/src/out_json.c	2	['Bit_Chain', 'Dwg_Object_XRECORD']	5	547	167	163	156	396	257
`add_MULTILEADER`	/src/libredwg/src/in_dxf.c	3	['Dwg_Object', 'Bit_Chain', 'Dxf_Pair*']	4	448	129	176	20	280	241
`add_HATCH`	/src/libredwg/src/in_dxf.c	3	['Dwg_Object', 'Bit_Chain', 'Dxf_Pair*']	8	530	115	173	70	571	229
`dwg_add_dat`	/src/libredwg/examples/dwgadd.c	2	['Dwg_Data*', 'Bit_Chain']	11	499	93	144	674	2789	220
`decode_preR13_entities`	/src/libredwg/src/decode.c	7	['BITCODE_RL', 'BITCODE_RL', 'unsigned', 'BITCODE_RL', 'Bit_Chain', 'Dwg_Data', 'EntitySectionIndexR11']	7	362	91	113	90	304	181

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

949 / 2902

Cyclomatic complexity statically reachable by fuzzers

23417 / 29426

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

examples/llvmfuzz.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['dwg_model_space_object', 'is_type_stable', 'in_hex2bin', 'bit_read_fixed', 'read_sections_map', 'bit_write_RLL_BE', 'resolve_objectref_vector', 'bit_convert_TU', 'bit_write_RC', 'dwg_free_eed']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
LLVMFuzzerTestOneInput	131	71	54.19%
bit_write_H	36	14	38.88%	['llvmfuzz']
bit_write_TV	38	16	42.10%	['llvmfuzz']
bit_utf8_to_TV	134	29	21.64%	['llvmfuzz']
bit_read_CMC	38	8	21.05%	['llvmfuzz']
dwg_fixup_BLOCKS_entities	171	35	20.46%	['llvmfuzz']
dwg_decode_xdata	208	47	22.59%	['llvmfuzz']
read_r2007_meta_data	76	29	38.15%	['llvmfuzz']
read_sections_map	179	9	5.027%	['llvmfuzz']
dwg_resolve_handleref	33	10	30.30%	['llvmfuzz']
dwg_model_space_ref	35	15	42.85%
dwg_model_space_object	35	7	20.0%	['llvmfuzz']
dwg_find_dictionary	36	10	27.77%	['llvmfuzz']
dwg_ctrl_table	137	44	32.11%	['llvmfuzz']
dwg_decode_BLOCK_HEADER_private	118	62	52.54%
dwg_decode_LAYER_private	135	68	50.37%
dwg_decode_VPORT_private	173	64	36.99%
dwg_decode_DIMENSION_LINEAR_private	41	16	39.02%
dwg_decode_DIMENSION_ALIGNED_private	35	14	40.0%
dwg_decode_DIMENSION_ANG3PT_private	42	14	33.33%
dwg_decode_DIMENSION_ANG2LN_private	48	18	37.5%
dwg_decode_MTEXT_private	92	27	29.34%
dwg_decode_LAYOUT_private	122	67	54.91%
dwg_free_HATCH_private	192	104	54.16%
dwg_free_INSERT_private	163	87	53.37%
dwg_free_JUMP_private	49	4	8.163%
dwg_free_LIGHT_private	66	30	45.45%
dwg_free_MINSERT_private	118	46	38.98%
dwg_free_MTEXT_private	92	27	29.34%
dwg_free_MULTILEADER_private	147	59	40.13%
dwg_free_POINTCLOUD_private	52	22	42.30%
dwg_free_TABLE_private	432	34	7.870%
dwg_free_VERTEX_2D_private	76	39	51.31%
dwg_free_LAYER_private	135	73	54.07%
dwg_free_LAYOUT_private	122	58	47.54%
dwg_free_LTYPE_private	126	56	44.44%
dwg_free_TABLEGEOMETRY_private	38	13	34.21%
dwg_free_TABLESTYLE_private	68	23	33.82%
dwg_free_VPORT_private	173	84	48.55%
dwg_free_XRECORD_private	52	19	36.53%
dwg_encode_TEXT_private	146	27	18.49%
dwg_encode_ATTRIB_private	185	38	20.54%
dwg_encode_ATTDEF_private	194	40	20.61%
dwg_encode_INSERT_private	163	22	13.49%
dwg_encode_VERTEX_2D_private	76	19	25.0%
dwg_encode_VERTEX_PFACE_FACE_private	31	13	41.93%
dwg_encode_POLYLINE_2D_private	84	25	29.76%
dwg_encode_POLYLINE_3D_private	55	23	41.81%
dwg_encode_LINE_private	66	15	22.72%
dwg_encode_DIMENSION_ORDINATE_private	43	15	34.88%
dwg_encode_DIMENSION_LINEAR_private	41	17	41.46%
dwg_encode_DIMENSION_ALIGNED_private	35	14	40.0%
dwg_encode_DIMENSION_ANG3PT_private	42	14	33.33%
dwg_encode_DIMENSION_ANG2LN_private	48	14	29.16%
dwg_encode__3DFACE_private	92	25	27.17%
dwg_encode_POLYLINE_PFACE_private	42	19	45.23%
dwg_encode_POLYLINE_MESH_private	66	25	37.87%
dwg_encode_SHAPE_private	46	11	23.91%
dwg_encode_VIEWPORT_private	125	21	16.8%
dwg_insert_entity	113	37	32.74%	['llvmfuzz']
dwg_add_DICTIONARY	32	12	37.5%
dwg_dynapi_common_value	46	22	47.82%	['llvmfuzz']
dwg_dynapi_common_set_value	83	32	38.55%	['llvmfuzz']
dynapi_set_helper	44	21	47.72%	['llvmfuzz']
dwg_encode	1137	138	12.13%	['llvmfuzz']
dwg_encode_get_class	59	5	8.474%	['llvmfuzz']
in_postprocess_SEQEND	186	59	31.72%
in_postprocess_handles	77	36	46.75%
remove_EXEMPT_FROM_CAD_STANDARDS_APPID	48	11	22.91%	['llvmfuzz']
encode_preR13_entities	237	102	43.03%	['llvmfuzz']
dwg_encode_entity	49	21	42.85%	['llvmfuzz']
dwg_free_variable_type	33	18	54.54%	['llvmfuzz']
dxf_read_string	83	43	51.80%	['llvmfuzz']
matches_type	56	29	51.78%	['llvmfuzz']
dxf_tables_read	222	111	50.0%
new_table_control	227	85	37.44%	['llvmfuzz']
add_eed	310	108	34.83%	['llvmfuzz']
new_object	3194	954	29.86%	['llvmfuzz']
add_MLINE	221	55	24.88%	['llvmfuzz']
add_HATCH	843	173	20.52%	['llvmfuzz']
add_CellStyle	413	66	15.98%	['llvmfuzz']
get_numfield_value	31	11	35.48%	['llvmfuzz']
add_MULTILEADER	503	6	1.192%	['llvmfuzz']
add_TABLESTYLE	152	38	25.0%	['llvmfuzz']
add_TABLEGEOMETRY_Cell	170	91	53.52%	['llvmfuzz']
resolve_postponed_header_refs	48	6	12.5%
resolve_postponed_eed_refs	36	4	11.11%	['llvmfuzz']
dxf_blocks_read	189	92	48.67%
resolve_postponed_object_refs	100	45	45.0%
add_to_BLOCK_HEADER	32	6	18.75%
json_string	54	19	35.18%	['llvmfuzz']
json_HEADER	185	57	30.81%	['llvmfuzz']
json_OBJECTS	579	70	12.08%	['llvmfuzz']

Fuzz driver synthesis

New fuzzers

The below fuzzers are templates and suggestions for how to target the set of optimal functions above

dynapi_test.c

Target file: /src/libredwg/test/unit-testing/dynapi_test.c
Target functions: test_dynapi

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target test_dynapi */
  char *new_var0 = ada_safe_get_char_p();
  test_dynapi(new_var0);

  af_safe_gb_cleanup();
}

in_dxf.c

Target file: /src/libredwg/src/in_dxf.c
Target functions: new_object, add_MULTILEADER, add_HATCH

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target new_object */
  char *new_var1 = ada_safe_get_char_p();
  char *new_var2 = ada_safe_get_char_p();
  UNKNOWN_TYPE unknown_3;
  UNKNOWN_TYPE unknown_4;
  UNKNOWN_TYPE unknown_5;
  UNKNOWN_TYPE unknown_6;
  new_object(new_var1, new_var2, unknown_3, unknown_4, unknown_5, unknown_6);

  /* target add_MULTILEADER */
  UNKNOWN_TYPE unknown_9;
  UNKNOWN_TYPE unknown_10;
  UNKNOWN_TYPE unknown_11;
  add_MULTILEADER(unknown_9, unknown_10, unknown_11);

  /* target add_HATCH */
  UNKNOWN_TYPE unknown_12;
  UNKNOWN_TYPE unknown_13;
  UNKNOWN_TYPE unknown_14;
  add_HATCH(unknown_12, unknown_13, unknown_14);

  af_safe_gb_cleanup();
}

out_json.c

Target file: /src/libredwg/src/out_json.c
Target functions: json_xdata

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target json_xdata */
  UNKNOWN_TYPE unknown_7;
  UNKNOWN_TYPE unknown_8;
  json_xdata(unknown_7, unknown_8);

  af_safe_gb_cleanup();
}

dwgadd.c

Target file: /src/libredwg/examples/dwgadd.c
Target functions: dwg_add_dat

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target dwg_add_dat */
  UNKNOWN_TYPE unknown_15;
  UNKNOWN_TYPE unknown_16;
  dwg_add_dat(unknown_15, unknown_16);

  af_safe_gb_cleanup();
}

decode.c

Target file: /src/libredwg/src/decode.c
Target functions: decode_preR13_entities

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target decode_preR13_entities */
  UNKNOWN_TYPE unknown_17;
  UNKNOWN_TYPE unknown_18;
  UNKNOWN_TYPE unknown_19;
  UNKNOWN_TYPE unknown_20;
  UNKNOWN_TYPE unknown_21;
  UNKNOWN_TYPE unknown_22;
  UNKNOWN_TYPE unknown_23;
  decode_preR13_entities(unknown_17, unknown_18, unknown_19, unknown_20, unknown_21, unknown_22, unknown_23);

  af_safe_gb_cleanup();
}

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
/src/libredwg/programs/my_stat.h	[]	[]
/src/libredwg/programs/getopt.c	[]	[]
/src/libredwg/src/dwg_api.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/dynapi.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/programs/dwggrep.c	[]	[]
/src/libredwg/src/bits.h	[]	[]
/src/libredwg/test/xmlsuite/testsuite.c	[]	[]
/src/libredwg/src/logging.h	[]	[]
/src/libredwg/src/dec_macros.h	[]	[]
/src/libredwg/src/dwg.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/objects.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/reedsolomon.c	[]	[]
/src/libredwg/src/hash.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/decode_r2007.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/bits.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/test/unit-testing/decode_test.c	[]	[]
/src/libredwg/src/out_json.c	['llvmfuzz']	[]
/src/libredwg/src/in_json.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/decode_r11.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/dxfclasses.c	[]	[]
/src/libredwg/programs/dwgbmp.c	[]	[]
/src/libredwg/src/free.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/out_dxfb.c	['llvmfuzz']	[]
/src/libredwg/examples/load_dwg.c	[]	[]
/src/libredwg/test/unit-testing/dxf_test.c	[]	[]
/src/libredwg/src/print.c	['llvmfuzz']	[]
/src/libredwg/src/in_dxf.h	[]	[]
/src/libredwg/src/myalloca.h	[]	[]
/src/libredwg/test/unit-testing/encode_test.c	[]	[]
/src/libredwg/programs/dwg2SVG.c	[]	[]
/src/libredwg/src/out_dxf.c	['llvmfuzz']	[]
/src/libredwg/examples/unknown.c	[]	[]
/src/libredwg/test/unit-testing/dynapi_test.c	[]	[]
/src/libredwg/src/common.h	[]	[]
/src/libredwg/test/unit-testing/common.c	[]	[]
/src/libredwg/include/dwg_api.h	[]	[]
/src/libredwg/src/common.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/programs/escape.c	[]	[]
/src/libredwg/src/codepages.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/test/xmlsuite/common.c	[]	[]
/src/libredwg/examples/dwg2svg2.c	[]	[]
/src/libredwg/src/out_geojson.c	[]	[]
/src/libredwg/src/spec.h	[]	[]
/src/libredwg/test/unit-testing/material.c	[]	[]
/src/libredwg/programs/dxf2dwg.c	[]	[]
/src/libredwg/include/dwg.h	[]	[]
/src/libredwg/test/unit-testing/add_test.c	[]	[]
/src/libredwg/src/encode.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/examples/llvmfuzz.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/test/unit-testing/bits_test.c	[]	[]
/src/libredwg/programs/dwg2ps.c	[]	[]
/src/libredwg/src/classes.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/test/unit-testing/imagedef_reactor.c	[]	[]
/src/libredwg/src/geom.c	[]	[]
/src/libredwg/examples/dwgfuzz.c	[]	[]
/src/libredwg/src/dynapi.h	[]	[]
/src/libredwg/examples/bits.c	[]	[]
/src/libredwg/src/in_dxf.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/src/decode.c	['llvmfuzz']	['llvmfuzz']
/src/libredwg/test/unit-testing/tests_common.h	['llvmfuzz']	[]
/src/libredwg/test/unit-testing/common_test.c	[]	[]
/src/libredwg/examples/dwgadd.c	[]	[]

Directories in report

Directory
/src/libredwg/src/
/src/libredwg/examples/
/src/libredwg/include/
/src/libredwg/test/xmlsuite/
/src/libredwg/programs/
/src/libredwg/test/unit-testing/

Function call coverage

This section shows a list of 3rd party function calls and their relative coverage information. By static analysis of the target project code, all of the 3rd party function call and their caller information, including the source file and line number that initiate the call are captured. The caller source code file and line number are shown in column 2 while column 1 is the function name of the 3rd party function call. Each occurrent of the 3rd party function call will occuply a separate row. Column 3 of each row indicate if the 3rd party call in the source file line is unreachable. Column 4 lists all fuzzers that have covered that particular system call in that specific location (source file and line)during their dynamic fuzzing.

Function in each files in report

Target sink	Callsite location	Reached by fuzzer	Covered by Fuzzers

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file

llvmfuzz fuzzerLogFile-llvmfuzz.data fuzzerLogFile-llvmfuzz.data.yaml llvmfuzz.covreport

Fuzzer	Calltree file	Program data file	Coverage file
llvmfuzz	fuzzerLogFile-llvmfuzz.data	fuzzerLogFile-llvmfuzz.data.yaml	llvmfuzz.covreport

Sink analyser for CWEs

No sink functions/methods found in the target project.

Table of contents

Project overview: libredwg

High level conclusions

Reachability and coverage overview

Fuzzers overview

Project functions overview

Fuzzer details

Fuzzer: llvmfuzz

Call tree

Fuzz blockers

Runtime coverage analysis

Files reached

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

All functions overview

Fuzz engine guidance

examples/llvmfuzz.c

Dictionary

Fuzzer function priority

Runtime coverage analysis

Complex functions with low coverage

Fuzz driver synthesis

New fuzzers

dynapi_test.c

in_dxf.c

out_json.c

dwgadd.c

decode.c

Files and Directories in report

Files in report

Directories in report

Function call coverage

Function in each files in report

Metadata section

Sink analyser for CWEs