curl
diff --git a/‎README.md‎
Lines changed: 32 additions & 0 deletions b/‎README.md‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎corpora/.gitignore‎
Lines changed: 19 additions & 0 deletions b/‎corpora/.gitignore‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎curl_fuzzer.cc‎
Lines changed: 10 additions & 3 deletions b/‎curl_fuzzer.cc‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎curl_fuzzer.h‎
Lines changed: 1 addition & 0 deletions b/‎curl_fuzzer.h‎
Lines changed: 1 addition & 0 deletions
@@ -16,6 +16,22 @@ temporary directory instead.
 
 `./mainline.sh` is run regressibly by Github Actions.
 
+## Structure-aware fuzzing with libprotobuf-mutator
+
+Every `curl_fuzzer*` binary now links
+[libprotobuf-mutator](https://github.com/google/libprotobuf-mutator) directly.
+Build the usual targets and you automatically get structured `Scenario`
+generation:
+
+```shell
+cmake -S . -B build
+cmake --build build --target curl_fuzzer
+```
+
+The shared engine still understands legacy TLV corpora, but the libFuzzer
+entry-point feeds decoded `Scenario` protos into the same execution path, so
+crash reports remain comparable to the classic workflow.
+
 ## I want more information when running a testcase or multiple testcases
 
 Setting the `FUZZ_VERBOSE` environment variable turns on curl verbose logging.
@@ -80,6 +96,22 @@ read_corpus <path/to/file>
 ```
 This will print out a list of contents inside the file.
 
+## I want to convert TLV corpora into structured scenarios
+
+Install the tooling (see above), then run the converter to mirror TLV corpus
+entries into Scenario `.textproto` files:
+
+```shell
+corpora_to_textproto --output scenarios/
+```
+
+By default the tool walks the `corpora/` tree and writes `*.textproto` files to
+`scenarios/`, preserving the directory structure. You can point `--output` to a
+different directory or pass one or more explicit corpus paths when you only
+want to convert selected inputs. The converter automatically skips corpora for
+the `curl_fuzzer_fnmatch`, `curl_fuzzer_bufq`, and `fuzz_url` harnesses because
+they do not use the structured Scenario pipeline.
+
 ## I want an HTML decoder for corpus files
 
 Generate a standalone HTML page that can inspect TLV corpora directly in your browser:
 
@@ -1 +1,20 @@
 # Ignore all the scenario corpora
+curl_fuzzer/
+curl_fuzzer_dict/
+curl_fuzzer_file/
+curl_fuzzer_ftp/
+curl_fuzzer_gopher/
+curl_fuzzer_http/
+curl_fuzzer_https/
+curl_fuzzer_imap/
+curl_fuzzer_ldap/
+curl_fuzzer_mqtt/
+curl_fuzzer_pop3/
+curl_fuzzer_rtmp/
+curl_fuzzer_rtsp/
+curl_fuzzer_scp/
+curl_fuzzer_sftp/
+curl_fuzzer_smb/
+curl_fuzzer_smtp/
+curl_fuzzer_tftp/
+curl_fuzzer_ws/
@@ -30,7 +30,7 @@
 
 #include <libprotobuf-mutator/src/libfuzzer/libfuzzer_macro.h>
 
-DEFINE_PROTO_FUZZER(const curl::fuzzer::proto::Scenario &scenario)
+DEFINE_BINARY_PROTO_FUZZER(const curl::fuzzer::proto::Scenario &scenario)
 {
   CurlFuzzerRunScenario(scenario);
 }
@@ -51,11 +51,18 @@ int CurlFuzzerRunScenario(const curl::fuzzer::proto::Scenario &scenario)
 
   rc = curl_fuzzer::ApplyScenario(scenario, &fuzz);
   if(rc != 0) {
+    FV_PRINTF(&fuzz, "SCENARIO: ApplyScenario failed with rc=%d\n", rc);
     goto EXIT_LABEL;
   }
+  FV_PRINTF(&fuzz,
+            "SCENARIO: successfully applied scenario, starting transfer\n");
 
   /* Set up the standard easy options. */
-  FTRY(fuzz_set_easy_options(&fuzz));
+  rc = fuzz_set_easy_options(&fuzz);
+  if(rc != 0) {
+    FV_PRINTF(&fuzz, "SCENARIO: fuzz_set_easy_options failed with rc=%d\n", rc);
+    goto EXIT_LABEL;
+  }
 
   /**
    * Add in more curl options that have been accumulated over the scenario
@@ -567,7 +574,7 @@ int fuzz_set_allowed_protocols(FUZZ_DATA *fuzz)
   allowed_protocols = "http,ws,wss";
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_CONNECT_ONLY, 2L));
 #endif
-
+  FV_PRINTF(fuzz, "allowed_protocols=%s\n", allowed_protocols);
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_PROTOCOLS_STR, allowed_protocols));
 
 EXIT_LABEL:
 
@@ -495,6 +495,7 @@ int CurlFuzzerRunScenario(const curl::fuzzer::proto::Scenario &scenario);
           int _func_rc = (FUNC);                                              \
           if (_func_rc)                                                       \
           {                                                                   \
+            fprintf(stderr, "FTRY failed: %s returned %d\n", #FUNC, _func_rc); \
             rc = _func_rc;                                                    \
             goto EXIT_LABEL;                                                  \
           }                                                                   \