[Libreoffice] RFC: Idea for fuzz-testing filters

Hi everyone,

Before I start writing code, I wanted to get the input of more
experienced developers.

Why bother about this? Why not use what's available out there? Well...
 - Fuzzgrind isn't well documented and won't work out of the box,
 - zzuf has too many bells and whistles, and won't guarantee that every
byte has been messed up with. I used it to generate a lot of cases, and
it fills a disk quickly enough
 - Peachfuzz and others that rely on a specification: well, we have file
formats with hundreds of pages specified.

Here is the idea:
One process if the fuzzer process, it does the following (pseudocode):

  spawn "valgrind test-program"
  for (i = 0; i < file.length; i++)
    fuzzed = memcpy(file)
    fuzzed[i] = 0xFF (or whatever)
    write(temp-dir/random-name, fuzzed)
    read output from the spawned process until the marker is read
    if valgrind output is more than the expected valgrind start/end markers
      then copy valgrind output to results directory
      then copy fuzzed to results directory
    if spawned program crashed then restart it

The other process would do as follows:
  while(forever)
    check if a new file is in temp-dir
    if the file name is "terminate-yourself", then exit
    try to load the file with the filter
    output a marker like "-------- Done trying to load ---------"

With this design, we avoid a lot of process creation overhead.
We can probably generalize it enough that we can put pretty much any
filter in there.

What do you think of this idea? What improvements we can add?

Regards,

-- 
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India