FSMaxB / mcJSON

A fork of cJSON with the goal of making it fit to create JSON containing cryptographic keys.
ISC License

Fuzz testing #7

Open FSMaxB opened 8 years ago

FSMaxB commented 8 years ago

I'd really like to do fuzz testing on this library using american fuzzy lop. This would provide me with more confidence that this library is actually safe to use with user controlled input.

I've been trying to do this, but it probably requires being able to compile the software without libsodium; I'm not quite sure (#6).

netsurf916 commented 8 years ago

You don't need to remove the libsodium dependency. I've started a fuzz run on mcJSON now. 2 crashes so far in less than a minute :)

netsurf916 commented 8 years ago

After 3.5 hours, I now have 62 unique crashes in mcJSON.

FSMaxB commented 8 years ago

Wow, thanks for doing this. I really didn't expect that someone would do this. When I saw that you uploaded a zip to cJSON, I just thought that I could check that list against mcJSON.

netsurf916 commented 8 years ago

I stopped the fuzzing for now. I was up to 85 crashes and 57 hangs after ~12 hours. I'd prefer to report the crashes less publicly, so let me know how you want to proceed. Keep in mind the crashes can be due to memory use (afl defaults to 50MB max) and hangs are typically false positives due to the 20ms default timeout. At least the first few are legitimate crashes due to a double free though.
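The caveat above (crashes that are really memory-limit kills, hangs that are really slow inputs) is the usual afl-fuzz triage problem. The script below is an added example, not code from the mcJSON project or from either commenter: it re-runs every saved crash and hang under the same memory ceiling the fuzzer used and buckets each one by the AddressSanitizer report it produces, so the double frees are separated from out-of-memory reports and from inputs that merely exceed the 20 ms fuzzer timeout. It assumes a hypothetical `./mcjson_harness` built with `-fsanitize=address` that parses the file named in its only argument, and `timeout` from GNU coreutils; the `-m`/`-t` flags named in the comment are real afl-fuzz options.

```shell
#!/bin/sh
# Added example (not from the mcJSON project): re-run every crash and hang that
# afl-fuzz saved and bucket them, so that out-of-memory kills and slow inputs
# (the false positives mentioned in the thread) are separated from real bugs
# such as the double free.
#
# Assumptions: ./mcjson_harness is a hypothetical ASan build (-fsanitize=address)
# of a small program that parses the file named in its only argument with mcJSON;
# `timeout` comes from GNU coreutils.
#
# The afl-fuzz knobs behind the caveat in the thread are -m (memory limit in MB,
# default 50) and -t (timeout in ms); raising them before a long run, e.g.
#   afl-fuzz -i testcases -o findings -m 200 -t 1000 -- ./mcjson_harness @@
# removes most of the false positives at the source.

HARNESS=${HARNESS:-./mcjson_harness}
MEM_KB=${MEM_KB:-$((50 * 1024))}   # same ceiling as afl-fuzz's default -m 50
TIMEOUT_S=${TIMEOUT_S:-5}          # far above the fuzzer's 20 ms, so only real hangs remain

# classify_report STATUS   (sanitizer report on stdin)
# Prints one bucket name. The strings matched are the ones AddressSanitizer
# actually prints; memory-pressure reports are matched before the generic
# catch-all so they never masquerade as "real" crashes.
classify_report() {
    status=$1
    report=$(cat)
    case "$report" in
        *"attempting double-free"*)   echo double-free ;;
        *"heap-use-after-free"*)      echo use-after-free ;;
        *"heap-buffer-overflow"*)     echo heap-overflow ;;
        *"stack-overflow"*)           echo stack-overflow ;;
        *"out of memory"*|*"exceeds maximum supported size"*|*"allocation-size-too-big"*)
                                      echo oom ;;
        *"AddressSanitizer"*)         echo asan-other ;;
        *)
            if [ "$status" -eq 124 ]; then echo timeout      # killed by `timeout`
            elif [ "$status" -eq 0 ]; then echo clean        # did not reproduce
            else echo "exit-$status"; fi ;;
    esac
}

# rerun_case FILE: run the harness on one saved input under the fuzzer's memory
# ceiling, capture only stderr (where ASan writes), and classify the result.
rerun_case() {
    err=$( (ulimit -v "$MEM_KB"; timeout "$TIMEOUT_S" "$HARNESS" "$1") 2>&1 >/dev/null )
    st=$?
    printf '%s' "$err" | classify_report "$st"
}

# triage_dir DIR: DIR is findings/crashes or findings/hangs from afl-fuzz.
# Prints one "bucket<TAB>file" line per saved input.
triage_dir() {
    for f in "$1"/id:*; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(rerun_case "$f")" "$f"
    done
}

# summarize: count per bucket, reading triage_dir output on stdin.
summarize() {
    cut -f1 | sort | uniq -c
}

case "${1:-}" in
    "") ;;   # run without arguments: only define the functions
    *)  triage_dir "$1" | tee "$1.triage.tsv" | summarize ;;
esac
```

Run it as `sh triage.sh findings/crashes` and again on `findings/hangs`; the per-file verdicts land in `findings/crashes.triage.tsv` and the bucket counts on stdout. Anything in the `oom` or `timeout` buckets is worth re-checking with a larger `-m`/`-t` before being reported as a bug, while `double-free`, `use-after-free` and `heap-overflow` are the ones to send to the maintainer first.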

FSMaxB commented 8 years ago

You can send me the files via email: max at maxbruckner dot de. I want to mention again that I'm really thankful that you did this.

FSMaxB commented 8 years ago

I've fixed some of those but new ones keep popping up. This is harder than it looks.

netsurf916 commented 8 years ago

At least you're giving it a go. The cJSON guys basically ignored them. On Jun 21, 2016 16:56, "Max Bruckner" notifications@github.com wrote:

I've fixed some of those but new ones keep popping up. This is harder than it looks.