Add new fuzzer wget_read_hunk_fuzzer.c

* fuzz/Makefile.am: Add wget_read_hunk_fuzzer
* fuzz/wget_read_hunk_fuzzer.c: New file
* fuzz/wget_read_hunk_fuzzer.in/*: Fuzz corpora
* src/connect.c: Add connect_cleanup()
* src/connect.h: Add prototype for connect_cleanup()

fuzz/Makefile.am

@@ -16,7 +16,8 @@ WGET_TESTS = \
  wget_netrc_fuzzer$(EXEEXT) \
  wget_options_fuzzer$(EXEEXT) \
  wget_robots_fuzzer$(EXEEXT) \
- wget_url_fuzzer$(EXEEXT)
+ wget_url_fuzzer$(EXEEXT) \
+ wget_read_hunk_fuzzer$(EXEEXT)
 
 if FUZZING
   bin_PROGRAMS = $(WGET_TESTS)
@@ -60,6 +61,9 @@ wget_robots_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
 wget_url_fuzzer_SOURCES = wget_url_fuzzer.c $(MAIN)
 wget_url_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
 
+wget_read_hunk_fuzzer_SOURCES = wget_read_hunk_fuzzer.c $(MAIN)
+wget_read_hunk_fuzzer_LDADD = ../src/libunittest.a $(LDADD)
+
 #EXTRA_DIST = $(wildcard *.options) $(wildcard *.dict) \
 # $(wildcard *.in) $(wildcard *.repro)
 

fuzz/wget_read_hunk_fuzzer.c

@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2019 Free Software Foundation, Inc.
+ *
+ * This file is part of GNU Wget.
+ *
+ * GNU Wget is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GNU Wget is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Wget.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdint.h> // uint8_t
+#include <stdio.h>  // fmemopen
+#include <string.h>  // strncmp
+#include <stdlib.h>  // free
+#include <unistd.h>  // close
+#include <fcntl.h>  // open flags
+#include <unistd.h>  // close
+#include <unistd.h>  // close
+
+#include "wget.h"
+#include "connect.h"
+#undef fopen_wgetrc
+
+#ifdef __cplusplus
+  extern "C" {
+#endif
+  #include "retr.h"
+
+  // declarations for wget internal functions
+  int main_wget(int argc, const char **argv);
+  void cleanup(void);
+//  FILE *fopen_wget(const char *pathname, const char *mode);
+//  FILE *fopen_wgetrc(const char *pathname, const char *mode);
+  void exit_wget(int status);
+#ifdef __cplusplus
+  }
+#endif
+
+#include "fuzzer.h"
+
+FILE *fopen_wget(const char *pathname, const char *mode)
+{
+	return fopen("/dev/null", mode);
+}
+
+FILE *fopen_wgetrc(const char *pathname, const char *mode)
+{
+	return NULL;
+}
+
+#ifdef FUZZING
+void exit_wget(int status)
+{
+}
+#endif
+
+static const uint8_t *g_data;
+static size_t g_size, g_read;
+
+struct my_context {
+	int peeklen;
+	char peekbuf[512];
+};
+
+static int my_peek (int fd _GL_UNUSED, char *buf, int bufsize, void *arg)
+{
+	if (g_read < g_size) {
+		struct my_context *ctx = (struct my_context *) arg;
+		int n = rand() % (g_size - g_read);
+		if (n > bufsize)
+			n = bufsize;
+		if (n > sizeof(ctx->peekbuf))
+			n = sizeof(ctx->peekbuf);
+		memcpy(buf, g_data + g_read, n);
+		memcpy(ctx->peekbuf, g_data + g_read, n);
+		g_read += n;
+		ctx->peeklen=n;
+		return n;
+	}
+	return 0;
+}
+static int my_read (int fd _GL_UNUSED, char *buf, int bufsize, void *arg)
+{
+	struct my_context *ctx = (struct my_context *) arg;
+
+	if (ctx->peeklen) {
+      /* If we have any peek data, simply return that. */
+      int copysize = MIN (bufsize, ctx->peeklen);
+      memcpy (buf, ctx->peekbuf, copysize);
+      ctx->peeklen -= copysize;
+      if (ctx->peeklen)
+        memmove (ctx->peekbuf, ctx->peekbuf + copysize, ctx->peeklen);
+
+      return copysize;
+	}
+
+	if (g_read < g_size) {
+		int n = rand() % (g_size - g_read);
+		if (n > bufsize)
+			n = bufsize;
+		memcpy(buf, g_data + g_read, n);
+		g_read += n;
+		return n;
+	}
+
+	return 0;
+}
+static int my_write (int fd _GL_UNUSED, char *buf _GL_UNUSED, int bufsize, void *arg _GL_UNUSED)
+{
+	return bufsize;
+}
+static int my_poll (int fd _GL_UNUSED, double timeout _GL_UNUSED, int wait_for _GL_UNUSED, void *arg)
+{
+	struct my_context *ctx = (struct my_context *) arg;
+
+   return ctx->peeklen || g_read < g_size;
+}
+static const char *my_errstr (int fd _GL_UNUSED, void *arg _GL_UNUSED)
+{
+	return "Success";
+}
+static void my_close (int fd _GL_UNUSED, void *arg _GL_UNUSED)
+{
+}
+
+static struct transport_implementation my_transport =
+{
+  my_read, my_write, my_poll,
+  my_peek, my_errstr, my_close
+};
+
+/* copied from wget's http.c */
+static const char *
+response_head_terminator (const char *start, const char *peeked, int peeklen)
+{
+  const char *p, *end;
+
+  /* If at first peek, verify whether HUNK starts with "HTTP".  If
+     not, this is a HTTP/0.9 request and we must bail out without
+     reading anything.  */
+  if (start == peeked && 0 != memcmp (start, "HTTP", MIN (peeklen, 4)))
+    return start;
+
+  /* Look for "\n[\r]\n", and return the following position if found.
+     Start two chars before the current to cover the possibility that
+     part of the terminator (e.g. "\n\r") arrived in the previous
+     batch.  */
+  p = peeked - start < 2 ? start : peeked - 2;
+  end = peeked + peeklen;
+
+  /* Check for \n\r\n or \n\n anywhere in [p, end-2). */
+  for (; p < end - 2; p++)
+    if (*p == '\n')
+      {
+        if (p[1] == '\r' && p[2] == '\n')
+          return p + 3;
+        else if (p[1] == '\n')
+          return p + 2;
+      }
+  /* p==end-2: check for \n\n directly preceding END. */
+  if (p[0] == '\n' && p[1] == '\n')
+    return p + 2;
+
+  return NULL;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	char *hunk;
+
+	if (size > 4096) // same as max_len = ... in .options file
+		return 0;
+
+//	CLOSE_STDERR
+
+	g_data = data;
+	g_size = size;
+	g_read = 0;
+
+	struct my_context *ctx = calloc(1, sizeof(struct my_context));
+	fd_register_transport(99, &my_transport, ctx);
+
+	while ((hunk = fd_read_hunk(99, response_head_terminator, 512, 65536)))
+		free(hunk);
+
+   connect_cleanup();
+	free(ctx);
+
+//	RESTORE_STDERR
+
+	return 0;
+}

fuzz/wget_read_hunk_fuzzer.in/0223d9b49784338193078cc1ce4937d1ae0843ee

@@ -0,0 +1,3 @@
+HTTP
+
+'

fuzz/wget_read_hunk_fuzzer.in/03324eed2a844c2c712c3a736395dd996ff5da3a

@@ -0,0 +1,2 @@
+HTTP
+<EFBFBD>

fuzz/wget_read_hunk_fuzzer.in/04a822e65bb1e8bb2c19f09b187004bb3f8b1650

@@ -0,0 +1,5 @@
+HTTPHH~:þ±
+
+QHTTPHH~:þ±
+
+QTT)÷)÷ÿ

fuzz/wget_read_hunk_fuzzer.in/06f4cdeb821523a02351795dc305b330196dd95e

@@ -0,0 +1,3 @@
+H
+
+<EFBFBD>

fuzz/wget_read_hunk_fuzzer.in/09543c8214d579ab15c96c09267a61c8aaf8c9ef

@@ -0,0 +1 @@
+HTTP<EFBFBD><EFBFBD>)<29>M<EFBFBD><4D>

fuzz/wget_read_hunk_fuzzer.in/0e3db6c438a6d2126102efdfdd9d7485d2a985d1

@@ -0,0 +1 @@
+HTTP<EFBFBD><EFBFBD><EFBFBD><EFBFBD>)<29><><EFBFBD><EFBFBD><EFBFBD>HTTP<54><50>

fuzz/wget_read_hunk_fuzzer.in/15c59fa0420280649a7844b6298b961865efdd76

@@ -0,0 +1 @@
+HHT

fuzz/wget_read_hunk_fuzzer.in/200e3883469d4d99b28d29167bf9a48d33efcf5b

@@ -0,0 +1 @@
+H!T'<27>

fuzz/wget_read_hunk_fuzzer.in/223e49ca36b549c406edaee2b04a68bdb2baeb08

@@ -0,0 +1 @@
+HTT~~~

fuzz/wget_read_hunk_fuzzer.in/25db0570cd4eeeafb131bd3698f4c544f40017e1

@@ -0,0 +1,3 @@
+HTTPH
+<EFBFBD>
+~

fuzz/wget_read_hunk_fuzzer.in/2a4630b84731f6f7ae444a86c0f1026faca44d82

@@ -0,0 +1 @@
+HHH;

fuzz/wget_read_hunk_fuzzer.in/2bcb1b518040217690b627761d4f5c904bf437d8

@@ -0,0 +1,2 @@
+HTTH
+:

fuzz/wget_read_hunk_fuzzer.in/35cc83ddacfa942592c1f8ca25f2889772739b5c

@@ -0,0 +1 @@
+'!<21><>!

fuzz/wget_read_hunk_fuzzer.in/3da72e604871236487499a2669c0edd6e462d543

@@ -0,0 +1 @@
+HTTPHHH

fuzz/wget_read_hunk_fuzzer.in/40a50e5bfeaf182fb9def6c12891c11f4259f81b

@@ -0,0 +1 @@
+HIHHT

fuzz/wget_read_hunk_fuzzer.in/4c93a532486c2f5736dcba17309daf0f66315821

@@ -0,0 +1,4 @@
+HTP
+

+
H
+
ｫｽ

fuzz/wget_read_hunk_fuzzer.in/4dbe2f639ae782ad317f578f150d8960d5d45798

@@ -0,0 +1,3 @@
+H
+
+
T

fuzz/wget_read_hunk_fuzzer.in/63451c9bbffc0dc2d1b6b2cd83b039ad73a4aad4

@@ -0,0 +1,3 @@
+HTTP<EFBFBD>
+
+<EFBFBD>

fuzz/wget_read_hunk_fuzzer.in/64c38cf29a15ea03a3844b4bbabeaa53f7a42d28

@@ -0,0 +1 @@
+HT

fuzz/wget_read_hunk_fuzzer.in/6837896608e80848e5b6b1df5da5e05d484a616a

@@ -0,0 +1 @@
+HTH

fuzz/wget_read_hunk_fuzzer.in/6d528a0c51d29738948554967691cdc796957122

@@ -0,0 +1 @@
+HHHT

fuzz/wget_read_hunk_fuzzer.in/6e1075c0489eab6cc8eb88e9538018a3599f2e55

@@ -0,0 +1,2 @@
+tk
+

fuzz/wget_read_hunk_fuzzer.in/80bfe133b08cabda0426de4a5f3bb02527f4959f

@@ -0,0 +1 @@
+HTH<EFBFBD>

fuzz/wget_read_hunk_fuzzer.in/8159742cbdaf7a6da35ccd92c17ccbfcde622604

@@ -0,0 +1 @@
+HT	HHT

fuzz/wget_read_hunk_fuzzer.in/82ca7a52d589e9dbae37ebf1c59fac7ad876eb7c

@@ -0,0 +1 @@
+HTT

fuzz/wget_read_hunk_fuzzer.in/8626fd796c662c653271519258a41cde9a1c171c

@@ -0,0 +1,5 @@
+HTTP
+
+HTTP
+
+'

fuzz/wget_read_hunk_fuzzer.in/87f636c13a8eab70dd3098448e1f1cccef596614

@@ -0,0 +1,3 @@
+HT
+
+Q

fuzz/wget_read_hunk_fuzzer.in/8cdfd91f8eb4d0876e11de77e4513014c0d08e6a

@@ -0,0 +1,5 @@
+HTTP77737
+
+HTTP
+
+'