• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * Copyright (c) 2016-2020, Facebook, Inc.
3  * All rights reserved.
4  *
5  * This source code is licensed under both the BSD-style license (found in the
6  * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7  * in the COPYING file in the root directory of this source tree).
8  * You may select, at your option, one of the above-listed licenses.
9  */
10 
11 /**
12  * This fuzz target performs a zstd round-trip test (compress & decompress),
13  * compares the result with the original, and calls abort() on corruption.
14  */
15 
16 #define ZSTD_STATIC_LINKING_ONLY
17 
18 #include <stddef.h>
19 #include <stdlib.h>
20 #include <stdio.h>
21 #include <string.h>
22 #include "fuzz_helpers.h"
23 #include "zstd.h"
24 #include "zstd_helpers.h"
25 #include "fuzz_data_producer.h"
26 
27 static ZSTD_CCtx *cctx = NULL;
28 static ZSTD_DCtx *dctx = NULL;
29 static void* cBuf = NULL;
30 static void* rBuf = NULL;
31 static size_t bufSize = 0;
32 
roundTripTest(void * result,size_t resultCapacity,void * compressed,size_t compressedCapacity,const void * src,size_t srcSize,int cLevel)33 static size_t roundTripTest(void *result, size_t resultCapacity,
34                             void *compressed, size_t compressedCapacity,
35                             const void *src, size_t srcSize,
36                             int cLevel)
37 {
38     ZSTD_parameters const params = ZSTD_getParams(cLevel, srcSize, 0);
39     size_t ret = ZSTD_compressBegin_advanced(cctx, NULL, 0, params, srcSize);
40     FUZZ_ZASSERT(ret);
41 
42     ret = ZSTD_compressBlock(cctx, compressed, compressedCapacity, src, srcSize);
43     FUZZ_ZASSERT(ret);
44     if (ret == 0) {
45         FUZZ_ASSERT(resultCapacity >= srcSize);
46         if (srcSize > 0) {
47             memcpy(result, src, srcSize);
48         }
49         return srcSize;
50     }
51     ZSTD_decompressBegin(dctx);
52     return ZSTD_decompressBlock(dctx, result, resultCapacity, compressed, ret);
53 }
54 
LLVMFuzzerTestOneInput(const uint8_t * src,size_t size)55 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
56 {
57     /* Give a random portion of src data to the producer, to use for
58     parameter generation. The rest will be used for (de)compression */
59     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
60     size = FUZZ_dataProducer_reserveDataPrefix(producer);
61 
62     int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel);
63 
64     size_t neededBufSize = size;
65     if (size > ZSTD_BLOCKSIZE_MAX)
66         size = ZSTD_BLOCKSIZE_MAX;
67 
68     /* Allocate all buffers and contexts if not already allocated */
69     if (neededBufSize > bufSize || !cBuf || !rBuf) {
70         free(cBuf);
71         free(rBuf);
72         cBuf = FUZZ_malloc(neededBufSize);
73         rBuf = FUZZ_malloc(neededBufSize);
74         bufSize = neededBufSize;
75     }
76     if (!cctx) {
77         cctx = ZSTD_createCCtx();
78         FUZZ_ASSERT(cctx);
79     }
80     if (!dctx) {
81         dctx = ZSTD_createDCtx();
82         FUZZ_ASSERT(dctx);
83     }
84 
85     {
86         size_t const result =
87             roundTripTest(rBuf, neededBufSize, cBuf, neededBufSize, src, size,
88               cLevel);
89         FUZZ_ZASSERT(result);
90         FUZZ_ASSERT_MSG(result == size, "Incorrect regenerated size");
91         FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
92     }
93     FUZZ_dataProducer_free(producer);
94 #ifndef STATEFUL_FUZZING
95     ZSTD_freeCCtx(cctx); cctx = NULL;
96     ZSTD_freeDCtx(dctx); dctx = NULL;
97 #endif
98     return 0;
99 }
100