Tests/Fuzzing: Add cmPkgConfigParserFuzzer

Fuzz the CMake pkg-config file parser. Tests parsing of .pc files.
2026-06-24 08:47:59 +00:00 · 2026-01-15 10:33:10 +00:00
parent 67abec4180
commit bb327a93a5
3 changed files with 125 additions and 0 deletions
--- a/Tests/Fuzzing/CMakeLists.txt
+++ b/Tests/Fuzzing/CMakeLists.txt
@@ -64,3 +64,6 @@ add_fuzzer(cmGeneratorExpressionFuzzer cmGeneratorExpressionFuzzer.cxx)

 # Math expression parser fuzzer
 add_fuzzer(cmExprParserFuzzer cmExprParserFuzzer.cxx)
+
+# pkg-config parser fuzzer
+add_fuzzer(cmPkgConfigParserFuzzer cmPkgConfigParserFuzzer.cxx)
--- a/Tests/Fuzzing/cmPkgConfigParser.dict
+++ b/Tests/Fuzzing/cmPkgConfigParser.dict
@@ -0,0 +1,63 @@
+# pkg-config File Dictionary
+
+# Key-value separators
+"="
+":"
+
+# Variable reference
+"${"
+"}"
+
+# Common keywords
+"Name"
+"Description"
+"Version"
+"Requires"
+"Requires.private"
+"Conflicts"
+"Libs"
+"Libs.private"
+"Cflags"
+"URL"
+
+# Common variables
+"prefix"
+"exec_prefix"
+"libdir"
+"includedir"
+"datarootdir"
+"datadir"
+"sysconfdir"
+"sharedstatedir"
+"localstatedir"
+
+# Common values
+"/usr"
+"/usr/local"
+"/usr/lib"
+"/usr/include"
+"-I"
+"-L"
+"-l"
+"-D"
+"-pthread"
+
+# Whitespace
+" "
+"\x09"
+"\x0a"
+"\x0d\x0a"
+
+# Comments
+"#"
+
+# Version operators
+">="
+"<="
+">"
+"<"
+"!="
+
+# Escapes
+"\\"
+"\\$"
--- a/Tests/Fuzzing/cmPkgConfigParserFuzzer.cxx
+++ b/Tests/Fuzzing/cmPkgConfigParserFuzzer.cxx
@@ -0,0 +1,59 @@
+/* Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
+   file LICENSE.rst or https://cmake.org/licensing for details.  */
+
+/*
+ * Fuzzer for CMake's pkg-config file parser
+ *
+ * CMake parses .pc files (pkg-config) when using PkgConfig find module.
+ * Malformed .pc files from untrusted sources could trigger vulnerabilities.
+ *
+ * Coverage targets:
+ * - Variable definitions (key=value)
+ * - Keyword definitions (key: value)
+ * - Variable references (${var})
+ * - Multi-line handling
+ * - Comment handling
+ */
+
+#include <cstddef>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+#include "cmPkgConfigParser.h"
+
+// Limit input size
+static constexpr size_t kMaxInputSize = 64 * 1024; // 64KB
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t const* data, size_t size)
+{
+  if (size == 0 || size > kMaxInputSize) {
+    return 0;
+  }
+
+  // cmPkgConfigParser::Parse takes non-const buffer (may modify in place)
+  std::vector<char> buffer(data, data + size);
+
+  cmPkgConfigParser parser;
+
+  // Parse the input
+  auto result = parser.Parse(buffer.data(), buffer.size());
+  (void)result;
+
+  // Finish parsing
+  result = parser.Finish();
+  (void)result;
+
+  // Access parsed data to exercise accessors
+  auto& entries = parser.Data();
+  for (auto const& entry : entries) {
+    (void)entry.IsVariable;
+    (void)entry.Key;
+    for (auto const& elem : entry.Val) {
+      (void)elem.IsVariable;
+      (void)elem.Data;
+    }
+  }
+
+  return 0;
+}