this article about American Fuzzy Lop. All I had to do to have it work with Terminology is to have Terminology take its input
stdin (or a file but I chose to read from
stdin) instead of a
epollis not behaving as I’d like
I did those changes but
afl was not happy because Terminology was crashing right-away. I ran my first test-case like that:
cat afl/in/colors_font | src/bin/terminology
and it worked like a charm. A window appeared and disappeared with no error message in the logs. The return code was 0. Nothing misbehaving here, but only when ran with
epoll to know when there is some new data to read from
stdin. Due to the way
stdin is a file descriptor to a regular file (set to
dup2()). When adding
epoll_ctl(), it replied
EBADF saying that
stdin is not a valid file descriptor (to
epoll can not be used to poll regular files.
I did patch
afl to make
stdin behave like a
pipe for the test application and then it worked (almost) great.
afldid find bugs
afl did find a bug in Terminology that resulted in this commit.
It also did find an other bug, but outside Terminology: in Enlightenment!
afl kept on spawning Terminology and thus kept on creating and closing windows. At some point Enlightenment would crash. This led to T2803 that is now fixed thanks to
Because Terminology had to create windows all the time and initialize a bunch of stuff, it was slow to actually do the fuzzing. I wrote a small piece of code called
tyfuzz to only test the relevant parts: the parsing of the escape codes. I has been running in
afl for 2 days but it did not yield any crash so far.
Everything is currently on git. One need to compile Terminology with the afl compiler companion tool and activate fuzzing.
CC=afl-gcc ./autogen.sh --enable-fuzzing && make
Terminology produced that way won’t be usable outside
afl-fuzz -m none -i afl/in -o afl/out -- src/bin/terminology -s
afl-fuzz -m none -i afl/in -o afl/out -- src/bin/tyfuzz -s