Code and corpora for curl and libcurl fuzzing.

Great! Run ./mainline.sh. It will download you a fresh copy of curl, compile it with clang, install it to a temporary directory, then compile the fuzzer against curl. It'll also run the regression testcases.

If you have a local copy of curl that you want to use instead, pass the path as an argument to ./mainline.sh. It will compile and install that curl to a temporary directory instead.

./mainline.sh is run regressibly by Travis CI.

Run ./codecoverage.sh. It will download you a fresh copy of curl, compile it with gcc, install it, then compile the fuzzer against it. It'll then run a coverage run and work out the coverage of the test cases, using lcov to generate coverage information.

./codecoverage.sh is run regressibly by Travis CI.

Setting the FUZZ_VERBOSE environment variable turns on curl verbose logging. This can be useful when debugging a single testcase.

Check out REPRODUCING.md for more detailed instructions.

To look at the contents of a testcase, run

python read_corpus.py --input <path/to/file>

This will print out a list of contents inside the file.

To generate a new testcase, run python generate_corpus.py with appropriate options.

Wonderful! Here's a bit of information you may need to know.

Testcases are written in a Type-Length-Value or TLV format. Each TLV has:

• 16 bits for the Type
• 32 bits for the Length of the TLV data
• 0 - length bytes of data.

TLV type numbers are defined in both corpus.py and curl_fuzzer.h.

To add a new TLV:

• Add support for it in the Python scripts: generate_corpus.py, corpus.py. This means adding options for reading the value of the TLV from the user (or from a file, or from test data)
• Add support for it in the fuzzer: curl_fuzzer.cc, curl_fuzzer.h. This likely means adding handling of the TLV to fuzz_parse_tlv().