summaryrefslogtreecommitdiffstats
path: root/ossfuzz/compress_fuzzer.c
diff options
context:
space:
mode:
authorNick Terrell <terrelln@fb.com>2019-07-13 02:27:00 (GMT)
committerNick Terrell <terrelln@fb.com>2019-07-15 19:22:04 (GMT)
commit3c40db8d258716b9efcfb46fa6dc29de6e43e616 (patch)
tree7fd1d48f6195dfde2c6475fe035a0061b948e9c3 /ossfuzz/compress_fuzzer.c
parent725cb0aafdf78b550c52618fe5cea1fadd278881 (diff)
downloadlz4-3c40db8d258716b9efcfb46fa6dc29de6e43e616.zip
lz4-3c40db8d258716b9efcfb46fa6dc29de6e43e616.tar.gz
lz4-3c40db8d258716b9efcfb46fa6dc29de6e43e616.tar.bz2
[ossfuzz] Improve the fuzzers
* Run more decompression variants * Round trip the compression fuzzer and do partial decompression as well * Add a compression fuzzer that compresses into a smaller output buffer and test the destSize variant These fuzzers caught 2 bugs that were fixed in the previous commit. * Input buffer over-read in partial decompress * Partial decompress fails if output size is 0
Diffstat (limited to 'ossfuzz/compress_fuzzer.c')
-rw-r--r--ossfuzz/compress_fuzzer.c52
1 files changed, 39 insertions, 13 deletions
diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c
index 3908534..7021624 100644
--- a/ossfuzz/compress_fuzzer.c
+++ b/ossfuzz/compress_fuzzer.c
@@ -1,25 +1,51 @@
+/**
+ * This fuzz target attempts to compress the fuzzed data with the simple
+ * compression function with an output buffer that may be too small to
+ * ensure that the compressor never crashes.
+ */
+
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
-#include "lz4.h"
+#include <string.h>
-#define CHECK(COND) if (!(COND)) { abort(); }
+#include "fuzz_helpers.h"
+#include "lz4.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- size_t const compressed_dest_size = LZ4_compressBound(size);
- char *const dest_buffer = (char *)malloc(compressed_dest_size);
+ uint32_t seed = FUZZ_seed(&data, &size);
+ size_t const dstCapacity = FUZZ_rand32(&seed, 0, LZ4_compressBound(size));
+ char* const dst = (char*)malloc(dstCapacity);
+ char* const rt = (char*)malloc(size);
+
+ FUZZ_ASSERT(dst);
+ FUZZ_ASSERT(rt);
- CHECK(dest_buffer != NULL);
+ /* If compression succeeds it must round trip correctly. */
+ {
+ int const dstSize = LZ4_compress_default((const char*)data, dst,
+ size, dstCapacity);
+ if (dstSize > 0) {
+ int const rtSize = LZ4_decompress_safe(dst, rt, dstSize, size);
+ FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
+ FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
+ }
+ }
- // Allocation succeeded, try compressing the incoming data.
- int result = LZ4_compress_default((const char*)data,
- dest_buffer,
- size,
- compressed_dest_size);
- CHECK(result != 0);
+ if (dstCapacity > 0) {
+ /* Compression succeeds and must round trip correctly. */
+ int compressedSize = size;
+ int const dstSize = LZ4_compress_destSize((const char*)data, dst,
+ &compressedSize, dstCapacity);
+ FUZZ_ASSERT(dstSize > 0);
+ int const rtSize = LZ4_decompress_safe(dst, rt, dstSize, size);
+ FUZZ_ASSERT_MSG(rtSize == compressedSize, "Incorrect regenerated size");
+ FUZZ_ASSERT_MSG(!memcmp(data, rt, compressedSize), "Corruption!");
+ }
- free(dest_buffer);
+ free(dst);
+ free(rt);
- return 0;
+ return 0;
}