From 7d153a704d00a266c9601c947e07fd33e1cd6f4d Mon Sep 17 00:00:00 2001 From: Bimba Shrestha Date: Fri, 30 Aug 2019 10:27:42 -0700 Subject: Making fuzzers use dataProducer api instead of random seed for decisions --- ossfuzz/compress_frame_fuzzer.c | 11 ++++++++--- ossfuzz/fuzz_data_producer.c | 25 +++++++++++++++++++++++++ ossfuzz/fuzz_data_producer.h | 8 ++++++++ ossfuzz/round_trip_frame_fuzzer.c | 9 +++++++-- ossfuzz/round_trip_fuzzer.c | 10 ++++++++-- 5 files changed, 56 insertions(+), 7 deletions(-) diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c index 75c609f..7fe09a1 100644 --- a/ossfuzz/compress_frame_fuzzer.c +++ b/ossfuzz/compress_frame_fuzzer.c @@ -13,19 +13,23 @@ #include "lz4.h" #include "lz4frame.h" #include "lz4_helpers.h" +#include "fuzz_data_producer.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); - LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); + LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); - size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound); + size_t const dstCapacity = FUZZ_dataProducer_uint32(producer, 0, compressBound); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + /* If compression succeeds it must round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); @@ -37,6 +41,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c index 992f5a7..f35bd8a 100644 --- a/ossfuzz/fuzz_data_producer.c +++ b/ossfuzz/fuzz_data_producer.c @@ -39,6 +39,31 @@ uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, return min + result % (range + 1); } +LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer) +{ + LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO; + info.blockSizeID = FUZZ_dataProducer_uint32(producer, LZ4F_max64KB - 1, LZ4F_max4MB); + if (info.blockSizeID < LZ4F_max64KB) { + info.blockSizeID = LZ4F_default; + } + info.blockMode = FUZZ_dataProducer_uint32(producer, LZ4F_blockLinked, LZ4F_blockIndependent); + info.contentChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noContentChecksum, + LZ4F_contentChecksumEnabled); + info.blockChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noBlockChecksum, + LZ4F_blockChecksumEnabled); + return info; +} + +LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer) +{ + LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES; + prefs.frameInfo = FUZZ_dataProducer_frameInfo(producer); + prefs.compressionLevel = FUZZ_dataProducer_uint32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; + prefs.autoFlush = FUZZ_dataProducer_uint32(producer, 0, 1); + prefs.favorDecSpeed = FUZZ_dataProducer_uint32(producer, 0, 1); + return prefs; +} + size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer){ return producer->size; } diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h index 8df5257..4c097a7 100644 --- a/ossfuzz/fuzz_data_producer.h +++ b/ossfuzz/fuzz_data_producer.h @@ -4,6 +4,8 @@ #include #include "fuzz_helpers.h" +#include "lz4frame.h" +#include "lz4hc.h" /* Struct used for maintaining the state of the data */ typedef struct FUZZ_dataProducer_s FUZZ_dataProducer_t; @@ -18,5 +20,11 @@ void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max); +/* Returns lz4 preferences */ +LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer); + +/* Returns lz4 frame info */ +LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer); + /* Returns the size of the remaining bytes of data in the producer */ size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer); diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c index 1eea90c..fe6fc77 100644 --- a/ossfuzz/round_trip_frame_fuzzer.c +++ b/ossfuzz/round_trip_frame_fuzzer.c @@ -12,11 +12,12 @@ #include "lz4.h" #include "lz4frame.h" #include "lz4_helpers.h" +#include "fuzz_data_producer.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); - LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed); + FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); + LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); @@ -24,6 +25,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + /* Compression must succeed and round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); @@ -34,6 +38,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c index 3a66e80..e37a0a6 100644 --- a/ossfuzz/round_trip_fuzzer.c +++ b/ossfuzz/round_trip_fuzzer.c @@ -10,10 +10,12 @@ #include "fuzz_helpers.h" #include "lz4.h" +#include "fuzz_data_producer.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - uint32_t seed = FUZZ_seed(&data, &size); + FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); + size_t const partialCapacity = FUZZ_dataProducer_uint32(producer, 0, size); size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); @@ -21,6 +23,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); + /* Restrict to remaining data from producer */ + size = FUZZ_dataProducer_remainingBytes(producer); + /* Compression must succeed and round trip correctly. */ int const dstSize = LZ4_compress_default((const char*)data, dst, size, dstCapacity); @@ -32,7 +37,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) /* Partial decompression must succeed. */ { - size_t const partialCapacity = FUZZ_rand32(&seed, 0, size); char* const partial = (char*)malloc(partialCapacity); FUZZ_ASSERT(partial); int const partialSize = LZ4_decompress_safe_partial( @@ -43,8 +47,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) free(partial); } + free(dst); free(rt); + FUZZ_dataProducer_free(producer); return 0; } -- cgit v0.12