1*3117ece4Schristos /* 2*3117ece4Schristos * Copyright (c) Meta Platforms, Inc. and affiliates. 3*3117ece4Schristos * All rights reserved. 4*3117ece4Schristos * 5*3117ece4Schristos * This source code is licensed under both the BSD-style license (found in the 6*3117ece4Schristos * LICENSE file in the root directory of this source tree) and the GPLv2 (found 7*3117ece4Schristos * in the COPYING file in the root directory of this source tree). 8*3117ece4Schristos * You may select, at your option, one of the above-listed licenses. 9*3117ece4Schristos */ 10*3117ece4Schristos 11*3117ece4Schristos /** 12*3117ece4Schristos * This fuzz target attempts to decompress the fuzzed data with the dictionary 13*3117ece4Schristos * decompression function to ensure the decompressor never crashes. It does not 14*3117ece4Schristos * fuzz the dictionary. 15*3117ece4Schristos */ 16*3117ece4Schristos 17*3117ece4Schristos #include <stddef.h> 18*3117ece4Schristos #include <stdlib.h> 19*3117ece4Schristos #include <stdio.h> 20*3117ece4Schristos #include "fuzz_helpers.h" 21*3117ece4Schristos #include "zstd_helpers.h" 22*3117ece4Schristos #include "fuzz_data_producer.h" 23*3117ece4Schristos #include "fuzz_third_party_seq_prod.h" 24*3117ece4Schristos 25*3117ece4Schristos static ZSTD_DCtx *dctx = NULL; 26*3117ece4Schristos 27*3117ece4Schristos int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size) 28*3117ece4Schristos { 29*3117ece4Schristos FUZZ_SEQ_PROD_SETUP(); 30*3117ece4Schristos 31*3117ece4Schristos /* Give a random portion of src data to the producer, to use for 32*3117ece4Schristos parameter generation. The rest will be used for (de)compression */ 33*3117ece4Schristos FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size); 34*3117ece4Schristos size = FUZZ_dataProducer_reserveDataPrefix(producer); 35*3117ece4Schristos 36*3117ece4Schristos FUZZ_dict_t dict; 37*3117ece4Schristos ZSTD_DDict* ddict = NULL; 38*3117ece4Schristos 39*3117ece4Schristos if (!dctx) { 40*3117ece4Schristos dctx = ZSTD_createDCtx(); 41*3117ece4Schristos FUZZ_ASSERT(dctx); 42*3117ece4Schristos } 43*3117ece4Schristos dict = FUZZ_train(src, size, producer); 44*3117ece4Schristos if (FUZZ_dataProducer_uint32Range(producer, 0, 1) == 0) { 45*3117ece4Schristos ddict = ZSTD_createDDict(dict.buff, dict.size); 46*3117ece4Schristos FUZZ_ASSERT(ddict); 47*3117ece4Schristos } else { 48*3117ece4Schristos if (FUZZ_dataProducer_uint32Range(producer, 0, 1) == 0) 49*3117ece4Schristos FUZZ_ZASSERT(ZSTD_DCtx_loadDictionary_advanced( 50*3117ece4Schristos dctx, dict.buff, dict.size, 51*3117ece4Schristos (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1), 52*3117ece4Schristos (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2))); 53*3117ece4Schristos else 54*3117ece4Schristos FUZZ_ZASSERT(ZSTD_DCtx_refPrefix_advanced( 55*3117ece4Schristos dctx, dict.buff, dict.size, 56*3117ece4Schristos (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2))); 57*3117ece4Schristos } 58*3117ece4Schristos 59*3117ece4Schristos { 60*3117ece4Schristos size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, 10 * size); 61*3117ece4Schristos void* rBuf = FUZZ_malloc(bufSize); 62*3117ece4Schristos if (ddict) { 63*3117ece4Schristos ZSTD_decompress_usingDDict(dctx, rBuf, bufSize, src, size, ddict); 64*3117ece4Schristos } else { 65*3117ece4Schristos ZSTD_decompressDCtx(dctx, rBuf, bufSize, src, size); 66*3117ece4Schristos } 67*3117ece4Schristos free(rBuf); 68*3117ece4Schristos } 69*3117ece4Schristos free(dict.buff); 70*3117ece4Schristos FUZZ_dataProducer_free(producer); 71*3117ece4Schristos ZSTD_freeDDict(ddict); 72*3117ece4Schristos #ifndef STATEFUL_FUZZING 73*3117ece4Schristos ZSTD_freeDCtx(dctx); dctx = NULL; 74*3117ece4Schristos #endif 75*3117ece4Schristos FUZZ_SEQ_PROD_TEARDOWN(); 76*3117ece4Schristos return 0; 77*3117ece4Schristos } 78