Test fuzzers against seed corpus under CI ASan build

.cirrus.yml

@@ -4,7 +4,7 @@ btest_retries: &BTEST_RETRIES 2
 memory: &MEMORY 6GB
 
 config: &CONFIG --build-type=release --enable-cpp-tests
-memcheck_config: &MEMCHECK_CONFIG --build-type=debug --enable-cpp-tests --sanitizers=address
+memcheck_config: &MEMCHECK_CONFIG --build-type=debug --enable-cpp-tests --sanitizers=address --enable-fuzzers
 
 resources_template: &RESOURCES_TEMPLATE
   cpu: *CPUS
@@ -133,5 +133,6 @@ memcheck_task:
     # AddressSanitizer uses a lot more memory than a typical config.
     memory: 16GB
   << : *CI_TEMPLATE
+  test_fuzzers_script: ./ci/test-fuzzers.sh
   env:
     ZEEK_CI_CONFIGURE_FLAGS: *MEMCHECK_CONFIG

ci/test-fuzzers.sh

@@ -0,0 +1,40 @@
+#! /usr/bin/env bash
+
+result=0
+
+echo "Testing fuzzers against their seed corpus"
+echo "-----------------------------------------"
+
+cd build || result=1
+. ./zeek-path-dev.sh
+
+fuzzers=$(find ./src/fuzzers -name 'zeek-*-fuzzer')
+
+for fuzzer_path in ${fuzzers}; do
+    fuzzer_exe=$(basename ${fuzzer_path})
+    fuzzer_name=$(echo ${fuzzer_exe} | sed 's/zeek-\(.*\)-fuzzer/\1/g')
+    corpus="../src/fuzzers/${fuzzer_name}-corpus.zip"
+
+    if [[ -e ${corpus} ]]; then
+        echo "Fuzzer: ${fuzzer_exe} ${corpus}"
+        ( rm -rf corpus && mkdir corpus ) || result=1
+        ( cd corpus && unzip ../${corpus} >/dev/null ) || result=1
+        ${fuzzer_path} corpus/* >${fuzzer_exe}.out 2>${fuzzer_exe}.err
+
+        if [[ $? -eq 0 ]]; then
+            tail -n 1 ${fuzzer_exe}.out
+        else
+            result=1
+            cat ${fuzzer_exe}.out
+            echo "    FAILED"
+            cat ${fuzzer_exe}.err
+        fi
+    else
+        echo "Skipping Fuzzer (no corpus): ${fuzzer_exe}"
+    fi
+
+    echo "-----------------------------------------"
+done
+
+
+exit ${result}

ci/ubuntu-18.04/Dockerfile

@@ -20,6 +20,7 @@ RUN apt-get update && apt-get -y install \
     sqlite3 \
     curl \
     wget \
+    unzip \
   && rm -rf /var/lib/apt/lists/*
 
 # Many distros adhere to PEP 394's recommendation for `python` = `python2` so

src/analyzer/protocol/pop3/POP3.cc

@@ -864,7 +864,7 @@ int POP3_Analyzer::ParseCmd(std::string cmd)
 	if ( cmd.size() == 0 )
 		return -1;
 
-	for ( int code = POP3_CMD_OK; code <= POP3_CMD_END; ++code )
+	for ( int code = POP3_CMD_OK; code < POP3_CMD_END; ++code )
 		{
 		char c = cmd.c_str()[0];
 		if ( c == '+' || c == '-' )

src/fuzzers/FuzzBuffer.cc

@@ -59,7 +59,7 @@ std::optional<zeek::FuzzBuffer::Chunk> zeek::FuzzBuffer::Next()
 		// for each chunk.
 		rval.data = std::make_unique<unsigned char[]>(rval.size);
 		memcpy(rval.data.get(), chunk_begin, rval.size);
-		return rval;
+		return {std::move(rval)};
 		}
 
 	return {};

src/fuzzers/standalone-driver.cc

@@ -20,6 +20,10 @@ int main(int argc, char** argv)
 		{
 		auto input_file_name = argv[i + 1];
 		printf("  %s:", input_file_name);
+		// If ASan ends up aborting, the previous stdout output may not
+		// be flushed, so make sure to that and make it easier to see
+		// what input caused the crash.
+		fflush(stdout);
 
 		auto f = fopen(input_file_name, "r");
 		assert(f);
@@ -44,4 +48,4 @@ int main(int argc, char** argv)
 	auto agg_stop = high_resolution_clock::now();
 	auto agg_dt = duration<double>(agg_stop - agg_start).count();
 	printf("Processed %d inputs in %fs\n", num_inputs, agg_dt);
-}
+	}