Added oss-fuzz integration.

Makefile.am

@@ -42,6 +42,8 @@ lcov:
 	($(MAKE); cd unit_tests; $(MAKE) lcov)
 quick-check:
 	($(MAKE); cd unit_tests; $(MAKE) quick-check)
+fuzz:
+	($(MAKE); $(MAKE) -C fuzz check)
 
 dist-hook:
 	rm -rf $(distdir)/win32/clamav-for-windows $(distdir)/win32/build

Makefile.in

@@ -145,6 +145,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \
@@ -1191,6 +1192,8 @@ lcov:
 	($(MAKE); cd unit_tests; $(MAKE) lcov)
 quick-check:
 	($(MAKE); cd unit_tests; $(MAKE) quick-check)
+fuzz-check:
+	($(MAKE); $(MAKE) -C fuzz check)
 
 dist-hook:
 	rm -rf $(distdir)/win32/clamav-for-windows $(distdir)/win32/build

clamav-milter/Makefile.in

@@ -119,6 +119,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clambc/Makefile.in

@@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamconf/Makefile.in

@@ -118,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamd/Makefile.in

@@ -121,6 +121,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamdscan/Makefile.in

@@ -118,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamdtop/Makefile.in

@@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamscan/Makefile.in

@@ -119,6 +119,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

clamsubmit/Makefile.in

@@ -118,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

configure

@@ -748,6 +748,8 @@ HAVE_LIBCHECK_TRUE
 CHECK_CPPFLAGS
 CHECK_LIBS
 CHECK_CFLAGS
+ENABLE_FUZZ_FALSE
+ENABLE_FUZZ_TRUE
 BUILD_CONFIGURE_FLAGS
 VERSIONSCRIPT_FALSE
 VERSIONSCRIPT_TRUE
@@ -924,6 +926,7 @@ with_ltdl_lib
 enable_ltdl_install
 enable_gcc_vcheck
 enable_experimental
+enable_fuzz
 enable_mempool
 enable_check
 enable_rpath
@@ -1636,6 +1639,7 @@ Optional Features:
   --enable-ltdl-install   install libltdl
   --disable-gcc-vcheck    do not check for buggy gcc version
   --enable-experimental   enable experimental code
+  --enable-fuzz           enable building standalone fuzz targets [default=no]
   --disable-mempool       do not use memory pools
   --enable-check          enable check unit tests [default=auto]
   --disable-rpath         do not hardcode runtime library paths
@@ -20301,6 +20305,29 @@ build_configure_args=`echo "$ac_configure_args" | sed -e 's/\"//g'`
 BUILD_CONFIGURE_FLAGS=$build_configure_args
 
 
+# Check whether --enable-fuzz was given.
+if test "${enable_fuzz+set}" = set; then :
+  enableval=$enable_fuzz; enable_cov=$enableval
+else
+  enable_cov="no"
+fi
+
+
+# if test "x$enable_fuzz" = "xyes"; then
+#     CPPFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=edge,trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep $CPPFLAGS"
+#     CFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=edge,trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep $CFLAGS"
+# #	LDFLAGS="-Wl,-Bstatic -lssl -lcrypto -lz -Wl,-Bdynamic -lc -lpthread -ldl $LDFLAGS"
+# fi
+
+ if test "x$enable_fuzz" = "xyes"; then
+  ENABLE_FUZZ_TRUE=
+  ENABLE_FUZZ_FALSE='#'
+else
+  ENABLE_FUZZ_TRUE='#'
+  ENABLE_FUZZ_FALSE=
+fi
+
+
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether uname(2) is POSIX" >&5
 $as_echo_n "checking whether uname(2) is POSIX... " >&6; }
@@ -29156,7 +29183,7 @@ else
     mspack_msg="External, $LIBMSPACK_CFLAGS $LIBMSPACK_LIBS"
 fi
 
-ac_config_files="$ac_config_files clamscan/Makefile database/Makefile docs/Makefile clamd/Makefile clamd/clamav-daemon.service clamd/clamav-daemon.socket clamdscan/Makefile clamsubmit/Makefile clamav-milter/Makefile freshclam/clamav-freshclam.service freshclam/Makefile sigtool/Makefile clamconf/Makefile etc/Makefile test/Makefile unit_tests/Makefile clamdtop/Makefile clambc/Makefile libfreshclam/Makefile Makefile clamav-config libclamav.pc platform.h docs/man/clamav-milter.8 docs/man/clamav-milter.conf.5 docs/man/clambc.1 docs/man/clamconf.1 docs/man/clamd.8 docs/man/clamd.conf.5 docs/man/clamdscan.1 docs/man/clamscan.1 docs/man/freshclam.1 docs/man/freshclam.conf.5 docs/man/sigtool.1 docs/man/clamdtop.1 docs/man/clamsubmit.1"
+ac_config_files="$ac_config_files clamscan/Makefile database/Makefile docs/Makefile clamd/Makefile clamd/clamav-daemon.service clamd/clamav-daemon.socket clamdscan/Makefile clamsubmit/Makefile clamav-milter/Makefile freshclam/clamav-freshclam.service freshclam/Makefile sigtool/Makefile clamconf/Makefile etc/Makefile test/Makefile unit_tests/Makefile fuzz/Makefile clamdtop/Makefile clambc/Makefile libfreshclam/Makefile Makefile clamav-config libclamav.pc platform.h docs/man/clamav-milter.8 docs/man/clamav-milter.conf.5 docs/man/clambc.1 docs/man/clamconf.1 docs/man/clamd.8 docs/man/clamd.conf.5 docs/man/clamdscan.1 docs/man/clamscan.1 docs/man/freshclam.1 docs/man/freshclam.conf.5 docs/man/sigtool.1 docs/man/clamdtop.1 docs/man/clamsubmit.1"
 
 
 cat >confcache <<\_ACEOF
@@ -29330,6 +29357,10 @@ if test -z "${VERSIONSCRIPT_TRUE}" && test -z "${VERSIONSCRIPT_FALSE}"; then
   as_fn_error $? "conditional \"VERSIONSCRIPT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${ENABLE_FUZZ_TRUE}" && test -z "${ENABLE_FUZZ_FALSE}"; then
+  as_fn_error $? "conditional \"ENABLE_FUZZ\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${HAVE_LIBCHECK_TRUE}" && test -z "${HAVE_LIBCHECK_FALSE}"; then
   as_fn_error $? "conditional \"HAVE_LIBCHECK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -30385,6 +30416,7 @@ do
     "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;;
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
     "unit_tests/Makefile") CONFIG_FILES="$CONFIG_FILES unit_tests/Makefile" ;;
+    "fuzz/Makefile") CONFIG_FILES="$CONFIG_FILES fuzz/Makefile" ;;
     "clamdtop/Makefile") CONFIG_FILES="$CONFIG_FILES clamdtop/Makefile" ;;
     "clambc/Makefile") CONFIG_FILES="$CONFIG_FILES clambc/Makefile" ;;
     "libfreshclam/Makefile") CONFIG_FILES="$CONFIG_FILES libfreshclam/Makefile" ;;
@@ -32197,6 +32229,10 @@ if test -z "${VERSIONSCRIPT_TRUE}" && test -z "${VERSIONSCRIPT_FALSE}"; then
   as_fn_error $? "conditional \"VERSIONSCRIPT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${ENABLE_FUZZ_TRUE}" && test -z "${ENABLE_FUZZ_FALSE}"; then
+  as_fn_error $? "conditional \"ENABLE_FUZZ\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${HAVE_LIBCHECK_TRUE}" && test -z "${HAVE_LIBCHECK_FALSE}"; then
   as_fn_error $? "conditional \"HAVE_LIBCHECK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -33269,6 +33305,7 @@ do
     "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;;
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
     "unit_tests/Makefile") CONFIG_FILES="$CONFIG_FILES unit_tests/Makefile" ;;
+    "fuzz/Makefile") CONFIG_FILES="$CONFIG_FILES fuzz/Makefile" ;;
     "clamdtop/Makefile") CONFIG_FILES="$CONFIG_FILES clamdtop/Makefile" ;;
     "clambc/Makefile") CONFIG_FILES="$CONFIG_FILES clambc/Makefile" ;;
     "libfreshclam/Makefile") CONFIG_FILES="$CONFIG_FILES libfreshclam/Makefile" ;;

configure.ac

@@ -78,6 +78,7 @@ fi
 build_configure_args=`echo "$ac_configure_args" | sed -e 's/[\"]//g'`
 AC_SUBST([BUILD_CONFIGURE_FLAGS], [$build_configure_args])
 
+m4_include([m4/reorganization/code_checks/fuzz.m4])
 m4_include([m4/reorganization/code_checks/functions.m4])
 m4_include([m4/reorganization/code_checks/mpool.m4])
 m4_include([m4/reorganization/code_checks/unit_tests.m4])
@@ -170,6 +171,7 @@ clamconf/Makefile
 etc/Makefile
 test/Makefile
 unit_tests/Makefile
+fuzz/Makefile
 clamdtop/Makefile
 clambc/Makefile
 libfreshclam/Makefile

database/Makefile.in

@@ -116,6 +116,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

docs/Makefile.in

@@ -116,6 +116,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

etc/Makefile.in

@@ -117,6 +117,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

freshclam/Makefile.in

@@ -121,6 +121,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

fuzz/Makefile.am

@@ -0,0 +1,189 @@
+# Process this file with automake to produce Makefile.in
+
+# By default, use our own standalone_fuzz_target_runner.
+# This runner does no fuzzing, but simply executes the inputs
+# provided via parameters.
+# Run e.g. "make all LIB_FUZZING_ENGINE=/path/to/libFuzzer.a"
+# to link the fuzzer(s) against a real fuzzing engine.
+#
+# OSS-Fuzz will define its own value for LIB_FUZZING_ENGINE.
+
+if ENABLE_FUZZ
+
+LIB_FUZZING_ENGINE ?= standalone_fuzz_target_runner.o
+
+AM_CPPFLAGS = \
+    -I$(top_srcdir) -I$(top_srcdir)/shared -I$(top_srcdir)/libclamav \
+    -std=c++11 -O2 -fno-omit-frame-pointer -g \
+    -fsanitize=address \
+    -fsanitize-coverage=edge,trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep
+
+AM_LDFLAGS = \
+    $(top_builddir)/libclamav/libclamav.la $(top_builddir)/libclamav/libclammspack.la \
+    -Wc,-fsanitize=address -Wl,-U,_LLVMFuzzerCustomMutator -Wl,-U,_LLVMFuzzerInitialize \
+    "-no-undefined"
+
+check_PROGRAMS = \
+	clamav_scanmap_fuzzer \
+	clamav_scanfile_fuzzer \
+	clamav_scanfile_fuzzer_ARCHIVE \
+	clamav_scanfile_fuzzer_MAIL \
+	clamav_scanfile_fuzzer_OLE2 \
+	clamav_scanfile_fuzzer_PDF \
+	clamav_scanfile_fuzzer_HTML \
+	clamav_scanfile_fuzzer_PE \
+	clamav_scanfile_fuzzer_ELF \
+	clamav_scanfile_fuzzer_SWF \
+	clamav_scanfile_fuzzer_XMLDOCS \
+	clamav_scanfile_fuzzer_HWP3 \
+	clamav_dbload_fuzzer_CDB \
+	clamav_dbload_fuzzer_CFG \
+	clamav_dbload_fuzzer_CRB \
+	clamav_dbload_fuzzer_FP \
+	clamav_dbload_fuzzer_FTM \
+	clamav_dbload_fuzzer_HDB \
+	clamav_dbload_fuzzer_HSB \
+	clamav_dbload_fuzzer_IDB \
+	clamav_dbload_fuzzer_IGN \
+	clamav_dbload_fuzzer_IGN2 \
+	clamav_dbload_fuzzer_LDB \
+	clamav_dbload_fuzzer_MDB \
+	clamav_dbload_fuzzer_MSB \
+	clamav_dbload_fuzzer_NDB \
+	clamav_dbload_fuzzer_PDB \
+	clamav_dbload_fuzzer_WDB \
+	clamav_dbload_fuzzer_YARA
+
+clamav_scanmap_fuzzer_SOURCES = clamav_scanmap_fuzzer.cpp
+clamav_scanmap_fuzzer_LDADD = $(LIB_FUZZING_ENGINE)
+
+clamav_scanfile_fuzzer_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_LDADD = $(LIB_FUZZING_ENGINE)
+
+clamav_scanfile_fuzzer_ARCHIVE_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_ARCHIVE_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_ARCHIVE_CPPFLAGS = -DCLAMAV_FUZZ_ARCHIVE $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_MAIL_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_MAIL_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_MAIL_CPPFLAGS = -DCLAMAV_FUZZ_MAIL $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_OLE2_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_OLE2_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_OLE2_CPPFLAGS = -DCLAMAV_FUZZ_OLE2 $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_PDF_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_PDF_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_PDF_CPPFLAGS = -DCLAMAV_FUZZ_PDF $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_HTML_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_HTML_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_HTML_CPPFLAGS = -DCLAMAV_FUZZ_HTML $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_PE_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_PE_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_PE_CPPFLAGS = -DCLAMAV_FUZZ_PE $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_ELF_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_ELF_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_ELF_CPPFLAGS = -DCLAMAV_FUZZ_ELF $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_SWF_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_SWF_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_SWF_CPPFLAGS = -DCLAMAV_FUZZ_SWF $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_XMLDOCS_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_XMLDOCS_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_XMLDOCS_CPPFLAGS = -DCLAMAV_FUZZ_XMLDOCS $(AM_CPPFLAGS)
+
+clamav_scanfile_fuzzer_HWP3_SOURCES = clamav_scanfile_fuzzer.cpp
+clamav_scanfile_fuzzer_HWP3_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_scanfile_fuzzer_HWP3_CPPFLAGS = -DCLAMAV_FUZZ_HWP3 $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_CDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_CDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_CDB_CPPFLAGS = -DCLAMAV_FUZZ_CDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_CFG_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_CFG_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_CFG_CPPFLAGS = -DCLAMAV_FUZZ_CFG $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_CRB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_CRB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_CRB_CPPFLAGS = -DCLAMAV_FUZZ_CRB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_FP_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_FP_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_FP_CPPFLAGS = -DCLAMAV_FUZZ_FP $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_FTM_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_FTM_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_FTM_CPPFLAGS = -DCLAMAV_FUZZ_FTM $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_HDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_HDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_HDB_CPPFLAGS = -DCLAMAV_FUZZ_HDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_HSB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_HSB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_HSB_CPPFLAGS = -DCLAMAV_FUZZ_HSB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_IDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_IDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_IDB_CPPFLAGS = -DCLAMAV_FUZZ_IDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_IGN_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_IGN_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_IGN_CPPFLAGS = -DCLAMAV_FUZZ_IGN $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_IGN2_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_IGN2_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_IGN2_CPPFLAGS = -DCLAMAV_FUZZ_IGN2 $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_LDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_LDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_LDB_CPPFLAGS = -DCLAMAV_FUZZ_LDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_MDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_MDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_MDB_CPPFLAGS = -DCLAMAV_FUZZ_MDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_MSB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_MSB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_MSB_CPPFLAGS = -DCLAMAV_FUZZ_MSB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_NDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_NDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_NDB_CPPFLAGS = -DCLAMAV_FUZZ_NDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_PDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_PDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_PDB_CPPFLAGS = -DCLAMAV_FUZZ_PDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_WDB_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_WDB_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_WDB_CPPFLAGS = -DCLAMAV_FUZZ_WDB $(AM_CPPFLAGS)
+
+clamav_dbload_fuzzer_YARA_SOURCES = clamav_dbload_fuzzer.cpp
+clamav_dbload_fuzzer_YARA_LDADD = $(LIB_FUZZING_ENGINE)
+clamav_dbload_fuzzer_YARA_CPPFLAGS = -DCLAMAV_FUZZ_YARA $(AM_CPPFLAGS)
+
+check: $(LIB_FUZZING_ENGINE)
+	for type in ARCHIVE MAIL OLE2 PDF HTML PE ELF SWF XMLDOCS HWP3 ; do \
+	    builddir="$(builddir)" $(srcdir)/run_fuzzer_tests.py -f clamav_scanmap_fuzzer -c $(top_srcdir)/../clamav-fuzz-corpus/scantype/$$type ; \
+	done
+	for type in ARCHIVE MAIL OLE2 PDF HTML PE ELF SWF XMLDOCS HWP3 ; do \
+	    builddir="$(builddir)" $(srcdir)/run_fuzzer_tests.py -f clamav_scanfile_fuzzer_$$type -c $(top_srcdir)/../clamav-fuzz-corpus/scantype/$$type ; \
+	done
+	for type in CDB CFG CRB FP FTM HDB HSB IDB IGN IGN2 LDB MDB MSB NDB PDB WDB YARA ; do \
+	    builddir="$(builddir)" $(srcdir)/run_fuzzer_tests.py -f clamav_dbload_fuzzer_$$type -c $(top_srcdir)/../clamav-fuzz-corpus/database/$$type ; \
+	done
+
+else
+
+check:
+	@echo "Building fuzz targets is not enabled"
+	@echo "Use: ./configure --enable-fuzz --with-libjson=no --with-pcre=no --enable-static=yes --enable-shared=no --disable-llvm"
+	@exit 1
+
+endif

fuzz/README.md

@@ -0,0 +1,20 @@
+# OSS-Fuzz
+
+ClamAV has chosen to integrate with [oss-fuzz](https://github.com/google/oss-fuzz).
+
+What this means is that this repository includes:
+
+- Fuzz targets:
+  - A function to which we apply fuzzing.
+  - For ClamAV, clamav_scanfile_fuzzer.cc may be compiled with specific macros defined to produce multiple fuzz targets.
+  - Additional fuzz targets may be added to fuzz other ClamAV inputs.
+  
+- Seed corpora:
+  - A set of minimal test inputs that generate maximal code coverage.
+  - Each ClamAV fuzz target has a seed corpus located under: fuzz/corpus/<target>
+
+- Fuzzing dictionaries:
+  - A simple dictionary of tokens used by the input language. This can have a dramatic positive effect on fuzzing efficiency. For example, when fuzzing an XML parser, a dictionary of XML tokens will help.
+  - Some ClamAV fuzz targets have a dictionary located under: fuzz/dictionaries/<target>.dict
+
+For more information on how this is set up, see: [ideal OSS-Fuzz integration](https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md)

fuzz/clamav_dbload_fuzzer.cpp

@@ -0,0 +1,137 @@
+/*
+ * Fuzz target for cl_load()
+ *
+ * Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ * Authors: Micah Snyder
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its contributors
+ * may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory>
+
+#include "clamav.h"
+
+void clamav_message_callback(enum cl_msg severity, const char* fullmsg,
+                             const char* msg, void* context)
+{
+}
+
+class ClamAVState
+{
+  public:
+    ClamAVState()
+    {
+        // Silence all the log messages, none of them are meaningful.
+        cl_set_clcb_msg(clamav_message_callback);
+
+        cl_init(CL_INIT_DEFAULT);
+        engine = cl_engine_new();
+        cl_engine_compile(engine);
+
+        tmp_db_name = NULL;
+    }
+
+    ~ClamAVState()
+    {
+        cl_engine_free(engine);
+
+        if (NULL != tmp_db_name) {
+            unlink(tmp_db_name);
+        }
+    }
+
+    struct cl_engine* engine;
+    const char* tmp_db_name;
+};
+
+// Global with static initializer to setup an engine so we don't need to do
+// that on each execution.
+ClamAVState kClamAVState;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    unsigned int sigs = 0;
+    FILE* fuzzdb      = NULL;
+
+    unsigned int dboptions =
+        CL_DB_PHISHING | CL_DB_PHISHING_URLS |
+        CL_DB_BYTECODE | CL_DB_BYTECODE_UNSIGNED |
+        CL_DB_PUA | CL_DB_ENHANCED;
+
+#if defined(CLAMAV_FUZZ_CDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.cdb";
+#elif defined(CLAMAV_FUZZ_CFG)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.cfg";
+#elif defined(CLAMAV_FUZZ_CRB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.crb";
+#elif defined(CLAMAV_FUZZ_FP)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.fp";
+#elif defined(CLAMAV_FUZZ_FTM)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.ftm";
+#elif defined(CLAMAV_FUZZ_HDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.hdb";
+#elif defined(CLAMAV_FUZZ_HSB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.hsb";
+#elif defined(CLAMAV_FUZZ_IDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.idb";
+#elif defined(CLAMAV_FUZZ_IGN)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.ign";
+#elif defined(CLAMAV_FUZZ_IGN2)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.ign2";
+#elif defined(CLAMAV_FUZZ_LDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.ldb";
+#elif defined(CLAMAV_FUZZ_MDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.mdb";
+#elif defined(CLAMAV_FUZZ_MSB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.msb";
+#elif defined(CLAMAV_FUZZ_NDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.ndb";
+#elif defined(CLAMAV_FUZZ_PDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.pdb";
+#elif defined(CLAMAV_FUZZ_WDB)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.wdb";
+#elif defined(CLAMAV_FUZZ_YARA)
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz.yara";
+#else
+    kClamAVState.tmp_db_name = "dbload_tmp_fuzz";
+#endif
+
+    fuzzdb = fopen(kClamAVState.tmp_db_name, "w");
+    fwrite(data, size, 1, fuzzdb);
+    fclose(fuzzdb);
+
+    cl_load(
+        kClamAVState.tmp_db_name,
+        kClamAVState.engine,
+        &sigs,
+        dboptions);
+
+    return 0;
+}

fuzz/clamav_scanfile_fuzzer.cpp

@@ -0,0 +1,135 @@
+/*
+ * Fuzz target for cl_scanfile()
+ *
+ * Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ * Authors: Micah Snyder, Alex Gaynor
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its contributors
+ * may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory>
+
+#include "clamav.h"
+
+void clamav_message_callback(enum cl_msg severity, const char* fullmsg,
+                             const char* msg, void* context)
+{
+}
+
+class ClamAVState
+{
+  public:
+    ClamAVState()
+    {
+        // Silence all the log messages, none of them are meaningful.
+        cl_set_clcb_msg(clamav_message_callback);
+
+        cl_init(CL_INIT_DEFAULT);
+        engine = cl_engine_new();
+        cl_engine_compile(engine);
+
+        tmp_file_name = NULL;
+    }
+
+    ~ClamAVState()
+    {
+        cl_engine_free(engine);
+
+        if (NULL != tmp_file_name) {
+            unlink(tmp_file_name);
+        }
+    }
+
+    struct cl_engine* engine;
+    const char* tmp_file_name;
+};
+
+// Global with static initializer to setup an engine so we don't need to do
+// that on each execution.
+ClamAVState kClamAVState;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    FILE* fuzzfile                  = NULL;
+    struct cl_scan_options scanopts = {0};
+
+    memset(&scanopts, 0, sizeof(struct cl_scan_options));
+
+#if defined(CLAMAV_FUZZ_ARCHIVE)
+    kClamAVState.tmp_file_name = "tmp.scanfile.archive";
+    scanopts.parse |= CL_SCAN_PARSE_ARCHIVE;
+#elif defined(CLAMAV_FUZZ_MAIL)
+    kClamAVState.tmp_file_name = "tmp.scanfile.eml";
+    scanopts.parse |= CL_SCAN_PARSE_MAIL;
+#elif defined(CLAMAV_FUZZ_OLE2)
+    kClamAVState.tmp_file_name = "tmp.scanfile.ole2";
+    scanopts.parse |= CL_SCAN_PARSE_OLE2;
+#elif defined(CLAMAV_FUZZ_PDF)
+    kClamAVState.tmp_file_name = "tmp.scanfile.pdf";
+    scanopts.parse |= CL_SCAN_PARSE_PDF;
+#elif defined(CLAMAV_FUZZ_HTML)
+    kClamAVState.tmp_file_name = "tmp.scanfile.html";
+    scanopts.parse |= CL_SCAN_PARSE_HTML;
+#elif defined(CLAMAV_FUZZ_PE)
+    kClamAVState.tmp_file_name = "tmp.scanfile.pe";
+    scanopts.parse |= CL_SCAN_PARSE_PE;
+#elif defined(CLAMAV_FUZZ_ELF)
+    kClamAVState.tmp_file_name = "tmp.scanfile.elf";
+    scanopts.parse |= CL_SCAN_PARSE_ELF;
+#elif defined(CLAMAV_FUZZ_SWF)
+    kClamAVState.tmp_file_name = "tmp.scanfile.swf";
+    scanopts.parse |= CL_SCAN_PARSE_SWF;
+#elif defined(CLAMAV_FUZZ_XMLDOCS)
+    kClamAVState.tmp_file_name = "tmp.scanfile.docx";
+    scanopts.parse |= CL_SCAN_PARSE_XMLDOCS;
+#elif defined(CLAMAV_FUZZ_HWP3)
+    kClamAVState.tmp_file_name = "tmp.scanfile.hwp";
+    scanopts.parse |= CL_SCAN_PARSE_HWP3;
+#else
+    kClamAVState.tmp_file_name = "tmp.scanfile";
+    scanopts.parse |= ~(0);
+#endif
+    scanopts.general |= CL_SCAN_GENERAL_HEURISTICS;
+
+    fuzzfile = fopen(kClamAVState.tmp_file_name, "w");
+    fwrite(data, size, 1, fuzzfile);
+    fclose(fuzzfile);
+
+    const char* virus_name = nullptr;
+    unsigned long scanned  = 0;
+    cl_scanfile(
+        kClamAVState.tmp_file_name,
+        &virus_name,
+        &scanned,
+        kClamAVState.engine,
+        &scanopts);
+
+    return 0;
+}

fuzz/clamav_scanmap_fuzzer.cpp

@@ -0,0 +1,117 @@
+/*
+ * Fuzz target for cl_scanmap_callback()
+ *
+ * Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ * Authors: Micah Snyder, Alex Gaynor
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its contributors
+ * may be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <memory>
+
+#include "clamav.h"
+
+
+void clamav_message_callback(enum cl_msg severity, const char *fullmsg,
+                             const char *msg, void *context) {
+}
+
+class ClamAVState {
+public:
+    ClamAVState() {
+        // Silence all the log messages, none of them are meaningful.
+        cl_set_clcb_msg(clamav_message_callback);
+
+        cl_init(CL_INIT_DEFAULT);
+        engine = cl_engine_new();
+        cl_engine_compile(engine);
+    }
+
+    ~ClamAVState() {
+        cl_engine_free(engine);
+    }
+
+    struct cl_engine *engine;
+};
+
+// Global with static initializer to setup an engine so we don't need to do
+// that on each execution.
+ClamAVState kClamAVState;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    
+    struct cl_scan_options scanopts = {0};
+    
+    cl_fmap_t *clamav_data = cl_fmap_open_memory(data, size);
+
+    memset(&scanopts, 0, sizeof(struct cl_scan_options));
+
+    scanopts.parse |= 
+#if defined(CLAMAV_FUZZ_ARCHIVE)
+        CL_SCAN_PARSE_ARCHIVE;
+#elif defined(CLAMAV_FUZZ_MAIL)
+        CL_SCAN_PARSE_MAIL;
+#elif defined(CLAMAV_FUZZ_OLE2)
+        CL_SCAN_PARSE_OLE2;
+#elif defined(CLAMAV_FUZZ_PDF)
+        CL_SCAN_PARSE_PDF;
+#elif defined(CLAMAV_FUZZ_HTML)
+        CL_SCAN_PARSE_HTML;
+#elif defined(CLAMAV_FUZZ_PE)
+        CL_SCAN_PARSE_PE;
+#elif defined(CLAMAV_FUZZ_ELF)
+        CL_SCAN_PARSE_ELF;
+#elif defined(CLAMAV_FUZZ_SWF)
+        CL_SCAN_PARSE_SWF;
+#elif defined(CLAMAV_FUZZ_XMLDOCS)
+        CL_SCAN_PARSE_XMLDOCS;
+#elif defined(CLAMAV_FUZZ_HWP3)
+        CL_SCAN_PARSE_HWP3;
+#else
+        ~(0);
+#endif
+
+    scanopts.general |= CL_SCAN_GENERAL_HEURISTICS;
+
+    const char *virus_name = nullptr;
+    unsigned long scanned = 0;
+    cl_scanmap_callback(
+        clamav_data,
+        NULL,
+        &virus_name,
+        &scanned,
+        kClamAVState.engine,
+        &scanopts,
+        nullptr
+    );
+
+    cl_fmap_close(clamav_data);
+
+    return 0;
+}

fuzz/run_fuzzer_tests.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+# Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+
+'''
+This script is a convenience tool to run a standalone fuzz target against each
+item in its associated fuzz corpus.
+'''
+
+from __future__ import print_function, division, absolute_import
+
+import argparse
+import os
+import subprocess
+import sys
+import tempfile
+import threading
+
+def which(program):
+    '''
+    Implements bash "which" feature.
+    Find the full path to a program located in the PATH.
+
+    https://stackoverflow.com/a/377028
+    '''
+    def is_exe(fpath):
+        return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
+
+    fpath, _ = os.path.split(program)
+    if fpath:
+        if is_exe(program):
+            return program
+    else:
+        for path in os.environ["PATH"].split(os.pathsep):
+            exe_file = os.path.join(path, program)
+            if is_exe(exe_file):
+                return exe_file
+
+    return None
+
+def cmd(command):
+    '''
+    Run a command in a subprocess.
+
+    https://stackoverflow.com/a/4408409
+    https://stackoverflow.com/a/10012262
+    '''
+    with tempfile.TemporaryFile() as tempf:
+        p = subprocess.Popen(command, stderr=tempf)
+        is_killed = {'value': False}
+
+        def timeout(p, is_killed):
+            is_killed['value'] = True
+            p.kill()
+
+        timer = threading.Timer(2, timeout, [p, is_killed])
+
+        try:
+            timer.start()
+            p.wait()
+            tempf.seek(0)
+            text = tempf.read().decode("utf-8").strip()
+            returncode = p.returncode
+        finally:
+            timer.cancel()
+
+        if is_killed['value']:
+            text = 'error: timeout, ' + text
+            returncode = 1
+
+        return text, returncode
+
+def run_test(fuzzer, corpus_path):
+    '''
+    Test a standalone fuzz target with each item from the fuzz corpus.
+    '''
+    builddir = os.environ.get("builddir", ".")
+    fuzz_target = os.path.join(builddir, fuzzer)
+
+    print("Fuzz Target:  {fuzzer}".format(fuzzer=fuzzer))
+    print("Corpus Path:  {corpus_path}".format(corpus_path=corpus_path))
+
+    if not os.path.exists(fuzz_target):
+        print("Failed to find fuzz target: {binary}!".format(binary=fuzz_target))
+        sys.exit(1)
+
+    failures = 0
+
+    valgrind = None
+    if os.environ.get('VG', ''):
+        valgrind = which('valgrind')
+
+    for fname in os.listdir(corpus_path):
+        seedpath = os.path.join(corpus_path, fname)
+
+        text, returncode = cmd([fuzz_target, seedpath])
+        if text.strip():
+            print(text)
+
+        failed = False
+        if returncode != 0 or 'error' in text:
+            print('failure on %s' % fname)
+            failed = True
+
+        if valgrind:
+            text, returncode = cmd(
+                [valgrind, '--error-exitcode=1', fuzz_target, seedpath])
+            if returncode:
+                print(text)
+                print('failure on %s' % fname)
+                failed = True
+
+        if failed:
+            failures = failures + 1
+
+    if failures:
+        print("%i scanfile fuzzer related tests failed." % failures)
+        sys.exit(1)
+
+def main():
+    '''
+    Get command line options to support this tool.
+    '''
+    parser = argparse.ArgumentParser(description=__doc__)
+
+    parser.add_argument(
+        '-f',
+        '--fuzzer',
+        required=True,
+        help="The fuzz target to test.")
+    parser.add_argument(
+        '-c',
+        '--corpus',
+        required=True,
+        help="Path of the fuzz corpus.")
+
+    args = parser.parse_args()
+
+    run_test(args.fuzzer, args.corpus)
+
+if __name__ == '__main__':
+    main()

fuzz/standalone_fuzz_target_runner.cpp

@@ -0,0 +1,35 @@
+// Copyright 2017 Google Inc. All Rights Reserved.
+// Licensed under the Apache License, Version 2.0 (the "License");
+
+// Example of a standalone runner for "fuzz targets".
+// It reads all files passed as parameters and feeds their contents
+// one by one into the fuzz target (LLVMFuzzerTestOneInput).
+// This runner does not do any fuzzing, but allows us to run the fuzz target
+// on the test corpus (e.g. "do_stuff_test_data") or on a single file,
+// e.g. the one that comes from a bug report.
+
+#include <cassert>
+#include <iostream>
+#include <fstream>
+#include <vector>
+
+// Forward declare the "fuzz target" interface.
+// We deliberately keep this inteface simple and header-free.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int main(int argc, char **argv) {
+  for (int i = 1; i < argc; i++) {
+    std::ifstream in(argv[i]);
+    in.seekg(0, in.end);
+    size_t length = in.tellg();
+    in.seekg (0, in.beg);
+    std::cout << "Reading " << length << " bytes from " << argv[i] << std::endl;
+    // Allocate exactly length bytes so that we reliably catch buffer overflows.
+    std::vector<char> bytes(length);
+    in.read(bytes.data(), bytes.size());
+    assert(in);
+    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(bytes.data()),
+                           bytes.size());
+    std::cout << "Execution successful" << std::endl;
+  }
+}

libclamav/Makefile.in

@@ -147,6 +147,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

libfreshclam/Makefile.in

@@ -117,6 +117,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

libltdl/Makefile.in

@@ -106,6 +106,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

m4/reorganization/code_checks/fts.m4

@@ -1,5 +1,5 @@
 AC_MSG_CHECKING([LFS safe fts implementation])
-AC_COMPILE_IFELSE( [
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([
 #include <fts.h>
 
 int main(void) {
@@ -7,7 +7,7 @@ int main(void) {
 
     return 0;
 }
-],
+])],
 [have_LFS_fts=yes],
 [have_LFS_fts=no],
 [have_LFS_fts=no]

m4/reorganization/code_checks/fuzz.m4

@@ -0,0 +1,13 @@
+AC_ARG_ENABLE(fuzz,
+	      AC_HELP_STRING([--enable-fuzz],
+			     [enable building standalone fuzz targets
+			      @<:@default=no@:>@]),
+[enable_cov=$enableval],[enable_cov="no"])
+
+# if test "x$enable_fuzz" = "xyes"; then
+#     CPPFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=edge,trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep $CPPFLAGS"
+#     CFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=edge,trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep $CFLAGS"
+# #	LDFLAGS="-Wl,-Bstatic -lssl -lcrypto -lz -Wl,-Bdynamic -lc -lpthread -ldl $LDFLAGS"
+# fi
+
+AM_CONDITIONAL(ENABLE_FUZZ, test "x$enable_fuzz" = "xyes")

sigtool/Makefile.in

@@ -118,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

test/Makefile.in

@@ -99,6 +99,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

unit_tests/Makefile.in

@@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \