diff options
author | Nick Terrell <terrelln@fb.com> | 2019-07-19 01:49:40 (GMT) |
---|---|---|
committer | Nick Terrell <terrelln@fb.com> | 2019-07-19 01:54:59 (GMT) |
commit | d28159c025829fc70a295b727e32f899a9e0c7c5 (patch) | |
tree | 5e178908dd7d63670366c78176b8621dba9d394c /ossfuzz/compress_frame_fuzzer.c | |
parent | b487660309d4245eec87e3ada4712bc2a19df791 (diff) | |
download | lz4-d28159c025829fc70a295b727e32f899a9e0c7c5.zip lz4-d28159c025829fc70a295b727e32f899a9e0c7c5.tar.gz lz4-d28159c025829fc70a295b727e32f899a9e0c7c5.tar.bz2 |
[fuzz] Add LZ4 frame fuzzers
* Round trip fuzzer
* Compress fuzzer
* Decompress fuzzer
Diffstat (limited to 'ossfuzz/compress_frame_fuzzer.c')
-rw-r--r-- | ossfuzz/compress_frame_fuzzer.c | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c new file mode 100644 index 0000000..75c609f --- /dev/null +++ b/ossfuzz/compress_frame_fuzzer.c @@ -0,0 +1,42 @@ +/** + * This fuzz target attempts to compress the fuzzed data with the simple + * compression function with an output buffer that may be too small to + * ensure that the compressor never crashes. + */ + +#include <stddef.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +#include "fuzz_helpers.h" +#include "lz4.h" +#include "lz4frame.h" +#include "lz4_helpers.h" + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + uint32_t seed = FUZZ_seed(&data, &size); + LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed); + size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); + size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound); + char* const dst = (char*)malloc(dstCapacity); + char* const rt = (char*)malloc(size); + + FUZZ_ASSERT(dst); + FUZZ_ASSERT(rt); + + /* If compression succeeds it must round trip correctly. */ + size_t const dstSize = + LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); + if (!LZ4F_isError(dstSize)) { + size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize); + FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size"); + FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!"); + } + + free(dst); + free(rt); + + return 0; +} |