diff options
| author | Yann Collet <Cyan4973@users.noreply.github.com> | 2019-08-20 23:48:44 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-08-20 23:48:44 (GMT) |
| commit | 09d9f27b0a86f2c3dfd3e1a81e97069c378ea4d7 (patch) | |
| tree | d282c937e3a6e4511e24518f7bcaf47c248c63dd | |
| parent | fdf2ef5809ca875c454510610764d9125ef2ebbd (diff) | |
| parent | dc17d39c2fb962b591c73cf1467d89cf53b89156 (diff) | |
| download | lz4-09d9f27b0a86f2c3dfd3e1a81e97069c378ea4d7.zip lz4-09d9f27b0a86f2c3dfd3e1a81e97069c378ea4d7.tar.gz lz4-09d9f27b0a86f2c3dfd3e1a81e97069c378ea4d7.tar.bz2 | |
Merge pull request #779 from bimbashrestha/dev
Adding fuzz data producer for uint32 and using in decompress_fuzzer
| -rw-r--r-- | ossfuzz/Makefile | 2 | ||||
| -rw-r--r-- | ossfuzz/compress_fuzzer.c | 10 | ||||
| -rw-r--r-- | ossfuzz/compress_hc_fuzzer.c | 13 | ||||
| -rw-r--r-- | ossfuzz/decompress_frame_fuzzer.c | 14 | ||||
| -rw-r--r-- | ossfuzz/decompress_fuzzer.c | 11 | ||||
| -rw-r--r-- | ossfuzz/fuzz_data_producer.c | 44 | ||||
| -rw-r--r-- | ossfuzz/fuzz_data_producer.h | 22 | ||||
| -rw-r--r-- | ossfuzz/round_trip_hc_fuzzer.c | 10 |
8 files changed, 111 insertions, 15 deletions
diff --git a/ossfuzz/Makefile b/ossfuzz/Makefile index 6875eb6..7e043a1 100644 --- a/ossfuzz/Makefile +++ b/ossfuzz/Makefile @@ -58,7 +58,7 @@ $(LZ4DIR)/liblz4.a: $(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) $< -o $@ # Generic rule for generating fuzzers -%_fuzzer: %_fuzzer.o lz4_helpers.o $(LZ4DIR)/liblz4.a +%_fuzzer: %_fuzzer.o lz4_helpers.o fuzz_data_producer.o $(LZ4DIR)/liblz4.a # Compile the standalone code just in case. The OSS-Fuzz code might # override the LIB_FUZZING_ENGINE value to "-fsanitize=fuzzer" $(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) standaloneengine.c -o standaloneengine.o diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c index 7021624..9d72e72 100644 --- a/ossfuzz/compress_fuzzer.c +++ b/ossfuzz/compress_fuzzer.c @@ -10,15 +10,20 @@ #include <string.h> #include "fuzz_helpers.h" +#include "fuzz_data_producer.h" #include "lz4.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); - size_t const dstCapacity = FUZZ_rand32(&seed, 0, LZ4_compressBound(size)); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + size_t const dstCapacity = FUZZ_dataProducer_uint32( + producer, 0, LZ4_compressBound(size)); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); @@ -46,6 +51,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c index 4841367..5f22104 100644 --- a/ossfuzz/compress_hc_fuzzer.c +++ b/ossfuzz/compress_hc_fuzzer.c @@ -10,16 +10,22 @@ #include <string.h> #include "fuzz_helpers.h" +#include "fuzz_data_producer.h" #include "lz4.h" #include "lz4hc.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); - size_t const dstCapacity = FUZZ_rand32(&seed, 0, LZ4_compressBound(size)); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + size_t const dstCapacity = FUZZ_dataProducer_uint32( + producer, 0, LZ4_compressBound(size)); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_rand32(&seed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + int const level = FUZZ_dataProducer_uint32( + producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); @@ -52,6 +58,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c index bda25b0..60d2ea1 100644 --- a/ossfuzz/decompress_frame_fuzzer.c +++ b/ossfuzz/decompress_frame_fuzzer.c @@ -9,6 +9,7 @@ #include <string.h> #include "fuzz_helpers.h" +#include "fuzz_data_producer.h" #include "lz4.h" #define LZ4F_STATIC_LINKING_ONLY #include "lz4frame.h" @@ -29,17 +30,21 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - - uint32_t seed = FUZZ_seed(&data, &size); - size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + size_t const dstCapacity = FUZZ_dataProducer_uint32( + producer, 0, 4 * size); size_t const largeDictSize = 64 * 1024; - size_t const dictSize = FUZZ_rand32(&seed, 0, largeDictSize); + size_t const dictSize = FUZZ_dataProducer_uint32( + producer, 0, largeDictSize); char* const dst = (char*)malloc(dstCapacity); char* const dict = (char*)malloc(dictSize); LZ4F_decompressOptions_t opts; LZ4F_dctx* dctx; LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION); + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + FUZZ_ASSERT(dctx); FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); @@ -62,6 +67,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) LZ4F_freeDecompressionContext(dctx); free(dst); free(dict); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c index 0267c93..bc4190b 100644 --- a/ossfuzz/decompress_fuzzer.c +++ b/ossfuzz/decompress_fuzzer.c @@ -9,13 +9,14 @@ #include <string.h> #include "fuzz_helpers.h" +#include "fuzz_data_producer.h" #include "lz4.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - - uint32_t seed = FUZZ_seed(&data, &size); - size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + size_t const dstCapacity = FUZZ_dataProducer_uint32( + producer, 0, 4 * size); size_t const smallDictSize = size + 1; size_t const largeDictSize = 64 * 1024 - 1; size_t const dictSize = MAX(smallDictSize, largeDictSize); @@ -25,6 +26,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) char* const dataAfterDict = dict + dictSize; char* const smallDict = dataAfterDict - smallDictSize; + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); @@ -53,6 +57,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) dstCapacity, dstCapacity); free(dst); free(dict); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c new file mode 100644 index 0000000..992f5a7 --- /dev/null +++ b/ossfuzz/fuzz_data_producer.c @@ -0,0 +1,44 @@ +#include "fuzz_data_producer.h" + +struct FUZZ_dataProducer_s{ + const uint8_t *data; + size_t size; +}; + +FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) { + FUZZ_dataProducer_t *producer = malloc(sizeof(FUZZ_dataProducer_t)); + + FUZZ_ASSERT(producer != NULL); + + producer->data = data; + producer->size = size; + return producer; +} + +void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); } + +uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, + uint32_t max) { + FUZZ_ASSERT(min <= max); + + uint32_t range = max - min; + uint32_t rolling = range; + uint32_t result = 0; + + while (rolling > 0 && producer->size > 0) { + uint8_t next = *(producer->data + producer->size - 1); + producer->size -= 1; + result = (result << 8) | next; + rolling >>= 8; + } + + if (range == 0xffffffff) { + return result; + } + + return min + result % (range + 1); +} + +size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer){ + return producer->size; +} diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h new file mode 100644 index 0000000..8df5257 --- /dev/null +++ b/ossfuzz/fuzz_data_producer.h @@ -0,0 +1,22 @@ +#include <stddef.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> + +#include "fuzz_helpers.h" + +/* Struct used for maintaining the state of the data */ +typedef struct FUZZ_dataProducer_s FUZZ_dataProducer_t; + +/* Returns a data producer state struct. Use for producer initialization. */ +FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size); + +/* Frees the data producer */ +void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); + +/* Returns value between [min, max] */ +uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, + uint32_t max); + +/* Returns the size of the remaining bytes of data in the producer */ +size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer); diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c index 325cdf0..8406809 100644 --- a/ossfuzz/round_trip_hc_fuzzer.c +++ b/ossfuzz/round_trip_hc_fuzzer.c @@ -9,16 +9,21 @@ #include <string.h> #include "fuzz_helpers.h" +#include "fuzz_data_producer.h" #include "lz4.h" #include "lz4hc.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_rand32(&seed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + int const level = FUZZ_dataProducer_uint32( + producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); @@ -34,6 +39,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } |