AuroraMiddleware/lz4
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[fuzz] Add LZ4 frame fuzzers

Browse Source 
* Round trip fuzzer
* Compress fuzzer
* Decompress fuzzer
This commit is contained in:
Nick Terrell 2019-07-18 18:49:40 -07:00
parent b487660309
commit d28159c025
6 changed files with 219 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ossfuzz/Makefile
View File

@ -33,7 +33,8 @@ DEBUGFLAGS = -g -DLZ4_DEBUG=$(DEBUGLEVEL)
LZ4_CFLAGS = $(CFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
LZ4_CXXFLAGS = $(CXXFLAGS) $(DEBUGFLAGS) $(MOREFLAGS)
LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_
LZ4_CPPFLAGS = $(CPPFLAGS) -I$(LZ4DIR) -DXXH_NAMESPACE=LZ4_ \
-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FUZZERS := \
compress_fuzzer \
@ -41,7 +42,10 @@ FUZZERS := \
round_trip_fuzzer \
round_trip_stream_fuzzer \
compress_hc_fuzzer \
round_trip_hc_fuzzer
round_trip_hc_fuzzer \
compress_frame_fuzzer \
round_trip_frame_fuzzer \
decompress_frame_fuzzer
all: $(FUZZERS)
@ -54,7 +58,7 @@ $(LZ4DIR)/liblz4.a:
$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) $< -o $@
# Generic rule for generating fuzzers
%_fuzzer: %_fuzzer.o $(LZ4DIR)/liblz4.a
%_fuzzer: %_fuzzer.o lz4_helpers.o $(LZ4DIR)/liblz4.a
# Compile the standalone code just in case. The OSS-Fuzz code might
# override the LIB_FUZZING_ENGINE value to "-fsanitize=fuzzer"
$(CC) -c $(LZ4_CFLAGS) $(LZ4_CPPFLAGS) standaloneengine.c -o standaloneengine.o

42
ossfuzz/compress_frame_fuzzer.c Normal file
View File

@ -0,0 +1,42 @@
/**
* This fuzz target attempts to compress the fuzzed data with the simple
* compression function with an output buffer that may be too small to
* ensure that the compressor never crashes.
*/
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "fuzz_helpers.h"
#include "lz4.h"
#include "lz4frame.h"
#include "lz4_helpers.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
size_t const compressBound = LZ4F_compressFrameBound(size, &prefs);
size_t const dstCapacity = FUZZ_rand32(&seed, 0, compressBound);
char* const dst = (char*)malloc(dstCapacity);
char* const rt = (char*)malloc(size);
FUZZ_ASSERT(dst);
FUZZ_ASSERT(rt);
/* If compression succeeds it must round trip correctly. */
size_t const dstSize =
LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
if (!LZ4F_isError(dstSize)) {
size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
}
free(dst);
free(rt);
return 0;
}

67
ossfuzz/decompress_frame_fuzzer.c Normal file
View File

@ -0,0 +1,67 @@
/**
* This fuzz target attempts to decompress the fuzzed data with the simple
* decompression function to ensure the decompressor never crashes.
*/
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "fuzz_helpers.h"
#include "lz4.h"
#define LZ4F_STATIC_LINKING_ONLY
#include "lz4frame.h"
#include "lz4_helpers.h"
static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
const void* src, size_t srcSize,
const void* dict, size_t dictSize,
const LZ4F_decompressOptions_t* opts)
{
LZ4F_resetDecompressionContext(dctx);
if (dictSize == 0)
LZ4F_decompress(dctx, dst, &dstCapacity, src, &srcSize, opts);
else
LZ4F_decompress_usingDict(dctx, dst, &dstCapacity, src, &srcSize,
dict, dictSize, opts);
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
size_t const dstCapacity = FUZZ_rand32(&seed, 0, 4 * size);
size_t const largeDictSize = 64 * 1024;
size_t const dictSize = FUZZ_rand32(&seed, 0, largeDictSize);
char* const dst = (char*)malloc(dstCapacity);
char* const dict = (char*)malloc(dictSize);
LZ4F_decompressOptions_t opts;
LZ4F_dctx* dctx;
LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
FUZZ_ASSERT(dctx);
FUZZ_ASSERT(dst);
FUZZ_ASSERT(dict);
/* Prepare the dictionary. The data doesn't matter for decompression. */
memset(dict, 0, dictSize);
/* Decompress using multiple configurations. */
memset(&opts, 0, sizeof(opts));
opts.stableDst = 0;
decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
opts.stableDst = 1;
decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
opts.stableDst = 0;
decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
opts.stableDst = 1;
decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
LZ4F_freeDecompressionContext(dctx);
free(dst);
free(dict);
return 0;
}

51
ossfuzz/lz4_helpers.c Normal file
View File

@ -0,0 +1,51 @@
#include "fuzz_helpers.h"
#include "lz4_helpers.h"
#include "lz4hc.h"
LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed)
{
LZ4F_frameInfo_t info = LZ4F_INIT_FRAMEINFO;
info.blockSizeID = FUZZ_rand32(seed, LZ4F_max64KB - 1, LZ4F_max4MB);
if (info.blockSizeID < LZ4F_max64KB) {
info.blockSizeID = LZ4F_default;
}
info.blockMode = FUZZ_rand32(seed, LZ4F_blockLinked, LZ4F_blockIndependent);
info.contentChecksumFlag = FUZZ_rand32(seed, LZ4F_noContentChecksum,
LZ4F_contentChecksumEnabled);
info.blockChecksumFlag = FUZZ_rand32(seed, LZ4F_noBlockChecksum,
LZ4F_blockChecksumEnabled);
return info;
}
LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed)
{
LZ4F_preferences_t prefs = LZ4F_INIT_PREFERENCES;
prefs.frameInfo = FUZZ_randomFrameInfo(seed);
prefs.compressionLevel = FUZZ_rand32(seed, 0, LZ4HC_CLEVEL_MAX + 3) - 3;
prefs.autoFlush = FUZZ_rand32(seed, 0, 1);
prefs.favorDecSpeed = FUZZ_rand32(seed, 0, 1);
return prefs;
}
size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
const void* src, const size_t srcSize)
{
LZ4F_decompressOptions_t opts;
memset(&opts, 0, sizeof(opts));
opts.stableDst = 1;
LZ4F_dctx* dctx;
LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
FUZZ_ASSERT(dctx);
size_t dstSize = dstCapacity;
size_t srcConsumed = srcSize;
size_t const rc =
LZ4F_decompress(dctx, dst, &dstSize, src, &srcConsumed, &opts);
FUZZ_ASSERT(!LZ4F_isError(rc));
FUZZ_ASSERT(rc == 0);
FUZZ_ASSERT(srcConsumed == srcSize);
LZ4F_freeDecompressionContext(dctx);
return dstSize;
}

13
ossfuzz/lz4_helpers.h Normal file
View File

@ -0,0 +1,13 @@
#ifndef LZ4_HELPERS
#define LZ4_HELPERS
#include "lz4frame.h"
LZ4F_frameInfo_t FUZZ_randomFrameInfo(uint32_t* seed);
LZ4F_preferences_t FUZZ_randomPreferences(uint32_t* seed);
size_t FUZZ_decompressFrame(void* dst, const size_t dstCapacity,
const void* src, const size_t srcSize);
#endif /* LZ4_HELPERS */

39
ossfuzz/round_trip_frame_fuzzer.c Normal file
View File

@ -0,0 +1,39 @@
/**
* This fuzz target performs a lz4 round-trip test (compress & decompress),
* compares the result with the original, and calls abort() on corruption.
*/
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "fuzz_helpers.h"
#include "lz4.h"
#include "lz4frame.h"
#include "lz4_helpers.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
uint32_t seed = FUZZ_seed(&data, &size);
LZ4F_preferences_t const prefs = FUZZ_randomPreferences(&seed);
size_t const dstCapacity = LZ4F_compressFrameBound(size, &prefs);
char* const dst = (char*)malloc(dstCapacity);
char* const rt = (char*)malloc(size);
FUZZ_ASSERT(dst);
FUZZ_ASSERT(rt);
/* Compression must succeed and round trip correctly. */
size_t const dstSize =
LZ4F_compressFrame(dst, dstCapacity, data, size, &prefs);
FUZZ_ASSERT(!LZ4F_isError(dstSize));
size_t const rtSize = FUZZ_decompressFrame(rt, size, dst, dstSize);
FUZZ_ASSERT_MSG(rtSize == size, "Incorrect regenerated size");
FUZZ_ASSERT_MSG(!memcmp(data, rt, size), "Corruption!");
free(dst);
free(rt);
return 0;
}