Fuzzer Reference
This page contains a reference for Fuzzbuzz's C and C++ fuzzer. If you'd like an introduction to using this fuzzer, we recommend reading the Getting Started guide before using this reference. The aim of this reference is to provide a more in-depth look at the generation capabilities and configuration options of the fuzzer.
Import this library into your fuzz test with #include "fuzzbuzz.hxx". If you would like to set up completions and type hinting in your IDE, you can add /opt/fuzzbuzz/include to your editor's search path.
Global Namespace
FZBZ_TARGET_CLASS
Used to tell Fuzzbuzz that it should run a fuzz test.
Usage example:
FZBZ_TARGET_CLASS(FuzzTest0);
struct FuzzTest0 {
    FuzzTest0(fzbz::Fuzzer &f)
    {
        // Fuzz test definition goes here.
    }
};
namespace fzbz
Fuzzer
The type used in a fuzz test to communicate configuration to the Fuzzer.
Instance methods:
addFuzzTarget(T target)
: communicates to the fuzzer that it should fuzz test a particular target.
Usage example:
struct FuzzTest0 {
    FuzzTest0(fzbz::Fuzzer &f)
    {
        // Define a generator
        auto stringGen = fzbz::generator::string<std::string>();
        // Create a fuzz target
        auto target = fzbz::fuzzTarget([&](auto myStr) {
            // Do something with the fuzzed data
            CallMyCode(myStr);
        }, stringGen);
        // Seed the target
        target.addSeed("Hello, ");
        target.addSeed("World!");
        // Fuzz the target
        f.addFuzzTarget(target);
    }
};
fuzzTarget
fuzzTarget(U fuzz_test, Args ...args)
Combines a fuzz test and a set of fields into a single fuzz target. The first argument should be a function that takes n values. The following arguments should be generators, and should correspond to the arguments of the function.
Instance methods:
addSeed(Args::type ...args)
: Pass in a list of arguments in the same order the fuzz test receives them. This set of inputs will be used as a seed for the fuzzer to generate new values from.
Usage example:
// Define a set of generators
auto intGen = fzbz::generator::integer<int32_t>();
auto stringGen = fzbz::generator::string<std::string>();
auto floatGen = fzbz::generator::floatingPoint<float>();
auto byteGen = fzbz::generator::byteArray<std::vector<uint8_t>>();
auto target = fzbz::fuzzTarget([&](auto myInt, auto myStr, auto myFloat, auto myBytes) {
// Do something with the fuzzed data
CallMyCode(myInt, myStr, myFloat, myBytes);
}, intGen, stringGen, floatGen, byteGen);
target.addSeed(123, "hello", 1.2, std::vector<uint8_t>{41, 42, 43});
target.addSeed(456, "world", 2.6, std::vector<uint8_t>{45, 46, 47});
namespace fzbz::generator
template <typename T> class byteArray
Creates a new Byte Array generator, and places the generated byte array in a T. Currently a std::vector<uint8_t> is the only supported value for T.
Instance methods:
setMaxLength(int)
Usage example:
// Creates a Byte Array generator that returns the bytes in a uint8_t vector
auto gen = fzbz::generator::byteArray<std::vector<uint8_t>>();
gen.setMaxLength(2048);
template <typename T> class string
Creates a new string generator, and places the generated string value in a T. Currently std::string and const char * are the supported values for T.
Instance methods:
setMaxLength(int)
Usage example:
// Creates a String generator that returns the string in a std::string
auto gen = fzbz::generator::string<std::string>();
gen.setMaxLength(2048);
template <typename T> class integer
Creates a new integer generator, and places the generated integer value in a T. All int{8,16,32,64}_t and uint{8,16,32,64}_t types, as well as int, are supported values for T.
Instance methods:
setRange(T min, T max)
Usage example:
// Creates an integer generator that returns the integer in an int32_t
auto gen = fzbz::generator::integer<int32_t>();
// Sets the minimum and maximum values for the generated integer
gen.setRange(0, 1024);
template <typename T> class floatingPoint
Creates a new floating point number generator, and places the generated floating point value in a T. Currently, float is the supported value for T.
Usage example:
// Creates a floating point generator that returns the number in a float
auto gen = fzbz::generator::floatingPoint<float>();
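Putting the pieces of this reference together, the following is an added example (not code from the Fuzzbuzz docs or SDK): a complete fuzz test whose FZBZ_TARGET_CLASS constructor configures an integer and a byte array generator with setRange() and setMaxLength(), combines them with fuzzTarget, seeds the target in argument order, and registers it with the Fuzzer. The code under test, copyRecord, is constructed for this example and lacks a bounds check the fuzzer is meant to reach; the fzbz stand-in under #else is also constructed, mirrors only the names used here and merely replays the seeds, so the file compiles without the SDK while the real header is used when it is present.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>
// Code under test (constructed): `len` arrives from the integer generator, not from
// the data, so a setRange() wider than the buffer reaches the missing check quickly.
static const size_t kBufSize = 16;
int copyRecord(int32_t len, const std::vector<uint8_t>& payload, bool fixed) {
    uint8_t buf[kBufSize];
    if (len < 0 || (size_t)len > payload.size()) return -1;  // length vs. data
    if (fixed && (size_t)len > kBufSize) return -1;          // the check the buggy build lacks
    std::memcpy(buf, payload.data(), (size_t)len);           // stack overflow when !fixed && len > 16
    int sum = 0; for (int32_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}
#if __has_include("fuzzbuzz.hxx")
#include "fuzzbuzz.hxx"  // the real SDK when built by Fuzzbuzz
#else
// Stand-in (constructed, NOT the Fuzzbuzz SDK): same names as the reference,
// but it only replays the seeds, so this file also builds on a plain compiler.
namespace fzbz {
namespace generator {
template <typename T> struct integer { void setRange(T, T) {} };
template <typename T> struct byteArray { void setMaxLength(int) {} };
}
template <typename F> struct Target {
    F fn; std::vector<std::function<void()>> seeds;
    template <typename... A> void addSeed(A... a) { seeds.push_back([f = fn, a...] { f(a...); }); }
};
template <typename F, typename... G> Target<F> fuzzTarget(F fn, G...) { return {fn, {}}; }
struct Fuzzer { template <typename T> void addFuzzTarget(T t) { for (auto& s : t.seeds) s(); } };
}
#define FZBZ_TARGET_CLASS(name) struct name
#endif
FZBZ_TARGET_CLASS(CopyRecordTest);
struct CopyRecordTest {
    CopyRecordTest(fzbz::Fuzzer& f) {
        auto lenGen = fzbz::generator::integer<int32_t>();
        lenGen.setRange(0, 64);  // deliberately wider than kBufSize
        auto bytesGen = fzbz::generator::byteArray<std::vector<uint8_t>>();
        bytesGen.setMaxLength(64);
        auto target = fzbz::fuzzTarget([&](auto len, auto bytes) {
            copyRecord(len, bytes, /*fixed=*/false);  // the buggy build is the target
        }, lenGen, bytesGen);
        target.addSeed(4, std::vector<uint8_t>{1, 2, 3, 4});  // same order as the lambda's arguments
        target.addSeed(16, std::vector<uint8_t>(16, 0x41));   // exactly fills the buffer, no crash
        f.addFuzzTarget(target);
    }
};
```

Under Fuzzbuzz, ASan reports the overflow once the integer generator produces a length between 17 and 64; with the stand-in, only the two seeds run, and both stay within the buffer.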