Rizin
unix-like reverse engineering framework and cli tools
Functions
decompress_fuzzer.c File Reference
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "fuzz_helpers.h"
#include "fuzz_data_producer.h"
#include "lz4.h"

Go to the source code of this file.

Functions

int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 

Function Documentation

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput ( const uint8_t data,
size_t  size 
)

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

Definition at line 15 of file decompress_fuzzer.c.

16 {
17  FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
18  size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
19  size = FUZZ_dataProducer_remainingBytes(producer);
20 
21  size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);
22  size_t const smallDictSize = size + 1;
23  size_t const largeDictSize = 64 * 1024 - 1;
24  size_t const dictSize = MAX(smallDictSize, largeDictSize);
25  char* const dst = (char*)malloc(dstCapacity);
26  char* const dict = (char*)malloc(dictSize + size);
27  char* const largeDict = dict;
28  char* const dataAfterDict = dict + dictSize;
29  char* const smallDict = dataAfterDict - smallDictSize;
30 
31  FUZZ_ASSERT(dst);
32  FUZZ_ASSERT(dict);
33 
34  /* Prepare the dictionary. The data doesn't matter for decompression. */
35  memset(dict, 0, dictSize);
36  memcpy(dataAfterDict, data, size);
37 
38  /* Decompress using each possible dictionary configuration. */
39  /* No dictionary. */
40  LZ4_decompress_safe_usingDict((char const*)data, dst, size,
41  dstCapacity, NULL, 0);
42  /* Small external dictonary. */
43  LZ4_decompress_safe_usingDict((char const*)data, dst, size,
44  dstCapacity, smallDict, smallDictSize);
45  /* Large external dictionary. */
46  LZ4_decompress_safe_usingDict((char const*)data, dst, size,
47  dstCapacity, largeDict, largeDictSize);
48  /* Small prefix. */
49  LZ4_decompress_safe_usingDict((char const*)dataAfterDict, dst, size,
50  dstCapacity, smallDict, smallDictSize);
51  /* Large prefix. */
52  LZ4_decompress_safe_usingDict((char const*)data, dst, size,
53  dstCapacity, largeDict, largeDictSize);
54  /* Partial decompression. */
55  LZ4_decompress_safe_partial((char const*)data, dst, size,
56  dstCapacity, dstCapacity);
57  free(dst);
58  free(dict);
59  FUZZ_dataProducer_free(producer);
60 
61  return 0;
62 }
NULL
#define NULL
Definition: cris-opc.c:27
FUZZ_dataProducer_free
void FUZZ_dataProducer_free(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:18
FUZZ_getRange_from_uint32
uint32_t FUZZ_getRange_from_uint32(uint32_t seed, uint32_t min, uint32_t max)
Definition: fuzz_data_producer.c:34
FUZZ_dataProducer_remainingBytes
size_t FUZZ_dataProducer_remainingBytes(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:75
FUZZ_dataProducer_create
FUZZ_dataProducer_t * FUZZ_dataProducer_create(const uint8_t *data, size_t size)
Definition: fuzz_data_producer.c:8
FUZZ_dataProducer_retrieve32
uint32_t FUZZ_dataProducer_retrieve32(FUZZ_dataProducer_t *producer)
Definition: fuzz_data_producer.c:20
FUZZ_ASSERT
#define FUZZ_ASSERT(cond)
Definition: fuzz_helpers.h:46
free
RZ_API void Ht_() free(HtName_(Ht) *ht)
Definition: ht_inc.c:130
size
voidpf void uLong size
Definition: ioapi.h:138
memset
return memset(p, 0, total)
memcpy
memcpy(mem, inblock.get(), min(CONTAINING_RECORD(inblock.get(), MEMBLOCK, data) ->size, size))
malloc
void * malloc(size_t size)
Definition: malloc.c:123
LZ4_decompress_safe_usingDict
int LZ4_decompress_safe_usingDict(const char *source, char *dest, int compressedSize, int maxOutputSize, const char *dictStart, int dictSize)
Definition: lz4.c:2404
LZ4_decompress_safe_partial
LZ4_FORCE_O2 int LZ4_decompress_safe_partial(const char *src, char *dst, int compressedSize, int targetOutputSize, int dstCapacity)
Definition: lz4.c:2179
dst
char * dst
Definition: lz4.h:724
FUZZ_dataProducer_s
Definition: fuzz_data_producer.c:3
MAX
#define MAX(a, b)
Definition: xtensa-dis.c:40

References dst, free(), FUZZ_ASSERT, FUZZ_dataProducer_create(), FUZZ_dataProducer_free(), FUZZ_dataProducer_remainingBytes(), FUZZ_dataProducer_retrieve32(), FUZZ_getRange_from_uint32(), LZ4_decompress_safe_partial(), LZ4_decompress_safe_usingDict(), malloc(), MAX, memcpy(), memset(), and NULL.