
How to fuzz fontconfig

Font discovery and configuration library on every Linux desktop

fontconfig parses XML configuration files at startup for every X11/Wayland app. A malicious config dropped into user state can crash desktop sessions or pivot — the parser is the highest-value attack surface.

Common bug classes

  • XML parser overruns on malformed expression elements
  • Cache-format integer overflows on 32-bit hosts
  • Use-after-free in matrix / charset destructors

Recommended setup

Fuzzers

  • libFuzzer
  • AFL++

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <fontconfig/fontconfig.h>
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

// libFuzzer entry point: every input is treated as a complete fonts.conf.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Per-process path so parallel jobs (libFuzzer -jobs/-workers, AFL++ -M/-S)
  // do not overwrite each other's input while it is being parsed.
  char path[64];
  snprintf(path, sizeof path, "/tmp/fc_fuzz_%ld.conf", (long)getpid());
  FILE *fp = fopen(path, "wb");
  if (!fp) return 0;
  fwrite(data, 1, size, fp);
  fclose(fp);
  // Fresh config object; parse the file through the XML configuration parser.
  // complain=FcFalse only silences the missing-file warning; XML parse errors
  // are still reported on stderr.
  FcConfig *cfg = FcConfigCreate();
  FcConfigParseAndLoad(cfg, (const FcChar8 *)path, FcFalse);
  FcConfigDestroy(cfg);   // runs the matrix/charset value destructors
  unlink(path);
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
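An empty corpus reaches the expression parser slowly, because the fuzzer first has to discover well-formed XML. The script below, an added example rather than part of this page or of fontconfig, writes a small seed corpus that already exercises match/test/edit, matrix expressions, aliases and directory elements, plus a libFuzzer/AFL++ dictionary of element and attribute tokens. Element and attribute names are those of fontconfig's fonts.dtd; the font names and paths are constructed sample values.

```shell
#!/bin/sh
# Constructed seed corpus + fuzzing dictionary for the fontconfig harness.
# Tags/attributes follow fonts.dtd; font names and paths are made up.

write_fc_seeds() {            # $1 = corpus directory
  mkdir -p "$1"
  cat > "$1/match_edit.conf" <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="pattern">
    <test qual="any" name="family"><string>serif</string></test>
    <edit name="family" mode="prepend" binding="strong"><string>Example Serif</string></edit>
  </match>
</fontconfig>
EOF
  # Expression tree that drives the matrix code paths listed above
  cat > "$1/matrix_edit.conf" <<'EOF'
<fontconfig>
  <match target="font">
    <test name="slant" compare="less"><const>italic</const></test>
    <edit name="matrix" mode="assign">
      <times><name>matrix</name>
        <matrix><double>1</double><double>0.2</double><double>0</double><double>1</double></matrix>
      </times>
    </edit>
  </match>
</fontconfig>
EOF
  cat > "$1/alias_dirs.conf" <<'EOF'
<fontconfig>
  <dir>/usr/share/fonts</dir>
  <cachedir prefix="xdg">fontconfig</cachedir>
  <alias><family>serif</family><prefer><family>Example Serif</family></prefer></alias>
  <selectfont><rejectfont><glob>/usr/share/fonts/broken/*</glob></rejectfont></selectfont>
</fontconfig>
EOF
}

write_fc_dict() {             # $1 = output file, pass as -dict=FILE (libFuzzer) / -x FILE (AFL++)
  : > "$1"
  for tok in fontconfig match test edit alias family prefer default dir cachedir \
             include selectfont acceptfont rejectfont glob string int double bool \
             const name matrix charset langset range times plus minus divide eq \
             less more contains or and not if; do
    printf '"<%s>"\n"</%s>"\n' "$tok" "$tok" >> "$1"
  done
  printf '%s\n' '"target=\"pattern\""' '"target=\"font\""' '"mode=\"assign\""' \
                '"binding=\"strong\""' '"compare=\"less\""' '"qual=\"any\""' >> "$1"
}
```

Run `write_fc_seeds corpus && write_fc_dict fc.dict`, then start the harness with `./fuzz_target -dict=fc.dict corpus/`.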
