src/scripts/test_fuzzers.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

#!/usr/bin/python

import sys
import os
import subprocess

def main(args=None):
    if args is None:
        args = sys.argv

    if len(args) != 3:
        print("Usage: %s <corpus_dir> <fuzzers_dir>" % (args[0]))
        return 1

    corpus_dir = args[1]
    fuzzer_dir = args[2]

    if not os.access(corpus_dir, os.R_OK):
        print("Error could not access corpus directory '%s'" % (corpus_dir))
        return 1

    if not os.access(fuzzer_dir, os.R_OK):
        print("Error could not access fuzzers directory '%s'" % (fuzzer_dir))
        return 1

    fuzzers = set([])
    for fuzzer in os.listdir(fuzzer_dir):
        if fuzzer.endswith('.zip'):
            continue
        fuzzers.add(fuzzer)

    corpii = set([])
    for corpus in os.listdir(corpus_dir):
        if corpus in ['.git', 'readme.txt']:
            continue
        corpii.add(corpus)

    fuzzers_without_corpus = fuzzers - corpii
    corpus_without_fuzzers = corpii - fuzzers

    for f in sorted(list(fuzzers_without_corpus)):
        print("Warning: Fuzzer %s has no corpus" % (f))
    for c in sorted(list(corpus_without_fuzzers)):
        print("Warning: Corpus %s has no fuzzer" % (c))

    fuzzers_with_corpus = fuzzers & corpii

    any_crashes = False

    for f in sorted(list(fuzzers_with_corpus)):
        fuzzer_bin = os.path.join(fuzzer_dir, f)
        corpus_files = os.path.join(corpus_dir, f)
        for corpus_file in sorted(list(os.listdir(corpus_files))):
            corpus_fd = open(os.path.join(corpus_files, corpus_file), 'r')
            fuzzer_proc = subprocess.Popen([fuzzer_bin], stdin=corpus_fd,
                                           stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
            (stdout, stderr) = fuzzer_proc.communicate()
            corpus_fd.close()

            if fuzzer_proc.returncode != 0:
                print("Fuzzer %s crashed with input %s returncode %d" % (f, corpus_file, fuzzer_proc.returncode))
                any_crashes = True

            if len(stdout) != 0:
                stdout = stdout.decode('ascii')
                print("Fuzzer %s produced stdout on input %s:\n%s" % (f, corpus_file, stdout))

            if len(stderr) != 0:
                stderr = stderr.decode('ascii')
                print("Fuzzer %s produced stderr on input %s:\n%s" % (f, corpus_file, stderr))

    if any_crashes:
        return 2
    return 0


if __name__ == '__main__':
    sys.exit(main())