1 | /* |
2 | * Copyright (c) Meta Platforms, Inc. and affiliates. |
3 | * All rights reserved. |
4 | * |
5 | * This source code is licensed under both the BSD-style license (found in the |
6 | * LICENSE file in the root directory of this source tree) and the GPLv2 (found |
7 | * in the COPYING file in the root directory of this source tree). |
8 | * You may select, at your option, one of the above-listed licenses. |
9 | */ |
10 | |
11 | /** |
12 | * This fuzz target performs a zstd round-trip test (compress & decompress), |
13 | * compares the result with the original, and calls abort() on corruption. |
14 | */ |
15 | |
16 | #define ZSTD_STATIC_LINKING_ONLY |
17 | |
18 | #include <stddef.h> |
19 | #include <stdlib.h> |
20 | #include <stdio.h> |
21 | #include <string.h> |
22 | #include "fuzz_helpers.h" |
23 | #include "zstd_helpers.h" |
24 | #include "fuzz_data_producer.h" |
25 | #include "fuzz_third_party_seq_prod.h" |
26 | |
/* Compression context shared by compress() and the entry point. Its
 * external linkage is kept exactly as declared in the original. */
ZSTD_CCtx *cctx = NULL;

/* Decompression context, created on first use by the entry point. */
static ZSTD_DCtx *dctx = NULL;

/* Scratch storage reused across fuzz inputs: cBuf receives the compressed
 * stream, rBuf the regenerated data. Both are bufSize bytes long and are
 * only reallocated when an input needs more room. */
static size_t bufSize = 0;
static uint8_t *cBuf = NULL;
static uint8_t *rBuf = NULL;
32 | |
/* Build an output buffer over dst whose size is drawn from the producer in
 * [1, capacity]; pos starts at 0. Aborts (FUZZ_ASSERT) when capacity is 0. */
static ZSTD_outBuffer makeOutBuffer(uint8_t *dst, size_t capacity,
                                    FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(capacity > 0);
    size_t const chosen = FUZZ_dataProducer_uint32Range(producer, 1, capacity);
    FUZZ_ASSERT(chosen <= capacity);

    ZSTD_outBuffer buffer = { .dst = dst, .size = chosen, .pos = 0 };
    return buffer;
}
44 | |
/* Build an input buffer over the next producer-chosen number of bytes
 * (in [1, *size]) starting at *src, then advance *src and shrink *size past
 * them so the caller sees only the unconsumed remainder. Aborts when *size
 * is 0. */
static ZSTD_inBuffer makeInBuffer(const uint8_t **src, size_t *size,
                                  FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(*size > 0);
    size_t const chunk = FUZZ_dataProducer_uint32Range(producer, 1, *size);
    FUZZ_ASSERT(chunk <= *size);

    ZSTD_inBuffer buffer = { .src = *src, .size = chunk, .pos = 0 };
    *src += chunk;
    *size -= chunk;
    return buffer;
}
58 | |
/*
 * Streaming-compress src[0..srcSize) into dst with the file-scope cctx,
 * driving ZSTD_compressStream2() with producer-chosen input/output chunk
 * sizes and producer-chosen directives (flush / end / continue).
 * Returns the total number of bytes written to dst. Every zstd error aborts
 * via FUZZ_ZASSERT; the caller must size dst so that capacity never reaches
 * 0 while data is pending, since makeOutBuffer asserts capacity > 0.
 */
static size_t compress(uint8_t *dst, size_t capacity,
                       const uint8_t *src, size_t srcSize,
                       FUZZ_dataProducer_t *producer)
{
    size_t dstSize = 0;
    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
    FUZZ_setRandomParameters(cctx, srcSize, producer);

    while (srcSize > 0) {
        ZSTD_inBuffer in = makeInBuffer(&src, &srcSize, producer);
        /* Mode controls the action. If mode == -1 we pick a new mode */
        int mode = -1;
        /* Keep issuing calls until this input chunk is fully consumed AND
         * the action in progress (a flush or end) has reported ret == 0. */
        while (in.pos < in.size || mode != -1) {
            ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
            /* Previous action finished, pick a new mode. */
            if (mode == -1) mode = FUZZ_dataProducer_uint32Range(producer, 0, 9);
            /* Mode weights out of 10 draws: 0-2 flush, 3 end, 4 null-call then
             * continue, 5-9 plain continue (default). */
            switch (mode) {
            case 0: /* fall-through */
            case 1: /* fall-through */
            case 2: {
                /* Flush; stay in this mode until zstd reports nothing left. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_flush);
                FUZZ_ZASSERT(ret);
                if (ret == 0)
                    mode = -1;
                break;
            }
            case 3: {
                /* End the current frame mid-stream; remaining input goes
                 * into a new frame after the reset below. */
                size_t ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
                FUZZ_ZASSERT(ret);
                /* Reset the compressor when the frame is finished */
                if (ret == 0) {
                    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
                    /* 1 draw in 8: re-randomize parameters for the next
                     * frame. The size hint passed is only the unconsumed
                     * part of the current chunk, not the remaining input. */
                    if (FUZZ_dataProducer_uint32Range(producer, 0, 7) == 0) {
                        size_t const remaining = in.size - in.pos;
                        FUZZ_setRandomParameters(cctx, remaining, producer);
                    }
                    mode = -1;
                }
                break;
            }
            case 4: {
                /* Exercise a zero-length continue with NULL buffers, then
                 * fall through to the regular continue call below. */
                ZSTD_inBuffer nullIn = { NULL, 0, 0 };
                ZSTD_outBuffer nullOut = { NULL, 0, 0 };
                size_t const ret = ZSTD_compressStream2(cctx, &nullOut, &nullIn, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
            }
            /* fall-through */
            default: {
                /* Plain continue: one call, then pick a fresh mode. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
                mode = -1;
            }
            }
            /* Account for whatever this call produced. */
            dst += out.pos;
            dstSize += out.pos;
            capacity -= out.pos;
        }
    }
    /* All input consumed: finish the last frame by repeating ZSTD_e_end
     * with empty input until zstd reports completion (ret == 0). */
    for (;;) {
        ZSTD_inBuffer in = {NULL, 0, 0};
        ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
        size_t const ret = ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
        FUZZ_ZASSERT(ret);

        dst += out.pos;
        dstSize += out.pos;
        capacity -= out.pos;
        if (ret == 0)
            break;
    }
    return dstSize;
}
134 | |
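/* Grow the shared cBuf/rBuf scratch buffers to at least `needed` bytes and
 * create the (de)compression contexts if they do not exist yet. Buffers are
 * only reallocated when too small, so they persist across fuzz inputs.
 * FUZZ_malloc's result is not NULL-checked here, as in the original;
 * presumably it asserts internally — confirm in fuzz_helpers. */
static void ensureBuffersAndContexts(size_t needed)
{
    if (needed > bufSize) {
        free(cBuf);
        free(rBuf);
        cBuf = FUZZ_malloc(needed);
        rBuf = FUZZ_malloc(needed);
        bufSize = needed;
    }
    if (!cctx) {
        cctx = ZSTD_createCCtx();
        FUZZ_ASSERT(cctx);
    }
    if (!dctx) {
        dctx = ZSTD_createDCtx();
        FUZZ_ASSERT(dctx);
    }
}

/* In-place round trip: the compressed bytes cBuf[0..cSize) are copied to the
 * tail of a single allocation of size + margin bytes and decompressed from
 * there into the head of that same allocation. The margin comes from the
 * ZSTD_decompressionMargin() function (the macro form cannot be used here).
 * Aborts on any zstd error, on a size mismatch, or if the output differs
 * from src. */
static void checkInPlaceDecompression(const uint8_t *src, size_t size, size_t cSize)
{
    size_t const margin = ZSTD_decompressionMargin(cBuf, cSize);
    /* An error code is a huge value that would silently inflate outputSize;
     * reject it before doing arithmetic with it. */
    FUZZ_ZASSERT(margin);
    size_t const outputSize = size + margin;
    /* Check the bound before forming `input`: computing a pointer before the
     * start of the allocation is undefined behavior even if never used. */
    FUZZ_ASSERT(outputSize >= cSize);

    char *const output = FUZZ_malloc(outputSize);
    char *const input = output + outputSize - cSize;
    memcpy(input, cBuf, cSize);

    size_t const dSize = ZSTD_decompressDCtx(dctx, output, outputSize, input, cSize);
    FUZZ_ZASSERT(dSize);
    FUZZ_ASSERT_MSG(dSize == size, "Incorrect regenerated size");
    FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, output, size), "Corruption!");

    free(output);
}

/* libFuzzer entry point. A producer-chosen prefix of `src` feeds the data
 * producer (parameters, chunk sizes, modes); the remaining `size` bytes are
 * streaming-compressed, then decompressed twice — into rBuf and in place —
 * and each result must match src byte for byte. Returns 0; any failure
 * aborts. */
int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
    FUZZ_SEQ_PROD_SETUP();

    /* Give a random portion of src data to the producer, to use for
       parameter generation. The rest will be used for (de)compression */
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
    size = FUZZ_dataProducer_reserveDataPrefix(producer);

    /* 15x headroom over a single compressBound, presumably because random
     * flush/end points can split the input into many small frames. */
    size_t const neededBufSize = ZSTD_compressBound(size) * 15;
    ensureBuffersAndContexts(neededBufSize);

    {
        size_t const cSize = compress(cBuf, neededBufSize, src, size, producer);
        size_t const rSize =
            ZSTD_decompressDCtx(dctx, rBuf, neededBufSize, cBuf, cSize);
        FUZZ_ZASSERT(rSize);
        FUZZ_ASSERT_MSG(rSize == size, "Incorrect regenerated size");
        FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");

        checkInPlaceDecompression(src, size, cSize);
    }

    FUZZ_dataProducer_free(producer);
#ifndef STATEFUL_FUZZING
    /* Without STATEFUL_FUZZING each input starts from freshly created
     * contexts; the scratch buffers are still reused. */
    ZSTD_freeCCtx(cctx); cctx = NULL;
    ZSTD_freeDCtx(dctx); dctx = NULL;
#endif
    FUZZ_SEQ_PROD_TEARDOWN();
    return 0;
}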