• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) Facebook, Inc.
3  * All rights reserved.
4  *
5  * This source code is licensed under both the BSD-style license (found in the
6  * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7  * in the COPYING file in the root directory of this source tree).
8  * You may select, at your option, one of the above-listed licenses.
9  */
10 
11 /**
12  * This fuzz target performs a zstd round-trip test (compress & decompress),
13  * compares the result with the original, and calls abort() on corruption.
14  */
15 
16 #define ZSTD_STATIC_LINKING_ONLY
17 
18 #include <stddef.h>
19 #include <stdlib.h>
20 #include <stdio.h>
21 #include <string.h>
22 #include "fuzz_helpers.h"
23 #include "zstd_helpers.h"
24 #include "fuzz_data_producer.h"
25 
26 static ZSTD_CCtx *cctx = NULL;
27 static ZSTD_DCtx *dctx = NULL;
28 
roundTripTest(void * result,size_t resultCapacity,void * compressed,size_t compressedCapacity,const void * src,size_t srcSize,FUZZ_dataProducer_t * producer)29 static size_t roundTripTest(void *result, size_t resultCapacity,
30                             void *compressed, size_t compressedCapacity,
31                             const void *src, size_t srcSize,
32                             FUZZ_dataProducer_t *producer)
33 {
34     size_t cSize;
35     size_t dSize;
36     int targetCBlockSize = 0;
37     if (FUZZ_dataProducer_uint32Range(producer, 0, 1)) {
38         size_t const remainingBytes = FUZZ_dataProducer_remainingBytes(producer);
39         FUZZ_setRandomParameters(cctx, srcSize, producer);
40         cSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize);
41         FUZZ_ZASSERT(cSize);
42         FUZZ_ZASSERT(ZSTD_CCtx_getParameter(cctx, ZSTD_c_targetCBlockSize, &targetCBlockSize));
43         // Compress a second time and check for determinism
44         {
45             size_t const cSize0 = cSize;
46             XXH64_hash_t const hash0 = XXH64(compressed, cSize, 0);
47             FUZZ_dataProducer_rollBack(producer, remainingBytes);
48             FUZZ_setRandomParameters(cctx, srcSize, producer);
49             cSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize);
50             FUZZ_ASSERT(cSize == cSize0);
51             FUZZ_ASSERT(XXH64(compressed, cSize, 0) == hash0);
52         }
53     } else {
54         int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel);
55         cSize = ZSTD_compressCCtx(
56             cctx, compressed, compressedCapacity, src, srcSize, cLevel);
57         FUZZ_ZASSERT(cSize);
58         // Compress a second time and check for determinism
59         {
60             size_t const cSize0 = cSize;
61             XXH64_hash_t const hash0 = XXH64(compressed, cSize, 0);
62             cSize = ZSTD_compressCCtx(
63                 cctx, compressed, compressedCapacity, src, srcSize, cLevel);
64             FUZZ_ASSERT(cSize == cSize0);
65             FUZZ_ASSERT(XXH64(compressed, cSize, 0) == hash0);
66         }
67     }
68     dSize = ZSTD_decompressDCtx(dctx, result, resultCapacity, compressed, cSize);
69     FUZZ_ZASSERT(dSize);
70     /* When superblock is enabled make sure we don't expand the block more than expected.
71      * NOTE: This test is currently disabled because superblock mode can arbitrarily
72      * expand the block in the worst case. Once superblock mode has been improved we can
73      * re-enable this test.
74      */
75     if (0 && targetCBlockSize != 0) {
76         size_t normalCSize;
77         FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_targetCBlockSize, 0));
78         normalCSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize);
79         FUZZ_ZASSERT(normalCSize);
80         {
81             size_t const bytesPerBlock = 3 /* block header */
82                 + 5 /* Literal header */
83                 + 6 /* Huffman jump table */
84                 + 3 /* number of sequences */
85                 + 1 /* symbol compression modes */;
86             size_t const expectedExpansion = bytesPerBlock * (1 + (normalCSize / MAX(1, targetCBlockSize)));
87             size_t const allowedExpansion = (srcSize >> 3) + 5 * expectedExpansion + 10;
88             FUZZ_ASSERT(cSize <= normalCSize + allowedExpansion);
89         }
90     }
91     return dSize;
92 }
93 
LLVMFuzzerTestOneInput(const uint8_t * src,size_t size)94 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
95 {
96     size_t const rBufSize = size;
97     void* rBuf = FUZZ_malloc(rBufSize);
98     size_t cBufSize = ZSTD_compressBound(size);
99     void* cBuf;
100 
101     /* Give a random portion of src data to the producer, to use for
102     parameter generation. The rest will be used for (de)compression */
103     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
104     size = FUZZ_dataProducer_reserveDataPrefix(producer);
105 
106     /* Half of the time fuzz with a 1 byte smaller output size.
107      * This will still succeed because we don't use a dictionary, so the dictID
108      * field is empty, giving us 4 bytes of overhead.
109      */
110     cBufSize -= FUZZ_dataProducer_uint32Range(producer, 0, 1);
111 
112     cBuf = FUZZ_malloc(cBufSize);
113 
114     if (!cctx) {
115         cctx = ZSTD_createCCtx();
116         FUZZ_ASSERT(cctx);
117     }
118     if (!dctx) {
119         dctx = ZSTD_createDCtx();
120         FUZZ_ASSERT(dctx);
121     }
122 
123     {
124         size_t const result =
125             roundTripTest(rBuf, rBufSize, cBuf, cBufSize, src, size, producer);
126         FUZZ_ZASSERT(result);
127         FUZZ_ASSERT_MSG(result == size, "Incorrect regenerated size");
128         FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
129     }
130     free(rBuf);
131     free(cBuf);
132     FUZZ_dataProducer_free(producer);
133 #ifndef STATEFUL_FUZZING
134     ZSTD_freeCCtx(cctx); cctx = NULL;
135     ZSTD_freeDCtx(dctx); dctx = NULL;
136 #endif
137     return 0;
138 }
139