fuzz: fix cl_load fuzz target

I found two issues with the cl_load fuzz targets, one of which impacts the scanfile and scanmap fuzz targets: 1. We were defining the preprocessor definitions incorrectly using "SCAN_TARGETS" instead of "TARGET" in unit_tests/CMakeLists.txt. For the scan fuzz targets this meant it wasn't properly defining unique settings for each compiled target. For the cl_load fuzz target it's worse, it wasn't setting the database file name correctly which means it rejected the filenames entirely for not having a legitimate suffix. 2. We were pre-compiling the engine before loading signatures. You can't load sigs for an engine that's already compiled, so this would also fail right away without trying to load any sigs.
2025-10-19 18:33:16 +00:00 · 2021-12-15 19:22:14 -08:00 · 2021-12-15 19:22:14 -08:00 · 0037f5825b
commit 0037f5825b
parent 4691b78000
2 changed files with 32 additions and 15 deletions
--- a/fuzz/clamav_dbload_fuzzer.cpp
+++ b/fuzz/clamav_dbload_fuzzer.cpp
@ -51,8 +51,6 @@ class ClamAVState
        cl_set_clcb_msg(clamav_message_callback);

        cl_init(CL_INIT_DEFAULT);
-        engine = cl_engine_new();
-        cl_engine_compile(engine);

        dboptions =
            CL_DB_PHISHING | CL_DB_PHISHING_URLS |
@ -99,14 +97,11 @@ class ClamAVState

    ~ClamAVState()
    {
-        cl_engine_free(engine);
-
        if (NULL != tmp_db_name) {
            unlink(tmp_db_name);
        }
    }

-    struct cl_engine* engine;
    const char* tmp_db_name;
    unsigned int dboptions;
 };
@ -117,18 +112,40 @@ ClamAVState kClamAVState;

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 {
-    unsigned int sigs = 0;
-    FILE* fuzzdb      = NULL;
+    cl_error_t ret;
+    unsigned int sigs        = 0;
+    FILE* fuzzdb             = NULL;
+    struct cl_engine* engine = NULL;

    fuzzdb = fopen(kClamAVState.tmp_db_name, "w");
    fwrite(data, size, 1, fuzzdb);
    fclose(fuzzdb);

-    cl_load(
-        kClamAVState.tmp_db_name,
-        kClamAVState.engine,
-        &sigs,
-        kClamAVState.dboptions);
+    /* need new engine each time. can't add sigs to compiled engine */
+    engine = cl_engine_new();
+
+    /* load the fuzzer-generated sig db */
+    if (CL_SUCCESS != (ret = cl_load(
+                           kClamAVState.tmp_db_name,
+                           engine,
+                           &sigs,
+                           kClamAVState.dboptions))) {
+        printf("cl_load: %s\n", cl_strerror(ret));
+        goto done;
+    }
+
+    /* build engine */
+    if (CL_SUCCESS != (ret = cl_engine_compile(engine))) {
+        printf("cl_engine_compile: %s\n", cl_strerror(ret));
+        goto done;
+    }
+
+done:
+
+    /* Clean up for the next round */
+    if (NULL != engine) {
+        cl_engine_free(engine);
+    }

    return 0;
 }