Add a fuzzer for parseNumber()

bblanchon · bblanchon · commit a9bb1a1df567 · 2026-03-03T17:53:08.000+01:00
See #2220
diff --git a/extras/fuzzing/CMakeLists.txt b/extras/fuzzing/CMakeLists.txt
@@ -64,4 +64,5 @@ if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND CMAKE_CXX_COMPILER_VERSION VERSION
 
 	add_fuzzer(json)
 	add_fuzzer(msgpack)
+	add_fuzzer(number)
 endif()
diff --git a/extras/fuzzing/Makefile b/extras/fuzzing/Makefile
@@ -8,7 +8,10 @@ all: \
 	$(OUT)/json_fuzzer.options \
 	$(OUT)/msgpack_fuzzer \
 	$(OUT)/msgpack_fuzzer_seed_corpus.zip \
-	$(OUT)/msgpack_fuzzer.options
+	$(OUT)/msgpack_fuzzer.options \
+	$(OUT)/number_fuzzer \
+	$(OUT)/number_fuzzer_seed_corpus.zip \
+	$(OUT)/number_fuzzer.options
 
 $(OUT)/%_fuzzer: %_fuzzer.cpp $(shell find ../../src -type f)
 	$(CXX) $(CXXFLAGS) $< -o$@ $(LIB_FUZZING_ENGINE)
@@ -18,5 +21,5 @@ $(OUT)/%_fuzzer_seed_corpus.zip: %_seed_corpus/*
 
 $(OUT)/%_fuzzer.options:
 	@echo "[libfuzzer]" > $@
-	@echo "max_len = 256" >> $@
+	@echo "max_len = 4096" >> $@
 	@echo "timeout = 10" >> $@
diff --git a/extras/fuzzing/number_corpus/.gitignore b/extras/fuzzing/number_corpus/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/extras/fuzzing/number_fuzzer.cpp b/extras/fuzzing/number_fuzzer.cpp
@@ -0,0 +1,10 @@
+#include <ArduinoJson.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Make a copy to ensure the input is null-terminated
+  std::string str(reinterpret_cast<const char*>(data), size);
+
+  ArduinoJson::detail::parseNumber(str.c_str());
+
+  return 0;
+}
diff --git a/extras/fuzzing/number_seed_corpus/decimal_half b/extras/fuzzing/number_seed_corpus/decimal_half
@@ -0,0 +1 @@
+0.5
diff --git a/extras/fuzzing/number_seed_corpus/decimal_one_and_half b/extras/fuzzing/number_seed_corpus/decimal_one_and_half
@@ -0,0 +1 @@
+1.5
diff --git a/extras/fuzzing/number_seed_corpus/infinity b/extras/fuzzing/number_seed_corpus/infinity
@@ -0,0 +1 @@
+infinity
diff --git a/extras/fuzzing/number_seed_corpus/issue2220-1 b/extras/fuzzing/number_seed_corpus/issue2220-1
@@ -0,0 +1 @@
+1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
diff --git a/extras/fuzzing/number_seed_corpus/issue2220-2 b/extras/fuzzing/number_seed_corpus/issue2220-2
@@ -0,0 +1 @@
+0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
diff --git a/extras/fuzzing/number_seed_corpus/large_decimal b/extras/fuzzing/number_seed_corpus/large_decimal
@@ -0,0 +1 @@
+999999.999999
diff --git a/extras/fuzzing/number_seed_corpus/large_integer b/extras/fuzzing/number_seed_corpus/large_integer
@@ -0,0 +1 @@
+9876543210
diff --git a/extras/fuzzing/number_seed_corpus/leading_zeros b/extras/fuzzing/number_seed_corpus/leading_zeros
@@ -0,0 +1 @@
+0.00001
diff --git a/extras/fuzzing/number_seed_corpus/nan b/extras/fuzzing/number_seed_corpus/nan
@@ -0,0 +1 @@
+nan
diff --git a/extras/fuzzing/number_seed_corpus/negative_decimal b/extras/fuzzing/number_seed_corpus/negative_decimal
@@ -0,0 +1 @@
+-123.456
diff --git a/extras/fuzzing/number_seed_corpus/negative_one b/extras/fuzzing/number_seed_corpus/negative_one
@@ -0,0 +1 @@
+-1
diff --git a/extras/fuzzing/number_seed_corpus/negative_scientific b/extras/fuzzing/number_seed_corpus/negative_scientific
@@ -0,0 +1 @@
+-2.5e-3
diff --git a/extras/fuzzing/number_seed_corpus/negative_scientific_large_exp b/extras/fuzzing/number_seed_corpus/negative_scientific_large_exp
@@ -0,0 +1 @@
+-1.23456e+20
diff --git a/extras/fuzzing/number_seed_corpus/negative_zero b/extras/fuzzing/number_seed_corpus/negative_zero
@@ -0,0 +1 @@
+-0
diff --git a/extras/fuzzing/number_seed_corpus/one b/extras/fuzzing/number_seed_corpus/one
@@ -0,0 +1 @@
+1
diff --git a/extras/fuzzing/number_seed_corpus/pi_approximation b/extras/fuzzing/number_seed_corpus/pi_approximation
@@ -0,0 +1 @@
+3.14159265359
diff --git a/extras/fuzzing/number_seed_corpus/scientific_e10 b/extras/fuzzing/number_seed_corpus/scientific_e10
@@ -0,0 +1 @@
+1e10
diff --git a/extras/fuzzing/number_seed_corpus/scientific_e_minus b/extras/fuzzing/number_seed_corpus/scientific_e_minus
@@ -0,0 +1 @@
+1.5e-10
diff --git a/extras/fuzzing/number_seed_corpus/scientific_e_plus b/extras/fuzzing/number_seed_corpus/scientific_e_plus
@@ -0,0 +1 @@
+1.23e+5
diff --git a/extras/fuzzing/number_seed_corpus/small_decimal b/extras/fuzzing/number_seed_corpus/small_decimal
@@ -0,0 +1 @@
+0.001
diff --git a/extras/fuzzing/number_seed_corpus/small_integer b/extras/fuzzing/number_seed_corpus/small_integer
@@ -0,0 +1 @@
+42
diff --git a/extras/fuzzing/number_seed_corpus/trailing_zeros b/extras/fuzzing/number_seed_corpus/trailing_zeros
@@ -0,0 +1 @@
+1000000
diff --git a/extras/fuzzing/number_seed_corpus/very_small_positive b/extras/fuzzing/number_seed_corpus/very_small_positive
@@ -0,0 +1 @@
+0.0000001
diff --git a/extras/fuzzing/number_seed_corpus/zero b/extras/fuzzing/number_seed_corpus/zero
@@ -0,0 +1 @@
+0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001