Adding fuzz data producer for uint32 and using in decompress_fuzzer
authorbimbashrestha <bimbashrestha@devvm1191.atn1.facebook.com>
Fri, 16 Aug 2019 17:50:46 +0000 (10:50 -0700)
committerbimbashrestha <bimbashrestha@devvm1191.atn1.facebook.com>
Fri, 16 Aug 2019 17:50:46 +0000 (10:50 -0700)
Summary: Consuming bytes from the end of data instead of from the front to prevent "all-in-one" decisions.

Test Plan:

Reviewers:

Subscribers:

Tasks:

Tags:

ossfuzz/decompress_fuzzer.c
ossfuzz/fuzz_data_producer.h [new file with mode: 0644]

index 0267c93..b17783c 100644 (file)
@@ -9,13 +9,12 @@
 #include <string.h>
 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-
-    uint32_t seed = FUZZ_seed(&data, &size);
-    size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
+    size_t const dstCapacity = FUZZ_produceUint32Range(data, size, 0, 4 * size);
     size_t const smallDictSize = size + 1;
     size_t const largeDictSize = 64 * 1024 - 1;
     size_t const dictSize = MAX(smallDictSize, largeDictSize);
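Review bot: `data` is `const uint8_t *` in this function, but the new `FUZZ_produceUint32Range` in fuzz_data_producer.h takes `uint8_t *data`, so the call on the `dstCapacity` line discards a qualifier; the producer's first parameter should be declared `const uint8_t *data`. Because `size` is passed by value and not reduced afterwards, the trailing bytes that drive `dstCapacity` also remain part of the input handed to the decompressor; if that overlap is intended, a comment such as `/* seed bytes are read from the tail but stay in the input buffer */` would make it explicit, otherwise the producer needs to report how many bytes it consumed. `4 * size` is a `size_t` narrowed to the `uint32_t max` parameter, harmless for fuzzer-sized inputs but worth an explicit cast. LLVMFuzzerTestOneInput continues outside the hunk.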
diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h
new file mode 100644 (file)
index 0000000..c41aaec
--- /dev/null
@@ -0,0 +1,27 @@
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+FUZZ_STATIC uint32_t FUZZ_produceUint32Range(uint8_t *data, size_t size,
+                                             uint32_t min, uint32_t max) {
+  if (min > max) {
+    return 0;
+  }
+
+  uint32_t range = max - min;
+  uint32_t rolling = range;
+  uint32_t result = 0;
+
+  while (rolling > 0 && size > 0) {
+    uint8_t next = *(data + size - 1);
+    size -= 1;
+    result = (result << 8) | next;
+  }
+
+  if (range == 0xffffffff) {
+    return result;
+  }
+
+  return min + result % (range + 1);
+}
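Review bot: The loop `while (rolling > 0 && size > 0)` never modifies `rolling`, so its first condition is constant and the loop walks through every byte of `data` whatever range was requested, leaving only the last four bytes read in `result` after the shifts; presumably a `rolling >>= 8;` at the end of the loop body was intended so that just enough bytes to cover the range are consumed. The `data` parameter is never written through and the only caller holds a `const uint8_t *`, so the signature should read `const uint8_t *data`. The header has no include guard and relies on `FUZZ_STATIC` being defined by whichever header the including file pulled in first, so it should either include fuzz_helpers.h itself or document that dependency in a comment at the top. `<stdio.h>` and `<stdlib.h>` are included but unused here.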