Binary · C
How to fuzz Capstone
Multi-architecture disassembly framework embedded in many reverse-engineering tools
Capstone is linked into radare2, Rizin/Cutter and a large number of analysis scripts and plugins, where it is routinely handed untrusted binary samples straight out of malware corpora. A disassembler crash on a crafted input is a denial of service against the analyst's workflow at minimum; a memory-safety bug in a library linked into the analyst's own tooling is the more serious case.
Common bug classes
- Out-of-bounds reads on truncated instruction encodings (the decoder consuming operand bytes past the end of the buffer)
- Integer overflow in operand offset and displacement arithmetic
- Stack overflow from recursive operand parsing
Recommended setup
Fuzzers
- libFuzzer
- AFL++
Sanitizers
- ASan
- UBSan
Harness scaffold
```cpp
#include <capstone/capstone.h>
#include <stddef.h>
#include <stdint.h>

// libFuzzer entry point: every input is treated as raw x86-64 machine code.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    csh handle;
    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return 0;
    cs_insn *insn;
    // 0x1000 is an arbitrary load address; a count of 0 means "decode everything".
    size_t count = cs_disasm(handle, data, size, 0x1000, 0, &insn);
    if (count) cs_free(insn, count);   // cs_free must see the same count cs_disasm returned
    cs_close(&handle);
    return 0;
}
```
Save this as fuzz_target.cc, build it with clang and `-fsanitize=fuzzer,address,undefined` against libcapstone, and you have a working starting point. Two limits of this scaffold: it only ever exercises the x86-64 decoder, and detail mode is off, so the cs_detail operand and register tables (and the code that fills them) are never touched.