From d6135207701a2b5e26953e3c21d9ceb0401d9d98 Mon Sep 17 00:00:00 2001
From: Segwaz <chloe.cano@axeinos.co>
Date: Sat, 14 Dec 2024 16:16:44 +0000
Subject: [PATCH 1/3] libwebsockets - html and http headers parsing fuzz
 targets

---
 projects/libwebsockets/Dockerfile             |  11 ++
 projects/libwebsockets/build.sh               |  39 ++++-
 projects/libwebsockets/lws_lhs_fuzzer.cpp     |  87 ++++++++++
 projects/libwebsockets/lws_lhs_fuzzer.dict    | 160 ++++++++++++++++++
 .../lws_lhs_fuzzer_seed_corpus.zip            | Bin 0 -> 1721 bytes
 projects/libwebsockets/lws_parse_fuzzer.cpp   | 109 ++++++++++++
 projects/libwebsockets/lws_parse_fuzzer.dict  | 119 +++++++++++++
 .../lws_parse_fuzzer_seed_corpus.zip          | Bin 0 -> 248 bytes
 .../libwebsockets/lws_parse_uri_fuzzer.cpp    |  37 ++++
 9 files changed, 557 insertions(+), 5 deletions(-)
 create mode 100644 projects/libwebsockets/lws_lhs_fuzzer.cpp
 create mode 100644 projects/libwebsockets/lws_lhs_fuzzer.dict
 create mode 100644 projects/libwebsockets/lws_lhs_fuzzer_seed_corpus.zip
 create mode 100644 projects/libwebsockets/lws_parse_fuzzer.cpp
 create mode 100644 projects/libwebsockets/lws_parse_fuzzer.dict
 create mode 100644 projects/libwebsockets/lws_parse_fuzzer_seed_corpus.zip
 create mode 100644 projects/libwebsockets/lws_parse_uri_fuzzer.cpp

diff --git a/projects/libwebsockets/Dockerfile b/projects/libwebsockets/Dockerfile
index f69b308c1c37..848bf9058522 100644
--- a/projects/libwebsockets/Dockerfile
+++ b/projects/libwebsockets/Dockerfile
@@ -19,5 +19,16 @@ RUN apt-get update && apt-get install -y libssl-dev
 
 RUN git clone --depth 1 https://github.com/warmcat/libwebsockets.git
 COPY build.sh $SRC
+
 COPY lws_upng_inflate_fuzzer.cpp $SRC/libwebsockets/
+COPY lws_lhs_fuzzer.cpp $SRC/libwebsockets/
+COPY lws_parse_uri_fuzzer.cpp $SRC/libwebsockets/
+COPY lws_parse_fuzzer.cpp $SRC/libwebsockets/
+
+COPY lws_lhs_fuzzer.dict $OUT
+COPY lws_parse_fuzzer.dict $OUT
+
+COPY lws_lhs_fuzzer_seed_corpus.zip $OUT
+COPY lws_parse_fuzzer_seed_corpus.zip $OUT
+
 WORKDIR $SRC/libwebsockets
diff --git a/projects/libwebsockets/build.sh b/projects/libwebsockets/build.sh
index 4dd34520c5cd..b66e3083ce3c 100755
--- a/projects/libwebsockets/build.sh
+++ b/projects/libwebsockets/build.sh
@@ -21,11 +21,40 @@ cd $DIR
 sed -i 's/-Werror//g' ./CMakeLists.txt
 mkdir build && cd build
 cmake -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" \
-      -DCMAKE_EXE_LINKER_FLAGS="$CFLAGS" -DCMAKE_SHARED_LINKER_FLAGS="$CFLAGS" ..
+      -DCMAKE_EXE_LINKER_FLAGS="$CFLAGS" -DCMAKE_SHARED_LINKER_FLAGS="$CFLAGS" \
+      -DLWS_WITH_CUSTOM_HEADERS=ON \
+      -DLWS_ROLE_WS=ON \
+      ..
 make -j8
 
 cd $DIR
-$CXX $CFLAGS $LIB_FUZZING_ENGINE -I$DIR/build/include \
-	-o $OUT/lws_upng_inflate_fuzzer lws_upng_inflate_fuzzer.cpp \
-	-L$DIR/build/lib -l:libwebsockets.a \
-	-L/usr/lib/x86_64-linux-gnu/ -l:libssl.so -l:libcrypto.so
+
+INCLUDE_DIRS="-I$DIR/build/include \
+	-I$DIR/build \
+	-I$DIR/lib/core/ \
+	-I$DIR/lib/plat/unix -I$DIR/lib/tls/ \
+	-I$DIR/lib/secure-streams/ \
+	-I$DIR/lib/event-libs/ \
+	-I$DIR/lib/system/smd \
+	-I$DIR/lib/system/metrics/ \
+	-I$DIR/lib/core-net \
+	-I$DIR/lib/roles \
+	-I$DIR/lib/roles/http \
+	-I$DIR/lib/roles/h1 \
+	-I$DIR/lib/roles/h2 \
+	-I$DIR/lib/roles/ws"
+
+FUZZER_SRCS=(
+    "lws_lhs_fuzzer.cpp"
+    "lws_upng_inflate_fuzzer.cpp"
+    "lws_parse_uri_fuzzer.cpp"
+    "lws_parse_fuzzer.cpp"
+)
+
+for FUZZER in "${FUZZER_SRCS[@]}"; do
+    FUZZER_NAME=$(basename "$FUZZER" .cpp)
+    $CXX $CFLAGS $LIB_FUZZING_ENGINE $INCLUDE_DIRS \
+        -o "$OUT/$FUZZER_NAME" $FUZZER \
+        -L"$DIR/build/lib" -l:libwebsockets.a \
+        -L/usr/lib/x86_64-linux-gnu/ -l:libssl.so -l:libcrypto.so
+done
diff --git a/projects/libwebsockets/lws_lhs_fuzzer.cpp b/projects/libwebsockets/lws_lhs_fuzzer.cpp
new file mode 100644
index 000000000000..6d157eec98bc
--- /dev/null
+++ b/projects/libwebsockets/lws_lhs_fuzzer.cpp
@@ -0,0 +1,87 @@
+/* Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##############################################################################*/
+
+#include <stdlib.h>
+#include "libwebsockets.h"
+
+static unsigned int m, step;
+
+static int
+dump_atr(lws_dll2_t *d, void *user)
+{
+	lws_container_of(d, lhp_atr_t, list);
+	//lhp_atr_t *atr = lws_container_of(d, lhp_atr_t, list);
+	//const char *p = (const char *)&atr[1];
+
+	//printf("{ \"%.*s\", \"%.*s\" }, ",
+	//	    (int)atr->name_len, p, (int)atr->value_len, p + atr->name_len + 1);
+
+	return 0;
+}
+
+static lws_stateful_ret_t
+test_cb(lhp_ctx_t *ctx, char reason)
+{
+	lhp_pstack_t *ps = lws_container_of(ctx->stack.tail, lhp_pstack_t, list);
+	if (reason == LHPCB_ELEMENT_START || reason == LHPCB_ELEMENT_END) {
+		lws_dll2_foreach_safe(&ps->atr, NULL, dump_atr);
+		lws_css_cascade_get_prop_atr(ctx, LCSP_PROP_DISPLAY);
+		lws_css_cascade_get_prop_atr(ctx, LCSP_PROP_COLOR);
+		lws_css_cascade_get_prop_atr(ctx, LCSP_PROP_FONT_SIZE);
+		lws_css_cascade_get_prop_atr(ctx, LCSP_PROP_FONT_FAMILY);
+	}
+	return (lws_stateful_ret_t)0;
+}
+
+static const lws_surface_info_t ic = {
+	.wh_px = { { 600,0 },       { 448,0 } },
+	.wh_mm = { { 114,5000000 }, {  82,5000000 } },
+};
+
+static lws_displaylist_t displaylist;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, uint32_t size) {
+	struct lws_context_creation_info info = {0};
+	struct lws_context *cx = NULL;
+	lhp_ctx_t ctx;
+	lws_dl_rend_t drt;
+	size_t ssize;
+	const uint8_t *sdata;
+
+	if (!size)
+	  return (0);
+	memset(&ctx, 0, sizeof(ctx));
+	drt.dl = &displaylist;
+	drt.w = ic.wh_px[0].whole;
+	drt.h = ic.wh_px[1].whole;
+	if (lws_lhp_construct(&ctx, test_cb, &drt, &ic))
+		return (-1);
+
+	lws_context_info_defaults(&info, NULL);
+	if (!(cx = lws_create_context(&info)))
+	  return (0);
+	ctx.user1 = (uint8_t *)cx;
+
+	ctx.flags = LHP_FLAG_DOCUMENT_END;
+	if (!(ctx.base_url = strdup("")))
+		return (-1);
+	ssize = (size_t)size;
+	sdata = data;
+	lws_lhp_parse(&ctx, &sdata, &ssize);
+	lws_lhp_destruct(&ctx);
+	lws_context_destroy(cx);
+	return (0);
+}
diff --git a/projects/libwebsockets/lws_lhs_fuzzer.dict b/projects/libwebsockets/lws_lhs_fuzzer.dict
new file mode 100644
index 000000000000..2805de90f990
--- /dev/null
+++ b/projects/libwebsockets/lws_lhs_fuzzer.dict
@@ -0,0 +1,160 @@
+#
+# AFL dictionary for HTML parsers (tags only)
+# -------------------------------------------
+#
+# A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
+# include any attributes or attribute values.
+#
+# Created by Michal Zalewski
+#
+
+tag_a="<a>"
+tag_abbr="<abbr>"
+tag_acronym="<acronym>"
+tag_address="<address>"
+tag_annotation_xml="<annotation-xml>"
+tag_applet="<applet>"
+tag_area="<area>"
+tag_article="<article>"
+tag_aside="<aside>"
+tag_audio="<audio>"
+tag_b="<b>"
+tag_base="<base>"
+tag_basefont="<basefont>"
+tag_bdi="<bdi>"
+tag_bdo="<bdo>"
+tag_bgsound="<bgsound>"
+tag_big="<big>"
+tag_blink="<blink>"
+tag_blockquote="<blockquote>"
+tag_body="<body>"
+tag_br="<br>"
+tag_button="<button>"
+tag_canvas="<canvas>"
+tag_caption="<caption>"
+tag_center="<center>"
+tag_cite="<cite>"
+tag_code="<code>"
+tag_col="<col>"
+tag_colgroup="<colgroup>"
+tag_data="<data>"
+tag_datalist="<datalist>"
+tag_dd="<dd>"
+tag_del="<del>"
+tag_desc="<desc>"
+tag_details="<details>"
+tag_dfn="<dfn>"
+tag_dir="<dir>"
+tag_div="<div>"
+tag_dl="<dl>"
+tag_dt="<dt>"
+tag_em="<em>"
+tag_embed="<embed>"
+tag_fieldset="<fieldset>"
+tag_figcaption="<figcaption>"
+tag_figure="<figure>"
+tag_font="<font>"
+tag_footer="<footer>"
+tag_foreignobject="<foreignobject>"
+tag_form="<form>"
+tag_frame="<frame>"
+tag_frameset="<frameset>"
+tag_h1="<h1>"
+tag_h2="<h2>"
+tag_h3="<h3>"
+tag_h4="<h4>"
+tag_h5="<h5>"
+tag_h6="<h6>"
+tag_head="<head>"
+tag_header="<header>"
+tag_hgroup="<hgroup>"
+tag_hr="<hr>"
+tag_html="<html>"
+tag_i="<i>"
+tag_iframe="<iframe>"
+tag_image="<image>"
+tag_img="<img>"
+tag_input="<input>"
+tag_ins="<ins>"
+tag_isindex="<isindex>"
+tag_kbd="<kbd>"
+tag_keygen="<keygen>"
+tag_label="<label>"
+tag_legend="<legend>"
+tag_li="<li>"
+tag_link="<link>"
+tag_listing="<listing>"
+tag_main="<main>"
+tag_malignmark="<malignmark>"
+tag_map="<map>"
+tag_mark="<mark>"
+tag_marquee="<marquee>"
+tag_math="<math>"
+tag_menu="<menu>"
+tag_menuitem="<menuitem>"
+tag_meta="<meta>"
+tag_meter="<meter>"
+tag_mglyph="<mglyph>"
+tag_mi="<mi>"
+tag_mn="<mn>"
+tag_mo="<mo>"
+tag_ms="<ms>"
+tag_mtext="<mtext>"
+tag_multicol="<multicol>"
+tag_nav="<nav>"
+tag_nextid="<nextid>"
+tag_nobr="<nobr>"
+tag_noembed="<noembed>"
+tag_noframes="<noframes>"
+tag_noscript="<noscript>"
+tag_object="<object>"
+tag_ol="<ol>"
+tag_optgroup="<optgroup>"
+tag_option="<option>"
+tag_output="<output>"
+tag_p="<p>"
+tag_param="<param>"
+tag_plaintext="<plaintext>"
+tag_pre="<pre>"
+tag_progress="<progress>"
+tag_q="<q>"
+tag_rb="<rb>"
+tag_rp="<rp>"
+tag_rt="<rt>"
+tag_rtc="<rtc>"
+tag_ruby="<ruby>"
+tag_s="<s>"
+tag_samp="<samp>"
+tag_script="<script>"
+tag_section="<section>"
+tag_select="<select>"
+tag_small="<small>"
+tag_source="<source>"
+tag_spacer="<spacer>"
+tag_span="<span>"
+tag_strike="<strike>"
+tag_strong="<strong>"
+tag_style="<style>"
+tag_sub="<sub>"
+tag_summary="<summary>"
+tag_sup="<sup>"
+tag_svg="<svg>"
+tag_table="<table>"
+tag_tbody="<tbody>"
+tag_td="<td>"
+tag_template="<template>"
+tag_textarea="<textarea>"
+tag_tfoot="<tfoot>"
+tag_th="<th>"
+tag_thead="<thead>"
+tag_time="<time>"
+tag_title="<title>"
+tag_tr="<tr>"
+tag_track="<track>"
+tag_tt="<tt>"
+tag_u="<u>"
+tag_ul="<ul>"
+tag_var="<var>"
+tag_video="<video>"
+tag_wbr="<wbr>"
+tag_xmp="<xmp>"
diff --git a/projects/libwebsockets/lws_lhs_fuzzer_seed_corpus.zip b/projects/libwebsockets/lws_lhs_fuzzer_seed_corpus.zip
new file mode 100644
index 0000000000000000000000000000000000000000..b44d3c76e6f1c3f5a829f1875c6bb63155557dd6
GIT binary patch
literal 1721
zcmWIWW@h1H00EB;AH%>5C?U-t!;n*69G{a>9G_NNRh3#4U!0nn5}%x3R8U&19~#2R
zz?`vbYl{B9ttq7y+zgB?FPIq^z(fGhP!XUp9AHBgmd>bZWMp9IVPasA$8TsxNp23@
z;CVp9(G1QFx}A61fT#9*_y)ZV?M&+)uZiG_Hr%ki)+Iirv#;f4lE;}zIXCwAZ@ZP~
z{5$DlyUiZiE^ArQyJ9TP_j;$^kV_1B6*xh)U0Jf_tWYjvi~FPnJwB2zBj#u3&3hfV
zrPai>R@!x$w0jtX!n;{)A?Fq>`Yy2|(`-jAgQU`PzyDSb7sk%b=KH}~{NzJUeG>oO
z=})ah5~khT70oY|URlPnKfG<5y`56VY;kqV8*J&!W|O;LRVU7PSAXdF-`!mLriq{Q
zOBH?cKZ<WrceX8m`Q^ae-7~6o%rD<9^u3}pGrPX?=A_<*?3PbooNHl@S)+FO@W0CK
zVZ|23^YS(adq&mW<NXx&RDu7p<6g0#NjuKmmz;a{N`#aBhWIV(g*Yzv-j9%!_R|SG
z-tblZgs1FlnMlvWeaBVjWPMu`9pd+_X3c4Vn8uIm4dyl*38ZrvR=#xbQ9iwVyJ$z5
z6zBRQ)@(bu0&92ee^(yF`={*l<;ik8q>ueH6PnLiuho3c)ogoo=INKA^$duZ^#UfB
zm1X^pp8;c)!GM851%J%yfudHgxV!)yy*a?B#S*=5XPwW!;vjN-`8}?+U3*Wz78Bvh
zEZe?RclS#t|5uJL99=gAsGUqPE}Il-wE110_iNt^&EX$k_<neFwENzks@I+$@&#D_
zGsaK4`%fe~K&SQl%^G9l{Cl%2C(rc0@#89c`MX1(V&*D_OLp7WaoF#TlD_@9aiv~*
zdg507lvQU}*6p@fAYHnBo6EDT<T-m@l^OkwV7a!#>zD0AY1y2vJy(sTwalcK{&rii
z+3)&}jlNfA1}SkoGKiJ7JUuyQU)<_vXJ?)=@rm7Ce=kyy#Zdr+KFV*LYxqs%wD;j}
zS2oC4hY3N&fl`Hq4;7PzC-+2#{QLj^#ozzOMUUNE5Vt@mMA)?NSJljo-&aJhn7!il
z3ePM4J^$OP+N*l2`d;xJH`VB?>WFgIU9`{NU|ajIre8f(-Bq1cZMR%Gr}S5~>@qK$
z=ii~g(F8(zLe|zfb9xWok8AJzJl|pm*X<Qz&r6qXDG%VuUbp_R<7w@Ek8%yq^FCei
zxT5mV$CHv(eSW{C&tH?@Wn=HmeeXu^%(}g&n$@Ol%}7+t*%bO=ccwsdpTgD1L!xu$
zo&C6mZ|A1^X>HH9H!N5D5!EVjb<?7J$7Kf;&mTD~&C(^kIq2m}9T|rMxvc4vJf(fa
z)`ax<we+Umn)iCi+db;*w&romEn>aA>Zzxsb-<#d3<-RT6Q$kFWRJ4*23(48kD6$b
zxcr6w^BZk_W|zF?nl=1(TfI)y_r=Kz$9Pxhhg<(u(-6GLcBQLI?e@ny<x49|d+rEj
zM4aJm4718Ua7HNp)AXhyCHdzXGS!QE&Q7m?AQifLX?%>d<uv7U*S|0Cs8AAJm$)~{
zb=sQnQw@JAbLXE)tUqcLY9!jXzGQ=?kE^)0onTSQqyU#at8*kDo_o}nDc#M(lx*-)
zMQ~+nr1|?V%VeK#xLNqg_GEv%_~UI`Y_xUXvAH=1e!g?*!9%kmj-+{#iQ!sDm+zbU
zCq>lpsiAb<5_8#C2l%X*P9=Zm4)A7Vl4HhI=t@9~Ujc@<jvyx9BA69Y1f!Lb5DRb>
zzz_?7<uSvO#!&ngK#F6+mSC0zFkgTy(Fc|gczl6WG5~D?l?)i(VPyk_1TzpC0Nq{8
H3gQ6({?xvP

literal 0
HcmV?d00001

diff --git a/projects/libwebsockets/lws_parse_fuzzer.cpp b/projects/libwebsockets/lws_parse_fuzzer.cpp
new file mode 100644
index 000000000000..b395fd841261
--- /dev/null
+++ b/projects/libwebsockets/lws_parse_fuzzer.cpp
@@ -0,0 +1,109 @@
+/* Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+##############################################################################*/
+
+
+extern "C" {
+#include "private-lib-core.h"
+#include <libwebsockets.h>
+}
+#include <fuzzer/FuzzedDataProvider.h>
+#include <cstring>
+#include <cstdlib>
+#include <vector>
+
+static int dummy_callback(struct lws *wsi, enum lws_callback_reasons reason,
+        void *user, void *in, size_t len) {
+    for (size_t i = 0; i < len; i++) {
+        ((char *)in)[i] = ((char *)in)[i] ^ 0xFF;
+    }
+
+    return (0);
+}
+
+static struct lws_protocols protocols[] = {
+    { "http", &lws_callback_http_dummy, 0, 0 },
+    { NULL, NULL, 0, 0 }
+};
+
+static struct lws_vhost mock_vhost = {
+    .timeout_secs_ah_idle = 10,
+};
+
+static int initialize_context(struct lws *wsi) {
+    struct lws_context_creation_info info = {};
+    struct lws_context *cx = NULL;
+
+    lws_context_info_defaults(&info, NULL);
+    if (!(cx = lws_create_context(&info))) {
+        return (-1);
+    }
+    lws_role_transition(wsi, (enum lwsi_role)LWSIFR_SERVER, LRS_HEADERS, &role_ops_h1);
+
+    wsi->a.context = cx;
+    wsi->a.protocol = protocols;
+    wsi->a.vhost = &mock_vhost;
+    if (lws_header_table_attach(wsi, 0) < 0) {
+        lws_context_destroy(cx);
+        return (-1);
+    }
+
+    return (0);
+}
+
+static int parse_http_header(struct lws *wsi, const uint8_t *data, size_t size) {
+    FuzzedDataProvider provider(data, size);
+    size_t recved_size = 0;
+    std::vector<uint8_t> recved;
+    std::vector<uint8_t> fragment;
+    int mutable_len = 0;
+    unsigned char *mutable_fragment;
+
+    wsi->http.ah->parser_state = WSI_TOKEN_NAME_PART;
+    while (provider.remaining_bytes() > 0) {
+        recved_size = provider.ConsumeIntegralInRange<size_t>(1, provider.remaining_bytes());
+        recved = provider.ConsumeBytes<uint8_t>(recved_size);
+        fragment.insert(fragment.end(), recved.begin(), recved.end());
+        mutable_fragment = fragment.data();
+        mutable_len = fragment.size();
+        lws_parse(wsi, mutable_fragment, &mutable_len);
+        // if (lws_parse(&wsi, mutable_fragment, &len))
+        //  lws_header_table_reset(&wsi, 0);
+        assert(mutable_len <= fragment.size() && mutable_len >= 0);
+        fragment.erase(fragment.begin(), fragment.end() - mutable_len);
+        //if (wsi.http.ah->parser_state == WSI_PARSING_COMPLETE)
+        //  lws_header_table_reset(&wsi, 0);
+    }
+
+    return (0);
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    struct lws_context mock_context = {};
+    struct lws wsi = {};
+
+    if (size == 0) {
+        return 0;
+    }
+
+    if (initialize_context(&wsi) < 0)
+        return (0);
+    parse_http_header(&wsi, data, size);
+
+    lws_header_table_detach(&wsi, 0);
+    lws_context_destroy(wsi.a.context);
+
+    return 0;
+}
diff --git a/projects/libwebsockets/lws_parse_fuzzer.dict b/projects/libwebsockets/lws_parse_fuzzer.dict
new file mode 100644
index 000000000000..092697d9e318
--- /dev/null
+++ b/projects/libwebsockets/lws_parse_fuzzer.dict
@@ -0,0 +1,119 @@
+# Sources: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
+
+# misc
+"HTTP/1.1"
+
+# verbs
+"CONNECT"
+"DELETE"
+"GET"
+"HEAD"
+"OPTIONS"
+"PATCH"
+"POST"
+"PUT"
+"TRACE"
+
+
+# Fields
+"A-IM"
+"Accept"
+"Accept-Charset"
+"Accept-Datetime"
+"Accept-Encoding"
+"Accept-Language"
+"Accept-Patch"
+"Accept-Ranges"
+"Access-Control-Allow-Credentials"
+"Access-Control-Allow-Headers"
+"Access-Control-Allow-Methods"
+"Access-Control-Allow-Origin"
+"Access-Control-Expose-Headers"
+"Access-Control-Max-Age"
+"Access-Control-Request-Headers"
+"Access-Control-Request-Method"
+"Age"
+"Allow"
+"Alt-Svc"
+"Authorization"
+"Cache-Control"
+"Connection"
+"Connection:"
+"Content-Disposition"
+"Content-Encoding"
+"Content-Language"
+"Content-Length"
+"Content-Location"
+"Content-MD5"
+"Content-Range"
+"Content-Security-Policy"
+"Content-Type"
+"Cookie"
+"DNT"
+"Date"
+"Delta-Base"
+"ETag"
+"Expect"
+"Expires"
+"Forwarded"
+"From"
+"Front-End-Https"
+"HTTP2-Settings"
+"Host"
+"IM"
+"If-Match"
+"If-Modified-Since"
+"If-None-Match"
+"If-Range"
+"If-Unmodified-Since"
+"Last-Modified"
+"Link"
+"Location"
+"Max-Forwards"
+"Origin"
+"P3P"
+"Pragma"
+"Proxy-Authenticate"
+"Proxy-Authorization"
+"Proxy-Connection"
+"Public-Key-Pins"
+"Range"
+"Referer"
+"Refresh"
+"Retry-After"
+"Save-Data"
+"Server"
+"Set-Cookie"
+"Status"
+"Strict-Transport-Security"
+"TE"
+"Timing-Allow-Origin"
+"Tk"
+"Trailer"
+"Transfer-Encoding"
+"Upgrade"
+"Upgrade-Insecure-Requests"
+"User-Agent"
+"Vary"
+"Via"
+"WWW-Authenticate"
+"Warning"
+"X-ATT-DeviceId"
+"X-Content-Duration"
+"X-Content-Security-Policy"
+"X-Content-Type-Options"
+"X-Correlation-ID"
+"X-Csrf-Token"
+"X-Forwarded-For"
+"X-Forwarded-Host"
+"X-Forwarded-Proto"
+"X-Frame-Options"
+"X-Http-Method-Override"
+"X-Powered-By"
+"X-Request-ID"
+"X-Requested-With"
+"X-UA-Compatible"
+"X-UIDH"
+"X-Wap-Profile"
+"X-WebKit-CSP"
+"X-XSS-Protection"
diff --git a/projects/libwebsockets/lws_parse_fuzzer_seed_corpus.zip b/projects/libwebsockets/lws_parse_fuzzer_seed_corpus.zip
new file mode 100644
index 0000000000000000000000000000000000000000..32804ef1e349a42f55919908f140d13408529386
GIT binary patch
literal 248
zcmWIWW@h1H0D<KbdLu9BJLp*e*&r;+Aj6PTUL0SLSX7)EpH^B`m0A>EoSK>v8p6rI
z9915Zo&v<B72FJrEH9WD7{G+PYlworf=5V5fWD!gAupFlesPJFLTW`~Zb43}UUGge
zFPC$EUS4W)NoIbYl|ph(esL-<7cW<UHzSiAGcJcnfZWHx2*gVoK`b23Vud&h%}D{?
RtZX1nj6fI-q}xFp1^|=3I(Gm7

literal 0
HcmV?d00001

diff --git a/projects/libwebsockets/lws_parse_uri_fuzzer.cpp b/projects/libwebsockets/lws_parse_uri_fuzzer.cpp
new file mode 100644
index 000000000000..4873a79efc8e
--- /dev/null
+++ b/projects/libwebsockets/lws_parse_uri_fuzzer.cpp
@@ -0,0 +1,37 @@
+/* Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+###############################################################################*/
+
+#include "libwebsockets.h"
+#include <fuzzer/FuzzedDataProvider.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, uint32_t size) {
+	const char *prot = NULL;
+	const char *ads = NULL;
+	const char *path = NULL;
+	char *input = NULL;
+	int  port;
+
+	if (size > 0) {
+		if (!(input = (char *)malloc(size + 1)))
+			return (0);
+		memcpy(input, data, size);
+		input[size] = '\0';
+		lws_parse_uri(input, &prot, &ads, &port, &path);
+		free(input);
+	}
+
+	return 0;
+}

From 946989feae18c42ea6ff199371e4e9d065704de4 Mon Sep 17 00:00:00 2001
From: Segwaz <chloe.cano@axeinos.co>
Date: Sat, 14 Dec 2024 17:17:24 +0000
Subject: [PATCH 2/3] libwebsockets: fix copyright year on license headers

---
 projects/libwebsockets/lws_lhs_fuzzer.cpp       | 2 +-
 projects/libwebsockets/lws_parse_fuzzer.cpp     | 2 +-
 projects/libwebsockets/lws_parse_uri_fuzzer.cpp | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/projects/libwebsockets/lws_lhs_fuzzer.cpp b/projects/libwebsockets/lws_lhs_fuzzer.cpp
index 6d157eec98bc..56c0d9bda7be 100644
--- a/projects/libwebsockets/lws_lhs_fuzzer.cpp
+++ b/projects/libwebsockets/lws_lhs_fuzzer.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2022 Google LLC
+/* Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/projects/libwebsockets/lws_parse_fuzzer.cpp b/projects/libwebsockets/lws_parse_fuzzer.cpp
index b395fd841261..6823c6c29d29 100644
--- a/projects/libwebsockets/lws_parse_fuzzer.cpp
+++ b/projects/libwebsockets/lws_parse_fuzzer.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2022 Google LLC
+/* Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/projects/libwebsockets/lws_parse_uri_fuzzer.cpp b/projects/libwebsockets/lws_parse_uri_fuzzer.cpp
index 4873a79efc8e..b19b02e02fc1 100644
--- a/projects/libwebsockets/lws_parse_uri_fuzzer.cpp
+++ b/projects/libwebsockets/lws_parse_uri_fuzzer.cpp
@@ -1,4 +1,4 @@
-/* Copyright 2022 Google LLC
+/* Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

From 2f51841c79c4cb9cf3d2b7751d1f6acca1c46979 Mon Sep 17 00:00:00 2001
From: Segwaz <chloe.cano@axeinos.co>
Date: Mon, 23 Dec 2024 16:07:04 +0000
Subject: [PATCH 3/3] fix a timeout in lws_parse harness

---
 projects/libwebsockets/lws_parse_fuzzer.cpp | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/projects/libwebsockets/lws_parse_fuzzer.cpp b/projects/libwebsockets/lws_parse_fuzzer.cpp
index 6823c6c29d29..d0e991e450f5 100644
--- a/projects/libwebsockets/lws_parse_fuzzer.cpp
+++ b/projects/libwebsockets/lws_parse_fuzzer.cpp
@@ -24,15 +24,6 @@ extern "C" {
 #include <cstdlib>
 #include <vector>
 
-static int dummy_callback(struct lws *wsi, enum lws_callback_reasons reason,
-        void *user, void *in, size_t len) {
-    for (size_t i = 0; i < len; i++) {
-        ((char *)in)[i] = ((char *)in)[i] ^ 0xFF;
-    }
-
-    return (0);
-}
-
 static struct lws_protocols protocols[] = {
     { "http", &lws_callback_http_dummy, 0, 0 },
     { NULL, NULL, 0, 0 }
@@ -78,13 +69,12 @@ static int parse_http_header(struct lws *wsi, const uint8_t *data, size_t size)
         fragment.insert(fragment.end(), recved.begin(), recved.end());
         mutable_fragment = fragment.data();
         mutable_len = fragment.size();
-        lws_parse(wsi, mutable_fragment, &mutable_len);
-        // if (lws_parse(&wsi, mutable_fragment, &len))
-        //  lws_header_table_reset(&wsi, 0);
+        if (lws_parse(wsi, mutable_fragment, &mutable_len) < 0)
+		return (-1);
         assert(mutable_len <= fragment.size() && mutable_len >= 0);
         fragment.erase(fragment.begin(), fragment.end() - mutable_len);
-        //if (wsi.http.ah->parser_state == WSI_PARSING_COMPLETE)
-        //  lws_header_table_reset(&wsi, 0);
+        if (wsi->http.ah->parser_state == WSI_PARSING_COMPLETE)
+		break ;
     }
 
     return (0);