From 0cc26e21b516cbfe967c857bdc99cd2cd2efdce3 Mon Sep 17 00:00:00 2001
From: Sylvestre Ledru <sylvestre@debian.org>
Date: Fri, 10 Nov 2023 22:28:17 +0100
Subject: [PATCH] fuzz printf too

---
 .github/workflows/fuzzing.yml    |   1 +
 fuzz/Cargo.toml                  |   7 ++
 fuzz/fuzz_targets/fuzz_printf.rs | 131 +++++++++++++++++++++++++++++++
 3 files changed, 139 insertions(+)
 create mode 100644 fuzz/fuzz_targets/fuzz_printf.rs

diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index e7a9cb1e329..3ecf44f9f22 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -44,6 +44,7 @@ jobs:
             fuzz_parse_glob,
             fuzz_parse_size,
             fuzz_parse_time,
+            fuzz_printf,
             # adding more fuzz tests here.
             # e.g. fuzz_test_a,
           ]
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index 549f9a6b762..630af4650b6 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -16,6 +16,7 @@ uucore = { path = "../src/uucore/" }
 uu_date = { path = "../src/uu/date/" }
 uu_test = { path = "../src/uu/test/" }
 uu_expr = { path = "../src/uu/expr/" }
+uu_printf = { path = "../src/uu/printf/" }
 
 
 # Prevent this from interfering with workspaces
@@ -28,6 +29,12 @@ path = "fuzz_targets/fuzz_date.rs"
 test = false
 doc = false
 
+[[bin]]
+name = "fuzz_printf"
+path = "fuzz_targets/fuzz_printf.rs"
+test = false
+doc = false
+
 [[bin]]
 name = "fuzz_expr"
 path = "fuzz_targets/fuzz_expr.rs"
diff --git a/fuzz/fuzz_targets/fuzz_printf.rs b/fuzz/fuzz_targets/fuzz_printf.rs
new file mode 100644
index 00000000000..8ce160982dc
--- /dev/null
+++ b/fuzz/fuzz_targets/fuzz_printf.rs
@@ -0,0 +1,131 @@
+// This file is part of the uutils coreutils package.
+//
+// For the full copyright and license information, please view the LICENSE
+// file that was distributed with this source code.
+// spell-checker:ignore parens
+
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use uu_printf::uumain;
+
+use rand::seq::SliceRandom;
+use rand::Rng;
+use std::ffi::OsString;
+
+mod fuzz_common;
+use crate::fuzz_common::CommandResult;
+use crate::fuzz_common::{compare_result, generate_and_run_uumain, run_gnu_cmd};
+
+static CMD_PATH: &str = "printf";
+
+fn generate_random_string(max_length: usize) -> String {
+    let mut rng = rand::thread_rng();
+    let valid_utf8: Vec<char> = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+        .chars()
+        .collect();
+    let invalid_utf8 = [0xC3, 0x28]; // Invalid UTF-8 sequence
+    let mut result = String::new();
+
+    for _ in 0..rng.gen_range(1..=max_length) {
+        if rng.gen_bool(0.9) {
+            let ch = valid_utf8.choose(&mut rng).unwrap();
+            result.push(*ch);
+        } else {
+            let ch = invalid_utf8.choose(&mut rng).unwrap();
+            if let Some(c) = char::from_u32(*ch as u32) {
+                result.push(c);
+            }
+        }
+    }
+
+    result
+}
+
+fn generate_escape_sequence(rng: &mut impl Rng) -> String {
+    let escape_sequences = [
+        "\\\"",
+        "\\\\",
+        "\\a",
+        "\\b",
+        "\\c",
+        "\\e",
+        "\\f",
+        "\\n",
+        "\\r",
+        "\\t",
+        "\\v",
+        "\\000",
+        "\\x00",
+        "\\u0000",
+        "\\U00000000",
+        "%%",
+    ];
+    escape_sequences.choose(rng).unwrap().to_string()
+}
+
+fn generate_printf() -> String {
+    let mut rng = rand::thread_rng();
+    let format_specifiers = ["%s", "%d", "%f", "%x", "%o", "%c", "%b", "%q"];
+    let mut printf_str = String::new();
+    // Add a 20% chance of generating an invalid format specifier
+    if rng.gen_bool(0.2) {
+        printf_str.push_str("%z"); // Invalid format specifier
+    } else {
+        let specifier = *format_specifiers.choose(&mut rng).unwrap();
+        printf_str.push_str(specifier);
+
+        // Add a 20% chance of introducing complex format strings
+        if rng.gen_bool(0.2) {
+            printf_str.push_str(&format!(" %{}", rng.gen_range(1..=1000)));
+        } else {
+            // Add a random string or number after the specifier
+            if specifier == "%s" {
+                printf_str.push_str(&format!(
+                    " {}",
+                    generate_random_string(rng.gen_range(1..=10))
+                ));
+            } else {
+                printf_str.push_str(&format!(" {}", rng.gen_range(1..=1000)));
+            }
+        }
+    }
+
+    // Add a 10% chance of including an escape sequence
+    if rng.gen_bool(0.1) {
+        printf_str.push_str(&generate_escape_sequence(&mut rng));
+    }
+    printf_str
+}
+
+fuzz_target!(|_data: &[u8]| {
+    let printf_input = generate_printf();
+    let mut args = vec![OsString::from("printf")];
+    args.extend(printf_input.split_whitespace().map(OsString::from));
+    let rust_result = generate_and_run_uumain(&args, uumain);
+
+    let gnu_result = match run_gnu_cmd(CMD_PATH, &args[1..], false) {
+        Ok(result) => result,
+        Err(error_result) => {
+            eprintln!("Failed to run GNU command:");
+            eprintln!("Stderr: {}", error_result.stderr);
+            eprintln!("Exit Code: {}", error_result.exit_code);
+            CommandResult {
+                stdout: String::new(),
+                stderr: error_result.stderr,
+                exit_code: error_result.exit_code,
+            }
+        }
+    };
+
+    compare_result(
+        "expr",
+        &format!("{:?}", &args[1..]),
+        &rust_result.stdout,
+        &gnu_result.stdout,
+        &rust_result.stderr,
+        &gnu_result.stderr,
+        rust_result.exit_code,
+        gnu_result.exit_code,
+        false, // Set to true if you want to fail on stderr diff
+    );
+});