1 | /* |
2 | * Copyright (c) Meta Platforms, Inc. and affiliates. |
3 | * All rights reserved. |
4 | * |
5 | * This source code is licensed under both the BSD-style license (found in the |
6 | * LICENSE file in the root directory of this source tree) and the GPLv2 (found |
7 | * in the COPYING file in the root directory of this source tree). |
8 | * You may select, at your option, one of the above-listed licenses. |
9 | */ |
10 | |
11 | /** |
12 | * This fuzz target performs a zstd round-trip test (compress & decompress), |
13 | * compares the result with the original, and calls abort() on corruption. |
14 | */ |
15 | |
16 | #define ZSTD_STATIC_LINKING_ONLY |
17 | |
18 | #include <stddef.h> |
19 | #include <stdlib.h> |
20 | #include <stdio.h> |
21 | #include <string.h> |
22 | #include "fuzz_helpers.h" |
23 | #include "zstd_helpers.h" |
24 | #include "fuzz_data_producer.h" |
25 | #include "fuzz_third_party_seq_prod.h" |
26 | |
/* Process-wide state shared by compress() and LLVMFuzzerTestOneInput().
 * cctx is the only one of these without `static`, i.e. it has external
 * linkage; presumably something outside this file (a sibling TU or one of
 * the included fuzz headers) refers to it -- confirm before narrowing it. */
ZSTD_CCtx *cctx = NULL;
static ZSTD_DCtx *dctx = NULL;
/* Scratch buffers: cBuf receives the compressed frames, rBuf the
 * regenerated data. Both hold bufSize bytes and are only ever grown,
 * never shrunk (see the reallocation in LLVMFuzzerTestOneInput). */
static uint8_t* cBuf = NULL;
static uint8_t* rBuf = NULL;
static size_t bufSize = 0;
32 | |
/* Build an output buffer over dst whose usable size is a producer-chosen
 * value in [1, capacity], so the streaming calls see partial-output
 * conditions. Aborts (FUZZ_ASSERT) when capacity is 0, which is how an
 * exhausted destination buffer is detected. NOTE(review): the range helper
 * appears to work on 32-bit values; a capacity above UINT32_MAX would be
 * narrowed on the way in -- presumably unreachable for fuzz inputs, confirm. */
static ZSTD_outBuffer makeOutBuffer(uint8_t *dst, size_t capacity,
                                    FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(capacity > 0);
    size_t const chosen = FUZZ_dataProducer_uint32Range(producer, 1, capacity);
    /* Guard against the helper ever handing back something outside the bound. */
    FUZZ_ASSERT(chosen <= capacity);
    ZSTD_outBuffer buffer = { .dst = dst, .size = chosen, .pos = 0 };
    return buffer;
}
44 | |
/* Carve the next input chunk off the caller's cursor: a producer-chosen
 * length in [1, *size] starting at *src. Advances *src and shrinks *size
 * by that length so repeated calls walk the input. Aborts (FUZZ_ASSERT)
 * when no input is left. */
static ZSTD_inBuffer makeInBuffer(const uint8_t **src, size_t *size,
                                  FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(*size > 0);
    size_t const take = FUZZ_dataProducer_uint32Range(producer, 1, *size);
    FUZZ_ASSERT(take <= *size);
    ZSTD_inBuffer buffer = { .src = *src, .size = take, .pos = 0 };
    /* Consume the chunk from the caller's view of the input. */
    *src += take;
    *size -= take;
    return buffer;
}
58 | |
/* Compress src[0..srcSize) into dst through the shared cctx, driving the
 * streaming API with producer-chosen input chunks, output sizes and
 * directives so that flush / end / continue paths are all exercised.
 *
 * dst, capacity     destination buffer. Every byte produced is subtracted
 *                   from capacity and makeOutBuffer() aborts once it reaches
 *                   0, so the caller must size dst well above a single
 *                   compressBound: the input may be split into several
 *                   frames with intermediate flushes.
 * src, srcSize      input to compress.
 * dict, dictSize    dictionary bytes, attached by reference as a prefix
 *                   (refPrefix != 0) or loaded into the context with a
 *                   producer-chosen load method.
 * producer          fuzz data source for every random choice below.
 * dictContentType   how zstd should interpret the dictionary bytes.
 *
 * Returns the total number of bytes written to dst.
 */
static size_t compress(uint8_t *dst, size_t capacity,
                       const uint8_t *src, size_t srcSize,
                       const uint8_t* dict, size_t dictSize,
                       FUZZ_dataProducer_t *producer, int refPrefix,
                       ZSTD_dictContentType_e dictContentType)
{
    size_t dstSize = 0;
    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
    FUZZ_setRandomParameters(cctx, srcSize, producer);

    /* Disable checksum so we can use sizes smaller than compress bound. */
    FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_checksumFlag, 0));
    if (refPrefix)
        FUZZ_ZASSERT(ZSTD_CCtx_refPrefix_advanced(
            cctx, dict, dictSize,
            dictContentType));
    else
        FUZZ_ZASSERT(ZSTD_CCtx_loadDictionary_advanced(
            cctx, dict, dictSize,
            (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1),
            dictContentType));

    while (srcSize > 0) {
        /* makeInBuffer advances src and decrements srcSize by the chunk size. */
        ZSTD_inBuffer in = makeInBuffer(&src, &srcSize, producer);
        /* Mode controls the action. If mode == -1 we pick a new mode */
        int mode = -1;
        /* Keep stepping until this chunk is fully consumed AND the current
         * directive has reported completion (mode back to -1). */
        while (in.pos < in.size || mode != -1) {
            /* Fresh, possibly tiny, output window for each step; aborts if
             * capacity has been exhausted. */
            ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
            /* Previous action finished, pick a new mode. */
            if (mode == -1) mode = FUZZ_dataProducer_uint32Range(producer, 0, 9);
            switch (mode) {
            case 0: /* fall-through */
            case 1: /* fall-through */
            case 2: {
                /* Flush: keep the same mode until ret == 0 reports that
                 * all pending output has been emitted. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_flush);
                FUZZ_ZASSERT(ret);
                if (ret == 0)
                    mode = -1;
                break;
            }
            case 3: {
                /* End the current frame; any input still left starts a
                 * new frame afterwards. */
                size_t ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
                FUZZ_ZASSERT(ret);
                /* Reset the compressor when the frame is finished */
                if (ret == 0) {
                    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
                    /* 1 in 8: re-randomize parameters for the next frame.
                     * `remaining` is only the unconsumed part of the current
                     * chunk (srcSize was already reduced by makeInBuffer),
                     * so it is a size hint, not the true remaining input. */
                    if (FUZZ_dataProducer_uint32Range(producer, 0, 7) == 0) {
                        size_t const remaining = in.size - in.pos;
                        FUZZ_setRandomParameters(cctx, remaining, producer);
                    }
                    mode = -1;
                }
                break;
            }
            case 4: {
                /* Zero-length input and output buffers on a continue call,
                 * then fall through to a regular continue step. */
                ZSTD_inBuffer nullIn = { NULL, 0, 0 };
                ZSTD_outBuffer nullOut = { NULL, 0, 0 };
                size_t const ret = ZSTD_compressStream2(cctx, &nullOut, &nullIn, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
            }
            /* fall-through */
            default: {
                /* Modes 4-9: plain continue; one call completes the step. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
                mode = -1;
            }
            }
            /* Account for this step's output. out.pos <= out.size <= capacity
             * (asserted in makeOutBuffer), so the subtraction cannot underflow. */
            dst += out.pos;
            dstSize += out.pos;
            capacity -= out.pos;
        }
    }
    /* All input consumed: drain the compressor with ZSTD_e_end until the
     * last frame is fully closed (ret == 0). */
    for (;;) {
        ZSTD_inBuffer in = {NULL, 0, 0};
        ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
        size_t const ret = ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
        FUZZ_ZASSERT(ret);

        dst += out.pos;
        dstSize += out.pos;
        capacity -= out.pos;
        if (ret == 0)
            break;
    }
    return dstSize;
}
148 | |
/* Grow the shared compressed / regenerated scratch buffers so that each
 * holds at least `needed` bytes. Buffers never shrink; the previous
 * contents are discarded. FUZZ_malloc is relied on to abort on failure. */
static void ensureScratchBuffers(size_t needed)
{
    if (needed <= bufSize)
        return;
    free(cBuf);
    free(rBuf);
    cBuf = (uint8_t*)FUZZ_malloc(needed);
    rBuf = (uint8_t*)FUZZ_malloc(needed);
    bufSize = needed;
}

/* Lazily create the shared compression and decompression contexts. */
static void ensureContexts(void)
{
    if (cctx == NULL) {
        cctx = ZSTD_createCCtx();
        FUZZ_ASSERT(cctx);
    }
    if (dctx == NULL) {
        dctx = ZSTD_createDCtx();
        FUZZ_ASSERT(dctx);
    }
}

/* Attach the dictionary to dctx the same way compress() attached it to
 * cctx: by reference as a prefix, or loaded with a producer-chosen load
 * method. Consumes one producer value in the non-prefix case only. */
static void attachDecompressionDict(FUZZ_dict_t dict, int refPrefix,
                                    ZSTD_dictContentType_e dictContentType,
                                    FUZZ_dataProducer_t *producer)
{
    if (refPrefix) {
        FUZZ_ZASSERT(ZSTD_DCtx_refPrefix_advanced(
            dctx, dict.buff, dict.size, dictContentType));
    } else {
        ZSTD_dictLoadMethod_e const loadMethod =
            (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1);
        FUZZ_ZASSERT(ZSTD_DCtx_loadDictionary_advanced(
            dctx, dict.buff, dict.size, loadMethod, dictContentType));
    }
}

/* libFuzzer entry point: round-trip `src` through the streaming compressor
 * with a trained dictionary and a single-shot decompression, and abort on
 * any size or content mismatch. Returns 0 (libFuzzer convention). */
int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
    FUZZ_SEQ_PROD_SETUP();

    /* Give a random portion of src data to the producer, to use for
       parameter generation. The rest will be used for (de)compression */
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
    size = FUZZ_dataProducer_reserveDataPrefix(producer);

    /* compress() may emit several frames with flushes in between, so give
     * it a wide margin over a single compressBound. */
    size_t const neededBufSize = ZSTD_compressBound(size) * 15;
    ensureScratchBuffers(neededBufSize);
    ensureContexts();

    {
        ZSTD_dictContentType_e const dictContentType =
            (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2);
        FUZZ_dict_t dict = FUZZ_train(src, size, producer);
        int const refPrefix = FUZZ_dataProducer_uint32Range(producer, 0, 1) != 0;

        size_t const cSize = compress(cBuf, neededBufSize, src, size,
                                      dict.buff, dict.size, producer,
                                      refPrefix, dictContentType);

        attachDecompressionDict(dict, refPrefix, dictContentType, producer);
        size_t const rSize =
            ZSTD_decompressDCtx(dctx, rBuf, neededBufSize, cBuf, cSize);
        FUZZ_ZASSERT(rSize);
        FUZZ_ASSERT_MSG(rSize == size, "Incorrect regenerated size");
        FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
        free(dict.buff);
    }

    FUZZ_dataProducer_free(producer);
#ifndef STATEFUL_FUZZING
    ZSTD_freeCCtx(cctx); cctx = NULL;
    ZSTD_freeDCtx(dctx); dctx = NULL;
#endif
    FUZZ_SEQ_PROD_TEARDOWN();
    return 0;
}