I'm currently integrating `libFuzzer` in a project which parses files on the hard drive. I have some prior experience with AFL, where a command line like this one was used:

    afl-fuzz -m500 -i input/ -o output/ -t100 -- program_to_fuzz @@

...where `@@` was a path to the generated input.
Looking at `libFuzzer` however, I see that the fuzz targets look like this:

    #include <stddef.h>
    #include <stdint.h>

    // DoSomethingInterestingWithMyAPI stands for the API under test.
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      DoSomethingInterestingWithMyAPI(Data, Size);
      return 0; // Non-zero return values are reserved for future use.
    }
I understand that the input isn't provided in the form of a file, but as a buffer in-memory instead. The problem is that the program I'm trying to fuzz works with files and obtains its data through `fread()` calls. At no point in time is the whole input supposed to be loaded in memory (where, in the general case, it might not even fit); so there's not much I can do with a `const uint8_t*`.
Writing the buffer back to the hard drive to get back a file seems extremely inefficient. Is there a way around this?
You could use LD_PRELOAD and override fread.
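The answer above suggests overriding `fread` through `LD_PRELOAD`. The following is an added example (not code from the original post or from libFuzzer) of the same idea applied inside a libFuzzer target, where the override is done at compile time instead of with a preload shim: `fread`, `fopen` and `fclose` are redirected to replacements that serve bytes from the fuzzer's in-memory buffer, so the parser's own file-reading code runs unchanged and nothing is ever written to disk. The parser (`parse_file`, a small length-prefixed record format), the `MemFile` struct, the `fuzz_*` replacements and the `FUZ1` magic are all constructed for this example; the equivalent for an unmodified parser build is `-Dfread=fuzz_fread -Dfopen=fuzz_fopen -Dfclose=fuzz_fclose` on the compiler line when building the fuzz target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory "file": the current libFuzzer input plus a read cursor. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} MemFile;

static MemFile g_fuzz_input;

/* Replacement fopen(): ignores the path and hands back the in-memory file. */
static FILE *fuzz_fopen(const char *path, const char *mode) {
    (void)path;
    (void)mode;
    g_fuzz_input.pos = 0;
    return (FILE *)&g_fuzz_input; /* opaque handle, never dereferenced as a FILE */
}

/* Replacement fclose(): nothing to release. */
static int fuzz_fclose(FILE *stream) {
    (void)stream;
    return 0;
}

/* Replacement fread(): copies whole items out of the buffer, like the real
 * fread() it returns the number of complete items read (0 at end of input). */
static size_t fuzz_fread(void *ptr, size_t size, size_t nmemb, FILE *stream) {
    if (stream != (FILE *)&g_fuzz_input || size == 0 || nmemb == 0)
        return 0;
    size_t remaining = g_fuzz_input.size - g_fuzz_input.pos;
    size_t items = nmemb;
    if (items > remaining / size)
        items = remaining / size; /* only complete items, partial tail is dropped */
    memcpy(ptr, g_fuzz_input.data + g_fuzz_input.pos, items * size);
    g_fuzz_input.pos += items * size;
    return items;
}

/* Compile-time interposition: every fopen/fread/fclose below resolves to the
 * in-memory versions. For a real project these defines live on the fuzz
 * build's compiler line so the parser's sources stay untouched. */
#define fopen fuzz_fopen
#define fread fuzz_fread
#define fclose fuzz_fclose

/* ---- constructed stand-in for the program under test ----
 * Format: 4-byte magic "FUZ1", 1-byte record count n, then n 2-byte
 * little-endian values. Returns the sum of the values, or -1 on any error. */
static int parse_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    int result = -1;
    uint8_t magic[4];
    uint8_t n;
    if (fread(magic, 1, 4, f) == 4 && memcmp(magic, "FUZ1", 4) == 0 &&
        fread(&n, 1, 1, f) == 1) {
        int sum = 0;
        unsigned i;
        for (i = 0; i < n; i++) {
            uint8_t v[2];
            if (fread(v, 2, 1, f) != 1) { /* truncated record */
                sum = -1;
                break;
            }
            sum += v[0] | (v[1] << 8);
        }
        result = sum;
    }
    fclose(f);
    return result;
}

#undef fopen
#undef fread
#undef fclose

/* ---- fuzz target ---- */
static int fuzz_one_input(const uint8_t *data, size_t size) {
    g_fuzz_input.data = data;
    g_fuzz_input.size = size;
    g_fuzz_input.pos = 0;
    return parse_file("ignored-by-fuzz_fopen");
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    fuzz_one_input(Data, Size);
    return 0;
}

/* Constructed sample inputs so the harness can be checked without libFuzzer. */
int demo_valid(void) {
    static const uint8_t in[] = {'F', 'U', 'Z', '1', 2, 0x01, 0x00, 0x02, 0x01};
    return fuzz_one_input(in, sizeof in); /* 1 + 0x102 = 259 */
}

int demo_truncated(void) {
    static const uint8_t in[] = {'F', 'U', 'Z', '1', 2, 0x01, 0x00, 0x02};
    return fuzz_one_input(in, sizeof in); /* second record is incomplete */
}

int demo_bad_magic(void) {
    static const uint8_t in[] = {'X', 'U', 'Z', '1', 0};
    return fuzz_one_input(in, sizeof in);
}

int main(void) {
    printf("valid=%d truncated=%d bad_magic=%d\n",
           demo_valid(), demo_truncated(), demo_bad_magic());
    return 0;
}
```

Because `fuzz_fread` only ever hands out the bytes the fuzzer supplied, the parser sees end-of-file exactly where the input ends, so truncation bugs (short reads that the code forgets to check) are exercised on every iteration rather than hidden behind a temporary file that is always complete. The `LD_PRELOAD` route from the answer does the same thing at load time with a shared object exporting `fread`; the compile-time defines are simpler when the parser is linked into the same binary as the fuzz target, as libFuzzer requires.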