test: add one first fuzz target

re google/oss-fuzz#5137 for oss-fuzz integration

Author: catenacyber

.github/workflows/ci.yml

@@ -44,3 +44,21 @@ jobs:
           cd build
           cp /usr/x86_64-w64-mingw32/lib/libwinpthread-1.dll test/ || true # used only for MinGW tests, ok to fail for other cases
           ctest --output-on-failure
+  fuzzing_build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install Ubuntu Build Dependencies
+        run: |
+          sudo apt update
+          sudo apt install libsdl2-dev liblzo2-dev libssl-dev gnutls-dev libgcrypt-dev mingw-w64-x86-64-dev binutils-mingw-w64-x86-64 gcc-mingw-w64-x86-64 wine clang
+      - name: Build
+        env:
+          CC: "clang"
+          LIB_FUZZING_ENGINE: "-fsanitize=fuzzer"
+          CFLAGS: "-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"
+        run: |
+          mkdir build
+          cd build
+          cmake ..
+          cmake --build .

CMakeLists.txt

@@ -647,6 +647,12 @@ endif(WITH_EXAMPLES)
 
 if(WITH_TESTS)
 
+# First fuzzing
+if(DEFINED ENV{LIB_FUZZING_ENGINE})
+  add_executable(fuzz_server ${TESTS_DIR}/fuzz_server.c)
+  target_link_libraries(fuzz_server vncserver ${CMAKE_THREAD_LIBS_INIT} ${CARBON_LIBRARY} ${IOKIT_LIBRARY} ${IOSURFACE_LIBRARY} $ENV{LIB_FUZZING_ENGINE})
+endif()
+
 if(UNIX)
     set(ADDITIONAL_TEST_LIBS m)
 endif(UNIX)

libvncserver/rfbserver.c

@@ -358,6 +358,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen,
       rfbReleaseClientIterator(iterator);
       rfbLog("  %lu other clients\n", (unsigned long) otherClientsCount);
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
       if(!rfbSetNonBlocking(sock)) {
 	rfbCloseSocket(sock);
 	return NULL;
@@ -370,6 +371,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen,
 
       FD_SET(sock,&(rfbScreen->allFds));
 		rfbScreen->maxFd = rfbMax(sock,rfbScreen->maxFd);
+#endif
 
       INIT_MUTEX(cl->outputMutex);
       INIT_MUTEX(cl->refCountMutex);
@@ -469,6 +471,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen,
       cl->pipe_notify_client_thread[1] = -1;
 #endif
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
       /*
        * Wait a few ms for the client to send WebSockets connection (TLS/SSL or plain)
@@ -480,6 +483,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen,
         return NULL;
       }
 #endif
+#endif
 
 #ifdef LIBVNCSERVER_HAVE_LIBZ
       cl->enableExtendedClipboard = FALSE;

libvncserver/sockets.c

@@ -545,6 +545,9 @@ rfbDisconnectUDPSock(rfbScreenInfoPtr rfbScreen)
 void
 rfbCloseClient(rfbClientPtr cl)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    cl->sock = RFB_INVALID_SOCKET;
+#endif
     rfbExtensionData* extension;
 
     for(extension=cl->extensions; extension; extension=extension->next)
@@ -638,6 +641,12 @@ rfbConnect(rfbScreenInfoPtr rfbScreen,
     return sock;
 }
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+size_t fuzz_offset;
+size_t fuzz_size;
+const uint8_t *fuzz_data;
+#endif
+
 /*
  * ReadExact reads an exact number of bytes from a client.  Returns 1 if
  * those bytes have been read, 0 if the other end has closed, or -1 if an error
@@ -647,6 +656,14 @@ rfbConnect(rfbScreenInfoPtr rfbScreen,
 int
 rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    if (fuzz_offset + len <= fuzz_size) {
+        memcpy(buf, fuzz_data + fuzz_offset, len);
+        fuzz_offset += len;
+        return 1;
+    }
+    return 0;
+#endif
     rfbSocket sock = cl->sock;
     int n;
     fd_set fds;
@@ -739,6 +756,14 @@ int rfbReadExact(rfbClientPtr cl,char* buf,int len)
 int
 rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    if (fuzz_offset + len <= fuzz_size) {
+        memcpy(buf, fuzz_data + fuzz_offset, len);
+        fuzz_offset += len;
+        return 1;
+    }
+    return 0;
+#endif
     rfbSocket sock = cl->sock;
     int n;
     fd_set fds;
@@ -817,6 +842,9 @@ rfbWriteExact(rfbClientPtr cl,
               const char *buf,
               int len)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    return 1;
+#endif
     rfbSocket sock = cl->sock;
     int n;
     fd_set fds;

test/fuzz_server.c

@@ -0,0 +1,31 @@
+#include <rfb/rfb.h>
+
+static int initialized = 0;
+rfbScreenInfoPtr server;
+char *fakeargv[] = {"fuzz_server"};
+
+extern size_t fuzz_offset;
+extern size_t fuzz_size;
+extern const uint8_t *fuzz_data;
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (initialized == 0) {
+        int fakeargc=1;
+        server=rfbGetScreen(&fakeargc,fakeargv,400,300,8,3,4);
+        server->frameBuffer=malloc(400*300*4);
+        rfbInitServer(server);
+        initialized = 1;
+    }
+    rfbClientPtr cl = rfbNewClient(server, RFB_INVALID_SOCKET - 1);
+
+    fuzz_data = Data;
+    fuzz_offset = 0;
+    fuzz_size = Size;
+    while (cl->sock != RFB_INVALID_SOCKET) {
+        rfbProcessClientMessage(cl);
+    }
+    rfbClientConnectionGone(cl);
+    return 0;
+}
+