From 0dc5907d0f0490036c50cb7aee19e31075bbf402 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Wed, 2 Oct 2019 08:01:27 +0000
Subject: [PATCH 1/5] tests: Add corpora suppression (FUZZERS_MISSING_CORPORA)
 for fuzzers missing in
 https://github.com/bitcoin-core/qa-assets/tree/master/fuzz_seed_corpus

---
 test/fuzz/test_runner.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/test/fuzz/test_runner.py b/test/fuzz/test_runner.py
index f6d84a1dcdf..2d255c0bb44 100755
--- a/test/fuzz/test_runner.py
+++ b/test/fuzz/test_runner.py
@@ -24,6 +24,10 @@ FUZZERS_MISSING_CORPORA = [
     "key_origin_info_deserialize",
     "merkle_block_deserialize",
     "out_point_deserialize",
+    "parse_hd_keypath",
+    "parse_numbers",
+    "parse_script",
+    "parse_univalue",
     "partial_merkle_tree_deserialize",
     "partially_signed_transaction_deserialize",
     "prefilled_transaction_deserialize",
@@ -32,8 +36,8 @@ FUZZERS_MISSING_CORPORA = [
     "pub_key_deserialize",
     "script_deserialize",
     "sub_net_deserialize",
-    "tx_in_deserialize",
     "tx_in",
+    "tx_in_deserialize",
     "tx_out",
 ]
 

From 074cb6451b16158589d743488930963bcf4b024c Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Wed, 2 Oct 2019 11:20:17 +0000
Subject: [PATCH 2/5] tests: Add ParseHDKeypath(...) (bip32) fuzzing harness

---
 src/Makefile.test.include          |  7 +++++++
 src/test/fuzz/parse_hd_keypath.cpp | 13 +++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 src/test/fuzz/parse_hd_keypath.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 6edbe777761..d84daeaf095 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -33,6 +33,7 @@ FUZZ_TARGETS = \
   test/fuzz/messageheader_deserialize \
   test/fuzz/netaddr_deserialize \
   test/fuzz/out_point_deserialize \
+  test/fuzz/parse_hd_keypath \
   test/fuzz/parse_iso8601 \
   test/fuzz/partial_merkle_tree_deserialize \
   test/fuzz/partially_signed_transaction_deserialize \
@@ -518,6 +519,12 @@ test_fuzz_tx_out_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_tx_out_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_tx_out_LDADD = $(FUZZ_SUITE_LD_COMMON)
 
+test_fuzz_parse_hd_keypath_SOURCES = $(FUZZ_SUITE) test/fuzz/parse_hd_keypath.cpp
+test_fuzz_parse_hd_keypath_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_parse_hd_keypath_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_parse_hd_keypath_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_parse_hd_keypath_LDADD = $(FUZZ_SUITE_LD_COMMON)
+
 endif # ENABLE_FUZZ
 
 nodist_test_test_bitcoin_SOURCES = $(GENERATED_TEST_FILES)
diff --git a/src/test/fuzz/parse_hd_keypath.cpp b/src/test/fuzz/parse_hd_keypath.cpp
new file mode 100644
index 00000000000..9a23f4b2d43
--- /dev/null
+++ b/src/test/fuzz/parse_hd_keypath.cpp
@@ -0,0 +1,13 @@
+// Copyright (c) 2009-2019 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/fuzz/fuzz.h>
+#include <util/bip32.h>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    const std::string keypath_str(buffer.begin(), buffer.end());
+    std::vector<uint32_t> keypath;
+    (void)ParseHDKeypath(keypath_str, keypath);
+}

From fb8c12093aa37f5536a1a4ba341ee8bab4dabe60 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Wed, 2 Oct 2019 11:36:08 +0000
Subject: [PATCH 3/5] tests: Add ParseScript(...) (core_io) fuzzing harness

---
 src/Makefile.test.include      |  7 +++++++
 src/test/fuzz/parse_script.cpp | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 src/test/fuzz/parse_script.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index d84daeaf095..a54ee21910b 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -38,6 +38,7 @@ FUZZ_TARGETS = \
   test/fuzz/partial_merkle_tree_deserialize \
   test/fuzz/partially_signed_transaction_deserialize \
   test/fuzz/prefilled_transaction_deserialize \
+  test/fuzz/parse_script \
   test/fuzz/psbt \
   test/fuzz/psbt_input_deserialize \
   test/fuzz/psbt_output_deserialize \
@@ -525,6 +526,12 @@ test_fuzz_parse_hd_keypath_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_parse_hd_keypath_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_parse_hd_keypath_LDADD = $(FUZZ_SUITE_LD_COMMON)
 
+test_fuzz_parse_script_SOURCES = $(FUZZ_SUITE) test/fuzz/parse_script.cpp
+test_fuzz_parse_script_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_parse_script_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_parse_script_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_parse_script_LDADD = $(FUZZ_SUITE_LD_COMMON)
+
 endif # ENABLE_FUZZ
 
 nodist_test_test_bitcoin_SOURCES = $(GENERATED_TEST_FILES)
diff --git a/src/test/fuzz/parse_script.cpp b/src/test/fuzz/parse_script.cpp
new file mode 100644
index 00000000000..21ac1aecf3a
--- /dev/null
+++ b/src/test/fuzz/parse_script.cpp
@@ -0,0 +1,16 @@
+// Copyright (c) 2009-2019 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <core_io.h>
+#include <script/script.h>
+#include <test/fuzz/fuzz.h>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    const std::string script_string(buffer.begin(), buffer.end());
+    try {
+        (void)ParseScript(script_string);
+    } catch (const std::runtime_error&) {
+    }
+}

From e3d2bcf5cf7a53e5ca671cfed1fe7b6cf0c191ba Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Wed, 2 Oct 2019 12:01:52 +0000
Subject: [PATCH 4/5] tests: Add fuzzing harnesses for various number parsing
 functions

---
 src/Makefile.test.include           |  7 ++++++
 src/test/fuzz/parse_numbers.cpp     | 35 +++++++++++++++++++++++++++++
 test/lint/lint-locale-dependence.sh |  1 +
 3 files changed, 43 insertions(+)
 create mode 100644 src/test/fuzz/parse_numbers.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index a54ee21910b..a5f740c5030 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -38,6 +38,7 @@ FUZZ_TARGETS = \
   test/fuzz/partial_merkle_tree_deserialize \
   test/fuzz/partially_signed_transaction_deserialize \
   test/fuzz/prefilled_transaction_deserialize \
+  test/fuzz/parse_numbers \
   test/fuzz/parse_script \
   test/fuzz/psbt \
   test/fuzz/psbt_input_deserialize \
@@ -532,6 +533,12 @@ test_fuzz_parse_script_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_parse_script_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_parse_script_LDADD = $(FUZZ_SUITE_LD_COMMON)
 
+test_fuzz_parse_numbers_SOURCES = $(FUZZ_SUITE) test/fuzz/parse_numbers.cpp
+test_fuzz_parse_numbers_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_parse_numbers_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_parse_numbers_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_parse_numbers_LDADD = $(FUZZ_SUITE_LD_COMMON)
+
 endif # ENABLE_FUZZ
 
 nodist_test_test_bitcoin_SOURCES = $(GENERATED_TEST_FILES)
diff --git a/src/test/fuzz/parse_numbers.cpp b/src/test/fuzz/parse_numbers.cpp
new file mode 100644
index 00000000000..59f89dc9fbb
--- /dev/null
+++ b/src/test/fuzz/parse_numbers.cpp
@@ -0,0 +1,35 @@
+// Copyright (c) 2009-2019 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/fuzz/fuzz.h>
+#include <util/moneystr.h>
+#include <util/strencodings.h>
+
+#include <string>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    const std::string random_string(buffer.begin(), buffer.end());
+
+    CAmount amount;
+    (void)ParseMoney(random_string, amount);
+
+    double d;
+    (void)ParseDouble(random_string, &d);
+
+    int32_t i32;
+    (void)ParseInt32(random_string, &i32);
+    (void)atoi(random_string);
+
+    uint32_t u32;
+    (void)ParseUInt32(random_string, &u32);
+
+    int64_t i64;
+    (void)atoi64(random_string);
+    (void)ParseFixedPoint(random_string, 3, &i64);
+    (void)ParseInt64(random_string, &i64);
+
+    uint64_t u64;
+    (void)ParseUInt64(random_string, &u64);
+}
diff --git a/test/lint/lint-locale-dependence.sh b/test/lint/lint-locale-dependence.sh
index 9a1aa766f79..ea9ea7a58df 100755
--- a/test/lint/lint-locale-dependence.sh
+++ b/test/lint/lint-locale-dependence.sh
@@ -11,6 +11,7 @@ KNOWN_VIOLATIONS=(
     "src/qt/rpcconsole.cpp:.*atoi"
     "src/rest.cpp:.*strtol"
     "src/test/dbwrapper_tests.cpp:.*snprintf"
+    "src/test/fuzz/parse_numbers.cpp:.*atoi"
     "src/torcontrol.cpp:.*atoi"
     "src/torcontrol.cpp:.*strtol"
     "src/util/strencodings.cpp:.*atoi"

From a1308b7e12e6af7482954e439f594b771eb62b73 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Thu, 3 Oct 2019 09:11:40 +0000
Subject: [PATCH 5/5] tests: Add fuzzing harnesses for various JSON/univalue
 parsing functions

---
 src/Makefile.test.include        |  8 +++
 src/test/fuzz/parse_univalue.cpp | 91 ++++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 src/test/fuzz/parse_univalue.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index a5f740c5030..0225edf29e5 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -40,6 +40,7 @@ FUZZ_TARGETS = \
   test/fuzz/prefilled_transaction_deserialize \
   test/fuzz/parse_numbers \
   test/fuzz/parse_script \
+  test/fuzz/parse_univalue \
   test/fuzz/psbt \
   test/fuzz/psbt_input_deserialize \
   test/fuzz/psbt_output_deserialize \
@@ -97,6 +98,7 @@ FUZZ_SUITE_LD_COMMON = \
  $(LIBTEST_UTIL) \
  $(LIBBITCOIN_CONSENSUS) \
  $(LIBBITCOIN_CRYPTO) \
+ $(LIBBITCOIN_CLI) \
  $(LIBUNIVALUE) \
  $(LIBLEVELDB) \
  $(LIBLEVELDB_SSE42) \
@@ -539,6 +541,12 @@ test_fuzz_parse_numbers_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_parse_numbers_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_parse_numbers_LDADD = $(FUZZ_SUITE_LD_COMMON)
 
+test_fuzz_parse_univalue_SOURCES = $(FUZZ_SUITE) test/fuzz/parse_univalue.cpp
+test_fuzz_parse_univalue_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_parse_univalue_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_parse_univalue_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_parse_univalue_LDADD = $(FUZZ_SUITE_LD_COMMON)
+
 endif # ENABLE_FUZZ
 
 nodist_test_test_bitcoin_SOURCES = $(GENERATED_TEST_FILES)
diff --git a/src/test/fuzz/parse_univalue.cpp b/src/test/fuzz/parse_univalue.cpp
new file mode 100644
index 00000000000..3ad112dbad5
--- /dev/null
+++ b/src/test/fuzz/parse_univalue.cpp
@@ -0,0 +1,91 @@
+// Copyright (c) 2009-2019 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chainparams.h>
+#include <core_io.h>
+#include <rpc/client.h>
+#include <rpc/util.h>
+#include <test/fuzz/fuzz.h>
+#include <util/memory.h>
+
+#include <limits>
+#include <string>
+
+void initialize()
+{
+    static const auto verify_handle = MakeUnique<ECCVerifyHandle>();
+    SelectParams(CBaseChainParams::REGTEST);
+}
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    const std::string random_string(buffer.begin(), buffer.end());
+    bool valid = true;
+    const UniValue univalue = [&] {
+        try {
+            return ParseNonRFCJSONValue(random_string);
+        } catch (const std::runtime_error&) {
+            valid = false;
+            return NullUniValue;
+        }
+    }();
+    if (!valid) {
+        return;
+    }
+    try {
+        (void)ParseHashO(univalue, "A");
+        (void)ParseHashO(univalue, random_string);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseHashV(univalue, "A");
+        (void)ParseHashV(univalue, random_string);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseHexO(univalue, "A");
+        (void)ParseHexO(univalue, random_string);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseHexUV(univalue, "A");
+        (void)ParseHexUV(univalue, random_string);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseHexV(univalue, "A");
+        (void)ParseHexV(univalue, random_string);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseSighashString(univalue);
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)AmountFromValue(univalue);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        FlatSigningProvider provider;
+        (void)EvalDescriptorStringOrObject(univalue, provider);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseConfirmTarget(univalue, std::numeric_limits<unsigned int>::max());
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+    try {
+        (void)ParseDescriptorRange(univalue);
+    } catch (const UniValue&) {
+    } catch (const std::runtime_error&) {
+    }
+}