[fuzz] Add LZ4 frame fuzzers

* Round trip fuzzer
* Compress fuzzer
* Decompress fuzzer

6 files changed, 219 insertions, 3 deletions

diff --git a/ossfuzz/Makefile b/ossfuzz/Makefile
index 9974b81..6875eb6 100644
--- a/ossfuzz/Makefile
+++ b/ossfuzz/Makefile
@@ -33,7 +33,8 @@ DEBUGFLAGS = -g -DLZ4_DEBUG=$(DEBUGLEVEL)
 
 LZ4_CFLAGS  = $(CFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
 LZ4_CXXFLAGS = $(CXXFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
-LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_
+LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_ \
+               -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 
 FUZZERS := \
 	compress_fuzzer \
@@ -41,7 +42,10 @@ FUZZERS := \
 	round_trip_fuzzer \
 	round_trip_stream_fuzzer \
 	compress_hc_fuzzer \
-	round_trip_hc_fuzzer
+	round_trip_hc_fuzzer \
+	compress_frame_fuzzer \
+	round_trip_frame_fuzzer \
+	decompress_frame_fuzzer
 
 all: $(FUZZERS)
 
@@ -54,7 +58,7 @@ $(LZ4DIR)/liblz4.a:
 	$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) $< -o $@
 
 # Generic rule for generating fuzzers
-%_fuzzer: %_fuzzer.o $(LZ4DIR)/liblz4.a
+%_fuzzer: %_fuzzer.o lz4_helpers.o $(LZ4DIR)/liblz4.a
 	# Compile the standalone code just in case. The OSS-Fuzz code might
 	# override the LIB_FUZZING_ENGINE value to "-fsanitize=fuzzer"
 	$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) standaloneengine.c -o standaloneengine.o
diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c
new file mode 100644
index 0000000..75c609f
--- /dev/null
+++ b/ossfuzz/compress_frame_fuzzer.c
@@ -0,0 +1,42 @@
+/**
+ * This fuzz target attempts to compress the fuzzed data with the simple
+ * compression function with an output buffer that may be too small to
+ * ensure that the compressor never crashes.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    uint32_t seed = FUZZ_seed(&data, &size);
+    LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
+    size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
+    size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound);
+    char* const dst = (char*)malloc(dstCapacity);
+    char* const rt = (char*)malloc(size);
+
+    FUZZ_ASSERT(dst);
+    FUZZ_ASSERT(rt);
+
+    /* If compression succeeds it must round trip correctly. */
+    size_t const dstSize =
+            LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
+    if (!LZ4F_isError(dstSize)) {
+        size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
+        FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
+        FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
+    }
+
+    free(dst);
+    free(rt);
+
+    return 0;
+}
diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c
new file mode 100644
index 0000000..bda25b0
--- /dev/null
+++ b/ossfuzz/decompress_frame_fuzzer.c
@@ -0,0 +1,67 @@
+/**
+ * This fuzz target attempts to decompress the fuzzed data with the simple
+ * decompression function to ensure the decompressor never crashes.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#define LZ4F_STATIC_LINKING_ONLY
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
+                       const void* src, size_t srcSize,
+                       const void* dict, size_t dictSize,
+                       const LZ4F_decompressOptions_t* opts)
+{
+    LZ4F_resetDecompressionContext(dctx);
+    if (dictSize == 0)
+        LZ4F_decompress(dctx, dst, &dstCapacity, src, &srcSize, opts);
+    else
+        LZ4F_decompress_usingDict(dctx, dst, &dstCapacity, src, &srcSize,
+                                  dict, dictSize, opts);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+
+    uint32_t seed = FUZZ_seed(&data, &size);
+    size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
+    size_t const largeDictSize = 64 * 1024;
+    size_t const dictSize = FUZZ_rand32(&seed, 0, largeDictSize);
+    char* const dst = (char*)malloc(dstCapacity);
+    char* const dict = (char*)malloc(dictSize);
+    LZ4F_decompressOptions_t opts;
+    LZ4F_dctx* dctx;
+    LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
+
+    FUZZ_ASSERT(dctx);
+    FUZZ_ASSERT(dst);
+    FUZZ_ASSERT(dict);
+
+    /* Prepare the dictionary. The data doesn't matter for decompression. */
+    memset(dict, 0, dictSize);
+
+
+    /* Decompress using multiple configurations. */
+    memset(&opts, 0, sizeof(opts));
+    opts.stableDst = 0;
+    decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
+    opts.stableDst = 1;
+    decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
+    opts.stableDst = 0;
+    decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
+    opts.stableDst = 1;
+    decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
+
+    LZ4F_freeDecompressionContext(dctx);
+    free(dst);
+    free(dict);
+
+    return 0;
+}
diff --git a/ossfuzz/lz4_helpers.c b/ossfuzz/lz4_helpers.c
new file mode 100644
index 0000000..9471630
--- /dev/null
+++ b/ossfuzz/lz4_helpers.c
@@ -0,0 +1,51 @@
+#include "fuzz_helpers.h"
+#include "lz4_helpers.h"
+#include "lz4hc.h"
+
+LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed)
+{
+    LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO;
+    info.blockSizeID = FUZZ_rand32(seed, LZ4F_max64KB - 1, LZ4F_max4MB);
+    if (info.blockSizeID < LZ4F_max64KB) {
+        info.blockSizeID = LZ4F_default;
+    }
+    info.blockMode = FUZZ_rand32(seed, LZ4F_blockLinked, LZ4F_blockIndependent);
+    info.contentChecksumFlag = FUZZ_rand32(seed, LZ4F_noContentChecksum,
+                                           LZ4F_contentChecksumEnabled);
+    info.blockChecksumFlag = FUZZ_rand32(seed, LZ4F_noBlockChecksum,
+                                         LZ4F_blockChecksumEnabled);
+    return info;
+}
+
+LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed)
+{
+    LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES;
+    prefs.frameInfo = FUZZ_randomFrameInfo(seed);
+    prefs.compressionLevel = FUZZ_rand32(seed, 0, LZ4HC_CLEVEL_MAX + 3) - 3;
+    prefs.autoFlush = FUZZ_rand32(seed, 0, 1);
+    prefs.favorDecSpeed = FUZZ_rand32(seed, 0, 1);
+    return prefs;
+}
+
+size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
+                            const void* src, const size_t srcSize)
+{
+    LZ4F_decompressOptions_t opts;
+    memset(&opts, 0, sizeof(opts));
+    opts.stableDst = 1;
+    LZ4F_dctx* dctx;
+    LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
+    FUZZ_ASSERT(dctx);
+
+    size_t dstSize = dstCapacity;
+    size_t srcConsumed = srcSize;
+    size_t const rc =
+            LZ4F_decompress(dctx, dst, &dstSize, src, &srcConsumed, &opts);
+    FUZZ_ASSERT(!LZ4F_isError(rc));
+    FUZZ_ASSERT(rc == 0);
+    FUZZ_ASSERT(srcConsumed == srcSize);
+
+    LZ4F_freeDecompressionContext(dctx);
+
+    return dstSize;
+}
diff --git a/ossfuzz/lz4_helpers.h b/ossfuzz/lz4_helpers.h
new file mode 100644
index 0000000..c99fb01
--- /dev/null
+++ b/ossfuzz/lz4_helpers.h
@@ -0,0 +1,13 @@
+#ifndef LZ4_HELPERS
+#define LZ4_HELPERS
+
+#include "lz4frame.h"
+
+LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed);
+
+LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed);
+
+size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
+                            const void* src, const size_t srcSize);
+
+#endif /* LZ4_HELPERS */
diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c
new file mode 100644
index 0000000..1eea90c
--- /dev/null
+++ b/ossfuzz/round_trip_frame_fuzzer.c
@@ -0,0 +1,39 @@
+/**
+ * This fuzz target performs a lz4 round-trip test (compress & decompress),
+ * compares the result with the original, and calls abort() on corruption.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fuzz_helpers.h"
+#include "lz4.h"
+#include "lz4frame.h"
+#include "lz4_helpers.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    uint32_t seed = FUZZ_seed(&data, &size);
+    LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
+    size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs);
+    char* const dst = (char*)malloc(dstCapacity);
+    char* const rt = (char*)malloc(size);
+
+    FUZZ_ASSERT(dst);
+    FUZZ_ASSERT(rt);
+
+    /* Compression must succeed and round trip correctly. */
+    size_t const dstSize =
+            LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
+    FUZZ_ASSERT(!LZ4F_isError(dstSize));
+    size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
+    FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
+    FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
+
+    free(dst);
+    free(rt);
+
+    return 0;
+}