1 /**
2 * Copyright (c) 2016-present, Yann Collet, Facebook, Inc.
3 * All rights reserved.
4 *
5 * This source code is licensed under both the BSD-style license (found in the
6 * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7 * in the COPYING file in the root directory of this source tree).
8 */
9
10 /*
11 This program takes a file in input,
12 performs a zstd round-trip test (compression - decompress)
13 compares the result with original
14 and generates a crash (double free) on corruption detection.
15 */
16
17 /*===========================================
18 * Dependencies
19 *==========================================*/
20 #include <stddef.h> /* size_t */
21 #include <stdlib.h> /* malloc, free, exit */
22 #include <stdio.h> /* fprintf */
23 #include <linux/xxhash.h>
24 #include <linux/zstd.h>
25
26 /*===========================================
27 * Macros
28 *==========================================*/
29 #define MIN(a,b) ( (a) < (b) ? (a) : (b) )
30
31 static const int kMaxClevel = 22;
32
33 static ZSTD_CCtx *cctx = NULL;
34 void *cws = NULL;
35 static ZSTD_DCtx *dctx = NULL;
36 void *dws = NULL;
37 static void* cBuff = NULL;
38 static void* rBuff = NULL;
39 static size_t buffSize = 0;
40
41
42 /** roundTripTest() :
43 * Compresses `srcBuff` into `compressedBuff`,
44 * then decompresses `compressedBuff` into `resultBuff`.
45 * Compression level used is derived from first content byte.
46 * @return : result of decompression, which should be == `srcSize`
47 * or an error code if either compression or decompression fails.
48 * Note : `compressedBuffCapacity` should be `>= ZSTD_compressBound(srcSize)`
49 * for compression to be guaranteed to work */
roundTripTest(void * resultBuff,size_t resultBuffCapacity,void * compressedBuff,size_t compressedBuffCapacity,const void * srcBuff,size_t srcBuffSize)50 static size_t roundTripTest(void* resultBuff, size_t resultBuffCapacity,
51 void* compressedBuff, size_t compressedBuffCapacity,
52 const void* srcBuff, size_t srcBuffSize)
53 {
54 size_t const hashLength = MIN(128, srcBuffSize);
55 unsigned const h32 = xxh32(srcBuff, hashLength, 0);
56 int const cLevel = h32 % kMaxClevel;
57 ZSTD_parameters const params = ZSTD_getParams(cLevel, srcBuffSize, 0);
58 size_t const cSize = ZSTD_compressCCtx(cctx, compressedBuff, compressedBuffCapacity, srcBuff, srcBuffSize, params);
59 if (ZSTD_isError(cSize)) {
60 fprintf(stderr, "Compression error : %u \n", ZSTD_getErrorCode(cSize));
61 return cSize;
62 }
63 return ZSTD_decompressDCtx(dctx, resultBuff, resultBuffCapacity, compressedBuff, cSize);
64 }
65
66
checkBuffers(const void * buff1,const void * buff2,size_t buffSize)67 static size_t checkBuffers(const void* buff1, const void* buff2, size_t buffSize)
68 {
69 const char* ip1 = (const char*)buff1;
70 const char* ip2 = (const char*)buff2;
71 size_t pos;
72
73 for (pos=0; pos<buffSize; pos++)
74 if (ip1[pos]!=ip2[pos])
75 break;
76
77 return pos;
78 }
79
crash(int errorCode)80 static void crash(int errorCode){
81 /* abort if AFL/libfuzzer, exit otherwise */
82 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* could also use __AFL_COMPILER */
83 abort();
84 #else
85 exit(errorCode);
86 #endif
87 }
88
roundTripCheck(const void * srcBuff,size_t srcBuffSize)89 static void roundTripCheck(const void* srcBuff, size_t srcBuffSize)
90 {
91 size_t const neededBuffSize = ZSTD_compressBound(srcBuffSize);
92
93 /* Allocate all buffers and contexts if not already allocated */
94 if (neededBuffSize > buffSize) {
95 free(cBuff);
96 free(rBuff);
97 buffSize = 0;
98
99 cBuff = malloc(neededBuffSize);
100 rBuff = malloc(neededBuffSize);
101 if (!cBuff || !rBuff) {
102 fprintf(stderr, "not enough memory ! \n");
103 crash(1);
104 }
105 buffSize = neededBuffSize;
106 }
107 if (!cctx) {
108 ZSTD_compressionParameters const params = ZSTD_getCParams(kMaxClevel, 0, 0);
109 size_t const workspaceSize = ZSTD_CCtxWorkspaceBound(params);
110 cws = malloc(workspaceSize);
111 if (!cws) {
112 fprintf(stderr, "not enough memory ! \n");
113 crash(1);
114 }
115 cctx = ZSTD_initCCtx(cws, workspaceSize);
116 if (!cctx) {
117 fprintf(stderr, "not enough memory ! \n");
118 crash(1);
119 }
120 }
121 if (!dctx) {
122 size_t const workspaceSize = ZSTD_DCtxWorkspaceBound();
123 dws = malloc(workspaceSize);
124 if (!dws) {
125 fprintf(stderr, "not enough memory ! \n");
126 crash(1);
127 }
128 dctx = ZSTD_initDCtx(dws, workspaceSize);
129 if (!dctx) {
130 fprintf(stderr, "not enough memory ! \n");
131 crash(1);
132 }
133 }
134
135 { size_t const result = roundTripTest(rBuff, buffSize, cBuff, buffSize, srcBuff, srcBuffSize);
136 if (ZSTD_isError(result)) {
137 fprintf(stderr, "roundTripTest error : %u \n", ZSTD_getErrorCode(result));
138 crash(1);
139 }
140 if (result != srcBuffSize) {
141 fprintf(stderr, "Incorrect regenerated size : %u != %u\n", (unsigned)result, (unsigned)srcBuffSize);
142 crash(1);
143 }
144 if (checkBuffers(srcBuff, rBuff, srcBuffSize) != srcBuffSize) {
145 fprintf(stderr, "Silent decoding corruption !!!");
146 crash(1);
147 }
148 }
149
150 #ifndef SKIP_FREE
151 free(cws); cws = NULL; cctx = NULL;
152 free(dws); dws = NULL; dctx = NULL;
153 free(cBuff); cBuff = NULL;
154 free(rBuff); rBuff = NULL;
155 buffSize = 0;
156 #endif
157 }
158
LLVMFuzzerTestOneInput(const unsigned char * srcBuff,size_t srcBuffSize)159 int LLVMFuzzerTestOneInput(const unsigned char *srcBuff, size_t srcBuffSize) {
160 roundTripCheck(srcBuff, srcBuffSize);
161 return 0;
162 }
163