From 6d1372e2fbce11024087059b8b4a689c34e179c8 Mon Sep 17 00:00:00 2001
From: Arthur Chan
Date: Thu, 25 Jun 2026 19:47:02 +0100
Subject: [PATCH] OSS-Fuzz: Add new fuzzers for libcups targeting http processing

Signed-off-by: Arthur Chan
---
 projects/libcups/fuzzer/fuzzhttp.c | 66 +++++++++++++++++++
 .../libcups/seeds/fuzzhttp_seed_corpus/base64 | 1 +
 .../seeds/fuzzhttp_seed_corpus/httpdate | 1 +
 .../seeds/fuzzhttp_seed_corpus/uri_file | 1 +
 .../seeds/fuzzhttp_seed_corpus/uri_http | 1 +
 .../seeds/fuzzhttp_seed_corpus/uri_ipps | 1 +
 .../seeds/fuzzhttp_seed_corpus/uri_mailto | 1 +
 .../seeds/fuzzhttp_seed_corpus/uri_socket | 1 +
 8 files changed, 73 insertions(+)
 create mode 100644 projects/libcups/fuzzer/fuzzhttp.c
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/base64
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/httpdate
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/uri_file
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/uri_http
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/uri_ipps
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/uri_mailto
 create mode 100644 projects/libcups/seeds/fuzzhttp_seed_corpus/uri_socket

diff --git a/projects/libcups/fuzzer/fuzzhttp.c b/projects/libcups/fuzzer/fuzzhttp.c
new file mode 100644
index 0000000..2558d4c
--- /dev/null
+++ b/projects/libcups/fuzzer/fuzzhttp.c
@@ -0,0 +1,66 @@
+/*
+ Copyright The libcups Developers.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+#include
+#include
+#include
+#include "cups.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ if (size == 0 || size > 65536)
+ return 0;
+
+ // NUL-terminate the input so it can be used as a C string.
+ char *str = (char *)malloc(size + 1);
+ if (!str)
+ return 0;
+ memcpy(str, data, size);
+ str[size] = '\0';
+
+ // 1. URI parser: scheme://user@host:port/resource splitter.
+ char scheme[256], username[256], host[256], resource[1024];
+ int port = 0;
+ http_uri_status_t st = httpSeparateURI(HTTP_URI_CODING_ALL, str,
+ scheme, sizeof(scheme),
+ username, sizeof(username),
+ host, sizeof(host),
+ &port,
+ resource, sizeof(resource));
+
+ // Round-trip the separated components back into a URI.
+ if (st == HTTP_URI_STATUS_OK)
+ {
+ char rebuilt[2048];
+ httpAssembleURI(HTTP_URI_CODING_ALL, rebuilt, sizeof(rebuilt),
+ scheme, username, host, port, resource);
+ }
+
+ // 2. base64 decoder (output is at most ~3/4 of the input).
+ {
+ size_t outlen = size;
+ char *out = (char *)malloc(outlen + 1);
+ if (out)
+ {
+ const char *end = NULL;
+ httpDecode64(out, &outlen, str, &end);
+ free(out);
+ }
+ }
+
+ // 3. HTTP date-string parser.
+ httpGetDateTime(str);
+
+ free(str);
+ return 0;
+}
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/base64 b/projects/libcups/seeds/fuzzhttp_seed_corpus/base64
new file mode 100644
index 0000000..8bb00cc
--- /dev/null
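Review bot: The round-trip guard `if (st == HTTP_URI_STATUS_OK)` leaves httpAssembleURI unexercised for inputs that httpSeparateURI parsed but flagged with a positive status, since in CUPS the http_uri_status_t values above HTTP_URI_STATUS_OK (missing scheme, unknown scheme, missing resource) mean "parsed with a default substituted" rather than failure; if libcups keeps that convention, `if (st >= HTTP_URI_STATUS_OK)` would feed those filled-in components through the assembler as well. The three system `#include` lines show no header name on this page, which is presumably a rendering artifact, but the file does need `<stdint.h>`, `<stdlib.h>` and `<string.h>` for uint8_t, malloc/free and memcpy, so that is worth confirming against the committed file. A one-line header comment above LLVMFuzzerTestOneInput naming the three stages and the size cap would help the next maintainer, e.g. `// Fuzz harness: URI split/assemble, base64 decode, HTTP date parse; inputs over 64 KiB are skipped.`. The casts on the two malloc calls are unnecessary in C and can be dropped without changing behaviour.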
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/base64
@@ -0,0 +1 @@
+SGVsbG8sIFdvcmxkIQ==
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/httpdate b/projects/libcups/seeds/fuzzhttp_seed_corpus/httpdate
new file mode 100644
index 0000000..275c4e8
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/httpdate
@@ -0,0 +1 @@
+Sun, 06 Nov 1994 08:49:37 GMT
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_file b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_file
new file mode 100644
index 0000000..af0908b
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_file
@@ -0,0 +1 @@
+file:///var/spool/cups/data
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_http b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_http
new file mode 100644
index 0000000..d7061a5
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_http
@@ -0,0 +1 @@
+http://example.com:80/path/to/res?q=1&x=2#frag
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_ipps b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_ipps
new file mode 100644
index 0000000..001a505
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_ipps
@@ -0,0 +1 @@
+ipps://user:pass@printer.example.com:631/ipp/print
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_mailto b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_mailto
new file mode 100644
index 0000000..9426701
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_mailto
@@ -0,0 +1 @@
+mailto:admin@example.com
\ No newline at end of file
diff --git a/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_socket b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_socket
new file mode 100644
index 0000000..3d64464
--- /dev/null
+++ b/projects/libcups/seeds/fuzzhttp_seed_corpus/uri_socket
@@ -0,0 +1 @@
+socket://192.168.0.10:9100
\ No newline at end of file