diff --git a/fuzzers/libfuzzer_stb_image/Cargo.toml b/fuzzers/libfuzzer_stb_image/Cargo.toml index 1ec1ab28ba..3b3cd143ce 100644 --- a/fuzzers/libfuzzer_stb_image/Cargo.toml +++ b/fuzzers/libfuzzer_stb_image/Cargo.toml @@ -17,7 +17,7 @@ debug = true [dependencies] libafl = { path = "../../libafl/" } -libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_edges", "value_profile", "libfuzzer"] } +libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_edges", "libfuzzer"] } [build-dependencies] cc = { version = "1.0", features = ["parallel"] } diff --git a/fuzzers/libfuzzer_stb_image/README.md b/fuzzers/libfuzzer_stb_image/README.md index acb7426f8a..1daf0a4c47 100644 --- a/fuzzers/libfuzzer_stb_image/README.md +++ b/fuzzers/libfuzzer_stb_image/README.md 
@@ -1,38 +1,18 @@ -# Libfuzzer for libpng +# Libfuzzer for stb_image -This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection. -To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example. -It has been tested on Linux. +This folder contains an example fuzzer for stb_image, using LLMP for fast multi-process fuzzing and crash detection. +It has been tested on Linux and Windows. ## Build To build this example, run `cargo build --release`. -This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback. -In addition, it will build also two C and C++ compiler wrappers (bin/c(c/xx).rs) that you must use to compile the target. +This will build the the fuzzer (src/main.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback as a standalone binary. -Then download libpng from https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz and unpack the archive. - -Now compile it with: - -``` -cd libpng-1.6.37 -./configure -make CC=/path/to/libfuzzer_libpng/target/release/cc -j `nproc` -``` - -You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`. - -Now, we have to build the libfuzzer harness and link all togheter to create our fuzzer binary. - -``` -/path/to/libfuzzer_libpng/target/debug/cxx /path/to/libfuzzer_libpng/harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer -lz -lm -``` - -Afterwards, the fuzzer will be ready to run simply executing `./fuzzer`. +Unlike the libpng example, in this example the harness (that entirely includes the program under test) is compiled in the `build.rs` file while building the crate, and linked with the fuzzer by cargo when producing the final binary, `target/release/libfuzzer_stb_image`. 
## Run -The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. +The first time you run the binary (`target/release/libfuzzer_stb_image`), the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. Each following execution will run a fuzzer client. As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`).
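Review bot: the Cargo.toml hunk drops the `value_profile` feature from the `libafl_targets` dependency (`-libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_edges", "value_profile", "libfuzzer"] }`) without any explanation in the patch or the rewritten README; if `src/main.rs` still wires up a value-profile (CMP map) observer or feedback, the crate no longer builds, and if it does not, the README should state that the example now relies on edge coverage (`pcguard_edges`) only. Please note the reason for the removal in the commit message or in the README's Build section.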
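Review bot: the added line `+This will build the the fuzzer (src/main.rs) ...` in the first README.md hunk has a doubled "the", and the parenthetical "the harness (that entirely includes the program under test)" in the last added line reads better as "the harness, which includes the whole program under test,". The same hunk removes the sentence explaining that a `ud2` instruction was added to the harness "to show off crash detection", yet the new introduction still promises "multi-process fuzzing and crash detection"; say whether the stb_image harness contains a deliberate crash or whether crashes are expected to come from the target itself, so the reader knows what the example demonstrates.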
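Review bot: the Run hunk names the binary as `target/release/libfuzzer_stb_image` while the Build hunk now claims the example "has been tested on Linux and Windows"; on Windows the artifact is `target\release\libfuzzer_stb_image.exe`, and the description of the broker's TCP port `1337` handshake and the shared-map transport should either mention the Windows path or state explicitly that the same flow applies on both platforms. Consider also expanding "shared map" to "shared memory map" on first use, since the text contrasts it with kernel-mediated communication.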