/src/gzio_fuzzer.c

Source (jump to first uncovered line)
/********************************************************************************
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *******************************************************************************/
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>
#include <stdlib.h>
#include <inttypes.h>
#include "zlib.h"

#undef gzgetc

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {

    gzFile file;
    char fname[] = "gzio.XXXXXX";
    close(mkstemp(fname));
    unsigned mode_sz = (dataLen ? (--dataLen, *data++) | 2 : 8) & 0xF;
    char mode[mode_sz];
    memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
    mode[mode_sz - 1] = 0;
    file = gzopen(fname, mode);

    /* Chain I/O operations on a file opened with random mode the nature of the
     * operation and their operand are controlled by the fuzzer
     */
    int op_count = 2; //< Number of operations chained.
    while(op_count--) {
      switch((--dataLen, (*data)%19)) {
        case 0: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzputc(file, c) < 0) {
            goto exit;
          }
          break;
        }
        case 1: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          char input[sz];
          memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
          input[sz - 1] = 0;
          if(gzputs(file, input) < 0)
            goto exit;
          break;
        }
        case 2: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned count = sz * nitems;
          char input[count];
          memcpy(input, data, dataLen >= count ? count - 1: dataLen);
          input[count - 1] = 0;
          if(gzfwrite(input, sz, nitems, file) <= 0)
            goto exit;
          break;
        }
        case 3: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzread(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 4: {
          int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
          int whence = dataLen ? (--dataLen, whences[(*data++)%6]) : SEEK_CUR;
          long offset = dataLen >= sizeof(long) ? (*(long*)data &0xFF) + 1: 1L;
          if(gzseek(file, offset, whence) < 0)
            goto exit;
          break;
        }
        case 5:
          gztell(file);
          break;
        case 6:
          gzgetc(file);
          break;
        case 7: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzungetc(c, file) < 0)
            goto exit;
          break;
        }
        case 8: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzgets(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 9: {
          int level = dataLen ? (--dataLen, *data++) : 1;
          int strat = dataLen ? (--dataLen, *data++) : 2;
          if(gzsetparams(file, level, strat) < 0)
            goto exit;
          break;
        }
        case 10: {
          int flush = dataLen ? (--dataLen, *data++) : 1;
          gzflush(file, flush); break;
        }
        case 11: {
          static const char formats [][4] = { "%d", "%f", "%c", "%s" };
          int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
          switch(nformat) {
            case 0: {
              int value = dataLen >= sizeof(int) ? *(int*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 1: {
              float value = dataLen >= sizeof(float) ? *(float*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 2: {
              char value = dataLen >= sizeof(char) ? *(char*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 3: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz];
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             input[sz - 1] = 0;
             gzprintf(file, formats[nformat], input);
             break;
            }
            default: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz] = {};
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             for(int i = 0; i < sz - 1; ++i)
               if(input[i] == '%') input[i] = '!';
             gzprintf(file, input);
             break;
            }
          };
          break;
        }
        case 12: {
          gzoffset(file);
          break;
        }
        case 13: {
          gzrewind(file);
          break;
        }
        case 14: {
          gzeof(file);
          break;
        }
        case 15: {
          gzdirect(file);
          break;
        }
        case 16: {
          unsigned sz = dataLen ? ((--dataLen, *data++))|1 : 128;
          if(gzbuffer(file, sz) <0)
            goto exit;
          break;
        }
        case 17: {
          int errnum;
          gzerror(file, &errnum);
          break;
        }
        case 18: {
          gzclearerr(file);
          break;
        }
      }
    }
    gzclose(file);
    remove(fname);
  return 0;
exit:
    gzclose(file);
    remove(fname);
  return -1;
}

Coverage Report

Created: 2025-07-01 07:02

Line	Count	Source (jump to first uncovered line)
1		/********************************************************************************
2		* Copyright 2025 Google LLC
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		*******************************************************************************/
17		#include <stdio.h>
18		#include <stddef.h>
19		#include <stdint.h>
20		#include <string.h>
21		#include <assert.h>
22		#include <stdlib.h>
23		#include <inttypes.h>
24		#include "zlib.h"
25
26		#undef gzgetc
27
28	0	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {
29
30	0	gzFile file;
31	0	char fname[] = "gzio.XXXXXX";
32	0	close(mkstemp(fname));
33	0	unsigned mode_sz = (dataLen ? (--dataLen, *data++) \| 2 : 8) & 0xF;
34	0	char mode[mode_sz];
35	0	memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
36	0	mode[mode_sz - 1] = 0;
37	0	file = gzopen(fname, mode);
38
39		/* Chain I/O operations on a file opened with random mode the nature of the
40		* operation and their operand are controlled by the fuzzer
41		*/
42	0	int op_count = 2; //< Number of operations chained.
43	0	while(op_count--) {
44	0	switch((--dataLen, (*data)%19)) {
45	0	case 0: {
46	0	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
47	0	if(gzputc(file, c) < 0) {
48	0	goto exit;
49	0	}
50	0	break;
51	0	}
52	0	case 1: {
53	0	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
54	0	char input[sz];
55	0	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
56	0	input[sz - 1] = 0;
57	0	if(gzputs(file, input) < 0)
58	0	goto exit;
59	0	break;
60	0	}
61	0	case 2: {
62	0	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
63	0	unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
64	0	unsigned count = sz * nitems;
65	0	char input[count];
66	0	memcpy(input, data, dataLen >= count ? count - 1: dataLen);
67	0	input[count - 1] = 0;
68	0	if(gzfwrite(input, sz, nitems, file) <= 0)
69	0	goto exit;
70	0	break;
71	0	}
72	0	case 3: {
73	0	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
74	0	char uncompr[sz];
75	0	if(gzread(file, uncompr, sz) < 0)
76	0	goto exit;
77	0	break;
78	0	}
79	0	case 4: {
80	0	int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
81	0	int whence = dataLen ? (--dataLen, whences[(*data++)%6]) : SEEK_CUR;
82	0	long offset = dataLen >= sizeof(long) ? ((long)data &0xFF) + 1: 1L;
83	0	if(gzseek(file, offset, whence) < 0)
84	0	goto exit;
85	0	break;
86	0	}
87	0	case 5:
88	0	gztell(file);
89	0	break;
90	0	case 6:
91	0	gzgetc(file);
92	0	break;
93	0	case 7: {
94	0	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
95	0	if(gzungetc(c, file) < 0)
96	0	goto exit;
97	0	break;
98	0	}
99	0	case 8: {
100	0	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
101	0	char uncompr[sz];
102	0	if(gzgets(file, uncompr, sz) < 0)
103	0	goto exit;
104	0	break;
105	0	}
106	0	case 9: {
107	0	int level = dataLen ? (--dataLen, *data++) : 1;
108	0	int strat = dataLen ? (--dataLen, *data++) : 2;
109	0	if(gzsetparams(file, level, strat) < 0)
110	0	goto exit;
111	0	break;
112	0	}
113	0	case 10: {
114	0	int flush = dataLen ? (--dataLen, *data++) : 1;
115	0	gzflush(file, flush); break;
116	0	}
117	0	case 11: {
118	0	static const char formats [][4] = { "%d", "%f", "%c", "%s" };
119	0	int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
120	0	switch(nformat) {
121	0	case 0: {
122	0	int value = dataLen >= sizeof(int) ? (int)data : 1;
123	0	gzprintf(file, formats[nformat], value);
124	0	break;
125	0	}
126	0	case 1: {
127	0	float value = dataLen >= sizeof(float) ? (float)data : 1;
128	0	gzprintf(file, formats[nformat], value);
129	0	break;
130	0	}
131	0	case 2: {
132	0	char value = dataLen >= sizeof(char) ? (char)data : 1;
133	0	gzprintf(file, formats[nformat], value);
134	0	break;
135	0	}
136	0	case 3: {
137	0	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
138	0	char input[sz];
139	0	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
140	0	input[sz - 1] = 0;
141	0	gzprintf(file, formats[nformat], input);
142	0	break;
143	0	}
144	0	default: {
145	0	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
146	0	char input[sz] = {};
147	0	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
148	0	for(int i = 0; i < sz - 1; ++i)
149	0	if(input[i] == '%') input[i] = '!';
150	0	gzprintf(file, input);
151	0	break;
152	0	}
153	0	};
154	0	break;
155	0	}
156	0	case 12: {
157	0	gzoffset(file);
158	0	break;
159	0	}
160	0	case 13: {
161	0	gzrewind(file);
162	0	break;
163	0	}
164	0	case 14: {
165	0	gzeof(file);
166	0	break;
167	0	}
168	0	case 15: {
169	0	gzdirect(file);
170	0	break;
171	0	}
172	0	case 16: {
173	0	unsigned sz = dataLen ? ((--dataLen, *data++))\|1 : 128;
174	0	if(gzbuffer(file, sz) <0)
175	0	goto exit;
176	0	break;
177	0	}
178	0	case 17: {
179	0	int errnum;
180	0	gzerror(file, &errnum);
181	0	break;
182	0	}
183	0	case 18: {
184	0	gzclearerr(file);
185	0	break;
186	0	}
187	0	}
188	0	}
189	0	gzclose(file);
190	0	remove(fname);
191	0	return 0;
192	0	exit:
193	0	gzclose(file);
194	0	remove(fname);
195	0	return -1;
196	0	}