/src/lz4/ossfuzz/decompress_fuzzer.c

Source
/**
 * This fuzz target attempts to decompress the fuzzed data with the simple
 * decompression function to ensure the decompressor never crashes.
 */

#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#include "fuzz_helpers.h"
#include "fuzz_data_producer.h"
#include "lz4.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
    size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
    size = FUZZ_dataProducer_remainingBytes(producer);

    size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);
    size_t const smallDictSize = size + 1;
    size_t const largeDictSize = 64 * 1024 - 1;
    size_t const dictSize = MAX(smallDictSize, largeDictSize);
    char* const dst = (char*)malloc(dstCapacity);
    char* const dict = (char*)malloc(dictSize + size);
    char* const largeDict = dict;
    char* const dataAfterDict = dict + dictSize;
    char* const smallDict = dataAfterDict - smallDictSize;

    FUZZ_ASSERT(dst);
    FUZZ_ASSERT(dict);

    /* Prepare the dictionary. The data doesn't matter for decompression. */
    memset(dict, 0, dictSize);
    memcpy(dataAfterDict, data, size);

    /* Decompress using each possible dictionary configuration. */
    /* No dictionary. */
    LZ4_decompress_safe_usingDict((char const*)data, dst, size,
                                  dstCapacity, NULL, 0);
    /* Small external dictionary. */
    LZ4_decompress_safe_usingDict((char const*)data, dst, size,
                                  dstCapacity, smallDict, smallDictSize);
    /* Large external dictionary. */
    LZ4_decompress_safe_usingDict((char const*)data, dst, size,
                                  dstCapacity, largeDict, largeDictSize);
    /* Small prefix. */
    LZ4_decompress_safe_usingDict((char const*)dataAfterDict, dst, size,
                                  dstCapacity, smallDict, smallDictSize);
    /* Large prefix. */
    LZ4_decompress_safe_usingDict((char const*)dataAfterDict, dst, size,
                                  dstCapacity, largeDict, largeDictSize);
    /* Partial decompression. */
    LZ4_decompress_safe_partial((char const*)data, dst, size,
                                dstCapacity, dstCapacity);
    /* Partial decompression using each possible dictionary configuration. */
    /* Partial decompression with no dictionary. */
    LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
                                  dstCapacity, dstCapacity, NULL, 0);
    /* Partial decompression with small external dictionary. */
    LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
                                  dstCapacity, dstCapacity, smallDict, smallDictSize);
    /* Partial decompression with large external dictionary. */
    LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
                                  dstCapacity, dstCapacity, largeDict, largeDictSize);
    /* Partial decompression with small prefix. */
    LZ4_decompress_safe_partial_usingDict((char const*)dataAfterDict, dst, size,
                                  dstCapacity, dstCapacity, smallDict, smallDictSize);
    /* Partial decompression with large prefix. */
    LZ4_decompress_safe_partial_usingDict((char const*)dataAfterDict, dst, size,
                                  dstCapacity, dstCapacity, largeDict, largeDictSize);
    free(dst);
    free(dict);
    FUZZ_dataProducer_free(producer);

    return 0;
}

Line	Count	Source
1		/**
2		* This fuzz target attempts to decompress the fuzzed data with the simple
3		* decompression function to ensure the decompressor never crashes.
4		*/
5
6		#include <stddef.h>
7		#include <stdint.h>
8		#include <stdlib.h>
9		#include <string.h>
10
11		#include "fuzz_helpers.h"
12		#include "fuzz_data_producer.h"
13		#include "lz4.h"
14
15		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
16	1.02k	{
17	1.02k	FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(data, size);
18	1.02k	size_t const dstCapacitySeed = FUZZ_dataProducer_retrieve32(producer);
19	1.02k	size = FUZZ_dataProducer_remainingBytes(producer);
20
21	1.02k	size_t const dstCapacity = FUZZ_getRange_from_uint32(dstCapacitySeed, 0, 4 * size);
22	1.02k	size_t const smallDictSize = size + 1;
23	1.02k	size_t const largeDictSize = 64 * 1024 - 1;
24	1.02k	size_t const dictSize = MAX(smallDictSize, largeDictSize);
25	1.02k	char* const dst = (char*)malloc(dstCapacity);
26	1.02k	char* const dict = (char*)malloc(dictSize + size);
27	1.02k	char* const largeDict = dict;
28	1.02k	char* const dataAfterDict = dict + dictSize;
29	1.02k	char* const smallDict = dataAfterDict - smallDictSize;
30
31	1.02k	FUZZ_ASSERT(dst);
32	1.02k	FUZZ_ASSERT(dict);
33
34		/* Prepare the dictionary. The data doesn't matter for decompression. */
35	1.02k	memset(dict, 0, dictSize);
36	1.02k	memcpy(dataAfterDict, data, size);
37
38		/* Decompress using each possible dictionary configuration. */
39		/* No dictionary. */
40	1.02k	LZ4_decompress_safe_usingDict((char const*)data, dst, size,
41	1.02k	dstCapacity, NULL, 0);
42		/* Small external dictionary. */
43	1.02k	LZ4_decompress_safe_usingDict((char const*)data, dst, size,
44	1.02k	dstCapacity, smallDict, smallDictSize);
45		/* Large external dictionary. */
46	1.02k	LZ4_decompress_safe_usingDict((char const*)data, dst, size,
47	1.02k	dstCapacity, largeDict, largeDictSize);
48		/* Small prefix. */
49	1.02k	LZ4_decompress_safe_usingDict((char const*)dataAfterDict, dst, size,
50	1.02k	dstCapacity, smallDict, smallDictSize);
51		/* Large prefix. */
52	1.02k	LZ4_decompress_safe_usingDict((char const*)dataAfterDict, dst, size,
53	1.02k	dstCapacity, largeDict, largeDictSize);
54		/* Partial decompression. */
55	1.02k	LZ4_decompress_safe_partial((char const*)data, dst, size,
56	1.02k	dstCapacity, dstCapacity);
57		/* Partial decompression using each possible dictionary configuration. */
58		/* Partial decompression with no dictionary. */
59	1.02k	LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
60	1.02k	dstCapacity, dstCapacity, NULL, 0);
61		/* Partial decompression with small external dictionary. */
62	1.02k	LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
63	1.02k	dstCapacity, dstCapacity, smallDict, smallDictSize);
64		/* Partial decompression with large external dictionary. */
65	1.02k	LZ4_decompress_safe_partial_usingDict((char const*)data, dst, size,
66	1.02k	dstCapacity, dstCapacity, largeDict, largeDictSize);
67		/* Partial decompression with small prefix. */
68	1.02k	LZ4_decompress_safe_partial_usingDict((char const*)dataAfterDict, dst, size,
69	1.02k	dstCapacity, dstCapacity, smallDict, smallDictSize);
70		/* Partial decompression with large prefix. */
71	1.02k	LZ4_decompress_safe_partial_usingDict((char const*)dataAfterDict, dst, size,
72	1.02k	dstCapacity, dstCapacity, largeDict, largeDictSize);
73	1.02k	free(dst);
74	1.02k	free(dict);
75	1.02k	FUZZ_dataProducer_free(producer);
76
77	1.02k	return 0;
78	1.02k	}

Coverage Report

Created: 2025-07-18 06:05