1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176name: ๐ง Cargo Fuzz Check
on:
push:
pull_request:
schedule:
- cron: '0 21 * * *'
env:
CARGO_TERM_COLOR: always
jobs:
cargo-check-ci:
runs-on: ubuntu-24.04
# Remember, fuzz target should be same as folders in src/crates
strategy:
fail-fast: false
matrix:
include:
- name: IMAGE
fuzz_target: image
timeout: 18000
files: "AA_IMAGE_VALID_FILES.7z"
# - name: HAYRO
# fuzz_target: hayro
# timeout: 18000
# files: "AA_PDF_VALID_FILES2.7z"
# - name: ZUNE
# fuzz_target: zune
# timeout: 18000
# files: "AA_IMAGE_VALID_FILES.7z"
# - name: SYMPHONIA1
# fuzz_target: symphonia
# timeout: 18000
# files: "AA_MUSIC_VALID_FILES.7z"
# - name: VIDDUPLICATE
# fuzz_target: vidduplicate
# timeout: 18000
# files: "AA_VIDEO_VALID_FILES.7z"
# - name: NOM_EXIF
# fuzz_target: nom_exif
# timeout: 18000
# files: "AA_NOM_EXIF_VALID_FILES.7z"
# - name: HAYRO
# fuzz_target: hayro
# timeout: 18000
# files: "AA_PDF_VALID_FILES2.7z"
# - name: RAWLER
# fuzz_target: rawler
# timeout: 18000
# files: "AA_RAW_VALID_FILES.7z"
# - name: FONT_KIT # https://github.com/servo/font-kit/issues/250
# fuzz_target: font_kit
# timeout: 18000
# files: "AA_FONT_VALID_FILES_MORE.7z"
# - name: PDF_RS # TODO - not implemented - not know how to load from memory
# fuzz_target: pdf_rs
# timeout: 18000
# files: "AA_PDF_VALID_FILES2.7z"
# - name: RSBUZZ
# fuzz_target: rsbuzz
# timeout: 18000
# files: "AA_FONT_VALID_FILES_MORE.7z"
steps:
- uses: actions/checkout@v4
- name: Setup rust version
run: |
rustup default nightly
rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
rustup component add llvm-tools-preview --toolchain nightly-x86_64-unknown-linux-gnu
- name: Install dependencies
run: |
sudo apt update
sudo apt install -y wget earlyoom libasan8 llvm
sudo apt install -y pkg-config libfreetype6-dev libfontconfig1-dev # For font_kit
- name: Install cargo fuzz and minimizer
run: cargo install cargo-fuzz minimizer
- name: Install crate
run: |
cd src/crates/${{ matrix.fuzz_target }}
cargo update
cargo install --path .
cd ../../..
- name: Download and prepare data files
run: |
CURR_DIR=$(pwd)
mkdir -p /opt/INPUT_FILES_DIR || true
cd /opt/INPUT_FILES_DIR
if [ -z "$(ls -A /opt/INPUT_FILES_DIR)" ]; then
python3 "$CURR_DIR/download_helper.py" "${{ matrix.files }}"
fi
cd $CURR_DIR
- name: Configure fuzzer
run: |
cd fuzz
cargo update
cd ../
- name: Build Fuzzer
run: |
cd fuzz
export RUST_BACKTRACE=1
export ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer-18)
export ASAN_OPTIONS=symbolize=1
export RUSTFLAGS="-Zsanitizer=address"
cargo fuzz build ${{ matrix.fuzz_target }} --release --features "${{ matrix.fuzz_target }}_f"
cd ../
# Examples
# cargo +nightly fuzz run slint /home/rafal/Downloads/slint --release --features "slint_f" -- -max_len=99999 -max_total_time=3600 -rss_limit_mb=20000
# cargo +nightly fuzz run hayro /home/rafal/Desktop/ASS --release --features "hayro_f" -- -max_len=99999 -max_total_time=3600 -rss_limit_mb=20000
# cargo +nightly fuzz run rawler /home/rafal/Desktop/ASS --release --features "rawler_f" -- -max_len=99999 -max_total_time=3600 -rss_limit_mb=20000
- name: Run Fuzzer
run: |
export RUST_BACKTRACE=1
export ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer-18)
export ASAN_OPTIONS="symbolize=1:allocator_may_return_null=1"
export RUSTFLAGS="-Zsanitizer=address"
cargo fuzz run ${{ matrix.fuzz_target }} /opt/INPUT_FILES_DIR/ -j4 --release --features "${{ matrix.fuzz_target }}_f" -- -max_len=99999 -max_total_time=${{ matrix.timeout }} -rss_limit_mb=20000 || true
- name: Remove slow files
run: |
find fuzz/artifacts/ -type f -name 'slow*' -exec rm {} +
- name: Store fuzz results before minimization
uses: actions/upload-artifact@v4
with:
if-no-files-found: ignore
name: ___broken___CARGO_FUZZ___${{ matrix.name }}
path: fuzz/artifacts
- name: Store fuzz corpus
uses: actions/upload-artifact@v4
with:
if-no-files-found: ignore
name: ___corpus___CARGO_FUZZ___${{ matrix.name }}
path: /opt/INPUT_FILES_DIR
# Minimizing, but not with builtin cargo fuzz minimizer, but minimizer command which should look like this:
# minimizer --input-file input.webp --output-file output --command "image {}" --attempts 100000 -r --broken-info "overflow" -v
- name: Minimize with minimizer
run: |
export RUST_BACKTRACE=1
export ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer-18)
export ASAN_OPTIONS="symbolize=1:allocator_may_return_null=1"
export RUSTFLAGS="-Zsanitizer=address"
if [ -d "fuzz/artifacts/${{ matrix.fuzz_target }}" ] && [ "$(ls -A fuzz/artifacts/${{ matrix.fuzz_target }})" ]; then
for file in fuzz/artifacts/${{ matrix.fuzz_target }}/*; do
minimizer --input-file "$file" --output-file "fuzz/artifacts/${{ matrix.fuzz_target }}/$(basename "$file")_minimized" --command "timeout -v 100 ${{ matrix.fuzz_target }} {}" --attempts 10000 -r -b "RUST_BACKTRACE" -b "panicked at" -b "AddressSanitizer" -b "LeakSanitizer" -b "ThreadSanitizer" -b "timeout: sending signal" -b "timeout: the monitored command dumped core" -b "memory allocation of" -v -t 1200 -s general_multi
done
fi
- name: Store fuzz results after minimization
uses: actions/upload-artifact@v4
with:
if-no-files-found: ignore
name: minimized___CARGO_FUZZ___${{ matrix.name }}
path: fuzz/artifacts
- name: Exit when found broken files
run: |
[ "$(ls -A fuzz/artifacts/${{ matrix.fuzz_target }})" ] && exit 1 || true