From fad8c97532f74d92f6aa4427a739610035fcbbd1 Mon Sep 17 00:00:00 2001
From: bimbashrestha
Date: Fri, 16 Aug 2019 10:50:46 -0700
Subject: Adding fuzz data producer for uint32 and using in decompress_fuzzer
Summary: Consuming bytes from the end of data instead of from the front to prevent "all-in-one" decisions.
Test Plan:
Reviewers:
Subscribers:
Tasks:
Tags:
---
 ossfuzz/decompress_fuzzer.c | 5 ++---
 ossfuzz/fuzz_data_producer.h | 27 +++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 ossfuzz/fuzz_data_producer.h
diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c
index 0267c93..b17783c 100644
--- a/ossfuzz/decompress_fuzzer.c
+++ b/ossfuzz/decompress_fuzzer.c
@@ -9,13 +9,12 @@
 #include 
 #include "fuzz_helpers.h"
+#include "fuzz_data_producer.h"
 #include "lz4.h"
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-
- uint32_t seed = FUZZ_seed(&data, &size);
- size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
+ size_t const dstCapacity = FUZZ_produceUint32Range(data, size, 0, 4 * size);
 size_t const smallDictSize = size + 1;
 size_t const largeDictSize = 64 * 1024 - 1;
 size_t const dictSize = MAX(smallDictSize, largeDictSize);
diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h
new file mode 100644
index 0000000..c41aaec
--- /dev/null
+++ b/ossfuzz/fuzz_data_producer.h
@@ -0,0 +1,27 @@
+#include 
+#include 
+#include 
+#include 
+
+FUZZ_STATIC uint32_t FUZZ_produceUint32Range(uint8_t *data, size_t size,
+ uint32_t min, uint32_t max) {
+ if (min > max) {
+ return 0;
+ }
+
+ uint32_t range = max - min;
+ uint32_t rolling = range;
+ uint32_t result = 0;
+
+ while (rolling > 0 && size > 0) {
+ uint8_t next = *(data + size - 1);
+ size -= 1;
+ result = (result << 8) | next;
+ }
+
+ if (range == 0xffffffff) {
+ return result;
+ }
+
+ return min + result % (range + 1);
+}
-- 
cgit v0.12
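Review bot: The new call `FUZZ_produceUint32Range(data, size, 0, 4 * size)` passes `data`, which is `const uint8_t *` in LLVMFuzzerTestOneInput's signature, to a parameter declared as plain `uint8_t *data` in the new header, so the call discards a qualifier (a warning under -Wdiscarded-qualifiers, an error with -Werror); the helper's parameter should be `const uint8_t *data`. Unlike the removed `FUZZ_seed(&data, &size)`, the helper takes `size` by value, so the caller's `data`/`size` are not reduced and the trailing bytes that pick `dstCapacity` are still fed to the decompressor as input — if the commit message's "consuming bytes" is meant literally, the helper needs `size_t *size` and the caller should pass `&size`. Note also that `4 * size` is a `size_t` narrowed to the `uint32_t max` parameter at this call, which is harmless for fuzzer-sized inputs but silent. LLVMFuzzerTestOneInput continues past the end of the hunk.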
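Review bot: `rolling` is initialised to `range` but never modified inside `while (rolling > 0 && size > 0)`, so the loop runs until `size` reaches 0 and `result` ends up holding only the last four bytes shifted in, which are `data[0..3]` — the front of the input, the opposite of what the commit message describes, and O(size) work per call. Adding `rolling >>= 8;` as the last statement of the loop body makes it stop after one byte per octet of the range, so the value is drawn from the tail of the input as intended. The function only reads through `data`, and its caller in decompress_fuzzer.c holds a `const uint8_t *`, so declare it `const uint8_t *data`. This is a new header with no include guard; wrapping it in `#ifndef FUZZ_DATA_PRODUCER_H` / `#define FUZZ_DATA_PRODUCER_H` / `#endif` avoids redefinition errors if it is included twice. It also relies on `FUZZ_STATIC`, which is presumably defined in fuzz_helpers.h; the stripped `#include` lines here do not show whether that header is included, so confirm the header is self-contained.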