1*3117ece4Schristos /* 2*3117ece4Schristos * Copyright (c) Meta Platforms, Inc. and affiliates. 3*3117ece4Schristos * All rights reserved. 4*3117ece4Schristos * 5*3117ece4Schristos * This source code is licensed under both the BSD-style license (found in the 6*3117ece4Schristos * LICENSE file in the root directory of this source tree) and the GPLv2 (found 7*3117ece4Schristos * in the COPYING file in the root directory of this source tree). 8*3117ece4Schristos * You may select, at your option, one of the above-listed licenses. 9*3117ece4Schristos */ 10*3117ece4Schristos 11*3117ece4Schristos /** 12*3117ece4Schristos * This fuzz target attempts to compress the fuzzed data with the simple 13*3117ece4Schristos * compression function with an output buffer that may be too small to 14*3117ece4Schristos * ensure that the compressor never crashes. 15*3117ece4Schristos */ 16*3117ece4Schristos 17*3117ece4Schristos #include <stddef.h> 18*3117ece4Schristos #include <stdlib.h> 19*3117ece4Schristos #include <stdio.h> 20*3117ece4Schristos #include "fuzz_helpers.h" 21*3117ece4Schristos #include "zstd.h" 22*3117ece4Schristos #include "zstd_errors.h" 23*3117ece4Schristos #include "zstd_helpers.h" 24*3117ece4Schristos #include "fuzz_data_producer.h" 25*3117ece4Schristos #include "fuzz_third_party_seq_prod.h" 26*3117ece4Schristos 27*3117ece4Schristos static ZSTD_CCtx *cctx = NULL; 28*3117ece4Schristos 29*3117ece4Schristos int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size) 30*3117ece4Schristos { 31*3117ece4Schristos FUZZ_SEQ_PROD_SETUP(); 32*3117ece4Schristos 33*3117ece4Schristos /* Give a random portion of src data to the producer, to use for 34*3117ece4Schristos parameter generation. The rest will be used for (de)compression */ 35*3117ece4Schristos FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size); 36*3117ece4Schristos size = FUZZ_dataProducer_reserveDataPrefix(producer); 37*3117ece4Schristos 38*3117ece4Schristos size_t const maxSize = ZSTD_compressBound(size); 39*3117ece4Schristos size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, maxSize); 40*3117ece4Schristos 41*3117ece4Schristos int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel); 42*3117ece4Schristos 43*3117ece4Schristos if (!cctx) { 44*3117ece4Schristos cctx = ZSTD_createCCtx(); 45*3117ece4Schristos FUZZ_ASSERT(cctx); 46*3117ece4Schristos } 47*3117ece4Schristos 48*3117ece4Schristos void *rBuf = FUZZ_malloc(bufSize); 49*3117ece4Schristos size_t const ret = ZSTD_compressCCtx(cctx, rBuf, bufSize, src, size, cLevel); 50*3117ece4Schristos if (ZSTD_isError(ret)) { 51*3117ece4Schristos FUZZ_ASSERT(ZSTD_getErrorCode(ret) == ZSTD_error_dstSize_tooSmall); 52*3117ece4Schristos } 53*3117ece4Schristos free(rBuf); 54*3117ece4Schristos FUZZ_dataProducer_free(producer); 55*3117ece4Schristos #ifndef STATEFUL_FUZZING 56*3117ece4Schristos ZSTD_freeCCtx(cctx); cctx = NULL; 57*3117ece4Schristos #endif 58*3117ece4Schristos FUZZ_SEQ_PROD_TEARDOWN(); 59*3117ece4Schristos return 0; 60*3117ece4Schristos } 61