Add fuzz tests for json_object/point/array apis

Extends the coverage of fuzz tests executed in OSS-Fuzz.
2024-11-08 22:20:40 -05:00
parent 565f181f65
commit 839fbe0d63
7 changed files with 190 additions and 0 deletions
--- a/fuzz/json_array_fuzzer.cc
+++ b/fuzz/json_array_fuzzer.cc
@@ -0,0 +1,27 @@
 #include <fuzzer/FuzzedDataProvider.h>
 #include "json.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	FuzzedDataProvider fdp(data, size);
 	json_object *my_array = json_object_new_array();
 	for (int i = 0; i < 3; ++i) {
 		json_object *jso = json_tokener_parse(fdp.ConsumeRandomLengthString(10).c_str());
 		if (jso == NULL) {
 			continue;
 		}
 		json_object_array_add(my_array, jso);
 	}
 	json_object_array_insert_idx(my_array, fdp.ConsumeIntegralInRange<size_t>(0, 10),
 	                             json_object_new_int(fdp.ConsumeIntegral<int>()));
 	json_object_array_get_idx(my_array, fdp.ConsumeIntegralInRange<size_t>(0, 10));
 	json_object_array_put_idx(my_array, fdp.ConsumeIntegralInRange<size_t>(0, 10),
 	                          json_object_new_int(fdp.ConsumeIntegral<int>()));
 	json_object_array_del_idx(my_array, fdp.ConsumeIntegralInRange<size_t>(0, 10),
 	                          fdp.ConsumeIntegralInRange<size_t>(0, 10));
 	json_object_array_shrink(my_array, fdp.ConsumeIntegralInRange<size_t>(0, 10));
 	json_object_array_sort(my_array, [](const void *a, const void *b) { return 0; });
 	json_object_array_length(my_array);
 	json_object_put(my_array);
 	return 0;
 }
--- a/fuzz/json_array_fuzzer.dict
+++ b/fuzz/json_array_fuzzer.dict
@@ -0,0 +1,21 @@
 "{"
 "}"
 ","
 "["
 "]"
 ","
 ":"
 "e"
 "e+"
 "e-"
 "E"
 "E+"
 "E-"
 "\""
 "null"
 "1"
 "1.234"
 "3e4"
 "NaN"
 "Infinity"
 "-Infinity"
--- a/fuzz/json_object_fuzzer.cc
+++ b/fuzz/json_object_fuzzer.cc
@@ -0,0 +1,44 @@
 #include <fuzzer/FuzzedDataProvider.h>
 #include "json.h"
 #include "json_visit.h"
 // Function to test json_c_visit
 static int emit_object(json_object *jso, int flags, json_object *parent_jso, const char *jso_key,
                       size_t *jso_index, void *userarg) {
 	return JSON_C_VISIT_RETURN_CONTINUE;
 }
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	FuzzedDataProvider fdp(data, size);
 	json_object *jso = json_tokener_parse(fdp.ConsumeRandomLengthString(20).c_str());
 	json_object_get_boolean(jso);
 	json_object_get_double(jso);
 	json_object_get_int(jso);
 	json_object_get_int64(jso);
 	json_object_get_uint64(jso);
 	json_object_get_string(jso);
 	json_object_get_string_len(jso);
 	json_object_get_object(jso);
 	json_object_get_array(jso);
 	json_object_get_type(jso);
 	json_c_visit(jso, 0, emit_object, NULL);
 	json_object_set_int(jso, fdp.ConsumeIntegral<int>());
 	json_object_set_int64(jso, fdp.ConsumeIntegral<int64_t>());
 	json_object_set_uint64(jso, fdp.ConsumeIntegral<uint64_t>());
 	json_object_set_double(jso, fdp.ConsumeFloatingPoint<double>());
 	json_object_set_string(jso, fdp.ConsumeRandomLengthString(10).c_str());
 	json_object_set_boolean(jso, fdp.ConsumeBool());
 	std::string str = fdp.ConsumeRandomLengthString(10);
 	json_object_set_string_len(jso, str.c_str(), str.size());
 	json_object *dst = NULL;
 	json_object_deep_copy(jso, &dst, json_c_shallow_copy_default);
 	json_object_put(dst);
 	json_object_put(jso);
 	return 0;
 }
--- a/fuzz/json_object_fuzzer.dict
+++ b/fuzz/json_object_fuzzer.dict
@@ -0,0 +1,21 @@
 "{"
 "}"
 ","
 "["
 "]"
 ","
 ":"
 "e"
 "e+"
 "e-"
 "E"
 "E+"
 "E-"
 "\""
 "null"
 "1"
 "1.234"
 "3e4"
 "NaN"
 "Infinity"
 "-Infinity"
--- a/fuzz/json_pointer_fuzzer.cc
+++ b/fuzz/json_pointer_fuzzer.cc
@@ -0,0 +1,53 @@
 #include <fuzzer/FuzzedDataProvider.h>
 #include "json.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	FuzzedDataProvider fdp(data, size);
 	struct json_tokener *tokener =
 	    json_tokener_new_ex(fdp.ConsumeIntegralInRange<int>(1, JSON_TOKENER_DEFAULT_DEPTH));
 	int flags = 0;
 	if (fdp.ConsumeBool()) {
 		flags |= JSON_TOKENER_VALIDATE_UTF8;
 	}
 	if (fdp.ConsumeBool()) {
 		flags |= JSON_TOKENER_ALLOW_TRAILING_CHARS;
 	}
 	if (fdp.ConsumeBool()) {
 		flags |= JSON_TOKENER_STRICT;
 	}
 	json_tokener_set_flags(tokener, flags);
 	std::string path = fdp.ConsumeRandomLengthString(5);
 	std::string sub_json_str = fdp.ConsumeRandomLengthString(10);
 	bool use_format_string = fdp.ConsumeBool();
 	std::string json_str = fdp.ConsumeRemainingBytesAsString();
 	struct json_object *jo1 = json_tokener_parse_ex(tokener, json_str.c_str(), json_str.size());
 	struct json_object *sub_json = json_tokener_parse(sub_json_str.c_str());
 	if (sub_json == NULL) {
 		sub_json = json_object_new_object();
 	}
 	struct json_object *jo2 = NULL;
 	if (use_format_string) {
 		json_pointer_getf(jo1, &jo2, "%s", path.c_str());
 		if (json_pointer_setf(&jo1, sub_json, "%s", path.c_str()))
 		{
 			json_object_put(sub_json);
 		}
 	} else {
 		json_pointer_get(jo1, path.c_str(), &jo2);
 		if (json_pointer_set(&jo1, path.c_str(), sub_json))
 		{
 			json_object_put(sub_json);
 		}
 	}
 	// Clean up the main JSON object
 	json_object_put(jo1);
 	json_tokener_free(tokener);
 	return 0;
 }
--- a/fuzz/json_pointer_fuzzer.dict
+++ b/fuzz/json_pointer_fuzzer.dict
@@ -0,0 +1,21 @@
 "{"
 "}"
 ","
 "["
 "]"
 ","
 ":"
 "e"
 "e+"
 "e-"
 "E"
 "E+"
 "E-"
 "\""
 "null"
 "1"
 "1.234"
 "3e4"
 "NaN"
 "Infinity"
 "-Infinity"
--- a/fuzz/tokener_parse_ex_fuzzer.dict
+++ b/fuzz/tokener_parse_ex_fuzzer.dict
@@ -16,3 +16,6 @@
 "1"
 "1.234"
 "3e4"
 "NaN"
 "Infinity"
 "-Infinity"