cli11: initial OSS-Fuzz integration (CLI parsing fuzzer)

Author: TheodorNEngoy

projects/cli11/Dockerfile

@@ -0,0 +1,6 @@
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+RUN git clone --depth=1 https://github.com/CLIUtils/CLI11.git $SRC/cli11
+COPY build.sh $SRC/
+COPY fuzzers $SRC/fuzzers
+WORKDIR $SRC

projects/cli11/build.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -eu
+set -o pipefail
+for f in "$SRC"/fuzzers/*.cc; do
+  b="$(basename "$f" .cc)"
+  "$CXX" ${CXXFLAGS:-} -std=c++17 -I"$SRC/cli11/include" \
+    "$f" -o "$OUT/$b" $LIB_FUZZING_ENGINE ${LDFLAGS:-}
+done
+# Package seed corpus if present.
+[ -d "$SRC/fuzzers/corpus" ] && zip -rq "$OUT/fuzz_cli_parse_seed_corpus.zip" "$SRC/fuzzers/corpus" || true

projects/cli11/fuzzers/corpus/a

@@ -0,0 +1 @@
+--int 1 --double 2.5 -b

projects/cli11/fuzzers/corpus/b

@@ -0,0 +1 @@
+sub --sstr hello --si 7

projects/cli11/fuzzers/fuzz_cli_parse.cc

@@ -0,0 +1,42 @@
+#include <cstddef>
+#include <cstdint>
+#include <string>
+#include <vector>
+#include <cctype>
+#include "CLI/CLI.hpp"
+
+static std::vector<std::string> tokenize_ws(const std::string& s) {
+  std::vector<std::string> out; std::string cur;
+  for (unsigned char c : s) {
+    if (std::isspace(c)) { if (!cur.empty()) { out.push_back(cur); cur.clear(); if (out.size() >= 64) break; } }
+    else { if (cur.size() < 256) cur.push_back(static_cast<char>(c)); }
+  }
+  if (!cur.empty() && out.size() < 64) out.push_back(cur);
+  return out;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size == 0 || size > (1<<16)) return 0;
+  std::string s(reinterpret_cast<const char*>(data), size);
+  auto args = tokenize_ws(s);
+
+  std::vector<std::string> argv_strings; argv_strings.reserve(args.size()+1);
+  argv_strings.emplace_back("prog"); for (auto& a: args) argv_strings.push_back(a);
+  std::vector<char*> argv; for (auto& a: argv_strings) argv.push_back(a.data());
+  int argc = static_cast<int>(argv.size());
+
+  CLI::App app("fuzz");
+  int i=0, si=0; double d=0; bool b=false;
+  std::vector<int> ints; std::vector<std::string> strs, sstrs;
+  app.add_option("-i,--int", i);
+  app.add_option("-d,--double", d);
+  app.add_flag("-b,--bool", b);
+  app.add_option("-n,--ints", ints)->take_all();
+  app.add_option("-s,--str",  strs)->take_all();
+  app.allow_extras(true);
+  auto sub = app.add_subcommand("sub", "subcommand");
+  sub->add_option("--si", si);
+  sub->add_option("--sstr", sstrs)->take_all();
+  try { app.parse(argc, argv.data()); } catch (const CLI::ParseError&) {} catch (...) {}
+  return 0;
+}

projects/cli11/project.yaml

@@ -0,0 +1,10 @@
+homepage: https://github.com/CLIUtils/CLI11
+main_repo: https://github.com/CLIUtils/CLI11
+language: c++
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+  - undefined
+architectures:
+  - x86_64