Fuzz pkcs7, punycode, x509 ##fuzz

libr/util/punycode.c

@@ -298,6 +298,10 @@ R_API char *r_punycode_decode(const char *src, int srclen, int *dstlen) {
 		org_i = i;
 
 		for (w = 1, k = BASE;; k += BASE) {
+			if (si >= srclen) {
+				free (dst);
+				return NULL;
+			}
 			digit = decode_digit (src[si++]);
 
 			if (digit == UT32_MAX) {

libr/util/x509.c

@@ -181,6 +181,9 @@ R_API bool r_x509_parse_tbscertificate(RX509TBSCertificate *tbsc, RASN1Object *o
 	if (shift < object->list.length && elems[shift]->klass == CLASS_UNIVERSAL && elems[shift]->tag == TAG_INTEGER) {
 		tbsc->serialNumber = r_asn1_stringify_integer (elems[shift]->sector, elems[shift]->length);
 	}
+	if (object->list.length < shift + 6) {
+		return false;
+	}
 	r_x509_parse_algorithmidentifier (&tbsc->signature, elems[shift + 1]);
 	r_x509_parse_name (&tbsc->issuer, elems[shift + 2]);
 	r_x509_parse_validity (&tbsc->validity, elems[shift + 3]);

test/fuzz/fuzz_pkcs7_parse.c

@@ -0,0 +1,17 @@
+#include <r_types.h>
+#include <r_util/pj.h>
+#include <r_util/r_asn1.h>
+#include <r_util/r_log.h>
+#include <r_util/r_x509.h>
+#include <r_util/r_pkcs7.h>
+
+int LLVMFuzzerInitialize(int *lf_argc, char ***lf_argv) {
+	r_log_set_quiet (true);
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const ut8 *data, size_t len) {
+	RCMS *out = r_pkcs7_parse_cms (data, len);
+	free (out);
+	return 0;
+}

test/fuzz/fuzz_punycode_decode.c

@@ -0,0 +1,15 @@
+#include <r_types.h>
+#include <r_util/r_log.h>
+#include <r_util/r_punycode.h>
+
+int LLVMFuzzerInitialize(int *lf_argc, char ***lf_argv) {
+	r_log_set_quiet (true);
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const ut8 *data, size_t len) {
+	int dstlen;
+	char *out = r_punycode_decode ((const char*)data, (int)len, &dstlen);
+	free (out);
+	return 0;
+}

test/fuzz/fuzz_x509_parse.c

@@ -0,0 +1,16 @@
+#include <r_types.h>
+#include <r_util/pj.h>
+#include <r_util/r_asn1.h>
+#include <r_util/r_log.h>
+#include <r_util/r_x509.h>
+
+int LLVMFuzzerInitialize(int *lf_argc, char ***lf_argv) {
+	r_log_set_quiet (true);
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const ut8 *data, size_t len) {
+	RX509Certificate *out = r_x509_parse_certificate2 (data, len);
+	free (out);
+	return 0;
+}

test/fuzz/meson.build

@@ -2,7 +2,10 @@ if get_option('enable_libfuzzer')
   targets = [
     'bin',
     'bin_demangle',
+    'pkcs7_parse',
+    'punycode_decode',
     'run_parseline',
+    'x509_parse',
   ]
 
   foreach target : targets