quickjs-done-nextgen/fuzz.c

// clang -g -O1 -fsanitize=fuzzer -o fuzz fuzz.c
#include "quickjs.h"
#include "quickjs.c"
#include "cutils.c"
#include "libbf.c"
#include "libregexp.c"
#include "libunicode.c"
#include <stdlib.h>

int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    JSRuntime *rt = JS_NewRuntime();
    if (!rt)
        exit(1);
    JSContext *ctx = JS_NewContext(rt);
    if (!ctx)
        exit(1);
    JSValueConst val = JS_ReadObject(ctx, buf, len, /*flags*/0);
    JS_FreeValue(ctx, val);
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}
Fix crash in deserializer (#602) Check inside the deserializer that const atoms are indeed const, don't trust the input. The serializer only writes type 0 records for const atoms but the byte stream may have been corrupted or manipulated. Overlooked during review of c25aad7 ("Add ability to (de)serialize symbols") Found with libfuzzer and it found it _really_ fast. Great tool. 2024-10-17 06:45:04 +00:00			`// clang -g -O1 -fsanitize=fuzzer -o fuzz fuzz.c`
			`#include "quickjs.h"`
			`#include "quickjs.c"`
			`#include "cutils.c"`
			`#include "libbf.c"`
			`#include "libregexp.c"`
			`#include "libunicode.c"`
			`#include <stdlib.h>`

			`int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)`
			`{`
			`JSRuntime *rt = JS_NewRuntime();`
			`if (!rt)`
			`exit(1);`
			`JSContext *ctx = JS_NewContext(rt);`
			`if (!ctx)`
			`exit(1);`
			`JSValueConst val = JS_ReadObject(ctx, buf, len, /flags/0);`
			`JS_FreeValue(ctx, val);`
			`JS_FreeContext(ctx);`
			`JS_FreeRuntime(rt);`
			`return 0;`
			`}`