Add fuzzing github actions

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,7 @@
+FROM ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest AS LITE_BUILDER
+
+FROM gcr.io/oss-fuzz-base/base-builder:v1
+COPY . $SRC/app-kaspa
+COPY ./.clusterfuzzlite/build.sh $SRC/
+COPY --from=LITE_BUILDER /opt/ledger-secure-sdk $SRC/app-kaspa/BOLOS_SDK
+WORKDIR $SRC/app-kaspa

.clusterfuzzlite/build.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -eu
+
+# build fuzzers
+
+pushd fuzzing
+cmake -DBOLOS_SDK=../BOLOS_SDK -Bbuild -H.
+make -C build
+mv ./build/fuzz_tx_parser $OUT
+mv ./build/fuzz_txin_parser $OUT
+mv ./build/fuzz_txout_parser $OUT
+popd

.clusterfuzzlite/project.yaml

@@ -0,0 +1 @@
+language: c

.github/workflows/cflite_cron.yaml

@@ -0,0 +1,40 @@
+name: ClusterFuzzLite cron tasks
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main  # Use your actual default branch here.
+  schedule:
+    - cron: '0 13 * * 6'  # At 01:00 PM, only on Saturday
+permissions: read-all
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mode: batch
+            sanitizer: address
+          - mode: batch
+            sanitizer: memory
+          - mode: prune
+            sanitizer: address
+          - mode: coverage
+            sanitizer: coverage
+    steps:
+    - name: Build Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        language: c # Change this to the language you are fuzzing.
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300 # 5 minutes
+        mode: ${{ matrix.mode }}
+        sanitizer: ${{ matrix.sanitizer }}

.github/workflows/cflite_pr.yaml

@@ -0,0 +1,43 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - '**'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory] # Override this with the sanitizers you want.
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: c # Change this to the language you are fuzzing.
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+        # Optional but recommended: used to only run fuzzers that are affected
+        # by the PR.
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300 # 5 minutes
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true
+        # Optional but recommended: used to download the corpus produced by
+        # batch fuzzing.
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

fuzzing/README.md

@@ -5,14 +5,7 @@
 Change `~/ledger/app-kaspa` to wherever you actual `app-kaspa` folder is.
 
 ```
-docker run --rm -it -v ~/ledger/app-kaspa:/app ghcr.io/ledgerhq/ledger-app-builder/ledger-app-dev-tools:latest bash
-apk add build-base libc-dev linux-headers libexecinfo-dev compiler-rt
-apk del llvm15
-
-mkdir -p /usr/lib/clang/12.0.1/lib/linux/
-
-cp /app/fuzzing/llvm-headers/libclang_rt.asan-x86_64.a /usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.a
-cp /app/fuzzing/llvm-headers/libclang_rt.fuzzer-x86_64.a /usr/lib/clang/12.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a
+docker run --rm -it -v ~/ledger/app-kaspa:/app ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest bash
 ```
 
 ## Compilation
@@ -40,13 +33,15 @@ make -C build
 
 ## LLVM Compile
 
-Use this if you want to build the LLVM from scratch.
+Use this if you want to build the LLVM from scratch and use it
 
 A pre-compiled version of the ones this fuzzing needs is in `llvm-headers`.
 
 Update your docker run to:
 ```
 docker run -it -v ~/ledger/app-kaspa:/app -v ~/llvm-project:/tmp/llvm-project ghcr.io/ledgerhq/ledger-app-builder/ledger-app-dev-tools:latest bash
+apk add build-base libc-dev linux-headers libexecinfo-dev compiler-rt
+apk del llvm15
 ```
 
 Clone the LLVM project from: https://github.com/llvm/llvm-project

src/transaction/deserialize.c

@@ -33,13 +33,21 @@ parser_status_e transaction_output_deserialize(buffer_t *buf, transaction_output
         return OUTPUT_VALUE_PARSING_ERROR;
     }
 
-    size_t script_len = (size_t) * (buf->ptr + buf->offset);
+    if (!buffer_can_read(buf, 1)) {
+        return OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR;
+    }
+
+    uint8_t script_len = (uint8_t) * (buf->ptr + buf->offset);
 
     if (script_len == OP_BLAKE2B) {
         // P2SH = 0xaa + 0x20 + (script hash) + 0x87
         // Total length = 35
         // script len is actually the second byte if the first one is 0xaa
-        script_len = (size_t) * (buf->ptr + buf->offset + 1);
+        if (!buffer_can_read(buf, 2)) {
+            return OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR;
+        }
+
+        script_len = (uint8_t) * (buf->ptr + buf->offset + 1);
 
         // For P2SH, we expect len to always be 0x20
         if (script_len != 0x20) {

unit-tests/test_tx_parser.c

@@ -303,6 +303,11 @@ static void test_tx_output_deserialization_fail(void **state) {
         0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x86
     };
 
+    uint8_t invalid_script_missing[] = {
+        // Value only, no script
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x86, 0x00
+    };
+
     uint8_t invalid_script_start[] = {
         // Start is not 0x20 or 0x21
         0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x86, 0xa0,
@@ -368,6 +373,7 @@ static void test_tx_output_deserialization_fail(void **state) {
     };
 
     assert_int_equal(run_test_tx_output_serialize(invalid_value, sizeof(invalid_value)), OUTPUT_VALUE_PARSING_ERROR);
+    assert_int_equal(run_test_tx_output_serialize(invalid_script_missing, sizeof(invalid_script_missing)), OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR);
     assert_int_equal(run_test_tx_output_serialize(invalid_script_start, sizeof(invalid_script_start)), OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR);
     assert_int_equal(run_test_tx_output_serialize(invalid_script_end_schnorr, sizeof(invalid_script_end_ecdsa)), OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR);
     assert_int_equal(run_test_tx_output_serialize(invalid_script_end_ecdsa, sizeof(invalid_script_end_ecdsa)), OUTPUT_SCRIPT_PUBKEY_PARSING_ERROR);