1 /**
2 * Copyright (c) 2016-present, Facebook, Inc.
3 * All rights reserved.
4 *
5 * This source code is licensed under both the BSD-style license (found in the
6 * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7 * in the COPYING file in the root directory of this source tree).
8 */
9
10 /**
11 * This fuzz target performs a zstd round-trip test (compress & decompress),
12 * compares the result with the original, and calls abort() on corruption.
13 */
14
15 #define ZSTD_STATIC_LINKING_ONLY
16
17 #include <stddef.h>
18 #include <stdlib.h>
19 #include <stdio.h>
20 #include <string.h>
21 #include "fuzz_helpers.h"
22 #include "zstd.h"
23 #include "zstd_helpers.h"
24 #include "fuzz_data_producer.h"
25
26 static ZSTD_CCtx *cctx = NULL;
27 static ZSTD_DCtx *dctx = NULL;
28 static void* cBuf = NULL;
29 static void* rBuf = NULL;
30 static size_t bufSize = 0;
31
roundTripTest(void * result,size_t resultCapacity,void * compressed,size_t compressedCapacity,const void * src,size_t srcSize,int cLevel)32 static size_t roundTripTest(void *result, size_t resultCapacity,
33 void *compressed, size_t compressedCapacity,
34 const void *src, size_t srcSize,
35 int cLevel)
36 {
37 ZSTD_parameters const params = ZSTD_getParams(cLevel, srcSize, 0);
38 size_t ret = ZSTD_compressBegin_advanced(cctx, NULL, 0, params, srcSize);
39 FUZZ_ZASSERT(ret);
40
41 ret = ZSTD_compressBlock(cctx, compressed, compressedCapacity, src, srcSize);
42 FUZZ_ZASSERT(ret);
43 if (ret == 0) {
44 FUZZ_ASSERT(resultCapacity >= srcSize);
45 memcpy(result, src, srcSize);
46 return srcSize;
47 }
48 ZSTD_decompressBegin(dctx);
49 return ZSTD_decompressBlock(dctx, result, resultCapacity, compressed, ret);
50 }
51
LLVMFuzzerTestOneInput(const uint8_t * src,size_t size)52 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
53 {
54 /* Give a random portion of src data to the producer, to use for
55 parameter generation. The rest will be used for (de)compression */
56 FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
57 size = FUZZ_dataProducer_reserveDataPrefix(producer);
58
59 int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel);
60
61 size_t neededBufSize = size;
62 if (size > ZSTD_BLOCKSIZE_MAX)
63 size = ZSTD_BLOCKSIZE_MAX;
64
65 /* Allocate all buffers and contexts if not already allocated */
66 if (neededBufSize > bufSize || !cBuf || !rBuf) {
67 free(cBuf);
68 free(rBuf);
69 cBuf = malloc(neededBufSize);
70 rBuf = malloc(neededBufSize);
71 bufSize = neededBufSize;
72 FUZZ_ASSERT(cBuf && rBuf);
73 }
74 if (!cctx) {
75 cctx = ZSTD_createCCtx();
76 FUZZ_ASSERT(cctx);
77 }
78 if (!dctx) {
79 dctx = ZSTD_createDCtx();
80 FUZZ_ASSERT(dctx);
81 }
82
83 {
84 size_t const result =
85 roundTripTest(rBuf, neededBufSize, cBuf, neededBufSize, src, size,
86 cLevel);
87 FUZZ_ZASSERT(result);
88 FUZZ_ASSERT_MSG(result == size, "Incorrect regenerated size");
89 FUZZ_ASSERT_MSG(!memcmp(src, rBuf, size), "Corruption!");
90 }
91 FUZZ_dataProducer_free(producer);
92 #ifndef STATEFUL_FUZZING
93 ZSTD_freeCCtx(cctx); cctx = NULL;
94 ZSTD_freeDCtx(dctx); dctx = NULL;
95 #endif
96 return 0;
97 }
98