fuzz.h File Reference

#include <stddef.h>
#include <stdint.h>

Go to the source code of this file.

Macros
#define	FUZZ_RNG_SEED_SIZE   4

Functions
int	LLVMFuzzerTestOneInput (const uint8_t *src, size_t size)

Macro Definition Documentation

FUZZ_RNG_SEED_SIZE

#define FUZZ_RNG_SEED_SIZE   4

Fuzz target interface. Fuzz targets have some common parameters passed as macros during compilation. Check the documentation for each individual fuzzer for more parameters.

Parameters

FUZZ_RNG_SEED_SIZE	The number of bytes of the source to look at when constructing a seed for the deterministic RNG. These bytes are discarded before passing the data to lz4 functions. Every fuzzer initializes the RNG exactly once before doing anything else, even if it is unused. Default: 4.
LZ4_DEBUG	This is a parameter for the lz4 library. Defining LZ4_DEBUG=1 enables assert() statements in the lz4 library. Higher levels enable logging, so aren't recommended. Defining LZ4_DEBUG=1 is recommended.
LZ4_FORCE_MEMORY_ACCESS	This flag controls how the zstd library accesses unaligned memory. It can be undefined, or 0 through 2. If it is undefined, it selects the method to use based on the compiler. If testing with UBSAN set MEM_FORCE_MEMORY_ACCESS=0 to use the standard compliant method.
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION	This is the canonical flag to enable deterministic builds for fuzzing. Changes to zstd for fuzzing are gated behind this define. It is recommended to define this when building zstd for fuzzing.

Definition at line 32 of file fuzz.h.

Function Documentation

LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput	(	const uint8_t *	data,
		size_t	size
	)

This fuzz target attempts to compress the fuzzed data with the simple compression function with an output buffer that may be too small to ensure that the compressor never crashes.

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

This fuzz target performs a lz4 round-trip test (compress & decompress), compares the result with the original, and calls abort() on corruption.

This fuzz target attempts to compress the fuzzed data with the simple compression function with an output buffer that may be too small to ensure that the compressor never crashes.

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

This fuzz target performs a lz4 round-trip test (compress & decompress), compares the result with the original, and calls abort() on corruption.

Definition at line 180 of file fuzz_diff.c.

                                                             {
    csh handle;
    cs_insn *insn;
    cs_err err;
    const uint8_t **Datap = &Data;
    size_t * Sizep = &Size;
    uint64_t address = 0x1000;
    char LLVMAssemblyText[80];
    char CapstoneAssemblyText[80];
 
    if (Size < 1) {
        // 1 byte for arch choice
        return 0;
    } else if (Size > 0x1000) {
        //limit input to 4kb
        Size = 0x1000;
    }
    if (outfile == NULL) {
        // we compute the output
        outfile = fopen("/dev/null", "w");
        if (outfile == NULL) {
            return 0;
        }
        LLVMFuzzerInit();
    }
 
    if (Data[0] >= sizeof(platforms)/sizeof(platforms[0])) {
        return 0;
    }
 
    if (LLVMFuzzerReturnOneInput(Data, Size, LLVMAssemblyText) == 1) {
        return 0;
    }
 
    err = cs_open(platforms[Data[0]].arch, platforms[Data[0]].mode, &handle);
    if (err) {
        return 0;
    }
 
    insn = cs_malloc(handle);
    Data++;
    Size--;
    assert(insn);
        if (cs_disasm_iter(handle, Datap, Sizep, &address, insn)) {
            snprintf(CapstoneAssemblyText, 80, "\t%s\t%s", insn->mnemonic, insn->op_str);
            if (strcmp(CapstoneAssemblyText, LLVMAssemblyText) != 0) {
                printf("capstone %s != llvm %s", CapstoneAssemblyText, LLVMAssemblyText);
                abort();
            }
        } else {
            printf("capstone failed with llvm %s", LLVMAssemblyText);
            abort();
        }
    cs_free(insn, 1);
    cs_close(&handle);
 
    return 0;
}

References compressBound(), compressedSize, DEBUGLOG, decompress(), dst, error(), f, free(), FUZZ_ASSERT, FUZZ_ASSERT_MSG, FUZZ_dataProducer_create(), FUZZ_dataProducer_free(), FUZZ_dataProducer_preferences(), FUZZ_dataProducer_range32(), FUZZ_dataProducer_remainingBytes(), FUZZ_dataProducer_retrieve32(), FUZZ_decompressFrame(), FUZZ_getRange_from_uint32(), FUZZ_seed(), i, level, LZ4_compress_default(), LZ4_compress_destSize(), LZ4_compress_HC(), LZ4_compress_HC_destSize(), LZ4_compressBound(), LZ4_decompress_safe(), LZ4_decompress_safe_partial(), LZ4_decompress_safe_usingDict(), LZ4_sizeofStateHC(), LZ4F_compressFrame(), LZ4F_compressFrameBound(), LZ4F_createDecompressionContext(), LZ4F_freeDecompressionContext(), LZ4F_isError(), LZ4F_VERSION, LZ4HC_CLEVEL_MAX, LZ4HC_CLEVEL_MIN, malloc(), MAX, memcpy(), memset(), n, NULL, roundTrips, src, LZ4F_decompressOptions_t::stableDst, state_checkRoundTrip(), state_create(), state_free(), state_reset(), za, zip_close(), zip_error_fini(), zip_error_init(), zip_fclose(), zip_fopen_index(), zip_fread(), zip_get_num_entries(), zip_open_from_source(), zip_source_buffer_create(), and zip_source_free().