LZ4_CFLAGS = $(CFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
LZ4_CXXFLAGS = $(CXXFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
-LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_
+LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_ \
+ -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FUZZERS := \
compress_fuzzer \
round_trip_fuzzer \
round_trip_stream_fuzzer \
compress_hc_fuzzer \
- round_trip_hc_fuzzer
+ round_trip_hc_fuzzer \
+ compress_frame_fuzzer \
+ round_trip_frame_fuzzer \
+ decompress_frame_fuzzer
all: $(FUZZERS)
$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) $< -o $@
# Generic rule for generating fuzzers
-%_fuzzer: %_fuzzer.o $(LZ4DIR)/liblz4.a
+%_fuzzer: %_fuzzer.o lz4_helpers.o $(LZ4DIR)/liblz4.a
# Compile the standalone code just in case. The OSS-Fuzz code might
# override the LIB_FUZZING_ENGINE value to "-fsanitize=fuzzer"
$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) standaloneengine.c -o standaloneengine.o
--- /dev/null
+/**
+ * This fuzz target attempts to compress the fuzzed data with the simple
+ * compression function with an output buffer that may be too small to
+ * ensure that the compressor never crashes.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ uint32_t seed = FUZZ_seed(&data, &size);
+ LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
+ size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
+ size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound);
+ char* const dst = (char*)malloc(dstCapacity);
+ char* const rt = (char*)malloc(size);
+
+ FUZZ_ASSERT(dst);
+ FUZZ_ASSERT(rt);
+
+ /* If compression succeeds it must round trip correctly. */
+ size_t const dstSize =
+ LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
+ if (!LZ4F_isError(dstSize)) {
+ size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
+ FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
+ FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
+ }
+
+ free(dst);
+ free(rt);
+
+ return 0;
+}
--- /dev/null
+/**
+ * This fuzz target attempts to decompress the fuzzed data with the simple
+ * decompression function to ensure the decompressor never crashes.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#define LZ4F_STATIC_LINKING_ONLY
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
+ const void* src, size_t srcSize,
+ const void* dict, size_t dictSize,
+ const LZ4F_decompressOptions_t* opts)
+{
+ LZ4F_resetDecompressionContext(dctx);
+ if (dictSize == 0)
+ LZ4F_decompress(dctx, dst, &dstCapacity, src, &srcSize, opts);
+ else
+ LZ4F_decompress_usingDict(dctx, dst, &dstCapacity, src, &srcSize,
+ dict, dictSize, opts);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+
+ uint32_t seed = FUZZ_seed(&data, &size);
+ size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
+ size_t const largeDictSize = 64 * 1024;
+ size_t const dictSize = FUZZ_rand32(&seed, 0, largeDictSize);
+ char* const dst = (char*)malloc(dstCapacity);
+ char* const dict = (char*)malloc(dictSize);
+ LZ4F_decompressOptions_t opts;
+ LZ4F_dctx* dctx;
+ LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
+
+ FUZZ_ASSERT(dctx);
+ FUZZ_ASSERT(dst);
+ FUZZ_ASSERT(dict);
+
+ /* Prepare the dictionary. The data doesn't matter for decompression. */
+ memset(dict, 0, dictSize);
+
+
+ /* Decompress using multiple configurations. */
+ memset(&opts, 0, sizeof(opts));
+ opts.stableDst = 0;
+ decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
+ opts.stableDst = 1;
+ decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
+ opts.stableDst = 0;
+ decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
+ opts.stableDst = 1;
+ decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
+
+ LZ4F_freeDecompressionContext(dctx);
+ free(dst);
+ free(dict);
+
+ return 0;
+}
--- /dev/null
+#include "fuzz_helpers.h"
+#include "lz4_helpers.h"
+#include "lz4hc.h"
+
+LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed)
+{
+ LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO;
+ info.blockSizeID = FUZZ_rand32(seed, LZ4F_max64KB - 1, LZ4F_max4MB);
+ if (info.blockSizeID < LZ4F_max64KB) {
+ info.blockSizeID = LZ4F_default;
+ }
+ info.blockMode = FUZZ_rand32(seed, LZ4F_blockLinked, LZ4F_blockIndependent);
+ info.contentChecksumFlag = FUZZ_rand32(seed, LZ4F_noContentChecksum,
+ LZ4F_contentChecksumEnabled);
+ info.blockChecksumFlag = FUZZ_rand32(seed, LZ4F_noBlockChecksum,
+ LZ4F_blockChecksumEnabled);
+ return info;
+}
+
+LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed)
+{
+ LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES;
+ prefs.frameInfo = FUZZ_randomFrameInfo(seed);
+ prefs.compressionLevel = FUZZ_rand32(seed, 0, LZ4HC_CLEVEL_MAX + 3) - 3;
+ prefs.autoFlush = FUZZ_rand32(seed, 0, 1);
+ prefs.favorDecSpeed = FUZZ_rand32(seed, 0, 1);
+ return prefs;
+}
+
+size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
+ const void* src, const size_t srcSize)
+{
+ LZ4F_decompressOptions_t opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.stableDst = 1;
+ LZ4F_dctx* dctx;
+ LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
+ FUZZ_ASSERT(dctx);
+
+ size_t dstSize = dstCapacity;
+ size_t srcConsumed = srcSize;
+ size_t const rc =
+ LZ4F_decompress(dctx, dst, &dstSize, src, &srcConsumed, &opts);
+ FUZZ_ASSERT(!LZ4F_isError(rc));
+ FUZZ_ASSERT(rc == 0);
+ FUZZ_ASSERT(srcConsumed == srcSize);
+
+ LZ4F_freeDecompressionContext(dctx);
+
+ return dstSize;
+}
--- /dev/null
+#ifndef LZ4_HELPERS
+#define LZ4_HELPERS
+
+#include "lz4frame.h"
+
+LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed);
+
+LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed);
+
+size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
+ const void* src, const size_t srcSize);
+
+#endif /* LZ4_HELPERS */
--- /dev/null
+/**
+ * This fuzz target performs a lz4 round-trip test (compress & decompress),
+ * compares the result with the original, and calls abort() on corruption.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ uint32_t seed = FUZZ_seed(&data, &size);
+ LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
+ size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs);
+ char* const dst = (char*)malloc(dstCapacity);
+ char* const rt = (char*)malloc(size);
+
+ FUZZ_ASSERT(dst);
+ FUZZ_ASSERT(rt);
+
+ /* Compression must succeed and round trip correctly. */
+ size_t const dstSize =
+ LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
+ FUZZ_ASSERT(!LZ4F_isError(dstSize));
+ size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
+ FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
+ FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
+
+ free(dst);
+ free(rt);
+
+ return 0;
+}
projects / platform / upstream / lz4.git / commitdiff