author | Yann Collet <Cyan4973@users.noreply.github.com> | 2019-09-18 17:21:43 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-18 17:21:43 (GMT) |
commit | 804d47cf78b36edc05e29aa89e64d72b53200aeb (patch) | |
tree | bc76e79fb8c70c3eb8b4bf58f71220c86c6898e7 | |
parent | 9b2b96edc4642c4a21e2485ffe9bd43ed5f3a2b2 (diff) | |
parent | 8edc5879d029459074a9c7bd9489dabf5b510bf6 (diff) | |
Merge pull request #790 from bimbashrestha/seperating_seed_generation_and_use_in_fuzzers
Separating the seed generation and use in FUZZ_dataProducer api
-rw-r--r-- | ossfuzz/compress_frame_fuzzer.c | 9 | ||||
-rw-r--r-- | ossfuzz/compress_fuzzer.c | 11 | ||||
-rw-r--r-- | ossfuzz/compress_hc_fuzzer.c | 14 | ||||
-rw-r--r-- | ossfuzz/decompress_frame_fuzzer.c | 16 | ||||
-rw-r--r-- | ossfuzz/decompress_fuzzer.c | 9 | ||||
-rw-r--r-- | ossfuzz/fuzz_data_producer.c | 58 | ||||
-rw-r--r-- | ossfuzz/fuzz_data_producer.h | 8 | ||||
-rw-r--r-- | ossfuzz/round_trip_frame_fuzzer.c | 11 | ||||
-rw-r--r-- | ossfuzz/round_trip_fuzzer.c | 9 | ||||
-rw-r--r-- | ossfuzz/round_trip_hc_fuzzer.c | 9 |
10 files changed, 85 insertions, 69 deletions
diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c index 7fe09a1..668d7c3 100644 --- a/ossfuzz/compress_frame_fuzzer.c +++ b/ossfuzz/compress_frame_fuzzer.c @@ -19,17 +19,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); - size_t const dstCapacity = FUZZ_dataProducer_uint32(producer, 0, compressBound); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* If compression succeeds it must round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c index 9d72e72..edc8aad 100644 --- a/ossfuzz/compress_fuzzer.c +++ b/ossfuzz/compress_fuzzer.c 
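Review bot: In compress_frame_fuzzer.c the producer is still created with `LZ4_compressBound(size)` as its length (the unchanged first statement of the hunk), a worst-case compressed size that exceeds the actual input length. The body of FUZZ_dataProducer_create is not in this hunk, but if it stores that length as given, the new `FUZZ_dataProducer_retrieve32(producer)` call takes its seed from beyond the end of `data`. The reassigned `size` then lets `LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs)` read past the input as well, which a sanitizer would report as a harness fault rather than a library finding. The same commit already corrects this in round_trip_frame_fuzzer.c; the line here should likewise be `FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);`. The body of LLVMFuzzerTestOneInput continues outside the hunk.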
@@ -16,14 +16,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, LZ4_compressBound(size)); + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const compressBound = LZ4_compressBound(size); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c index 5f22104..7d8e45a 100644 --- a/ossfuzz/compress_hc_fuzzer.c +++ b/ossfuzz/compress_hc_fuzzer.c @@ -17,15 +17,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, LZ4_compressBound(size)); + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size_t const levelSeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size); + int const level = FUZZ_getRange_from_uint32(levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_dataProducer_uint32( - producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c index 60d2ea1..0fcbb16 100644 
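Review bot: `dstCapacitySeed` in compress_fuzzer.c is declared `size_t const` although `FUZZ_dataProducer_retrieve32` returns `uint32_t` and `FUZZ_getRange_from_uint32` takes a `uint32_t` seed, so the value is widened and then implicitly narrowed again. Declaring it as `uint32_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);` matches the API and avoids a conversion warning on builds that enable them. The same applies to the other `*Seed` locals this commit introduces in compress_frame_fuzzer.c, compress_hc_fuzzer.c, decompress_frame_fuzzer.c, decompress_fuzzer.c and round_trip_fuzzer.c, and to `seed` in `FUZZ_dataProducer_range32`.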
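Review bot: In compress_hc_fuzzer.c the upper bound for `dstCapacity` changes from `LZ4_compressBound(size)` to `size`, so the destination buffer can no longer be larger than the input. compress_fuzzer.c keeps `LZ4_compressBound(size)` as its bound in this same commit, which suggests the narrowing here may be unintended. If so, `size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, LZ4_compressBound(size));` restores the previous range, including the capacities between `size` and the bound where poorly compressible input can still succeed. If the smaller range is deliberate, a one-line comment giving the reason would help the next reader.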
--- a/ossfuzz/decompress_frame_fuzzer.c +++ b/ossfuzz/decompress_frame_fuzzer.c @@ -31,20 +31,22 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, 4 * size); + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size_t const dictSizeSeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const dstCapacity = FUZZ_getRange_from_uint32( + dstCapacitySeed, 0, 4 * size); size_t const largeDictSize = 64 * 1024; - size_t const dictSize = FUZZ_dataProducer_uint32( - producer, 0, largeDictSize); + size_t const dictSize = FUZZ_getRange_from_uint32( + dictSizeSeed, 0, largeDictSize); + char* const dst = (char*)malloc(dstCapacity); char* const dict = (char*)malloc(dictSize); LZ4F_decompressOptions_t opts; LZ4F_dctx* dctx; LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - FUZZ_ASSERT(dctx); FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c index bc4190b..6f48e30 100644 --- a/ossfuzz/decompress_fuzzer.c +++ b/ossfuzz/decompress_fuzzer.c @@ -15,8 +15,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, 4 * size); + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size); size_t const smallDictSize = size + 1; size_t const largeDictSize = 64 * 1024 - 1; size_t const dictSize = MAX(smallDictSize, largeDictSize); 
@@ -26,9 +28,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) char* const dataAfterDict = dict + dictSize; char* const smallDict = dataAfterDict - smallDictSize; - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c index f35bd8a..cc06958 100644 --- a/ossfuzz/fuzz_data_producer.c +++ b/ossfuzz/fuzz_data_producer.c 
@@ -17,39 +17,47 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); } -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, - uint32_t max) { - FUZZ_ASSERT(min <= max); - - uint32_t range = max - min; - uint32_t rolling = range; - uint32_t result = 0; - - while (rolling > 0 && producer->size > 0) { - uint8_t next = *(producer->data + producer->size - 1); - producer->size -= 1; - result = (result << 8) | next; - rolling >>= 8; - } +uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer) { + const uint8_t* data = producer->data; + const size_t size = producer->size; + if (size == 0) { + return 0; + } else if (size < 4) { + producer->size -= 1; + return (uint32_t)data[size - 1]; + } else { + producer->size -= 4; + return *(data + size - 4); + } +} - if (range == 0xffffffff) { - return result; - } +uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max) +{ + uint32_t range = max - min; + if (range == 0xffffffff) { + return seed; + } + return min + seed % (range + 1); +} - return min + result % (range + 1); +uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t* producer, + uint32_t min, uint32_t max) +{ + size_t const seed = FUZZ_dataProducer_retrieve32(producer); + return FUZZ_getRange_from_uint32(seed, min, max); } LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer) { LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO; - info.blockSizeID = FUZZ_dataProducer_uint32(producer, LZ4F_max64KB - 1, LZ4F_max4MB); + info.blockSizeID = FUZZ_dataProducer_range32(producer, LZ4F_max64KB - 1, LZ4F_max4MB); if (info.blockSizeID < LZ4F_max64KB) { info.blockSizeID = LZ4F_default; } - info.blockMode = FUZZ_dataProducer_uint32(producer, LZ4F_blockLinked, LZ4F_blockIndependent); - info.contentChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noContentChecksum, + info.blockMode = 
FUZZ_dataProducer_range32(producer, LZ4F_blockLinked, LZ4F_blockIndependent); + info.contentChecksumFlag = FUZZ_dataProducer_range32(producer, LZ4F_noContentChecksum, LZ4F_contentChecksumEnabled); - info.blockChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noBlockChecksum, + info.blockChecksumFlag = FUZZ_dataProducer_range32(producer, LZ4F_noBlockChecksum, LZ4F_blockChecksumEnabled); return info; } @@ -58,9 +66,9 @@ LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer) { LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES; prefs.frameInfo = FUZZ_dataProducer_frameInfo(producer); - prefs.compressionLevel = FUZZ_dataProducer_uint32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; - prefs.autoFlush = FUZZ_dataProducer_uint32(producer, 0, 1); - prefs.favorDecSpeed = FUZZ_dataProducer_uint32(producer, 0, 1); + prefs.compressionLevel = FUZZ_dataProducer_range32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; + prefs.autoFlush = FUZZ_dataProducer_range32(producer, 0, 1); + prefs.favorDecSpeed = FUZZ_dataProducer_range32(producer, 0, 1); return prefs; } diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h index 4c097a7..b96dcba 100644 --- a/ossfuzz/fuzz_data_producer.h +++ b/ossfuzz/fuzz_data_producer.h @@ -16,8 +16,14 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size); /* Frees the data producer */ void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); +/* Returns 32 bits from the end of data */ +uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer); + /* Returns value between [min, max] */ -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max); + +/* Combination of above two functions for non adaptive use cases. ie where size is not involved */ +uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max); /* Returns lz4 preferences */ 
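Review bot: In `FUZZ_dataProducer_retrieve32` the four-byte branch returns `*(data + size - 4)`, and because `data` is `const uint8_t*` that is a single byte, so four bytes are consumed but the seed is always in 0..255. Callers that map the seed onto a wider range (the destination capacities, the 64 KB dictionary size) can then only reach the first 256 values above `min` whenever at least four bytes remain. Building the value from the four bytes fixes this and keeps it independent of host endianness: `return (uint32_t)data[size-4] | ((uint32_t)data[size-3] << 8) | ((uint32_t)data[size-2] << 16) | ((uint32_t)data[size-1] << 24);`. Separately, `FUZZ_getRange_from_uint32` no longer carries the `FUZZ_ASSERT(min <= max);` that the removed function had, so a reversed pair now wraps `range` silently; the assert is worth keeping as its first statement.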
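Review bot: The header comment `/* Returns 32 bits from the end of data */` in fuzz_data_producer.h does not describe what the implementation does at the edges. As written in fuzz_data_producer.c, it returns 0 without consuming anything when the producer is empty, and consumes a single byte when fewer than four remain. The comment also omits that the call shrinks the producer, which is why the harnesses read their seeds before calling `FUZZ_dataProducer_remainingBytes`. Suggested wording: `/* Consumes up to 4 bytes from the end of the data and returns them as a seed; takes 1 byte when fewer than 4 remain, returns 0 when none remain */`.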
diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c index fe6fc77..149542d 100644 --- a/ossfuzz/round_trip_frame_fuzzer.c +++ b/ossfuzz/round_trip_frame_fuzzer.c @@ -16,18 +16,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); + FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, size); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs); char* const dst = (char*)malloc(dstCapacity); - char* const rt = (char*)malloc(size); + char* const rt = (char*)malloc(FUZZ_dataProducer_remainingBytes(producer)); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* Compression must succeed and round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c index e37a0a6..6307058 100644 --- a/ossfuzz/round_trip_fuzzer.c +++ b/ossfuzz/round_trip_fuzzer.c 
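Review bot: In round_trip_frame_fuzzer.c `rt` is allocated with `malloc(FUZZ_dataProducer_remainingBytes(producer))` shortly after `size` was set to that same value, while the other harnesses in this commit use `malloc(size)`. Writing `char* const rt = (char*)malloc(size);` keeps the buffer length and the length later passed to the round-trip check tied to one variable, so they cannot drift apart if another producer call is inserted between them. `dstCapacity` is computed as `LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs)`, which nests the block bound inside the frame bound. If the extra slack is intended a short comment should say so; otherwise `LZ4F_compressFrameBound(size, &prefs)` appears to be sufficient for the "compression must succeed" expectation.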
@@ -15,17 +15,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const partialCapacity = FUZZ_dataProducer_uint32(producer, 0, size); + size_t const partialCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size = FUZZ_dataProducer_remainingBytes(producer); + + size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed, 0, size); size_t const dstCapacity = LZ4_compressBound(size); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* Compression must succeed and round trip correctly. */ int const dstSize = LZ4_compress_default((const char*)data, dst, size, dstCapacity); diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c index 8406809..7d03ee2 100644 --- a/ossfuzz/round_trip_hc_fuzzer.c +++ b/ossfuzz/round_trip_hc_fuzzer.c @@ -16,14 +16,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + int const level = FUZZ_dataProducer_range32(producer, + LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_dataProducer_uint32( - producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); |