648db22b |
1 | /* |
2 | * Copyright (c) Meta Platforms, Inc. and affiliates. |
3 | * All rights reserved. |
4 | * |
5 | * This source code is licensed under both the BSD-style license (found in the |
6 | * LICENSE file in the root directory of this source tree) and the GPLv2 (found |
7 | * in the COPYING file in the root directory of this source tree). |
8 | * You may select, at your option, one of the above-listed licenses. |
9 | */ |
10 | |
11 | /** |
12 | * This fuzz target performs a zstd round-trip test (compress & decompress) with |
13 | * a dictionary, compares the result with the original, and calls abort() on |
14 | * corruption. |
15 | */ |
16 | |
17 | #include <stddef.h> |
18 | #include <stdlib.h> |
19 | #include <stdio.h> |
20 | #include <string.h> |
21 | #include "fuzz_helpers.h" |
22 | #include "zstd_helpers.h" |
23 | #include "fuzz_data_producer.h" |
24 | #include "fuzz_third_party_seq_prod.h" |
25 | |
26 | static ZSTD_CCtx *cctx = NULL; |
27 | static ZSTD_DCtx *dctx = NULL; |
28 | |
29 | static size_t roundTripTest(void *result, size_t resultCapacity, |
30 | void *compressed, size_t compressedCapacity, |
31 | const void *src, size_t srcSize, |
32 | FUZZ_dataProducer_t *producer) |
33 | { |
34 | ZSTD_dictContentType_e dictContentType = ZSTD_dct_auto; |
35 | FUZZ_dict_t dict = FUZZ_train(src, srcSize, producer); |
36 | int const refPrefix = FUZZ_dataProducer_uint32Range(producer, 0, 1) != 0; |
37 | size_t cSize; |
38 | if (FUZZ_dataProducer_uint32Range(producer, 0, 15) == 0) { |
39 | int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel); |
40 | |
41 | cSize = ZSTD_compress_usingDict(cctx, |
42 | compressed, compressedCapacity, |
43 | src, srcSize, |
44 | dict.buff, dict.size, |
45 | cLevel); |
46 | FUZZ_ZASSERT(cSize); |
47 | // Compress a second time and check for determinism |
48 | { |
49 | size_t const cSize0 = cSize; |
50 | XXH64_hash_t const hash0 = XXH64(compressed, cSize, 0); |
51 | cSize = ZSTD_compress_usingDict(cctx, |
52 | compressed, compressedCapacity, |
53 | src, srcSize, |
54 | dict.buff, dict.size, |
55 | cLevel); |
56 | FUZZ_ASSERT(cSize == cSize0); |
57 | FUZZ_ASSERT(XXH64(compressed, cSize, 0) == hash0); |
58 | } |
59 | } else { |
60 | size_t remainingBytes; |
61 | dictContentType = FUZZ_dataProducer_uint32Range(producer, 0, 2); |
62 | remainingBytes = FUZZ_dataProducer_remainingBytes(producer); |
63 | FUZZ_setRandomParameters(cctx, srcSize, producer); |
64 | /* Disable checksum so we can use sizes smaller than compress bound. */ |
65 | FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_checksumFlag, 0)); |
66 | if (refPrefix) |
67 | FUZZ_ZASSERT(ZSTD_CCtx_refPrefix_advanced( |
68 | cctx, dict.buff, dict.size, |
69 | dictContentType)); |
70 | else |
71 | FUZZ_ZASSERT(ZSTD_CCtx_loadDictionary_advanced( |
72 | cctx, dict.buff, dict.size, |
73 | (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1), |
74 | dictContentType)); |
75 | cSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize); |
76 | FUZZ_ZASSERT(cSize); |
77 | // Compress a second time and check for determinism |
78 | { |
79 | size_t const cSize0 = cSize; |
80 | XXH64_hash_t const hash0 = XXH64(compressed, cSize, 0); |
81 | FUZZ_dataProducer_rollBack(producer, remainingBytes); |
82 | FUZZ_setRandomParameters(cctx, srcSize, producer); |
83 | FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_checksumFlag, 0)); |
84 | if (refPrefix) |
85 | FUZZ_ZASSERT(ZSTD_CCtx_refPrefix_advanced( |
86 | cctx, dict.buff, dict.size, |
87 | dictContentType)); |
88 | cSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize); |
89 | FUZZ_ASSERT(cSize == cSize0); |
90 | FUZZ_ASSERT(XXH64(compressed, cSize, 0) == hash0); |
91 | } |
92 | } |
93 | if (refPrefix) |
94 | FUZZ_ZASSERT(ZSTD_DCtx_refPrefix_advanced( |
95 | dctx, dict.buff, dict.size, |
96 | dictContentType)); |
97 | else |
98 | FUZZ_ZASSERT(ZSTD_DCtx_loadDictionary_advanced( |
99 | dctx, dict.buff, dict.size, |
100 | (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1), |
101 | dictContentType)); |
102 | { |
103 | size_t const ret = ZSTD_decompressDCtx( |
104 | dctx, result, resultCapacity, compressed, cSize); |
105 | free(dict.buff); |
106 | return ret; |
107 | } |
108 | } |
109 | |
110 | int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size) |
111 | { |
112 | FUZZ_SEQ_PROD_SETUP(); |
113 | |
114 | /* Give a random portion of src data to the producer, to use for |
115 | parameter generation. The rest will be used for (de)compression */ |
116 | FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size); |
117 | size = FUZZ_dataProducer_reserveDataPrefix(producer); |
118 | |
119 | size_t const rBufSize = size; |
120 | void* rBuf = FUZZ_malloc(rBufSize); |
121 | size_t cBufSize = ZSTD_compressBound(size); |
122 | void *cBuf; |
123 | /* Half of the time fuzz with a 1 byte smaller output size. |
124 | * This will still succeed because we force the checksum to be disabled, |
125 | * giving us 4 bytes of overhead. |
126 | */ |
127 | cBufSize -= FUZZ_dataProducer_uint32Range(producer, 0, 1); |
128 | cBuf = FUZZ_malloc(cBufSize); |
129 | |
130 | if (!cctx) { |
131 | cctx = ZSTD_createCCtx(); |
132 | FUZZ_ASSERT(cctx); |
133 | } |
134 | if (!dctx) { |
135 | dctx = ZSTD_createDCtx(); |
136 | FUZZ_ASSERT(dctx); |
137 | } |
138 | |
139 | { |
140 | size_t const result = |
141 | roundTripTest(rBuf, rBufSize, cBuf, cBufSize, src, size, producer); |
142 | FUZZ_ZASSERT(result); |
143 | FUZZ_ASSERT_MSG(result == size, "Incorrect regenerated size"); |
144 | FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!"); |
145 | } |
146 | free(rBuf); |
147 | free(cBuf); |
148 | FUZZ_dataProducer_free(producer); |
149 | #ifndef STATEFUL_FUZZING |
150 | ZSTD_freeCCtx(cctx); cctx = NULL; |
151 | ZSTD_freeDCtx(dctx); dctx = NULL; |
152 | #endif |
153 | FUZZ_SEQ_PROD_TEARDOWN(); |
154 | return 0; |
155 | } |