Parser · C
How to fuzz tomlc99
TOML config files are user-supplied — any parser that trusts them needs fuzzing.
tomlc99 is a widely embedded C99 TOML parser used in firmware and low-level tooling where TOML is the configuration format of choice. Its line-oriented tokeniser and recursive key-value descent handle arbitrary UTF-8 strings with manual bounds arithmetic that benefits from coverage-guided fuzzing.
Common bug classes
- Heap buffer overflow in string literal unescape buffer sizing
- Integer overflow in multi-line string line accumulation
- Out-of-bounds read on truncated inline table value
- Null dereference on empty array-of-tables header
- Stack overflow via deeply nested inline table definitions
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include "toml.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char errbuf[256];
    /* toml_parse expects a writable, NUL-terminated string, so copy the
       fuzzer's read-only input into a heap buffer one byte larger. */
    char *buf = (char *)malloc(size + 1);
    if (!buf) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    /* A NULL result only means the input was rejected; the sanitizers
       report the memory errors we are actually hunting. */
    toml_table_t *tbl = toml_parse(buf, errbuf, sizeof(errbuf));
    if (tbl) toml_free(tbl);
    free(buf);
    return 0;
}
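The seed corpus and build recipe below are an added example, not part of the tomlc99 project or of the harness above. It assumes tomlc99's toml.c and toml.h and the harness saved as fuzz_toml.c sit in the current directory, and that clang and AFL++ (afl-clang-fast, afl-fuzz) are on PATH; the seed files are constructed here to reach the bug classes listed above.

```shell
#!/bin/sh
# Added example: seed corpus targeting the listed bug classes, plus
# ASan+UBSan builds for libFuzzer and AFL++ (file names are assumptions).

# One small seed per bug class so coverage starts in the right code paths.
make_seed_corpus() {
    dir="$1"
    mkdir -p "$dir"
    # string escapes -> unescape buffer sizing
    printf 'key = "esc\\u00e9\\t\\"q\\""\n' > "$dir/escapes.toml"
    # multi-line basic string with line-ending backslash -> line accumulation
    printf 'ml = """\nline one\\\nline two\n"""\n' > "$dir/multiline.toml"
    # deliberately truncated inline table -> out-of-bounds read class
    printf 'tbl = { a = 1, b = { c = "x" }\n' > "$dir/inline_truncated.toml"
    # empty array-of-tables header -> null dereference class
    printf '[[]]\n' > "$dir/empty_aot.toml"
    # nested inline tables -> recursion depth / stack overflow class
    printf 'n = { a = { b = { c = { d = 1 } } } }\n' > "$dir/nested_inline.toml"
    # one well-formed document so the happy path is covered too
    printf '[server]\nhost = "localhost"\nport = 8080\n' > "$dir/valid.toml"
}

# libFuzzer target with ASan and UBSan; -O1 keeps stack traces readable.
build_libfuzzer() {
    clang -g -O1 -fno-omit-frame-pointer -fsanitize=fuzzer,address,undefined \
        toml.c fuzz_toml.c -o fuzz_toml_libfuzzer
}

# AFL++ target: afl-clang-fast links its own LLVMFuzzerTestOneInput driver
# when given -fsanitize=fuzzer; AFL_USE_* enable the sanitizers.
build_aflpp() {
    AFL_USE_ASAN=1 AFL_USE_UBSAN=1 afl-clang-fast -g -O1 -fsanitize=fuzzer \
        toml.c fuzz_toml.c -o fuzz_toml_afl
}

run_libfuzzer() { ./fuzz_toml_libfuzzer seeds -max_len=4096 -timeout=5; }
run_aflpp() { afl-fuzz -i seeds -o findings -- ./fuzz_toml_afl; }

# sh fuzz_setup.sh all : write seeds/ and build both targets
if [ "${1:-}" = "all" ]; then
    make_seed_corpus seeds
    build_libfuzzer
    build_aflpp
fi
```

Run `run_libfuzzer` or `run_aflpp` afterwards; crashes land in the working directory (libFuzzer) or under findings/ (AFL++) with sanitizer reports attached.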