From 6bda921da0f996fc389caac77950d39cd05c855e Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 2 Nov 2015 06:53:48 +0100 Subject: [PATCH] [ftfuzzer] Update README file. --- src/tools/ftfuzzer/README | 67 ++++++++++++++++++++++++++++++--------- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/src/tools/ftfuzzer/README b/src/tools/ftfuzzer/README index 7248bb7b1..f827d5ed1 100644 --- a/src/tools/ftfuzzer/README +++ b/src/tools/ftfuzzer/README 
@@ -1,23 +1,60 @@ ftfuzzer --------- +======== -ftfuzzer.cc contains a target function for FreeType fuzzing. -It can be used with libFuzzer (http://llvm.org/docs/LibFuzzer.html) -or potentially any other similar fuzzer. + +ftfuzzer.cc +----------- + +This file contains a target function for FreeType fuzzing. It can be used +with libFuzzer (http://llvm.org/docs/LibFuzzer.html) or potentially any +other similar fuzzer. Usage: - 1. Build libfreetype.a and ftfuzzer.cc using the most recent clang compiler - with these flags: - -fsanitize-coverage=edge,8bit-counters # for fuzzer coverage feedback - -fsanitize=address,signed-integer-overflow,shift # for bug checking - 2. Link with libFuzzer (it contains main()). + + 1. Build `libfreetype.a' and `ftfuzzer.cc' using the most recent clang + compiler with these flags: + + -fsanitize-coverage=edge,8bit-counters # for fuzzer coverage feedback + -fsanitize=address,signed-integer-overflow,shift # for bug checking + + You also need the header files from `libarchive' for handling tar files + (see `ftmutator.cc' below for more). + + 2. Link with `libFuzzer' (it contains main()) and `libarchive'. + 3. Run the fuzzer on some test corpus. The exact flags and commands may vary. -There is a continuous fuzzing bot that runs ftfuzzer: -https://github.com/google/libfuzzer-bot/tree/master/freetype. -Check the bot confituration for the most current settings. -runinput.cc contains a convenience main() function to run the target function -on a set of input files. Link it with ftfuzzer.cc and libfreetype.a -and run like "./a.out my_tests_inputs/*" + +There is a continuous fuzzing bot that runs ftfuzzer. + + https://github.com/google/libfuzzer-bot/tree/master/freetype + +Check the bot configuration for the most current settings. + + +ftmutator.cc +------------ + +FreeType has the ability to `attach' auxiliary files to a font file, +providing additional information. The main usage is to load AFM files for +PostScript Type 1 fonts. 
+ +However, libFuzzer currently only supports mutation of a single input file. +For this reason, `ftmutator.cc' contains a custom fuzzer mutator that uses +an uncompressed tar file archive as the input. The first file in such a +tarball gets opened by FreeType as a font, all other files are treated as +input for `FT_Attach_Stream'. + +Compilation is similar to `ftfuzzer.c'. + + +runinput.cc +----------- + +To run the target function on a set of input files, this file contains a +convenience main() function. Link it with `ftfuzzer.cc', `libfreetype.a', +and `libarchive' and run like + + ./a.out my_tests_inputs/*
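Review bot: the ftmutator.cc section ends with "Compilation is similar to `ftfuzzer.c'." while every other reference in this README (the section heading, Usage step 1, the runinput.cc section) spells the file `ftfuzzer.cc'; suggest changing it to `ftfuzzer.cc' so readers do not look for a file that does not exist. Two smaller points in the same hunk: the ftmutator.cc text states that the tarball must be uncompressed and that only the first entry is opened as a font, but says nothing about what happens when the input is not a tar archive at all, which is the common case for the existing corpus, so one sentence on that (e.g. whether a plain font file is still accepted as the first "entry") would help; and the runinput.cc section now requires linking `libarchive' without saying that its inputs may also be tarballs, so a short cross-reference to the ftmutator.cc section would make that requirement understandable.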