Commandline wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!

libFuzzer needs LLVM sanitizer support, so this is x86-64 Linux-only for now. This also needs a nightly since it uses some unstable commandline flags.

This crate is currently under some churn -- in case stuff isn't working, please reinstall it (cargo install cargo-fuzz -f), and delete the cloned libfuzzer-sys folder in the fuzz/ folder. Rerunning cargo fuzz --init after moving your fuzz folder and updating this crate may get you a better generated fuzz/Cargo.toml. Expect this to settle down soon.

$ cargo install cargo-fuzz

First, set up your project for fuzzing:

$ cd /path/to/project
$ cargo fuzz init

This will create a fuzz folder, containing a fuzzing script called fuzzer_script_1 in the fuzzers/ subfolder. It is generally a good idea to check in the files generated by init.

libFuzzer is going to repeatedly call the go() function in the fuzzer script with a byte buffer data of length size, until your program hits an error condition (segfault, panic, etc). Write your go() function to hit the entry point you need.

You can add more fuzz target scripts via cargo fuzz add name_of_script. There is a Cargo.toml in the fuzz/ folder where you can add dependencies.

To fuzz a fuzz target, run:

$ cd /path/to/project
$ cargo fuzz run fuzzer_script_1 # or whatever the target is named

Then, wait till it finds something!

🏆 🏆 🏆 🏆 🏆 🏆

• toml-rs panic
• unicode-segmentation: grapheme boundary correctness, word boundary correctness
• image: 1, 2, 3, 4
• inflate: arithmetic overflow
• capnproto-rust: Multiple bugs, including a memory safety bug
• hyper: arithmetic overflow
• libpnet: arithmetic overflow
• quick-xml: arithmetic overflow
• svgparser: arithmetic overflow, bound checking panic, incorrect result, endless loop
• num: panic on BigInt parsing
• httpdate panics: "no character boundary" and arithmetic overflow
• vobsub: invalid slice 1, 2, 3, shift overflow, arithmetic overflow