Rizin
unix-like reverse engineering framework and cli tools
decompress_frame_fuzzer.c
Go to the documentation of this file.
1 
6 #include <stddef.h>
7 #include <stdint.h>
8 #include <stdlib.h>
9 #include <string.h>
10 
11 #include "fuzz_helpers.h"
12 #include "fuzz_data_producer.h"
13 #include "lz4.h"
14 #define LZ4F_STATIC_LINKING_ONLY
15 #include "lz4frame.h"
16 #include "lz4_helpers.h"
17 
18 static void decompress(LZ4F_dctx* dctx, void* dst, size_t dstCapacity,
19  const void* src, size_t srcSize,
20  const void* dict, size_t dictSize,
21  const LZ4F_decompressOptions_t* opts)
22 {
23  LZ4F_resetDecompressionContext(dctx);
24  if (dictSize == 0)
25  LZ4F_decompress(dctx, dst, &dstCapacity, src, &srcSize, opts);
26  else
27  LZ4F_decompress_usingDict(dctx, dst, &dstCapacity, src, &srcSize,
28  dict, dictSize, opts);
29 }
30 
31 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
32 {
33  FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
34  size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
35  size_t const dictSizeSeed = FUZZ_dataProducer_retrieve32(producer);
36  size = FUZZ_dataProducer_remainingBytes(producer);
37 
38  size_t const dstCapacity = FUZZ_getRange_from_uint32(
39  dstCapacitySeed, 0, 4 * size);
40  size_t const largeDictSize = 64 * 1024;
41  size_t const dictSize = FUZZ_getRange_from_uint32(
42  dictSizeSeed, 0, largeDictSize);
43 
44  char* const dst = (char*)malloc(dstCapacity);
45  char* const dict = (char*)malloc(dictSize);
46  LZ4F_decompressOptions_t opts;
47  LZ4F_dctx* dctx;
48  LZ4F_createDecompressionContext(&dctx, LZ4F_VERSION);
49 
50  FUZZ_ASSERT(dctx);
51  FUZZ_ASSERT(dst);
52  FUZZ_ASSERT(dict);
53 
54  /* Prepare the dictionary. The data doesn't matter for decompression. */
55  memset(dict, 0, dictSize);
56 
57 
58  /* Decompress using multiple configurations. */
59  memset(&opts, 0, sizeof(opts));
60  opts.stableDst = 0;
61  decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
62  opts.stableDst = 1;
63  decompress(dctx, dst, dstCapacity, data, size, NULL, 0, &opts);
64  opts.stableDst = 0;
65  decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
66  opts.stableDst = 1;
67  decompress(dctx, dst, dstCapacity, data, size, dict, dictSize, &opts);
68 
69  LZ4F_freeDecompressionContext(dctx);
70  free(dst);
71  free(dict);
72  FUZZ_dataProducer_free(producer);
73 
74  return 0;
75 }
src
lzma_index * src
Definition: index.h:567
NULL
#define NULL
Definition: cris-opc.c:27
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: decompress_frame_fuzzer.c:31
decompress
static void decompress(LZ4F_dctx *dctx, void *dst, size_t dstCapacity, const void *src, size_t srcSize, const void *dict, size_t dictSize, const LZ4F_decompressOptions_t *opts)
Definition: decompress_frame_fuzzer.c:18
FUZZ_dataProducer_free
void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:18
FUZZ_getRange_from_uint32
uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max)
Definition: fuzz_data_producer.c:34
FUZZ_dataProducer_remainingBytes
size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:75
FUZZ_dataProducer_create
FUZZ_dataProducer_t * FUZZ_dataProducer_create(const uint8_t *data, size_t size)
Definition: fuzz_data_producer.c:8
FUZZ_dataProducer_retrieve32
uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:20
fuzz_data_producer.h
fuzz_helpers.h
FUZZ_ASSERT
#define FUZZ_ASSERT(cond)
Definition: fuzz_helpers.h:46
free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130
size
voidpf void uLong size
Definition: ioapi.h:138
memset
return memset(p, 0, total)
malloc
void * malloc(size_t size)
Definition: malloc.c:123
srcSize
char int srcSize
Definition: lz4.h:697
dst
char * dst
Definition: lz4.h:724
lz4_helpers.h
LZ4F_freeDecompressionContext
LZ4F_errorCode_t LZ4F_freeDecompressionContext(LZ4F_dctx *dctx)
Definition: lz4frame.c:1082
LZ4F_decompress_usingDict
size_t LZ4F_decompress_usingDict(LZ4F_dctx *dctx, void *dstBuffer, size_t *dstSizePtr, const void *srcBuffer, size_t *srcSizePtr, const void *dict, size_t dictSize, const LZ4F_decompressOptions_t *decompressOptionsPtr)
Definition: lz4frame.c:1886
LZ4F_decompress
size_t LZ4F_decompress(LZ4F_dctx *dctx, void *dstBuffer, size_t *dstSizePtr, const void *srcBuffer, size_t *srcSizePtr, const LZ4F_decompressOptions_t *decompressOptionsPtr)
Definition: lz4frame.c:1384
LZ4F_createDecompressionContext
LZ4F_errorCode_t LZ4F_createDecompressionContext(LZ4F_dctx **LZ4F_decompressionContextPtr, unsigned versionNumber)
Definition: lz4frame.c:1069
LZ4F_resetDecompressionContext
void LZ4F_resetDecompressionContext(LZ4F_dctx *dctx)
Definition: lz4frame.c:1097
LZ4F_VERSION
#define LZ4F_VERSION
Definition: lz4frame.h:242
uint8_t
unsigned char uint8_t
Definition: sftypes.h:31
FUZZ_dataProducer_s
Definition: fuzz_data_producer.c:3
LZ4F_dctx_s
Definition: lz4frame.c:1041
LZ4F_decompressOptions_t
Definition: lz4frame.h:349
LZ4F_decompressOptions_t::stableDst
unsigned stableDst
Definition: lz4frame.h:350