1 | /* |
2 | * Copyright (c) Meta Platforms, Inc. and affiliates. |
3 | * All rights reserved. |
4 | * |
5 | * This source code is licensed under both the BSD-style license (found in the |
6 | * LICENSE file in the root directory of this source tree) and the GPLv2 (found |
7 | * in the COPYING file in the root directory of this source tree). |
8 | * You may select, at your option, one of the above-listed licenses. |
9 | */ |
10 | |
11 | /** |
12 | * This fuzz target performs a zstd round-trip test (compress & decompress), |
13 | * compares the result with the original, and calls abort() on corruption. |
14 | */ |
15 | |
16 | #define ZSTD_STATIC_LINKING_ONLY |
17 | |
18 | #include <stddef.h> |
19 | #include <stdlib.h> |
20 | #include <stdio.h> |
21 | #include <string.h> |
22 | #include "fuzz_helpers.h" |
23 | #include "zstd_helpers.h" |
24 | #include "fuzz_data_producer.h" |
25 | #include "fuzz_third_party_seq_prod.h" |
26 | |
/* Compression context shared by compress() and decompress() (the latter reads
 * ZSTD_c_maxBlockSize back from it). Note it has external linkage, unlike the
 * other globals here -- presumably referenced from another translation unit;
 * confirm before making it static. */
ZSTD_CCtx *cctx = NULL;
/* Decompression context. Both contexts are created lazily on first use. */
static ZSTD_DCtx *dctx = NULL;
/* Compressed-output buffer and regenerated-output buffer, bufSize bytes each;
 * they are only re-allocated when an input needs more room than bufSize. */
static uint8_t *cBuf = NULL;
static uint8_t *rBuf = NULL;
static size_t bufSize = 0;
32 | |
/*
 * Builds an output buffer over dst whose usable size is a fuzzer-chosen
 * value in [1, capacity]; pos starts at 0. Consumes one uint32 from producer.
 * capacity must be non-zero (asserted).
 */
static ZSTD_outBuffer makeOutBuffer(uint8_t *dst, size_t capacity,
                                    FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(capacity > 0);
    size_t const chosen = FUZZ_dataProducer_uint32Range(producer, 1, capacity);
    FUZZ_ASSERT(chosen <= capacity);
    return (ZSTD_outBuffer){ .dst = dst, .size = chosen, .pos = 0 };
}
44 | |
/*
 * Carves a fuzzer-chosen slice of [1, *size] bytes off the front of *src,
 * advancing *src and shrinking *size by the slice length. Consumes one
 * uint32 from producer. *size must be non-zero (asserted). The slice is
 * returned as a ZSTD_inBuffer with pos == 0.
 */
static ZSTD_inBuffer makeInBuffer(const uint8_t **src, size_t *size,
                                  FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(*size > 0);
    size_t const sliceLen = FUZZ_dataProducer_uint32Range(producer, 1, *size);
    FUZZ_ASSERT(sliceLen <= *size);

    ZSTD_inBuffer const slice = { .src = *src, .size = sliceLen, .pos = 0 };
    *src += sliceLen;
    *size -= sliceLen;
    return slice;
}
58 | |
/*
 * Streaming-compresses src (srcSize bytes) into dst (capacity bytes), feeding
 * ZSTD_compressStream2 fuzzer-chosen input slices, output window sizes and
 * end directives (flush / end / continue) so the compressor sees many
 * different call patterns. Returns the total number of bytes written to dst.
 *
 * Uses the global cctx, starting from a fresh session. Parameters may be
 * re-rolled whenever a frame is closed, but ZSTD_c_maxBlockSize is pinned to
 * the value chosen up front for the whole run, because decompress() reads it
 * back from cctx afterwards and must see one consistent value.
 */
static size_t compress(uint8_t *dst, size_t capacity,
                       const uint8_t *src, size_t srcSize,
                       FUZZ_dataProducer_t *producer)
{
    size_t dstSize = 0;
    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
    FUZZ_setRandomParameters(cctx, srcSize, producer);
    /* Remember the block size limit picked above so it can be re-applied
     * after any later parameter re-roll (see case 3). */
    int maxBlockSize;
    FUZZ_ZASSERT(ZSTD_CCtx_getParameter(cctx, ZSTD_c_maxBlockSize, &maxBlockSize));

    while (srcSize > 0) {
        ZSTD_inBuffer in = makeInBuffer(&src, &srcSize, producer);
        /* Mode controls the action. If mode == -1 we pick a new mode */
        int mode = -1;
        /* Keep going until this slice is fully consumed AND no multi-call
         * action (flush / end) is still in progress. */
        while (in.pos < in.size || mode != -1) {
            ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
            /* Previous action finished, pick a new mode. */
            if (mode == -1) mode = FUZZ_dataProducer_uint32Range(producer, 0, 9);
            switch (mode) {
            case 0: /* fall-through */
            case 1: /* fall-through */
            case 2: {
                /* Flush: stay in this mode, with a new output window each
                 * iteration, until the call returns 0. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_flush);
                FUZZ_ZASSERT(ret);
                if (ret == 0)
                    mode = -1;
                break;
            }
            case 3: {
                /* End the current frame; like flush, this may take several
                 * calls and stays in mode 3 until the call returns 0. */
                size_t ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
                FUZZ_ZASSERT(ret);
                /* Reset the compressor when the frame is finished */
                if (ret == 0) {
                    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
                    /* One chance in eight of re-rolling the parameters for
                     * the next frame (otherwise the session reset presumably
                     * leaves the previous parameters in place). */
                    if (FUZZ_dataProducer_uint32Range(producer, 0, 7) == 0) {
                        size_t const remaining = in.size - in.pos;
                        FUZZ_setRandomParameters(cctx, remaining, producer);
                        /* Always use the same maxBlockSize */
                        FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_maxBlockSize, maxBlockSize));
                    }
                    mode = -1;
                }
                break;
            }
            case 4: {
                /* A continue call with no input and no output, immediately
                 * followed by the regular continue call below. */
                ZSTD_inBuffer nullIn = { NULL, 0, 0 };
                ZSTD_outBuffer nullOut = { NULL, 0, 0 };
                size_t const ret = ZSTD_compressStream2(cctx, &nullOut, &nullIn, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
            }
                /* fall-through */
            default: {
                /* Plain continue: a single call, then re-roll the mode. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
                mode = -1;
            }
            }
            /* Advance the output window past what this call produced. */
            dst += out.pos;
            dstSize += out.pos;
            capacity -= out.pos;
        }
    }
    /* All input consumed: close the last frame, presenting a fresh output
     * window each time, until the end call returns 0. */
    for (;;) {
        ZSTD_inBuffer in = {NULL, 0, 0};
        ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
        size_t const ret = ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
        FUZZ_ZASSERT(ret);

        dst += out.pos;
        dstSize += out.pos;
        capacity -= out.pos;
        if (ret == 0)
            break;
    }
    return dstSize;
}
138 | |
/*
 * Streaming-decompresses all of src (srcSize bytes) into dst (dstCapacity
 * bytes) using the global dctx and returns the number of bytes regenerated.
 *
 * On a fuzzer coin flip, the decompressor's ZSTD_d_maxBlockSize is set to the
 * compressor's current ZSTD_c_maxBlockSize (read back from the global cctx).
 * NOTE(review): under STATEFUL_FUZZING dctx survives across inputs, so when
 * the coin flip skips the set, a value applied on an earlier input presumably
 * still governs this one -- confirm that is intended.
 *
 * Every ZSTD_decompressStream call is required to return 0; any other value
 * (error or partially flushed frame) aborts.
 */
static size_t decompress(void* dst, size_t dstCapacity, void const* src, size_t srcSize, FUZZ_dataProducer_t* producer)
{
    int cctxMaxBlockSize;
    FUZZ_ZASSERT(ZSTD_CCtx_getParameter(cctx, ZSTD_c_maxBlockSize, &cctxMaxBlockSize));
    if (FUZZ_dataProducer_uint32Range(producer, 0, 1) != 0) {
        FUZZ_ZASSERT(ZSTD_DCtx_setParameter(dctx, ZSTD_d_maxBlockSize, cctxMaxBlockSize));
    }

    ZSTD_inBuffer input = { .src = src, .size = srcSize, .pos = 0 };
    ZSTD_outBuffer output = { .dst = dst, .size = dstCapacity, .pos = 0 };
    for (; input.pos < input.size;) {
        size_t const status = ZSTD_decompressStream(dctx, &output, &input);
        FUZZ_ZASSERT(status);
        FUZZ_ASSERT(status == 0);
    }
    return output.pos;
}
155 | |
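/*
 * Decompresses the cSize compressed bytes held in cBuf *in place*: the
 * compressed data is copied to the tail of a single buffer sized
 * size + ZSTD_decompressionMargin(), and the output is written to the head
 * of that same buffer. Aborts unless exactly `size` bytes equal to src
 * are regenerated. Uses the global dctx.
 */
static void decompressInPlace(const uint8_t *src, size_t size, size_t cSize)
{
    size_t const margin = ZSTD_decompressionMargin(cBuf, cSize);
    size_t const outputSize = size + margin;
    /* Check before deriving `input`: `output + outputSize - cSize` with
     * outputSize < cSize would form a pointer before the allocation, which
     * is undefined behaviour even if it is never dereferenced. */
    FUZZ_ASSERT(outputSize >= cSize);
    char *const output = FUZZ_malloc(outputSize);
    char *const input = output + outputSize - cSize;
    memcpy(input, cBuf, cSize);

    size_t const dSize = ZSTD_decompressDCtx(dctx, output, outputSize, input, cSize);
    FUZZ_ZASSERT(dSize);
    FUZZ_ASSERT_MSG(dSize == size, "Incorrect regenerated size");
    FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, output, size), "Corruption!");

    free(output);
}

/*
 * libFuzzer entry point: one compress / decompress round trip per input.
 *
 * The input is split by FUZZ_dataProducer_reserveDataPrefix into a part that
 * feeds the parameter producer and a head of `size` bytes used as payload.
 * The payload is streaming-compressed into cBuf, streaming-decompressed into
 * rBuf and compared byte-for-byte, then decompressed again in place and
 * compared once more. Any mismatch or zstd error aborts via the FUZZ_*
 * assertions.
 *
 * Buffers are kept (and grown as needed) across inputs; the contexts are
 * freed after each input unless STATEFUL_FUZZING is defined. Always returns 0.
 */
int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
    FUZZ_SEQ_PROD_SETUP();

    /* Give a random portion of src data to the producer, to use for
       parameter generation. The rest will be used for (de)compression */
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
    size = FUZZ_dataProducer_reserveDataPrefix(producer);

    /* compress() emits fuzzer-chosen flushes and extra frames, so its output
     * can exceed a single ZSTD_compressBound(); the factor of 15 is the
     * inherited headroom, not derived here. */
    size_t const neededBufSize = ZSTD_compressBound(size) * 15;

    /* Allocate all buffers and contexts if not already allocated */
    if (neededBufSize > bufSize) {
        free(cBuf);
        free(rBuf);
        cBuf = FUZZ_malloc(neededBufSize);
        rBuf = FUZZ_malloc(neededBufSize);
        bufSize = neededBufSize;
    }
    if (!cctx) {
        cctx = ZSTD_createCCtx();
        FUZZ_ASSERT(cctx);
    }
    if (!dctx) {
        dctx = ZSTD_createDCtx();
        FUZZ_ASSERT(dctx);
    }

    {
        size_t const cSize = compress(cBuf, neededBufSize, src, size, producer);
        size_t const rSize = decompress(rBuf, neededBufSize, cBuf, cSize, producer);
        FUZZ_ZASSERT(rSize);
        FUZZ_ASSERT_MSG(rSize == size, "Incorrect regenerated size");
        FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");

        /* Test in-place decompression (note the macro doesn't work in this case) */
        decompressInPlace(src, size, cSize);
    }

    FUZZ_dataProducer_free(producer);
#ifndef STATEFUL_FUZZING
    ZSTD_freeCCtx(cctx); cctx = NULL;
    ZSTD_freeDCtx(dctx); dctx = NULL;
#endif
    FUZZ_SEQ_PROD_TEARDOWN();
    return 0;
}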