From c5a09a32a9ca1ca6c614a2b61db69350beeedadc Mon Sep 17 00:00:00 2001
From: Max Bruckner
Date: Sat, 18 Feb 2017 02:31:42 +0100
Subject: [PATCH] fuzzing: Fuzz different print methods
This is achieved by encoding the type of function used in the first two bytes. First byte: b: buffered Second byte: f: formatted
---
fuzzing/afl.c | 28 +++++++++++++++++++++++++---
fuzzing/inputs/test1 | 2 +-
fuzzing/inputs/test10 | 2 +-
fuzzing/inputs/test11 | 2 +-
fuzzing/inputs/test2 | 2 +-
fuzzing/inputs/test3 | 4 ++--
fuzzing/inputs/test3.bu | 26 ++++++++++++++++++++++++++
fuzzing/inputs/test3.uf | 26 ++++++++++++++++++++++++++
fuzzing/inputs/test3.uu | 26 ++++++++++++++++++++++++++
fuzzing/inputs/test4 | 4 ++--
fuzzing/inputs/test5 | 2 +-
fuzzing/inputs/test6 | 4 ++--
fuzzing/inputs/test7 | 2 +-
fuzzing/inputs/test8 | 2 +-
fuzzing/inputs/test9 | 2 +-
15 files changed, 117 insertions(+), 17 deletions(-)
create mode 100644 fuzzing/inputs/test3.bu
create mode 100644 fuzzing/inputs/test3.uf
create mode 100644 fuzzing/inputs/test3.uu
diff --git a/fuzzing/afl.c b/fuzzing/afl.c
index f2452de..59bbca7 100644
--- a/fuzzing/afl.c
+++ b/fuzzing/afl.c
@@ -101,12 +101,12 @@ int main(int argc, char** argv)
 filename = argv[1];
 json = read_file(filename);
- if (json == NULL)
+ if ((json == NULL) || (json[0] == '\0') || (json[1] == '\0'))
 {
 status = EXIT_FAILURE;
 goto cleanup;
 }
- item = cJSON_Parse(json);
+ item = cJSON_Parse(json + 2);
 if (item == NULL)
 {
 goto cleanup;
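Review bot: The new guard on `json[0]`/`json[1]` and the `cJSON_Parse(json + 2)` call skip two bytes of the input file without any comment saying why, so a reader of afl.c has to find this commit message to learn that those bytes are a mode prefix. A one-line comment on the parse line would keep the harness self-describing: `/* bytes 0-1 of the input select the print mode (see below); the JSON document starts at offset 2 */`. The length check also relies on read_file() returning a NUL-terminated buffer, which is not visible in this hunk; if it does not, a 1-byte input reads `json[1]` one past the data, so it is worth confirming that read_file appends the terminator or having it return the length instead. The enclosing main() starts and ends outside this hunk.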
@@ -114,7 +114,29 @@ int main(int argc, char** argv)
 if ((argc == 3) && (strncmp(argv[2], "yes", 3) == 0))
 {
- printed_json = cJSON_Print(item);
+ int do_format = 0;
+ if (json[1] == 'f')
+ {
+ do_format = 1;
+ }
+
+ if (json[0] == 'b')
+ {
+ /* buffered printing */
+ printed_json = cJSON_PrintBuffered(item, 1, do_format);
+ }
+ else
+ {
+ /* unbuffered printing */
+ if (do_format)
+ {
+ printed_json = cJSON_Print(item);
+ }
+ else
+ {
+ printed_json = cJSON_PrintUnformatted(item);
+ }
+ }
 if (printed_json == NULL)
 {
 status = EXIT_FAILURE;
diff --git a/fuzzing/inputs/test1 b/fuzzing/inputs/test1
index eacfbf5..6a0c0d7 100644
--- a/fuzzing/inputs/test1
+++ b/fuzzing/inputs/test1
@@ -1,4 +1,4 @@
-{
+bf{
 "glossary": {
 "title": "example glossary",
 "GlossDiv": {
diff --git a/fuzzing/inputs/test10 b/fuzzing/inputs/test10
index d19eb8b..01e9a82 100644
--- a/fuzzing/inputs/test10
+++ b/fuzzing/inputs/test10
@@ -1 +1 @@
-["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
+bf["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
diff --git a/fuzzing/inputs/test11 b/fuzzing/inputs/test11
index eaf43e6..818c6e0 100644
--- a/fuzzing/inputs/test11
+++ b/fuzzing/inputs/test11
@@ -1,4 +1,4 @@
-{
+bf{
 "name": "Jack (\"Bee\") Nimble",
 "format": {"type": "rect",
 "width": 1920,
diff --git a/fuzzing/inputs/test2 b/fuzzing/inputs/test2
index 5600991..3fdf8cb 100644
--- a/fuzzing/inputs/test2
+++ b/fuzzing/inputs/test2
@@ -1,4 +1,4 @@
-{"menu": {
+bf{"menu": {
 "id": "file",
 "value": "File",
 "popup": {
diff --git a/fuzzing/inputs/test3 b/fuzzing/inputs/test3
index 5662b37..7143163 100644
--- a/fuzzing/inputs/test3
+++ b/fuzzing/inputs/test3
@@ -1,4 +1,4 @@
-{"widget": {
+bf{"widget": {
 "debug": "on",
 "window": {
 "title": "Sample Konfabulator Widget",
@@ -23,4 +23,4 @@
 "alignment": "center",
 "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;"
 }
-}}
\ No newline at end of file
+}}
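Review bot: The mode bytes are decoded here without a comment explaining the encoding, so nothing in afl.c tells a reader that `json[0] == 'b'` selects cJSON_PrintBuffered and `json[1] == 'f'` selects formatted output, or that any other byte silently falls back to unbuffered/unformatted printing (fine for a fuzz harness, but worth stating). Suggest a comment above the `int do_format = 0;` declaration: `/* input prefix: byte 0 'b' = buffered printing, byte 1 'f' = formatted; any other value means unbuffered / unformatted */`. The literal `1` passed as the prebuffer size to `cJSON_PrintBuffered(item, 1, do_format)` also deserves a why-comment, since it presumably forces the output buffer to grow on almost every write and is the reason this path is interesting to fuzz — e.g. `/* prebuffer of 1 byte so the buffer-growth path is exercised */`. The enclosing main() starts and ends outside this hunk.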
diff --git a/fuzzing/inputs/test3.bu b/fuzzing/inputs/test3.bu
new file mode 100644
index 0000000..6fc93d3
--- /dev/null
+++ b/fuzzing/inputs/test3.bu
@@ -0,0 +1,26 @@
+bu{"widget": {
+ "debug": "on",
+ "window": {
+ "title": "Sample Konfabulator Widget",
+ "name": "main_window",
+ "width": 500,
+ "height": 500
+ },
+ "image": {
+ "src": "Images/Sun.png",
+ "name": "sun1",
+ "hOffset": 250,
+ "vOffset": 250,
+ "alignment": "center"
+ },
+ "text": {
+ "data": "Click Here",
+ "size": 36,
+ "style": "bold",
+ "name": "text1",
+ "hOffset": 250,
+ "vOffset": 100,
+ "alignment": "center",
+ "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;"
+ }
+}}
diff --git a/fuzzing/inputs/test3.uf b/fuzzing/inputs/test3.uf
new file mode 100644
index 0000000..d48df61
--- /dev/null
+++ b/fuzzing/inputs/test3.uf
@@ -0,0 +1,26 @@
+uf{"widget": {
+ "debug": "on",
+ "window": {
+ "title": "Sample Konfabulator Widget",
+ "name": "main_window",
+ "width": 500,
+ "height": 500
+ },
+ "image": {
+ "src": "Images/Sun.png",
+ "name": "sun1",
+ "hOffset": 250,
+ "vOffset": 250,
+ "alignment": "center"
+ },
+ "text": {
+ "data": "Click Here",
+ "size": 36,
+ "style": "bold",
+ "name": "text1",
+ "hOffset": 250,
+ "vOffset": 100,
+ "alignment": "center",
+ "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;"
+ }
+}}
diff --git a/fuzzing/inputs/test3.uu b/fuzzing/inputs/test3.uu
new file mode 100644
index 0000000..ad6ae54
--- /dev/null
+++ b/fuzzing/inputs/test3.uu
@@ -0,0 +1,26 @@
+uu{"widget": {
+ "debug": "on",
+ "window": {
+ "title": "Sample Konfabulator Widget",
+ "name": "main_window",
+ "width": 500,
+ "height": 500
+ },
+ "image": {
+ "src": "Images/Sun.png",
+ "name": "sun1",
+ "hOffset": 250,
+ "vOffset": 250,
+ "alignment": "center"
+ },
+ "text": {
+ "data": "Click Here",
+ "size": 36,
+ "style": "bold",
+ "name": "text1",
+ "hOffset": 250,
+ "vOffset": 100,
+ "alignment": "center",
+ "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;"
+ }
+}}
diff --git a/fuzzing/inputs/test4 b/fuzzing/inputs/test4
index d540b57..e24ae9b 100644
--- a/fuzzing/inputs/test4
+++ b/fuzzing/inputs/test4
@@ -1,4 +1,4 @@
-{"web-app": {
+bf{"web-app": {
 "servlet": [
 {
 "servlet-name": "cofaxCDS",
@@ -85,4 +85,4 @@
 "taglib": {
 "taglib-uri": "cofax.tld",
- "taglib-location": "/WEB-INF/tlds/cofax.tld"}}}
\ No newline at end of file
+ "taglib-location": "/WEB-INF/tlds/cofax.tld"}}}
diff --git a/fuzzing/inputs/test5 b/fuzzing/inputs/test5
index 49980ca..f6cc84e 100644
--- a/fuzzing/inputs/test5
+++ b/fuzzing/inputs/test5
@@ -1,4 +1,4 @@
-{"menu": {
+bf{"menu": {
 "header": "SVG Viewer",
 "items": [
 {"id": "Open"},
diff --git a/fuzzing/inputs/test6 b/fuzzing/inputs/test6
index d5cb28f..af27975 100644
--- a/fuzzing/inputs/test6
+++ b/fuzzing/inputs/test6
@@ -1,4 +1,4 @@
- +bf
@@ -13,4 +13,4 @@

Application Error

-
\ No newline at end of file
+
diff --git a/fuzzing/inputs/test7 b/fuzzing/inputs/test7
index 3308536..4a3c0b7 100644
--- a/fuzzing/inputs/test7
+++ b/fuzzing/inputs/test7
@@ -1,4 +1,4 @@
-[
+bf[
 {
 "precision": "zip",
 "Latitude": 37.7668,
diff --git a/fuzzing/inputs/test8 b/fuzzing/inputs/test8
index 4b1f5b9..3ffe570 100644
--- a/fuzzing/inputs/test8
+++ b/fuzzing/inputs/test8
@@ -1,4 +1,4 @@
-{
+bf{
 "Image": {
 "Width": 800,
 "Height": 600,
diff --git a/fuzzing/inputs/test9 b/fuzzing/inputs/test9
index 2a939b9..28c9033 100644
--- a/fuzzing/inputs/test9
+++ b/fuzzing/inputs/test9
@@ -1,4 +1,4 @@
-[
+bf[
 [0, -1, 0],
 [1, 0, 0],
 [0, 0, 1]