From 8edc5879d029459074a9c7bd9489dabf5b510bf6 Mon Sep 17 00:00:00 2001
From: Bimba Shrestha
Date: Fri, 13 Sep 2019 18:08:58 -0700
Subject: Retreiving 32 bits from the end for fuzzer

---
 ossfuzz/compress_frame_fuzzer.c   |  8 +++-----
 ossfuzz/compress_fuzzer.c         |  7 ++++---
 ossfuzz/compress_hc_fuzzer.c      |  8 +++-----
 ossfuzz/decompress_frame_fuzzer.c | 10 ++++------
 ossfuzz/decompress_fuzzer.c       |  5 ++---
 ossfuzz/fuzz_data_producer.c      | 30 +++++++++++++-----------------
 ossfuzz/fuzz_data_producer.h      |  5 ++---
 ossfuzz/round_trip_frame_fuzzer.c |  3 +--
 ossfuzz/round_trip_fuzzer.c       |  7 +++----
 ossfuzz/round_trip_hc_fuzzer.c    |  3 +--
 10 files changed, 36 insertions(+), 50 deletions(-)

diff --git a/ossfuzz/compress_frame_fuzzer.c b/ossfuzz/compress_frame_fuzzer.c
index 30f0448..668d7c3 100644
--- a/ossfuzz/compress_frame_fuzzer.c
+++ b/ossfuzz/compress_frame_fuzzer.c
@@ -19,13 +19,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size));
     LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer);
-
+    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
-    size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, compressBound);
-    size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size);
+    size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
+    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound);
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
diff --git a/ossfuzz/compress_fuzzer.c b/ossfuzz/compress_fuzzer.c
index fac7dab..edc8aad 100644
--- a/ossfuzz/compress_fuzzer.c
+++ b/ossfuzz/compress_fuzzer.c
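Review bot: The producer at the top of this hunk is still created with `FUZZ_dataProducer_create(data, LZ4_compressBound(size))`, a length larger than the input actually holds, so the new `FUZZ_dataProducer_retrieve32(producer)` call reads `data + producer->size - 4`, which lies past the end of the fuzzer input, and the `size = FUZZ_dataProducer_remainingBytes(producer);` that follows inherits the same inflated length. Every other fuzzer touched by this commit passes `size`; this one should too: `FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);`. The line is unchanged context, but switching to fixed-width reads makes the over-read deterministic on every input rather than dependent on the old range-driven loop. LLVMFuzzerTestOneInput continues outside the hunk.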
@@ -16,10 +16,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, LZ4_compressBound(size));
-
+    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, LZ4_compressBound(size));
+
+    size_t const compressBound = LZ4_compressBound(size);
+    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, compressBound);
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
diff --git a/ossfuzz/compress_hc_fuzzer.c b/ossfuzz/compress_hc_fuzzer.c
index fac5e6f..7d8e45a 100644
--- a/ossfuzz/compress_hc_fuzzer.c
+++ b/ossfuzz/compress_hc_fuzzer.c
@@ -17,12 +17,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer,
-            0, LZ4_compressBound(size));
-    size_t const levelSeed = FUZZ_dataProducer_uint32(producer,
-            LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
-
+    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
+    size_t const levelSeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
+
     size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size);
     int const level = FUZZ_getRange_from_uint32(levelSeed, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
diff --git a/ossfuzz/decompress_frame_fuzzer.c b/ossfuzz/decompress_frame_fuzzer.c
index cf88579..0fcbb16 100644
--- a/ossfuzz/decompress_frame_fuzzer.c
+++ b/ossfuzz/decompress_frame_fuzzer.c
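Review bot: In the compress_hc_fuzzer.c hunk, `dstCapacity` is bounded by `size` (`FUZZ_getRange_from_uint32(dstCapacitySeed, 0, size)`), while the compress_fuzzer.c hunk in this same commit bounds it by `LZ4_compressBound(size)`; with the `size` bound, an incompressible input can never be given a destination large enough to succeed, so the HC success path is only reached for compressible inputs. If the smaller bound is deliberate, a short comment on that line, e.g. `/* deliberately allows dst smaller than the compress bound to exercise the failure path */`, would stop the next reader from aligning the two. The two `FUZZ_dataProducer_retrieve32` calls consume up to 8 trailing bytes before `size` is recomputed, which looks intended. The enclosing function continues outside the hunk.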
@@ -31,15 +31,13 @@ static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer,
-            0, 4 * size);
-    size_t const largeDictSize = 64 * 1024;
-    size_t const dictSizeSeed = FUZZ_dataProducer_uint32(producer,
-            0, largeDictSize);
-
+    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
+    size_t const dictSizeSeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
+
     size_t const dstCapacity = FUZZ_getRange_from_uint32(
             dstCapacitySeed, 0, 4 * size);
+    size_t const largeDictSize = 64 * 1024;
     size_t const dictSize = FUZZ_getRange_from_uint32(
             dictSizeSeed, 0, largeDictSize);
diff --git a/ossfuzz/decompress_fuzzer.c b/ossfuzz/decompress_fuzzer.c
index c2595b0..6f48e30 100644
--- a/ossfuzz/decompress_fuzzer.c
+++ b/ossfuzz/decompress_fuzzer.c
@@ -15,11 +15,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const dstCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, 4 * size);
-
+    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);
+    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);
     size_t const smallDictSize = size + 1;
     size_t const largeDictSize = 64 * 1024 - 1;
     size_t const dictSize = MAX(smallDictSize, largeDictSize);
diff --git a/ossfuzz/fuzz_data_producer.c b/ossfuzz/fuzz_data_producer.c
index 9557f58..cc06958 100644
--- a/ossfuzz/fuzz_data_producer.c
+++ b/ossfuzz/fuzz_data_producer.c
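Review bot: In the decompress_fuzzer.c hunk, the removed and re-added `size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);` lines are textually identical, so that pair is a whitespace-only change (presumably indentation or trailing whitespace) that hides the fact that the hunk's only functional edit is the switch to `FUZZ_dataProducer_retrieve32`. Dropping the whitespace fix from this commit, or splitting it out, keeps the diff reviewable. The same pattern appears in the round_trip_frame_fuzzer.c and round_trip_hc_fuzzer.c hunks later in the patch. In both files here the enclosing function continues outside the hunk.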
@@ -17,22 +17,18 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size)
 void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer) { free(producer); }
-uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
-                                  uint32_t max) {
-    FUZZ_ASSERT(min <= max);
-
-    uint32_t range = max - min;
-    uint32_t rolling = range;
-    uint32_t result = 0;
-
-    while (rolling > 0 && producer->size > 0) {
-        uint8_t next = *(producer->data + producer->size - 1);
-        producer->size -= 1;
-        result = (result << 8) | next;
-        rolling >>= 8;
-    }
-
-    return result;
+uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer) {
+    const uint8_t* data = producer->data;
+    const size_t size = producer->size;
+    if (size == 0) {
+        return 0;
+    } else if (size < 4) {
+        producer->size -= 1;
+        return (uint32_t)data[size - 1];
+    } else {
+        producer->size -= 4;
+        return *(data + size - 4);
+    }
 }
 uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max)
@@ -47,7 +43,7 @@ uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max)
 uint32_t FUZZ_dataProducer_range32(FUZZ_dataProducer_t* producer, uint32_t min, uint32_t max) {
-    size_t const seed = FUZZ_dataProducer_uint32(producer, min, max);
+    size_t const seed = FUZZ_dataProducer_retrieve32(producer);
     return FUZZ_getRange_from_uint32(seed, min, max);
 }
diff --git a/ossfuzz/fuzz_data_producer.h b/ossfuzz/fuzz_data_producer.h
index db18fd2..b96dcba 100644
--- a/ossfuzz/fuzz_data_producer.h
+++ b/ossfuzz/fuzz_data_producer.h
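Review bot: `return *(data + size - 4);` in the new FUZZ_dataProducer_retrieve32 dereferences a `const uint8_t *`, so it returns only the single byte at `data[size - 4]` even though the call consumes four bytes; the function therefore never yields more than 8 bits of seed, and the header's "Returns 32 bits from the end of data" does not describe it. Assemble the four bytes explicitly, e.g. `return (uint32_t)data[size - 4] | ((uint32_t)data[size - 3] << 8) | ((uint32_t)data[size - 2] << 16) | ((uint32_t)data[size - 1] << 24);`. The `size < 4` branch consumes one byte and leaves up to two unread; if that is intended, a comment such as `/* fewer than 4 bytes left: consume one and use it as the whole seed */` would make it clear. In the second hunk, `size_t const seed = FUZZ_dataProducer_retrieve32(producer);` widens a uint32_t only to narrow it again when calling FUZZ_getRange_from_uint32; `uint32_t const seed` avoids the round trip.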
@@ -16,9 +16,8 @@ FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size);
 /* Frees the data producer */
 void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer);
-/* Returns a seed value for the function after this one to consume */
-uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
-                                  uint32_t max);
+/* Returns 32 bits from the end of data */
+uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer);
 /* Returns value between [min, max] */
 uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max);
diff --git a/ossfuzz/round_trip_frame_fuzzer.c b/ossfuzz/round_trip_frame_fuzzer.c
index aea13bb..149542d 100644
--- a/ossfuzz/round_trip_frame_fuzzer.c
+++ b/ossfuzz/round_trip_frame_fuzzer.c
@@ -18,10 +18,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, size);
     LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer);
-    size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs);
+    size_t const dstCapacity = LZ4F_compressFrameBound(LZ4_compressBound(size), &prefs);
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(FUZZ_dataProducer_remainingBytes(producer));
diff --git a/ossfuzz/round_trip_fuzzer.c b/ossfuzz/round_trip_fuzzer.c
index 80cd910..6307058 100644
--- a/ossfuzz/round_trip_fuzzer.c
+++ b/ossfuzz/round_trip_fuzzer.c
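Review bot: The new header comment `/* Returns 32 bits from the end of data */` omits the two facts a caller needs: the bytes are consumed from the producer (so remainingBytes shrinks and the call order against `FUZZ_dataProducer_remainingBytes` matters), and the function returns 0 once nothing is left. Suggest `/* Consumes up to 4 bytes from the end of the remaining data and returns them as a seed; returns 0 when the producer is empty */`. In the round_trip_frame_fuzzer.c hunk, removing `size = FUZZ_dataProducer_remainingBytes(producer);` leaves `size` at the full input length while `rt` two lines below is still allocated with `FUZZ_dataProducer_remainingBytes(producer)`, so the two buffers are now sized from different lengths; that only over-estimates `dst`, but if the compress call later in the function (outside this hunk) still passes `size` as the source length, the bytes consumed by FUZZ_dataProducer_preferences become part of the payload and `rt` is too small to hold the round-tripped data. Either keep the removed line or size `rt` with `size`, as round_trip_hc_fuzzer.c does in this commit.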
@@ -15,11 +15,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
-    size_t const partialCapacitySeed = FUZZ_dataProducer_uint32(producer, 0, size);
-
+    size_t const partialCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
     size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed,
-            0, size);
+
+    size_t const partialCapacity = FUZZ_getRange_from_uint32(partialCapacitySeed, 0, size);
     size_t const dstCapacity = LZ4_compressBound(size);
     char* const dst = (char*)malloc(dstCapacity);
diff --git a/ossfuzz/round_trip_hc_fuzzer.c b/ossfuzz/round_trip_hc_fuzzer.c
index 75ca8ec..7d03ee2 100644
--- a/ossfuzz/round_trip_hc_fuzzer.c
+++ b/ossfuzz/round_trip_hc_fuzzer.c
@@ -18,10 +18,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
     int const level = FUZZ_dataProducer_range32(producer, LZ4HC_CLEVEL_MIN, LZ4HC_CLEVEL_MAX);
-    size = FUZZ_dataProducer_remainingBytes(producer);
-    size_t const dstCapacity = LZ4_compressBound(size);
+    size_t const dstCapacity = LZ4_compressBound(size);
     char* const dst = (char*)malloc(dstCapacity);
     char* const rt = (char*)malloc(size);
-- 
cgit v0.12
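Review bot: In the round_trip_hc_fuzzer.c hunk, dropping `size = FUZZ_dataProducer_remainingBytes(producer);` keeps `size` at the full input length, so the trailing bytes that FUZZ_dataProducer_range32 consumed for `level` stay inside whatever is later compressed with `size` (outside this hunk). That is safe for the buffers shown, since `dst` and `rt` are both sized from the same `size`, but it is the opposite of the round_trip_fuzzer.c hunk above, which keeps the remainingBytes assignment, so the two round-trip fuzzers now treat the seed bytes differently. If including the seed bytes in the compressed span is intended, a one-line comment next to the `dstCapacity` line saying so would spare the next reader the comparison; otherwise restore the removed assignment. Both enclosing functions continue outside their hunks.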