We can also try to fuzz the table sizes directly. Our goal is to find count[] (or code_lengths[]) values that lead to an overflowing Huffman table, i.e. a code whose root table plus second-level tables needs more entries than libwebp reserves for it.
By default we fuzz the last table (the distance table). Change the two values below if you want to fuzz one of the color tables instead.
// values for the distance table with 40 symbols (256 for the color tables)
#define SYMS 40 // 256
// the reserved size for that table; we can also increase this value to find larger overflows
#define TABLE_SIZE 410 // 630
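To check a candidate histogram without running the fuzzer, the following standalone program re-implements the size bookkeeping of BuildHuffmanTable() as it reads in libwebp 1.3.1 (an 8-bit root table plus one second-level table per root prefix, with the width taken from NextTableBitSize() and the canonical codes stepped with GetNextKey()). This is an added example, not code from fuzz_test.c or from libwebp; the function names next_table_bits, next_key, huffman_table_size, table_size_from_lengths and tree_is_complete are mine, and the two histograms are constructed for the 40-symbol / 410-entry distance table. The point it illustrates: a complete tree can reach the 410-entry bound but not exceed it, while an incomplete tree (rejected by 1.3.1 only by the "tree is full" check at the end of the function, after every entry has been written) pushes the last prefix to a 128-entry table with a single symbol and lands at 416.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LEN 15   /* MAX_ALLOWED_CODE_LENGTH in libwebp */
#define ROOT_BITS    8    /* HUFFMAN_TABLE_BITS in libwebp */

/* Width of the next 2nd-level table (mirrors NextTableBitSize()): count[] is
 * the histogram of the symbols not yet placed, len the length of the symbol
 * about to be placed. For an incomplete tree `left` never reaches zero and
 * the width grows to the maximum, 15 - 8 = 7 bits, i.e. 128 entries. */
static int next_table_bits(const int *count, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_CODE_LEN) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* Advance a bit-reversed canonical code (mirrors GetNextKey()). */
static unsigned next_key(unsigned key, int len) {
    unsigned step = 1u << (len - 1);
    while (key & step) step >>= 1;
    return step ? (key & (step - 1)) + step : key;
}

/* Number of HuffmanCode entries BuildHuffmanTable() writes for the histogram
 * count_in[1..15] (count_in[0] is ignored), or 0 when the code is empty or
 * over-subscribed. If complete is non-NULL it receives 1 for a full tree. */
int huffman_table_size(const int *count_in, int *complete) {
    int count[MAX_CODE_LEN + 1];
    int total_size = 1 << ROOT_BITS;            /* the root table */
    int num_symbols = 0, num_nodes = 1, num_open = 1, len;
    unsigned key = 0, low = 0xffffffffu, mask = (1u << ROOT_BITS) - 1;

    if (complete) *complete = 0;
    memcpy(count, count_in, sizeof(count));
    for (len = 1; len <= MAX_CODE_LEN; ++len) {
        if (count[len] < 0 || (len < MAX_CODE_LEN && count[len] > (1 << len))) return 0;
        num_symbols += count[len];
    }
    if (num_symbols == 0) return 0;
    if (num_symbols == 1) {                     /* single symbol: root table only */
        if (complete) *complete = 1;
        return total_size;
    }
    /* Codes of length <= ROOT_BITS are replicated inside the root table. */
    for (len = 1; len <= ROOT_BITS; ++len) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return 0;             /* over-subscribed */
        for (; count[len] > 0; --count[len]) key = next_key(key, len);
    }
    /* Longer codes: a new 2nd-level table whenever the 8-bit prefix changes. */
    for (len = ROOT_BITS + 1; len <= MAX_CODE_LEN; ++len) {
        num_open <<= 1;
        num_nodes += num_open;
        num_open -= count[len];
        if (num_open < 0) return 0;
        for (; count[len] > 0; --count[len]) {
            if ((key & mask) != low) {
                total_size += 1 << next_table_bits(count, len, ROOT_BITS);
                low = key & mask;
            }
            key = next_key(key, len);
        }
    }
    if (complete) *complete = (num_nodes == 2 * num_symbols - 1);
    return total_size;
}

/* Same check starting from per-symbol code lengths as read from the bitstream. */
int table_size_from_lengths(const int *code_lengths, int num_symbols, int *complete) {
    int count[MAX_CODE_LEN + 1] = {0}, i;
    if (complete) *complete = 0;
    for (i = 0; i < num_symbols; ++i) {
        if (code_lengths[i] < 0 || code_lengths[i] > MAX_CODE_LEN) return 0;
        ++count[code_lengths[i]];
    }
    return huffman_table_size(count, complete);
}

int tree_is_complete(const int *count) {
    int complete;
    huffman_table_size(count, &complete);
    return complete;
}

/* Constructed histograms for the 40-symbol distance alphabet (TABLE_SIZE 410).
 * kComplete410: lengths 1,2,3,4,7 once, 27 x 9, one each of 10..14, two of 15
 *               (39 symbols, full tree) -> exactly the 410-entry bound.
 * kIncomplete416: lengths 1,2,3,5,6,7,8 once, 32 x 9, one of 10 (40 symbols,
 *               tree not full) -> 416 entries, 6 past the end of the table. */
static const int kComplete410[MAX_CODE_LEN + 1] =
    {0, 1, 1, 1, 1, 0, 0, 1, 0, 27, 1, 1, 1, 1, 1, 2};
static const int kIncomplete416[MAX_CODE_LEN + 1] =
    {0, 1, 1, 1, 0, 1, 1, 1, 1, 32, 1, 0, 0, 0, 0, 0};

int main(void) {
    const int *tables[2] = { kComplete410, kIncomplete416 };
    int i;
    for (i = 0; i < 2; ++i) {
        int complete, size = huffman_table_size(tables[i], &complete);
        printf("size %d (limit 410) %s, tree %s\n", size,
               size > 410 ? "OVERFLOW" : "ok", complete ? "complete" : "incomplete");
    }
    return 0;
}
```

huffman_table_size() returning more than TABLE_SIZE is exactly the condition the harness hunts for; the same function applies unchanged to the color tables (SYMS 256, TABLE_SIZE 630), only the histograms you feed it change.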
See the AFL documentation on persistent fuzzing.
The fuzz_test.c file must be placed inside the libwebp sources, since it is compiled there with -I. against the library headers. See the Dockerfile for the details.
docker build -t webp_persistent2 .
# SYS_PTRACE and an unconfined seccomp profile are needed for ASan and the AFL forkserver inside the container
docker run -d --rm -it -v "$PWD:/pwd" --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --platform linux/amd64 --name webp_persistent2 webp_persistent2
docker exec -it webp_persistent2 screen -rd master # AFL main instance; detach from screen with CTRL+A D
docker exec -it webp_persistent2 screen -rd asan # AFL instance running the ASan build; detach from screen with CTRL+A D
docker stop webp_persistent2
Check the results
docker exec -it webp_persistent2 /bin/bash # shell inside the container (the name must match the one given to `docker run`)
# replay every crash AFL saved; with `&&` this prints only the inputs that fuzz_test survives,
# swap in `||` to print the ones that actually crash the non-instrumented build
for file in /pwd/out/*/crashes/*; do
/root/fuzz_test < "$file" \
&& echo " $file" ;
done;
See the Dockerfile for the details of the build steps below.
# get webp
cd ./persistent-fuzzing/
git clone https://chromium.googlesource.com/webm/libwebp
cd libwebp
# build the vulnerable version
git checkout v1.3.1
./autogen.sh
./configure
# I forgot whether we also need `make install` to get libwebp (-lwebp)
make clean all
cp ../../fuzz_test.c .
# plain debug build, used to replay crash files
gcc -g -I. fuzz_test.c -lwebp -o fuzz_test
# AFL-instrumented build for the main instance
afl-clang-fast -I. fuzz_test.c -lwebp -o fuzz_test
# AFL-instrumented build with ASan, for the asan instance
AFL_USE_ASAN=1 afl-clang-fast -I. fuzz_test.c -lwebp -o fuzz_test_asan