fuzzing: dump test patterns to files for initial corpus

diff --git a/fuzz/fuzz_target.cc b/fuzz/fuzz_target.cc
index 4f90055..63fcf79 100644 (file)
--- a/fuzz/fuzz_target.cc
+++ b/fuzz/fuzz_target.cc
@@ -19,7 +19,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
         strm.flags |= AEC_DATA_MSB;
     if (Data[1] & 0x40)
         strm.flags |= AEC_DATA_SIGNED;
-    if (strm.bits_per_sample <= 24 && strm.bits_per_sample > 16)
+    if (strm.bits_per_sample <= 24 &&
+        strm.bits_per_sample > 16 &&
+        Data[1] & 0x10)
         strm.flags |= AEC_DATA_3BYTE;
     strm.next_in = (unsigned char *)(Data + 2);
     strm.avail_in = Size - 2;

diff --git a/tests/check_aec.c b/tests/check_aec.c
index 4d89fdf..c9d9413 100644 (file)
--- a/tests/check_aec.c
+++ b/tests/check_aec.c
@@ -202,6 +202,10 @@ int encode_decode_small(struct test_state *state)
 int encode_decode_large(struct test_state *state)
 {
     int status, i;
+    char fbase[1024];
+    char fname[1024];
+    FILE *fp;
+    int bflags;
     size_t to;
     struct aec_stream *strm = state->strm;
 
@@ -215,6 +219,31 @@ int encode_decode_large(struct test_state *state)
         printf("Init failed.\n");
         return 99;
     }
+    if (state->dump) {
+        snprintf(fbase, sizeof(fbase), "BPS%02iID%iBS%02iRSI%04iFLG%04i",
+                 strm->bits_per_sample,
+                 state->id,
+                 strm->block_size,
+                 strm->rsi,
+                 strm->flags);
+        snprintf(fname, sizeof(fname), "%s.dat", fbase);
+        if ((fp = fopen(fname, "wb")) == NULL) {
+            fprintf(stderr, "ERROR: cannot open dump file %s\n", fname);
+            return 99;
+        }
+        fputc(strm->bits_per_sample, fp);
+        bflags = strm->block_size >> 8;
+        if (strm->flags | AEC_DATA_MSB)
+            bflags |= 0x80;
+        if (strm->flags | AEC_DATA_SIGNED)
+            bflags |= 0x40;
+        if (strm->flags | AEC_DATA_3BYTE)
+            bflags |= 0x10;
+        bflags |= 0x20; /* encode */
+        fputc(bflags, fp);
+        fwrite(strm->next_in, strm->avail_in, 1, fp);
+        fclose(fp);
+    }
 
     status = aec_encode(strm, AEC_FLUSH);
     if (status != AEC_OK) {
@@ -224,6 +253,19 @@ int encode_decode_large(struct test_state *state)
 
     aec_encode_end(strm);
 
+    if (state->dump) {
+        snprintf(fname, sizeof(fname), "%s.rz", fbase);
+        if ((fp = fopen(fname, "wb")) == NULL) {
+            fprintf(stderr, "ERROR: cannot open dump file %s\n", fname);
+            return 99;
+        }
+        fputc(strm->bits_per_sample, fp);
+        bflags &= ~0x20;
+        fputc(bflags, fp);
+        fwrite(state->cbuf, strm->total_out, 1, fp);
+        fclose(fp);
+    }
+
     strm->avail_in = strm->total_out;
     strm->avail_out = state->buf_len;
     strm->next_in = state->cbuf;

diff --git a/tests/check_aec.h b/tests/check_aec.h
index d5fdb99..02c3e77 100644 (file)
--- a/tests/check_aec.h
+++ b/tests/check_aec.h
@@ -4,6 +4,7 @@
 
 struct test_state {
     int (* codec)(struct test_state *state);
+    int id;
     int id_len;
     int bytes_per_sample;
     unsigned char *ubuf;
@@ -15,6 +16,7 @@ struct test_state {
     long long int xmax;
     long long int xmin;
     void (*out)(unsigned char *dest, unsigned long long int val, int size);
+    int dump; /* dump buffer to file for fuzzing corpus */
     struct aec_stream *strm;
 };
 

diff --git a/tests/check_code_options.c b/tests/check_code_options.c
index f77b789..4f013b0 100644 (file)
--- a/tests/check_code_options.c
+++ b/tests/check_code_options.c
@@ -9,6 +9,7 @@ int check_block_sizes(struct test_state *state, int id, int id_len)
 {
     int bs, status, rsi, max_rsi;
 
+    state->id = id;
     for (bs = 8; bs <= 64; bs *= 2) {
         state->strm->block_size = bs;
 
@@ -282,12 +283,17 @@ int check_byte_orderings(struct test_state *state)
     return 0;
 }
 
-int main (void)
+int main(int argc, char *argv[])
 {
     int status;
     struct aec_stream strm;
     struct test_state state;
 
+    if (argc > 1 && strncmp(argv[1], "-d", 2) == 0)
+        state.dump = 1;
+    else
+        state.dump = 0;
+
     state.buf_len = state.ibuf_len = BUF_SIZE;
     state.cbuf_len = 2 * BUF_SIZE;