# AFL++ dictionaries

For the general instruction manual, see [docs/README.md](../docs/README.md).

This subdirectory contains a set of dictionaries that can be used in conjunction
with the -x option to allow the fuzzer to effortlessly explore the grammar of
some of the more verbose data formats or languages.

These sets were created by Michal Zalewski and various contributors, or imported
from oss-fuzz, go-fuzz and libfuzzer.

Custom dictionaries can be added at will. They should consist of a
reasonably-sized set of rudimentary syntax units that the fuzzer will then try
to clobber together in various ways. Snippets between 2 and 16 bytes are usually
the sweet spot.

Custom dictionaries can be created in two ways:

  - By creating a new directory and placing each token in a separate file, in
    which case, there is no need to escape or otherwise format the data.

  - By creating a flat text file where tokens are listed one per line in the
    format of name="value". The alphanumeric name is ignored and can be omitted,
    although it is a convenient way to document the meaning of a particular
    token. The value must appear in quotes, with hex escaping (\xNN) applied to
    all non-printable, high-bit, or otherwise problematic characters (\\ and \"
    shorthands are recognized, too).

The fuzzer auto-selects the appropriate mode depending on whether the -x
parameter is a file or a directory.

In the file mode, every name field can be optionally followed by @<num>, e.g.:

  `keyword_foo@1 = "foo"`

Such entries will be loaded only if the requested dictionary level is equal to
or higher than this number. The default level is zero; a higher value can be set
by appending @<num> to the dictionary file name, like so:

  `-x path/to/dictionary.dct@2`

Good examples of dictionaries can be found in xml.dict and png.dict.
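
The file-mode rules above can be checked before a fuzzing run. The linter below is an added example, not part of AFL++ or of the original README; it implements only the rules stated here (optional name, `@<num>` level, `\xNN`, `\\` and `\"` escapes, the 2 to 16 byte guideline). The names `load_dictionary` and `decode_value`, the sample entries, and the skipping of blank and `#` comment lines are assumptions made for illustration.

```python
import re

# Constructed sample (not a shipped file); skipping "#" lines is an assumption.
SAMPLE = r'''# tokens for a made-up format
header_png="\x89PNG\x0d\x0a\x1a\x0a"
keyword_foo@1 = "foo"
"<!"
quoted="a\"b\\c"
rare_tag@2="<!ATTLIST"
bad_escape="tab\there"
too_long="<!DOCTYPE html PUBLIC"
'''

ENTRY = re.compile(r'^(?:(?P<name>\w+)(?:@(?P<level>\d+))?\s*=\s*)?"(?P<body>.*)"$')
TOKEN = re.compile(r'\\x([0-9A-Fa-f]{2})|\\([\\"])|([ !#-\[\]-~])')

def decode_value(body):
    # Accept \xNN, \\ and \" plus printable ASCII other than a bare quote or backslash.
    out, pos = bytearray(), 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"bad character or escape at column {pos}")
        hexpair, short, plain = m.groups()
        out += bytes([int(hexpair, 16)]) if hexpair else (short or plain).encode()
        pos = m.end()
    return bytes(out)

def load_dictionary(text, level=0):
    tokens, problems = [], []  # problems holds (line number, message) pairs
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, 'not in name="value" form'))
            continue
        try:
            value = decode_value(m["body"])
        except ValueError as err:
            problems.append((lineno, str(err)))
            continue
        if int(m["level"] or 0) > level:
            continue  # entry needs a higher @<num> on the -x argument
        if not 2 <= len(value) <= 16:
            problems.append((lineno, f"{len(value)}-byte token outside 2-16 bytes"))
        tokens.append(value)
    return tokens, problems
```

Malformed entries are reported and dropped; tokens outside the size guideline are reported but still returned, since the README describes that range as a sweet spot rather than a limit.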