From 209fbb628292c8c115f8c637ff1f6eff993a669d Mon Sep 17 00:00:00 2001
From: Nikolaj Schlej
Date: Mon, 13 Feb 2023 16:56:53 -0800
Subject: [PATCH] Add minimal libFuzzer-compatible harness for FfsParser

---
 .github/workflows/main.yml | 16 ++++-----
 UEFITool/ffsfinder.cpp | 2 +-
 fuzzing/CMakeLists.txt | 65 ++++++++++++++++++++++++++++++++++++
 fuzzing/ffsparser_fuzzer.cpp | 31 +++++++++++++++++
 4 files changed, 105 insertions(+), 9 deletions(-)
 create mode 100644 fuzzing/CMakeLists.txt
 create mode 100644 fuzzing/ffsparser_fuzzer.cpp

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 013ffb7..95764c5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -185,20 +185,20 @@ jobs:
 run: |
 UEFITOOL_VER=$(cat ../../../UEFITool/version.h | grep PROGRAM_VERSION | cut -d'"' -f2 | sed 's/NE alpha /A/') ; \
 7z a ../../../UEFITool/dist/UEFIFind_NE_${UEFITOOL_VER}_win32.zip UEFIFind.exe
- - name: Create UEFITool win32 build directory
- run: cmake -E make_directory ${{runner.workspace}}/build/UEFITool_win32
- - name: Configure UEFITool win32
+ - name: Create UEFITool build directory
+ run: cmake -E make_directory ${{runner.workspace}}/build/UEFITool
+ - name: Configure UEFITool
 shell: bash
- working-directory: ${{runner.workspace}}/build/UEFITool_win32
+ working-directory: ${{runner.workspace}}/build/UEFITool
 run: ../../qt-5.6.3-static-x86-msvc2017/bin/qmake.exe -tp vc ../../UEFITool/UEFITool/
- - name: Build UEFITool win32
- working-directory: ${{runner.workspace}}/build/UEFITool_win32
+ - name: Build UEFITool
+ working-directory: ${{runner.workspace}}/build/UEFITool
 shell: cmd
 run: |
 call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvars32.bat"
 msbuild -t:Rebuild -p:PlatformToolset=v141_xp;Configuration=Release
- - name: Archive UEFITool win32
- working-directory: ${{runner.workspace}}/build/UEFITool_win32/release
+ - name: Archive UEFITool
+ working-directory: ${{runner.workspace}}/build/UEFITool/release
 shell: bash
 run: |
 UEFITOOL_VER=$(cat ../../../UEFITool/version.h | grep PROGRAM_VERSION | cut -d'"' -f2 | sed 's/NE alpha /A/') ; \
diff --git a/UEFITool/ffsfinder.cpp b/UEFITool/ffsfinder.cpp
index 94c236a..588e8d5 100644
--- a/UEFITool/ffsfinder.cpp
+++ b/UEFITool/ffsfinder.cpp
@@ -1,4 +1,4 @@
-/* fssfinder.cpp
+/* ffsfinder.cpp
 
 Copyright (c) 2015, Nikolaj Schlej. All rights reserved.
 This program and the accompanying materials
diff --git a/fuzzing/CMakeLists.txt b/fuzzing/CMakeLists.txt
new file mode 100644
index 0000000..0f99ac2
--- /dev/null
+++ b/fuzzing/CMakeLists.txt
@@ -0,0 +1,65 @@
+CMAKE_MINIMUM_REQUIRED(VERSION 3.1.0 FATAL_ERROR)
+
+PROJECT(ffsparser_fuzzer)
+
+SET(CMAKE_CXX_STANDARD 11)
+SET(CMAKE_CXX_STANDARD_REQUIRED ON)
+SET(CMAKE_CXX_EXTENSIONS OFF)
+
+SET(PROJECT_SOURCES
+ ffsparser_fuzzer.cpp
+ ../common/types.cpp
+ ../common/descriptor.cpp
+ ../common/guiddatabase.cpp
+ ../common/ffs.cpp
+ ../common/nvram.cpp
+ ../common/nvramparser.cpp
+ ../common/ffsparser.cpp
+ ../common/fitparser.cpp
+ ../common/peimage.cpp
+ ../common/treeitem.cpp
+ ../common/treemodel.cpp
+ ../common/utility.cpp
+ ../common/LZMA/LzmaDecompress.c
+ ../common/LZMA/SDK/C/Bra.c
+ ../common/LZMA/SDK/C/Bra86.c
+ ../common/LZMA/SDK/C/CpuArch.c
+ ../common/LZMA/SDK/C/LzmaDec.c
+ ../common/Tiano/EfiTianoDecompress.c
+ ../common/ustring.cpp
+ ../common/bstrlib/bstrlib.c
+ ../common/bstrlib/bstrwrap.cpp
+ ../common/generated/intel_acbp_v1.cpp
+ ../common/generated/intel_acbp_v2.cpp
+ ../common/generated/intel_keym_v1.cpp
+ ../common/generated/intel_keym_v2.cpp
+ ../common/generated/intel_acm.cpp
+ ../common/kaitai/kaitaistream.cpp
+ ../common/digest/sha1.c
+ ../common/digest/sha256.c
+ ../common/digest/sha512.c
+ ../common/digest/sm3.c
+ ../common/zlib/adler32.c
+ ../common/zlib/compress.c
+ ../common/zlib/crc32.c
+ ../common/zlib/deflate.c
+ ../common/zlib/gzclose.c
+ ../common/zlib/gzlib.c
+ ../common/zlib/gzread.c
+ ../common/zlib/gzwrite.c
+ ../common/zlib/inflate.c
+ ../common/zlib/infback.c
+ ../common/zlib/inftrees.c
+ ../common/zlib/inffast.c
+ ../common/zlib/trees.c
+ ../common/zlib/uncompr.c
+ ../common/zlib/zutil.c
+)
+
+ADD_DEFINITIONS(-DU_ENABLE_NVRAM_PARSING_SUPPORT -DU_ENABLE_FIT_PARSING_SUPPORT)
+
+ADD_EXECUTABLE(ffsparser_fuzzer ${PROJECT_SOURCES})
+
+TARGET_COMPILE_OPTIONS(ffsparser_fuzzer PRIVATE -g -O1 -fsanitize=fuzzer)
+
+TARGET_LINK_LIBRARIES(ffsparser_fuzzer PRIVATE -fsanitize=fuzzer)
diff --git a/fuzzing/ffsparser_fuzzer.cpp b/fuzzing/ffsparser_fuzzer.cpp
new file mode 100644
index 0000000..2411952
--- /dev/null
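Review bot: The two sanitizer flags at the end of the file enable only the libFuzzer driver, so memory-safety defects in FfsParser are reported only when they happen to crash the process; a harness like this is normally built with `-fsanitize=fuzzer,address,undefined` on both the TARGET_COMPILE_OPTIONS and TARGET_LINK_LIBRARIES lines so that out-of-bounds reads and undefined behaviour in the parser are caught deterministically rather than by luck. `-fsanitize=fuzzer` is also a Clang-only option, so configuring with GCC or MSVC fails late with an unclear compiler or linker error; a guard such as `IF(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang") MESSAGE(FATAL_ERROR "ffsparser_fuzzer requires Clang") ENDIF()` near the top would make the requirement explicit.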
+++ b/fuzzing/ffsparser_fuzzer.cpp
@@ -0,0 +1,31 @@
+/* ffsparser_fuzzer.cpp
+
+ Copyright (c) 2023, Nikolaj Schlej. All rights reserved.
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+ */
+
+#include "../common/ffsparser.h"
+
+#define FUZZING_MIN_INPUT_SIZE 16
+#define FUZZING_MAX_INPUT_SIZE (128 * 1024 * 1024)
+
+extern "C" int LLVMFuzzerTestOneInput(const char *Data, long long Size) {
+ // Do not overblow the inout file size, won't change much in practical sense
+ if (Size > FUZZING_MAX_INPUT_SIZE || Size < FUZZING_MIN_INPUT_SIZE) return 0;
+
+ // Create the FFS parser
+ TreeModel* model = new TreeModel();
+ FfsParser* ffsParser = new FfsParser(model);
+
+ // Parse the image
+ (void)ffsParser->parse(UByteArray(Data, (uint32_t)Size));
+
+ return 0;
+}
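Review bot: The TreeModel and FfsParser allocated with new in LLVMFuzzerTestOneInput are never deleted, so every iteration leaks both objects; when the harness is linked with AddressSanitizer, libFuzzer's leak detection will report the very first input as a leak, and without it the process simply grows until the fuzzer's RSS limit ends the run. Giving them automatic storage removes the leak without changing what is exercised: `TreeModel model;` / `FfsParser ffsParser(&model);` / `(void)ffsParser.parse(UByteArray(Data, (uint32_t)Size));`. The entry point also departs from the documented libFuzzer signature `extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)`; `const char *` and `long long` happen to line up on LP64 targets, but `long long` is wider than `size_t` on 32-bit platforms, so the canonical types are the safer choice. The comment above the size check reads "inout" where "input" is meant.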