Making fuzzers use dataProducer api instead of random seed for decisions

This commit is contained in:
Bimba Shrestha 2019-08-30 10:27:42 -07:00
parent dc17d39c2f
commit 7d153a704d
5 changed files with 56 additions and 7 deletions

View File

@ -13,19 +13,23 @@
#include "lz4.h"
#include "lz4frame.h"
#include "lz4_helpers.h"
#include "fuzz_data_producer.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size));
LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer);
size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound);
size_t const dstCapacity = FUZZ_dataProducer_uint32(producer, 0, compressBound);
char* const dst = (char*)malloc(dstCapacity);
char* const rt = (char*)malloc(size);
FUZZ_ASSERT(dst);
FUZZ_ASSERT(rt);
/* Restrict to remaining data from producer */
size = FUZZ_dataProducer_remainingBytes(producer);
/* If compression succeeds it must round trip correctly. */
size_t const dstSize =
LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
@ -37,6 +41,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
free(dst);
free(rt);
FUZZ_dataProducer_free(producer);
return 0;
}

View File

@ -39,6 +39,31 @@ uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
return min + result % (range + 1);
}
LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer)
{
LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO;
info.blockSizeID = FUZZ_dataProducer_uint32(producer, LZ4F_max64KB - 1, LZ4F_max4MB);
if (info.blockSizeID < LZ4F_max64KB) {
info.blockSizeID = LZ4F_default;
}
info.blockMode = FUZZ_dataProducer_uint32(producer, LZ4F_blockLinked, LZ4F_blockIndependent);
info.contentChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noContentChecksum,
LZ4F_contentChecksumEnabled);
info.blockChecksumFlag = FUZZ_dataProducer_uint32(producer, LZ4F_noBlockChecksum,
LZ4F_blockChecksumEnabled);
return info;
}
LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer)
{
LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES;
prefs.frameInfo = FUZZ_dataProducer_frameInfo(producer);
prefs.compressionLevel = FUZZ_dataProducer_uint32(producer, 0, LZ4HC_CLEVEL_MAX + 3) - 3;
prefs.autoFlush = FUZZ_dataProducer_uint32(producer, 0, 1);
prefs.favorDecSpeed = FUZZ_dataProducer_uint32(producer, 0, 1);
return prefs;
}
size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer){
return producer->size;
}

View File

@ -4,6 +4,8 @@
#include <stdlib.h>
#include "fuzz_helpers.h"
#include "lz4frame.h"
#include "lz4hc.h"
/* Struct used for maintaining the state of the data */
typedef struct FUZZ_dataProducer_s FUZZ_dataProducer_t;
@ -18,5 +20,11 @@ void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer);
uint32_t FUZZ_dataProducer_uint32(FUZZ_dataProducer_t *producer, uint32_t min,
uint32_t max);
/* Returns lz4 preferences */
LZ4F_preferences_t FUZZ_dataProducer_preferences(FUZZ_dataProducer_t* producer);
/* Returns lz4 frame info */
LZ4F_frameInfo_t FUZZ_dataProducer_frameInfo(FUZZ_dataProducer_t* producer);
/* Returns the size of the remaining bytes of data in the producer */
size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer);

View File

@ -12,11 +12,12 @@
#include "lz4.h"
#include "lz4frame.h"
#include "lz4_helpers.h"
#include "fuzz_data_producer.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
FUZZ_dataProducer_t* producer = FUZZ_dataProducer_create(data, LZ4_compressBound(size));
LZ4F_preferences_t const prefs = FUZZ_dataProducer_preferences(producer);
size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs);
char* const dst = (char*)malloc(dstCapacity);
char* const rt = (char*)malloc(size);
@ -24,6 +25,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
FUZZ_ASSERT(dst);
FUZZ_ASSERT(rt);
/* Restrict to remaining data from producer */
size = FUZZ_dataProducer_remainingBytes(producer);
/* Compression must succeed and round trip correctly. */
size_t const dstSize =
LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
@ -34,6 +38,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
free(dst);
free(rt);
FUZZ_dataProducer_free(producer);
return 0;
}

View File

@ -10,10 +10,12 @@
#include "fuzz_helpers.h"
#include "lz4.h"
#include "fuzz_data_producer.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
size_t const partialCapacity = FUZZ_dataProducer_uint32(producer, 0, size);
size_t const dstCapacity = LZ4_compressBound(size);
char* const dst = (char*)malloc(dstCapacity);
char* const rt = (char*)malloc(size);
@ -21,6 +23,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
FUZZ_ASSERT(dst);
FUZZ_ASSERT(rt);
/* Restrict to remaining data from producer */
size = FUZZ_dataProducer_remainingBytes(producer);
/* Compression must succeed and round trip correctly. */
int const dstSize = LZ4_compress_default((const char*)data, dst,
size, dstCapacity);
@ -32,7 +37,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
/* Partial decompression must succeed. */
{
size_t const partialCapacity = FUZZ_rand32(&seed, 0, size);
char* const partial = (char*)malloc(partialCapacity);
FUZZ_ASSERT(partial);
int const partialSize = LZ4_decompress_safe_partial(
@ -43,8 +47,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
free(partial);
}
free(dst);
free(rt);
FUZZ_dataProducer_free(producer);
return 0;
}