From 208694297a308da8dae2b3bb104bdab486d1b683 Mon Sep 17 00:00:00 2001 From: Bimba Shrestha Date: Fri, 13 Sep 2019 14:07:52 -0700 Subject: Seperating the seed generation and use --- ossfuzz/compress_frame_fuzzer.c | 6 ++++-- ossfuzz/compress_fuzzer.c | 5 +++-- ossfuzz/compress_hc_fuzzer.c | 12 ++++++++---- ossfuzz/decompress_frame_fuzzer.c | 10 +++++++--- ossfuzz/decompress_fuzzer.c | 5 +++-- ossfuzz/fuzz_data_producer.c | 36 ++++++++++++++++++++++++------------ ossfuzz/fuzz_data_producer.h | 9 ++++++++- ossfuzz/round_trip_frame_fuzzer.c | 7 ++++--- ossfuzz/round_trip_fuzzer.c | 4 +++- ossfuzz/round_trip_hc_fuzzer.c | 7 ++++--- 10 files changed, 68 insertions(+), 33 deletions(-) diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c index 7fe09a1..a99bb74 100644 --- a/ossfuzz/compress_frame_fuzzer.c +++ b/ossfuzz/compress_frame_fuzzer.c @@ -19,8 +19,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); - size_t const dstCapacity = FUZZ_dataProducer_uint32(producer, 0, compressBound); + size_t const compressBound = LZ4F_compressFrameBound(FUZZ_dataProducer_remainingBytes(producer), &prefs); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, compressBound); + size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, + 0, FUZZ_dataProducer_remainingBytes(producer)); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c index 9d72e72..76d227e 100644 --- a/ossfuzz/compress_fuzzer.c +++ b/ossfuzz/compress_fuzzer.c @@ -16,8 +16,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, LZ4_compressBound(size)); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, LZ4_compressBound(size)); + size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, + 0, LZ4_compressBound(FUZZ_dataProducer_remainingBytes(producer))); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c index 5f22104..3e28f42 100644 --- a/ossfuzz/compress_hc_fuzzer.c +++ b/ossfuzz/compress_hc_fuzzer.c @@ -17,12 +17,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, LZ4_compressBound(size)); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, + 0, LZ4_compressBound(size)); + size_t const levelSeed = FUZZ_dataProducer_uint32_seed(producer, + LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, + 0, FUZZ_dataProducer_remainingBytes(producer)); + int const level = FUZZ_dataProducer_uint32( + levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_dataProducer_uint32( - producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); /* Restrict to remaining data from producer */ size = FUZZ_dataProducer_remainingBytes(producer); diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c index 60d2ea1..1308100 100644 --- a/ossfuzz/decompress_frame_fuzzer.c +++ b/ossfuzz/decompress_frame_fuzzer.c @@ -31,11 +31,15 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, 4 * size); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, + 0, 4 * size); size_t const largeDictSize = 64 * 1024; + size_t const dictSizeSeed = FUZZ_dataProducer_uint32_seed(producer, + 0, largeDictSize); + size_t const dstCapacity = FUZZ_dataProducer_uint32( + dstCapacitySeed, 0, 4 * FUZZ_dataProducer_remainingBytes(producer)); size_t const dictSize = FUZZ_dataProducer_uint32( - producer, 0, largeDictSize); + dictSizeSeed, 0, largeDictSize); char* const dst = (char*)malloc(dstCapacity); char* const dict = (char*)malloc(dictSize); LZ4F_decompressOptions_t opts; diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c index bc4190b..111f5b5 100644 --- a/ossfuzz/decompress_fuzzer.c +++ b/ossfuzz/decompress_fuzzer.c @@ -15,8 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - producer, 0, 4 * size); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, 4 * size); + size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, + 0, 4 * FUZZ_dataProducer_remainingBytes(producer)); size_t const smallDictSize = size + 1; size_t const largeDictSize = 64 * 1024 - 1; size_t const dictSize = MAX(smallDictSize, largeDictSize); diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c index f35bd8a..70e42ea 100644 --- a/ossfuzz/fuzz_data_producer.c +++ b/ossfuzz/fuzz_data_producer.c @@ -17,7 +17,7 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); } -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_dataProducer_uint32_seed(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max) { FUZZ_ASSERT(min <= max); @@ -32,24 +32,36 @@ uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, rolling >>= 8; } - if (range == 0xffffffff) { - return result; - } + return result; +} - return min + result % (range + 1); +uint32_t FUZZ_dataProducer_uint32(uint32_t seed, uint32_t min, uint32_t max) +{ + uint32_t range = max - min; + if (range == 0xffffffff) { + return seed; + } + return min + seed % (range + 1); +} + +uint32_t FUZZ_dataProducer_uint32NonAdaptive(FUZZ_dataProducer_t* producer, + uint32_t min, uint32_t max) +{ + size_t const seed = FUZZ_dataProducer_uint32_seed(producer, min, max); + return FUZZ_dataProducer_uint32(seed, min, max); } LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer) { LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO; - info.blockSizeID = FUZZ_dataProducer_uint32(producer, LZ4F_max64KB - 1, LZ4F_max4MB); + info.blockSizeID = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_max64KB - 1, LZ4F_max4MB); if (info.blockSizeID < LZ4F_max64KB) { info.blockSizeID = LZ4F_default; } - info.blockMode = FUZZ_dataProducer_uint32(producer, LZ4F_blockLinked, LZ4F_blockIndependent); - info.contentChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noContentChecksum, + info.blockMode = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_blockLinked, LZ4F_blockIndependent); + info.contentChecksumFlag = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_noContentChecksum, LZ4F_contentChecksumEnabled); - info.blockChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noBlockChecksum, + info.blockChecksumFlag = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_noBlockChecksum, LZ4F_blockChecksumEnabled); return info; } @@ -58,9 +70,9 @@ LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer) { LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES; prefs.frameInfo = FUZZ_dataProducer_frameInfo(producer); - prefs.compressionLevel = FUZZ_dataProducer_uint32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; - prefs.autoFlush = FUZZ_dataProducer_uint32(producer, 0, 1); - prefs.favorDecSpeed = FUZZ_dataProducer_uint32(producer, 0, 1); + prefs.compressionLevel = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; + prefs.autoFlush = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, 1); + prefs.favorDecSpeed = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, 1); return prefs; } diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h index 4c097a7..e12f899 100644 --- a/ossfuzz/fuzz_data_producer.h +++ b/ossfuzz/fuzz_data_producer.h @@ -16,8 +16,15 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size); /* Frees the data producer */ void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); +/* Returns a seed value for the function after this one to consume */ +uint32_t FUZZ_dataProducer_uint32_seed(FUZZ_dataProducer_t *producer, uint32_t min, + uint32_t max); + /* Returns value between [min, max] */ -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_dataProducer_uint32(uint32_t seed, uint32_t min, uint32_t max); + +/* Combination of above two functions for non adaptive use cases. ie where size is not involved */ +uint32_t FUZZ_dataProducer_uint32NonAdaptive(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max); /* Returns lz4 preferences */ diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c index fe6fc77..c34553d 100644 --- a/ossfuzz/round_trip_frame_fuzzer.c +++ b/ossfuzz/round_trip_frame_fuzzer.c @@ -16,11 +16,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); + FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, size); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs); + size_t const dstCapacity = LZ4F_compressFrameBound( + LZ4_compressBound(FUZZ_dataProducer_remainingBytes(producer)), &prefs); char* const dst = (char*)malloc(dstCapacity); - char* const rt = (char*)malloc(size); + char* const rt = (char*)malloc(FUZZ_dataProducer_remainingBytes(producer)); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c index e37a0a6..85774fe 100644 --- a/ossfuzz/round_trip_fuzzer.c +++ b/ossfuzz/round_trip_fuzzer.c @@ -15,7 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const partialCapacity = FUZZ_dataProducer_uint32(producer, 0, size); + size_t const partialCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, size); + size_t const partialCapacity = FUZZ_dataProducer_uint32(partialCapacitySeed, + 0, FUZZ_dataProducer_remainingBytes(producer)); size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c index 8406809..cc9c302 100644 --- a/ossfuzz/round_trip_hc_fuzzer.c +++ b/ossfuzz/round_trip_hc_fuzzer.c @@ -16,11 +16,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacity = LZ4_compressBound(size); + int const level = FUZZ_dataProducer_uint32NonAdaptive(producer, + LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + size_t const dstCapacity = LZ4_compressBound( + FUZZ_dataProducer_remainingBytes(producer)); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); - int const level = FUZZ_dataProducer_uint32( - producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); /* Restrict to remaining data from producer */ size = FUZZ_dataProducer_remainingBytes(producer); -- cgit v0.12 From 9cb73d69c4d92e255826dfee47e46a6815955ee4 Mon Sep 17 00:00:00 2001 From: Bimba Shrestha Date: Fri, 13 Sep 2019 16:04:48 -0700 Subject: Addressing naming nits and moving size modification up in all fuzzers --- ossfuzz/compress_frame_fuzzer.c | 15 ++++++++------- ossfuzz/compress_fuzzer.c | 11 +++++------ ossfuzz/compress_hc_fuzzer.c | 16 +++++++--------- ossfuzz/decompress_frame_fuzzer.c | 16 ++++++++-------- ossfuzz/decompress_fuzzer.c | 11 +++++------ ossfuzz/fuzz_data_producer.c | 24 ++++++++++++------------ ossfuzz/fuzz_data_producer.h | 6 +++--- ossfuzz/round_trip_frame_fuzzer.c | 9 ++++----- ossfuzz/round_trip_fuzzer.c | 12 ++++++------ ossfuzz/round_trip_hc_fuzzer.c | 11 +++++------ 10 files changed, 63 insertions(+), 68 deletions(-) diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c index a99bb74..30f0448 100644 --- a/ossfuzz/compress_frame_fuzzer.c +++ b/ossfuzz/compress_frame_fuzzer.c @@ -19,19 +19,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size_t const compressBound = LZ4F_compressFrameBound(FUZZ_dataProducer_remainingBytes(producer), &prefs); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, compressBound); - size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, - 0, FUZZ_dataProducer_remainingBytes(producer)); + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, compressBound); + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* If compression succeeds it must round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c index 76d227e..fac7dab 100644 --- a/ossfuzz/compress_fuzzer.c +++ b/ossfuzz/compress_fuzzer.c @@ -16,14 +16,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, LZ4_compressBound(size)); - size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, - 0, LZ4_compressBound(FUZZ_dataProducer_remainingBytes(producer))); - char* const dst = (char*)malloc(dstCapacity); - char* const rt = (char*)malloc(size); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, LZ4_compressBound(size)); - /* Restrict to remaining data from producer */ size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, LZ4_compressBound(size)); + + char* const dst = (char*)malloc(dstCapacity); + char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c index 3e28f42..fac5e6f 100644 --- a/ossfuzz/compress_hc_fuzzer.c +++ b/ossfuzz/compress_hc_fuzzer.c @@ -17,19 +17,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, LZ4_compressBound(size)); - size_t const levelSeed = FUZZ_dataProducer_uint32_seed(producer, + size_t const levelSeed = FUZZ_dataProducer_uint32(producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, - 0, FUZZ_dataProducer_remainingBytes(producer)); - int const level = FUZZ_dataProducer_uint32( - levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - char* const dst = (char*)malloc(dstCapacity); - char* const rt = (char*)malloc(size); - /* Restrict to remaining data from producer */ size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size); + int const level = FUZZ_getRange_from_uint32(levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); + + char* const dst = (char*)malloc(dstCapacity); + char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c index 1308100..cf88579 100644 --- a/ossfuzz/decompress_frame_fuzzer.c +++ b/ossfuzz/decompress_frame_fuzzer.c @@ -31,24 +31,24 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, 4 * size); size_t const largeDictSize = 64 * 1024; - size_t const dictSizeSeed = FUZZ_dataProducer_uint32_seed(producer, + size_t const dictSizeSeed = FUZZ_dataProducer_uint32(producer, 0, largeDictSize); - size_t const dstCapacity = FUZZ_dataProducer_uint32( - dstCapacitySeed, 0, 4 * FUZZ_dataProducer_remainingBytes(producer)); - size_t const dictSize = FUZZ_dataProducer_uint32( + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32( + dstCapacitySeed, 0, 4 * size); + size_t const dictSize = FUZZ_getRange_from_uint32( dictSizeSeed, 0, largeDictSize); + char* const dst = (char*)malloc(dstCapacity); char* const dict = (char*)malloc(dictSize); LZ4F_decompressOptions_t opts; LZ4F_dctx* dctx; LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - FUZZ_ASSERT(dctx); FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c index 111f5b5..c2595b0 100644 --- a/ossfuzz/decompress_fuzzer.c +++ b/ossfuzz/decompress_fuzzer.c @@ -15,9 +15,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, 4 * size); - size_t const dstCapacity = FUZZ_dataProducer_uint32(dstCapacitySeed, - 0, 4 * FUZZ_dataProducer_remainingBytes(producer)); + size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, 4 * size); + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size); + size_t const smallDictSize = size + 1; size_t const largeDictSize = 64 * 1024 - 1; size_t const dictSize = MAX(smallDictSize, largeDictSize); @@ -27,9 +29,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) char* const dataAfterDict = dict + dictSize; char* const smallDict = dataAfterDict - smallDictSize; - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - FUZZ_ASSERT(dst); FUZZ_ASSERT(dict); diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c index 70e42ea..9557f58 100644 --- a/ossfuzz/fuzz_data_producer.c +++ b/ossfuzz/fuzz_data_producer.c @@ -17,7 +17,7 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); } -uint32_t FUZZ_dataProducer_uint32_seed(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max) { FUZZ_ASSERT(min <= max); @@ -35,7 +35,7 @@ uint32_t FUZZ_dataProducer_uint32_seed(FUZZ_dataProducer_t *producer, uint32_t m return result; } -uint32_t FUZZ_dataProducer_uint32(uint32_t seed, uint32_t min, uint32_t max) +uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max) { uint32_t range = max - min; if (range == 0xffffffff) { @@ -44,24 +44,24 @@ uint32_t FUZZ_dataProducer_uint32(uint32_t seed, uint32_t min, uint32_t max) return min + seed % (range + 1); } -uint32_t FUZZ_dataProducer_uint32NonAdaptive(FUZZ_dataProducer_t* producer, +uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t* producer, uint32_t min, uint32_t max) { - size_t const seed = FUZZ_dataProducer_uint32_seed(producer, min, max); - return FUZZ_dataProducer_uint32(seed, min, max); + size_t const seed = FUZZ_dataProducer_uint32(producer, min, max); + return FUZZ_getRange_from_uint32(seed, min, max); } LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer) { LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO; - info.blockSizeID = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_max64KB - 1, LZ4F_max4MB); + info.blockSizeID = FUZZ_dataProducer_range32(producer, LZ4F_max64KB - 1, LZ4F_max4MB); if (info.blockSizeID < LZ4F_max64KB) { info.blockSizeID = LZ4F_default; } - info.blockMode = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_blockLinked, LZ4F_blockIndependent); - info.contentChecksumFlag = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_noContentChecksum, + info.blockMode = FUZZ_dataProducer_range32(producer, LZ4F_blockLinked, LZ4F_blockIndependent); + info.contentChecksumFlag = FUZZ_dataProducer_range32(producer, LZ4F_noContentChecksum, LZ4F_contentChecksumEnabled); - info.blockChecksumFlag = FUZZ_dataProducer_uint32NonAdaptive(producer, LZ4F_noBlockChecksum, + info.blockChecksumFlag = FUZZ_dataProducer_range32(producer, LZ4F_noBlockChecksum, LZ4F_blockChecksumEnabled); return info; } @@ -70,9 +70,9 @@ LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer) { LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES; prefs.frameInfo = FUZZ_dataProducer_frameInfo(producer); - prefs.compressionLevel = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; - prefs.autoFlush = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, 1); - prefs.favorDecSpeed = FUZZ_dataProducer_uint32NonAdaptive(producer, 0, 1); + prefs.compressionLevel = FUZZ_dataProducer_range32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3; + prefs.autoFlush = FUZZ_dataProducer_range32(producer, 0, 1); + prefs.favorDecSpeed = FUZZ_dataProducer_range32(producer, 0, 1); return prefs; } diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h index e12f899..db18fd2 100644 --- a/ossfuzz/fuzz_data_producer.h +++ b/ossfuzz/fuzz_data_producer.h @@ -17,14 +17,14 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size); void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); /* Returns a seed value for the function after this one to consume */ -uint32_t FUZZ_dataProducer_uint32_seed(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max); /* Returns value between [min, max] */ -uint32_t FUZZ_dataProducer_uint32(uint32_t seed, uint32_t min, uint32_t max); +uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max); /* Combination of above two functions for non adaptive use cases. ie where size is not involved */ -uint32_t FUZZ_dataProducer_uint32NonAdaptive(FUZZ_dataProducer_t *producer, uint32_t min, +uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t *producer, uint32_t min, uint32_t max); /* Returns lz4 preferences */ diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c index c34553d..aea13bb 100644 --- a/ossfuzz/round_trip_frame_fuzzer.c +++ b/ossfuzz/round_trip_frame_fuzzer.c @@ -18,17 +18,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, size); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size_t const dstCapacity = LZ4F_compressFrameBound( - LZ4_compressBound(FUZZ_dataProducer_remainingBytes(producer)), &prefs); + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(FUZZ_dataProducer_remainingBytes(producer)); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* Compression must succeed and round trip correctly. */ size_t const dstSize = LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs); diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c index 85774fe..80cd910 100644 --- a/ossfuzz/round_trip_fuzzer.c +++ b/ossfuzz/round_trip_fuzzer.c @@ -15,19 +15,19 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const partialCapacitySeed = FUZZ_dataProducer_uint32_seed(producer, 0, size); - size_t const partialCapacity = FUZZ_dataProducer_uint32(partialCapacitySeed, - 0, FUZZ_dataProducer_remainingBytes(producer)); + size_t const partialCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, size); + + size = FUZZ_dataProducer_remainingBytes(producer); + size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed, + 0, size); size_t const dstCapacity = LZ4_compressBound(size); + char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); - /* Restrict to remaining data from producer */ - size = FUZZ_dataProducer_remainingBytes(producer); - /* Compression must succeed and round trip correctly. */ int const dstSize = LZ4_compress_default((const char*)data, dst, size, dstCapacity); diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c index cc9c302..75ca8ec 100644 --- a/ossfuzz/round_trip_hc_fuzzer.c +++ b/ossfuzz/round_trip_hc_fuzzer.c @@ -16,15 +16,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - int const level = FUZZ_dataProducer_uint32NonAdaptive(producer, + int const level = FUZZ_dataProducer_range32(producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - size_t const dstCapacity = LZ4_compressBound( - FUZZ_dataProducer_remainingBytes(producer)); - char* const dst = (char*)malloc(dstCapacity); - char* const rt = (char*)malloc(size); - /* Restrict to remaining data from producer */ size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = LZ4_compressBound(size); + + char* const dst = (char*)malloc(dstCapacity); + char* const rt = (char*)malloc(size); FUZZ_ASSERT(dst); FUZZ_ASSERT(rt); -- cgit v0.12 From 8edc5879d029459074a9c7bd9489dabf5b510bf6 Mon Sep 17 00:00:00 2001 From: Bimba Shrestha Date: Fri, 13 Sep 2019 18:08:58 -0700 Subject: Retreiving 32 bits from the end for fuzzer --- ossfuzz/compress_frame_fuzzer.c | 8 +++----- ossfuzz/compress_fuzzer.c | 7 ++++--- ossfuzz/compress_hc_fuzzer.c | 8 +++----- ossfuzz/decompress_frame_fuzzer.c | 10 ++++------ ossfuzz/decompress_fuzzer.c | 5 ++--- ossfuzz/fuzz_data_producer.c | 30 +++++++++++++----------------- ossfuzz/fuzz_data_producer.h | 5 ++--- ossfuzz/round_trip_frame_fuzzer.c | 3 +-- ossfuzz/round_trip_fuzzer.c | 7 +++---- ossfuzz/round_trip_hc_fuzzer.c | 3 +-- 10 files changed, 36 insertions(+), 50 deletions(-) diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c index 30f0448..668d7c3 100644 --- a/ossfuzz/compress_frame_fuzzer.c +++ b/ossfuzz/compress_frame_fuzzer.c @@ -19,13 +19,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size)); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); - size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, compressBound); - size = FUZZ_dataProducer_remainingBytes(producer); - size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size); + size_t const compressBound = LZ4F_compressFrameBound(size, &prefs); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c index fac7dab..edc8aad 100644 --- a/ossfuzz/compress_fuzzer.c +++ b/ossfuzz/compress_fuzzer.c @@ -16,10 +16,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, LZ4_compressBound(size)); - + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); - size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, LZ4_compressBound(size)); + + size_t const compressBound = LZ4_compressBound(size); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c index fac5e6f..7d8e45a 100644 --- a/ossfuzz/compress_hc_fuzzer.c +++ b/ossfuzz/compress_hc_fuzzer.c @@ -17,12 +17,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, - 0, LZ4_compressBound(size)); - size_t const levelSeed = FUZZ_dataProducer_uint32(producer, - LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size_t const levelSeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size); int const level = FUZZ_getRange_from_uint32(levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c index cf88579..0fcbb16 100644 --- a/ossfuzz/decompress_frame_fuzzer.c +++ b/ossfuzz/decompress_frame_fuzzer.c @@ -31,15 +31,13 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, - 0, 4 * size); - size_t const largeDictSize = 64 * 1024; - size_t const dictSizeSeed = FUZZ_dataProducer_uint32(producer, - 0, largeDictSize); - + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); + size_t const dictSizeSeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); + size_t const dstCapacity = FUZZ_getRange_from_uint32( dstCapacitySeed, 0, 4 * size); + size_t const largeDictSize = 64 * 1024; size_t const dictSize = FUZZ_getRange_from_uint32( dictSizeSeed, 0, largeDictSize); diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c index c2595b0..6f48e30 100644 --- a/ossfuzz/decompress_fuzzer.c +++ b/ossfuzz/decompress_fuzzer.c @@ -15,11 +15,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, 4 * size); - + size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); - size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size); + size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size); size_t const smallDictSize = size + 1; size_t const largeDictSize = 64 * 1024 - 1; size_t const dictSize = MAX(smallDictSize, largeDictSize); diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c index 9557f58..cc06958 100644 --- a/ossfuzz/fuzz_data_producer.c +++ b/ossfuzz/fuzz_data_producer.c @@ -17,22 +17,18 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); } -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, - uint32_t max) { - FUZZ_ASSERT(min <= max); - - uint32_t range = max - min; - uint32_t rolling = range; - uint32_t result = 0; - - while (rolling > 0 && producer->size > 0) { - uint8_t next = *(producer->data + producer->size - 1); - producer->size -= 1; - result = (result << 8) | next; - rolling >>= 8; - } - - return result; +uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer) { + const uint8_t* data = producer->data; + const size_t size = producer->size; + if (size == 0) { + return 0; + } else if (size < 4) { + producer->size -= 1; + return (uint32_t)data[size - 1]; + } else { + producer->size -= 4; + return *(data + size - 4); + } } uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max) @@ -47,7 +43,7 @@ uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max) uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t* producer, uint32_t min, uint32_t max) { - size_t const seed = FUZZ_dataProducer_uint32(producer, min, max); + size_t const seed = FUZZ_dataProducer_retrieve32(producer); return FUZZ_getRange_from_uint32(seed, min, max); } diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h index db18fd2..b96dcba 100644 --- a/ossfuzz/fuzz_data_producer.h +++ b/ossfuzz/fuzz_data_producer.h @@ -16,9 +16,8 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size); /* Frees the data producer */ void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer); -/* Returns a seed value for the function after this one to consume */ -uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min, - uint32_t max); +/* Returns 32 bits from the end of data */ +uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer); /* Returns value between [min, max] */ uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max); diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c index aea13bb..149542d 100644 --- a/ossfuzz/round_trip_frame_fuzzer.c +++ b/ossfuzz/round_trip_frame_fuzzer.c @@ -18,10 +18,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, size); LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer); - size = FUZZ_dataProducer_remainingBytes(producer); - size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs); + size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(FUZZ_dataProducer_remainingBytes(producer)); diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c index 80cd910..6307058 100644 --- a/ossfuzz/round_trip_fuzzer.c +++ b/ossfuzz/round_trip_fuzzer.c @@ -15,11 +15,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); - size_t const partialCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, size); - + size_t const partialCapacitySeed = FUZZ_dataProducer_retrieve32(producer); size = FUZZ_dataProducer_remainingBytes(producer); - size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed, - 0, size); + + size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed, 0, size); size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c index 75ca8ec..7d03ee2 100644 --- a/ossfuzz/round_trip_hc_fuzzer.c +++ b/ossfuzz/round_trip_hc_fuzzer.c @@ -18,10 +18,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size); int const level = FUZZ_dataProducer_range32(producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX); - size = FUZZ_dataProducer_remainingBytes(producer); - size_t const dstCapacity = LZ4_compressBound(size); + size_t const dstCapacity = LZ4_compressBound(size); char* const dst = (char*)malloc(dstCapacity); char* const rt = (char*)malloc(size); -- cgit v0.12