| 1 | /* |
| 2 | * Copyright (c) Meta Platforms, Inc. and affiliates. |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * This source code is licensed under both the BSD-style license (found in the |
| 6 | * LICENSE file in the root directory of this source tree) and the GPLv2 (found |
| 7 | * in the COPYING file in the root directory of this source tree). |
| 8 | * You may select, at your option, one of the above-listed licenses. |
| 9 | */ |
| 10 | |
| 11 | /** |
| 12 | * This fuzz target performs a zstd round-trip test (compress & decompress), |
| 13 | * compares the result with the original, and calls abort() on corruption. |
| 14 | */ |
| 15 | |
| 16 | #define ZSTD_STATIC_LINKING_ONLY |
| 17 | |
| 18 | #include <stddef.h> |
| 19 | #include <stdlib.h> |
| 20 | #include <stdio.h> |
| 21 | #include <string.h> |
| 22 | #include "fuzz_helpers.h" |
| 23 | #include "zstd_helpers.h" |
| 24 | #include "fuzz_data_producer.h" |
| 25 | #include "fuzz_third_party_seq_prod.h" |
| 26 | |
/* Compression context shared by compress() and the entry point. It is the
 * only non-static global here — presumably so a helper in one of the included
 * fuzz headers can reference it; TODO confirm. */
ZSTD_CCtx *cctx = NULL;
/* Decompression context used for the round-trip check. */
static ZSTD_DCtx *dctx = NULL;
/* cBuf receives the compressed stream, rBuf the regenerated (decompressed)
 * data that is compared against the original input. */
static uint8_t* cBuf = NULL;
static uint8_t* rBuf = NULL;
/* Current capacity of both cBuf and rBuf. The buffers are grown on demand in
 * LLVMFuzzerTestOneInput and kept across inputs. */
static size_t bufSize = 0;
| 32 | |
/* Build an output window over dst whose size is a producer-chosen value in
 * [1, capacity], so the compressor sees output buffers of varying sizes.
 * Aborts (FUZZ_ASSERT) when capacity is exhausted — that is how an undersized
 * destination surfaces in this target.
 * NOTE(review): capacity is handed to a uint32 range helper; assumes it fits
 * in 32 bits — confirm against FUZZ_dataProducer_uint32Range's signature. */
static ZSTD_outBuffer makeOutBuffer(uint8_t *dst, size_t capacity,
                                    FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(capacity > 0);
    size_t const window = FUZZ_dataProducer_uint32Range(producer, 1, capacity);
    FUZZ_ASSERT(window <= capacity);

    ZSTD_outBuffer out = { .dst = dst, .size = window, .pos = 0 };
    return out;
}
| 44 | |
/* Carve a producer-chosen window of [1, *size] bytes off the front of the
 * caller's input cursor and return it as a ZSTD_inBuffer. *src and *size are
 * advanced past the window, so repeated calls walk the whole input.
 * Aborts (FUZZ_ASSERT) if called with no input left. */
static ZSTD_inBuffer makeInBuffer(const uint8_t **src, size_t *size,
                                  FUZZ_dataProducer_t *producer)
{
    FUZZ_ASSERT(*size > 0);
    size_t const window = FUZZ_dataProducer_uint32Range(producer, 1, *size);
    FUZZ_ASSERT(window <= *size);

    ZSTD_inBuffer in = { .src = *src, .size = window, .pos = 0 };
    /* Consume the window from the caller's cursor. */
    *src += window;
    *size -= window;
    return in;
}
| 58 | |
/* Streaming compression driver for the round-trip test.
 *
 * Compresses src[0..srcSize) into dst[0..capacity) with the global cctx,
 * feeding the compressor producer-chosen input and output windows and a
 * producer-chosen mix of flush / end / continue directives. Because
 * ZSTD_e_end can be issued while input remains (mode 3), the output may
 * consist of more than one frame.
 *
 * dict/dictSize are attached as a prefix when refPrefix is non-zero, otherwise
 * loaded as a dictionary with a producer-chosen load method; dictContentType
 * is passed through unchanged.
 *
 * Returns the total number of bytes written to dst. Every zstd error is fatal
 * via FUZZ_ZASSERT, and running out of dst capacity is fatal inside
 * makeOutBuffer, so this never returns an error code.
 */
static size_t compress(uint8_t *dst, size_t capacity,
                       const uint8_t *src, size_t srcSize,
                       const uint8_t* dict, size_t dictSize,
                       FUZZ_dataProducer_t *producer, int refPrefix,
                       ZSTD_dictContentType_e dictContentType)
{
    size_t dstSize = 0;
    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
    FUZZ_setRandomParameters(cctx, srcSize, producer);

    /* Disable checksum so we can use sizes smaller than compress bound. */
    FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_checksumFlag, 0));
    if (refPrefix)
        FUZZ_ZASSERT(ZSTD_CCtx_refPrefix_advanced(
            cctx, dict, dictSize,
            dictContentType));
    else
        FUZZ_ZASSERT(ZSTD_CCtx_loadDictionary_advanced(
            cctx, dict, dictSize,
            (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1),
            dictContentType));

    while (srcSize > 0) {
        ZSTD_inBuffer in = makeInBuffer(&src, &srcSize, producer);
        /* Mode controls the action. If mode == -1 we pick a new mode */
        int mode = -1;
        /* Loop until this input window is fully consumed AND the in-progress
         * multi-call action (flush / end) has reported completion (ret == 0). */
        while (in.pos < in.size || mode != -1) {
            ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
            /* Previous action finished, pick a new mode. */
            if (mode == -1) mode = FUZZ_dataProducer_uint32Range(producer, 0, 9);
            switch (mode) {
            case 0: /* fall-through */
            case 1: /* fall-through */
            case 2: {
                /* Flush: mode stays set, so the call is repeated with fresh
                 * output windows until zstd reports nothing left to flush. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_flush);
                FUZZ_ZASSERT(ret);
                if (ret == 0)
                    mode = -1;
                break;
            }
            case 3: {
                /* End the current frame here; whatever input remains will be
                 * compressed into a new frame after the reset below. */
                size_t ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
                FUZZ_ZASSERT(ret);
                /* Reset the compressor when the frame is finished */
                if (ret == 0) {
                    ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
                    /* NOTE(review): a referenced prefix is single-use per
                     * frame, so later frames presumably go out without it —
                     * this mirrors the single-use DCtx prefix on the decode
                     * side; verify if the frame split ever changes. */
                    /* When the producer draws 0 from [0, 7], re-randomize the
                     * parameters for the next frame, using only the unconsumed
                     * part of the current window as the size hint. */
                    if (FUZZ_dataProducer_uint32Range(producer, 0, 7) == 0) {
                        size_t const remaining = in.size - in.pos;
                        FUZZ_setRandomParameters(cctx, remaining, producer);
                    }
                    mode = -1;
                }
                break;
            }
            case 4: {
                /* Exercise a call with empty input and output buffers before
                 * the regular continue below. */
                ZSTD_inBuffer nullIn = { NULL, 0, 0 };
                ZSTD_outBuffer nullOut = { NULL, 0, 0 };
                size_t const ret = ZSTD_compressStream2(cctx, &nullOut, &nullIn, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
            }
            /* fall-through */
            default: {
                /* Modes 4..9: a plain continue; a single call completes the
                 * action, so a new mode is drawn next iteration. */
                size_t const ret =
                    ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_continue);
                FUZZ_ZASSERT(ret);
                mode = -1;
            }
            }
            /* Advance the destination cursor past what this call produced. */
            dst += out.pos;
            dstSize += out.pos;
            capacity -= out.pos;
        }
    }
    /* All input consumed: finish the last frame, repeating with fresh output
     * windows until zstd reports that the frame is complete. */
    for (;;) {
        ZSTD_inBuffer in = {NULL, 0, 0};
        ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
        size_t const ret = ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
        FUZZ_ZASSERT(ret);

        dst += out.pos;
        dstSize += out.pos;
        capacity -= out.pos;
        if (ret == 0)
            break;
    }
    return dstSize;
}
| 148 | |
/* libFuzzer entry point: one compress → decompress → compare round trip per
 * input.
 *
 * The producer takes a portion of src for parameter and dictionary choices;
 * the remaining prefix (the updated `size`) is the payload that is compressed
 * and must regenerate byte-for-byte.
 *
 * Always returns 0; any zstd error, size mismatch or content mismatch aborts
 * via the FUZZ_*ASSERT macros before reaching the return.
 */
int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
    FUZZ_SEQ_PROD_SETUP();
    size_t neededBufSize;

    /* Give a random portion of src data to the producer, to use for
       parameter generation. The rest will be used for (de)compression */
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
    size = FUZZ_dataProducer_reserveDataPrefix(producer);

    /* Headroom over a single-frame bound: compress() may flush at random
     * points and split the stream into several frames, each with its own
     * overhead. Running out is a fatal assert inside makeOutBuffer.
     * NOTE(review): the multiply is unchecked; assumes fuzz inputs are small
     * enough that 15 * compressBound cannot wrap size_t — confirm. */
    neededBufSize = ZSTD_compressBound(size) * 15;

    /* Allocate all buffers and contexts if not already allocated */
    if (neededBufSize > bufSize) {
        free(cBuf);
        free(rBuf);
        cBuf = (uint8_t*)FUZZ_malloc(neededBufSize);
        rBuf = (uint8_t*)FUZZ_malloc(neededBufSize);
        bufSize = neededBufSize;
    }
    if (!cctx) {
        cctx = ZSTD_createCCtx();
        FUZZ_ASSERT(cctx);
    }
    if (!dctx) {
        dctx = ZSTD_createDCtx();
        FUZZ_ASSERT(dctx);
    }

    {
        ZSTD_dictContentType_e dictContentType = FUZZ_dataProducer_uint32Range(producer, 0, 2);
        FUZZ_dict_t dict = FUZZ_train(src, size, producer);
        int const refPrefix = FUZZ_dataProducer_uint32Range(producer, 0, 1) != 0;

        size_t const cSize = compress(cBuf, neededBufSize, src, size, dict.buff, dict.size, producer, refPrefix, dictContentType);

        /* Attach the same dictionary content to the decoder the same way
         * (prefix vs. loaded dictionary) so the round trip is symmetric. The
         * decoder's load method is a separate producer draw; presumably that
         * is fine because byCopy/byRef only change ownership, not content. */
        if (refPrefix)
            FUZZ_ZASSERT(ZSTD_DCtx_refPrefix_advanced(
                dctx, dict.buff, dict.size,
                dictContentType));
        else
            FUZZ_ZASSERT(ZSTD_DCtx_loadDictionary_advanced(
                dctx, dict.buff, dict.size,
                (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1),
                dictContentType));
        /* Single-shot decode of everything compress() emitted (possibly more
         * than one frame) into rBuf, which has at least neededBufSize bytes. */
        size_t const rSize =
            ZSTD_decompressDCtx(dctx, rBuf, neededBufSize, cBuf, cSize);
        FUZZ_ZASSERT(rSize);
        FUZZ_ASSERT_MSG(rSize == size, "Incorrect regenerated size");
        FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
        free(dict.buff);
    }

    FUZZ_dataProducer_free(producer);
#ifndef STATEFUL_FUZZING
    /* Fresh contexts for every input unless stateful fuzzing is requested.
     * cBuf/rBuf are intentionally kept and reused either way. */
    ZSTD_freeCCtx(cctx); cctx = NULL;
    ZSTD_freeDCtx(dctx); dctx = NULL;
#endif
    FUZZ_SEQ_PROD_TEARDOWN();
    return 0;
}