2 * Copyright (c) Meta Platforms, Inc. and affiliates.
5 * This source code is licensed under both the BSD-style license (found in the
6 * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7 * in the COPYING file in the root directory of this source tree).
8 * You may select, at your option, one of the above-listed licenses.
12 * This fuzz target performs a zstd round-trip test (compress & decompress),
13 * compares the result with the original, and calls abort() on corruption.
16 #define ZSTD_STATIC_LINKING_ONLY
22 #include "fuzz_helpers.h"
23 #include "zstd_helpers.h"
24 #include "fuzz_data_producer.h"
25 #include "fuzz_third_party_seq_prod.h"
27 ZSTD_CCtx *cctx = NULL;
28 static ZSTD_DCtx *dctx = NULL;
29 static uint8_t* cBuf = NULL;
30 static uint8_t* rBuf = NULL;
31 static size_t bufSize = 0;
33 static ZSTD_outBuffer makeOutBuffer(uint8_t *dst, size_t capacity,
34 FUZZ_dataProducer_t *producer)
36 ZSTD_outBuffer buffer = { dst, 0, 0 };
38 FUZZ_ASSERT(capacity > 0);
39 buffer.size = (FUZZ_dataProducer_uint32Range(producer, 1, capacity));
40 FUZZ_ASSERT(buffer.size <= capacity);
45 static ZSTD_inBuffer makeInBuffer(const uint8_t **src, size_t *size,
46 FUZZ_dataProducer_t *producer)
48 ZSTD_inBuffer buffer = { *src, 0, 0 };
50 FUZZ_ASSERT(*size > 0);
51 buffer.size = (FUZZ_dataProducer_uint32Range(producer, 1, *size));
52 FUZZ_ASSERT(buffer.size <= *size);
59 static size_t compress(uint8_t *dst, size_t capacity,
60 const uint8_t *src, size_t srcSize,
61 FUZZ_dataProducer_t *producer)
64 ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
65 FUZZ_setRandomParameters(cctx, srcSize, producer);
68 ZSTD_inBuffer in = makeInBuffer(&src, &srcSize, producer);
69 /* Mode controls the action. If mode == -1 we pick a new mode */
71 while (in.pos < in.size || mode != -1) {
72 ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
73 /* Previous action finished, pick a new mode. */
74 if (mode == -1) mode = FUZZ_dataProducer_uint32Range(producer, 0, 9);
76 case 0: /* fall-through */
77 case 1: /* fall-through */
80 ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_flush);
88 ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
90 /* Reset the compressor when the frame is finished */
92 ZSTD_CCtx_reset(cctx, ZSTD_reset_session_only);
93 if (FUZZ_dataProducer_uint32Range(producer, 0, 7) == 0) {
94 size_t const remaining = in.size - in.pos;
95 FUZZ_setRandomParameters(cctx, remaining, producer);
102 ZSTD_inBuffer nullIn = { NULL, 0, 0 };
103 ZSTD_outBuffer nullOut = { NULL, 0, 0 };
104 size_t const ret = ZSTD_compressStream2(cctx, &nullOut, &nullIn, ZSTD_e_continue);
110 ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_continue);
121 ZSTD_inBuffer in = {NULL, 0, 0};
122 ZSTD_outBuffer out = makeOutBuffer(dst, capacity, producer);
123 size_t const ret = ZSTD_compressStream2(cctx, &out, &in, ZSTD_e_end);
135 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
137 FUZZ_SEQ_PROD_SETUP();
138 size_t neededBufSize;
140 /* Give a random portion of src data to the producer, to use for
141 parameter generation. The rest will be used for (de)compression */
142 FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
143 size = FUZZ_dataProducer_reserveDataPrefix(producer);
145 neededBufSize = ZSTD_compressBound(size) * 15;
147 /* Allocate all buffers and contexts if not already allocated */
148 if (neededBufSize > bufSize) {
151 cBuf = (uint8_t*)FUZZ_malloc(neededBufSize);
152 rBuf = (uint8_t*)FUZZ_malloc(neededBufSize);
153 bufSize = neededBufSize;
156 cctx = ZSTD_createCCtx();
160 dctx = ZSTD_createDCtx();
165 size_t const cSize = compress(cBuf, neededBufSize, src, size, producer);
167 ZSTD_decompressDCtx(dctx, rBuf, neededBufSize, cBuf, cSize);
169 FUZZ_ASSERT_MSG(rSize == size, "Incorrect regenerated size");
170 FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
172 /* Test in-place decompression (note the macro doesn't work in this case) */
174 size_t const margin = ZSTD_decompressionMargin(cBuf, cSize);
175 size_t const outputSize = size + margin;
176 char* const output = (char*)FUZZ_malloc(outputSize);
177 char* const input = output + outputSize - cSize;
179 FUZZ_ASSERT(outputSize >= cSize);
180 memcpy(input, cBuf, cSize);
182 dSize = ZSTD_decompressDCtx(dctx, output, outputSize, input, cSize);
184 FUZZ_ASSERT_MSG(dSize == size, "Incorrect regenerated size");
185 FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, output, size), "Corruption!");
191 FUZZ_dataProducer_free(producer);
192 #ifndef STATEFUL_FUZZING
193 ZSTD_freeCCtx(cctx); cctx = NULL;
194 ZSTD_freeDCtx(dctx); dctx = NULL;
196 FUZZ_SEQ_PROD_TEARDOWN();