/src/gzio_fuzzer.c

Source (jump to first uncovered line)
/********************************************************************************
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *******************************************************************************/
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>
#include <stdlib.h>
#include <inttypes.h>
#include "zlib.h"

#undef gzgetc

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {

    gzFile file;
    char fname[] = "gzio.XXXXXX";
    close(mkstemp(fname));
    unsigned mode_sz = (dataLen ? (--dataLen, *data++) | 2 : 8) & 0xF;
    char mode[mode_sz];
    memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
    mode[mode_sz - 1] = 0;
    file = gzopen(fname, mode);

    /* Chain I/O operations on a file opened with random mode the nature of the
     * operation and their operand are controlled by the fuzzer
     */
    int op_count = 2; //< Number of operations chained.
    while(op_count--) {
      switch((--dataLen, (*data)%26)) {
        case 0: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzputc(file, c) < 0) {
            goto exit;
          }
          break;
        }
        case 1: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          char input[sz];
          memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
          input[sz - 1] = 0;
          if(gzputs(file, input) < 0)
            goto exit;
          break;
        }
        case 2: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned count = sz * nitems;
          char input[count];
          memcpy(input, data, dataLen >= count ? count - 1: dataLen);
          input[count - 1] = 0;
          if(gzfwrite(input, sz, nitems, file) <= 0)
            goto exit;
          break;
        }
        case 3: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzread(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 4: {
          int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
          int whence = dataLen ? (--dataLen, whences[(*data++)%6]) : SEEK_CUR;
          long offset = dataLen >= sizeof(long) ? (*(long*)data &0xFF) + 1: 1L;
          if(gzseek(file, offset, whence) < 0)
            goto exit;
          break;
        }
        case 5:
          gztell(file);
          break;
        case 6:
          gzgetc(file);
          break;
        case 7: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzungetc(c, file) < 0)
            goto exit;
          break;
        }
        case 8: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzgets(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 9: {
          int level = dataLen ? (--dataLen, *data++) : 1;
          int strat = dataLen ? (--dataLen, *data++) : 2;
          if(gzsetparams(file, level, strat) < 0)
            goto exit;
          break;
        }
        case 10: {
          int flush = dataLen ? (--dataLen, *data++) : 0;
          gzflush(file, flush); break;
        }
        case 11: {
          static const char formats [][4] = { "%d", "%f", "%c", "%s" };
          int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
          switch(nformat) {
            case 0: {
              int value = dataLen >= sizeof(int) ? *(int*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 1: {
              float value = dataLen >= sizeof(float) ? *(float*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 2: {
              char value = dataLen >= sizeof(char) ? *(char*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 3: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz];
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             input[sz - 1] = 0;
             gzprintf(file, formats[nformat], input);
             break;
            }
            default: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz] = {};
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             for(int i = 0; i < sz - 1; ++i)
               if(input[i] == '%') input[i] = '!';
             gzprintf(file, input);
             break;
            }
          };
          break;
        }
        case 12: {
          gzoffset(file);
          break;
        }
        case 13: {
          gzrewind(file);
          break;
        }
        case 14: {
          gzeof(file);
          break;
        }
        case 15: {
          gzdirect(file);
          break;
        }
        case 16: {
          unsigned sz = dataLen ? ((--dataLen, *data++))|1 : 128;
          if(gzbuffer(file, sz) <0)
            goto exit;
          break;
        }
        case 17: {
          int errnum;
          gzerror(file, &errnum);
          break;
        }
        case 18: {
          gzclearerr(file);
          break;
        }
        case 19: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          unsigned nitems = dataLen ? (--dataLen, *data++) : 8;
          char buffer[sz * nitems];
          if(gzfread(buffer, sz, nitems, file) < 0)
            goto exit;
          break;
        }
        case 20: {
          gzgetc_(file);
          break;
        }
        case 21: {
          gzclose_r(file);
          file = NULL;
          break;
        }
        case 22: {
          zlibVersion();
          break;
        }
        case 23: {
          zlibCompileFlags();
          break;
        }
        case 24: {
          get_crc_table();
          break;
        }
        case 25: {
          unsigned err = dataLen ? (--dataLen, *data++) : 0;
          zError(err);
          break;
        }
      }
    }
    gzclose(file);
    remove(fname);
  return 0;
exit:
    gzclose(file);
    remove(fname);
  return -1;
}

Coverage Report

Created: 2025-08-26 06:25

Line	Count	Source (jump to first uncovered line)
1		/********************************************************************************
2		* Copyright 2025 Google LLC
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		*******************************************************************************/
17		#include <stdio.h>
18		#include <stddef.h>
19		#include <stdint.h>
20		#include <string.h>
21		#include <assert.h>
22		#include <stdlib.h>
23		#include <inttypes.h>
24		#include "zlib.h"
25
26		#undef gzgetc
27
28	676	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {
29
30	676	gzFile file;
31	676	char fname[] = "gzio.XXXXXX";
32	676	close(mkstemp(fname));
33	676	unsigned mode_sz = (dataLen ? (--dataLen, *data++) \| 2 : 8) & 0xF;
34	676	char mode[mode_sz];
35	676	memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
36	676	mode[mode_sz - 1] = 0;
37	676	file = gzopen(fname, mode);
38
39		/* Chain I/O operations on a file opened with random mode the nature of the
40		* operation and their operand are controlled by the fuzzer
41		*/
42	676	int op_count = 2; //< Number of operations chained.
43	1.68k	while(op_count--) {
44	1.19k	switch((--dataLen, (*data)%26)) {
45	125	case 0: {
46	125	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
47	125	if(gzputc(file, c) < 0) {
48	32	goto exit;
49	32	}
50	93	break;
51	125	}
52	93	case 1: {
53	65	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
54	65	char input[sz];
55	65	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
56	65	input[sz - 1] = 0;
57	65	if(gzputs(file, input) < 0)
58	30	goto exit;
59	35	break;
60	65	}
61	108	case 2: {
62	108	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
63	108	unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
64	108	unsigned count = sz * nitems;
65	108	char input[count];
66	108	memcpy(input, data, dataLen >= count ? count - 1: dataLen);
67	108	input[count - 1] = 0;
68	108	if(gzfwrite(input, sz, nitems, file) <= 0)
69	26	goto exit;
70	82	break;
71	108	}
72	82	case 3: {
73	25	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
74	25	char uncompr[sz];
75	25	if(gzread(file, uncompr, sz) < 0)
76	21	goto exit;
77	4	break;
78	25	}
79	53	case 4: {
80	53	int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
81	53	int whence = dataLen ? (--dataLen, whences[(*data++)%6]) : SEEK_CUR;
82	53	long offset = dataLen >= sizeof(long) ? ((long)data &0xFF) + 1: 1L;
83	53	if(gzseek(file, offset, whence) < 0)
84	21	goto exit;
85	32	break;
86	53	}
87	32	case 5:
88	23	gztell(file);
89	23	break;
90	39	case 6:
91	39	gzgetc(file);
92	39	break;
93	28	case 7: {
94	28	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
95	28	if(gzungetc(c, file) < 0)
96	17	goto exit;
97	11	break;
98	28	}
99	30	case 8: {
100	30	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
101	30	char uncompr[sz];
102	30	if(gzgets(file, uncompr, sz) < 0)
103	0	goto exit;
104	30	break;
105	30	}
106	77	case 9: {
107	77	int level = dataLen ? (--dataLen, *data++) : 1;
108	77	int strat = dataLen ? (--dataLen, *data++) : 2;
109	77	if(gzsetparams(file, level, strat) < 0)
110	16	goto exit;
111	61	break;
112	77	}
113	61	case 10: {
114	38	int flush = dataLen ? (--dataLen, *data++) : 0;
115	38	gzflush(file, flush); break;
116	77	}
117	93	case 11: {
118	93	static const char formats [][4] = { "%d", "%f", "%c", "%s" };
119	93	int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
120	93	switch(nformat) {
121	10	case 0: {
122	10	int value = dataLen >= sizeof(int) ? (int)data : 1;
123	10	gzprintf(file, formats[nformat], value);
124	10	break;
125	0	}
126	52	case 1: {
127	52	float value = dataLen >= sizeof(float) ? (float)data : 1;
128	52	gzprintf(file, formats[nformat], value);
129	52	break;
130	0	}
131	5	case 2: {
132	5	char value = dataLen >= sizeof(char) ? (char)data : 1;
133	5	gzprintf(file, formats[nformat], value);
134	5	break;
135	0	}
136	14	case 3: {
137	14	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
138	14	char input[sz];
139	14	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
140	14	input[sz - 1] = 0;
141	14	gzprintf(file, formats[nformat], input);
142	14	break;
143	0	}
144	12	default: {
145	12	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
146	12	char input[sz] = {};
147	12	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
148	106	for(int i = 0; i < sz - 1; ++i)
149	94	if(input[i] == '%') input[i] = '!';
150	12	gzprintf(file, input);
151	12	break;
152	0	}
153	93	};
154	93	break;
155	93	}
156	19	case 12: {
157	19	gzoffset(file);
158	19	break;
159	93	}
160	11	case 13: {
161	11	gzrewind(file);
162	11	break;
163	93	}
164	17	case 14: {
165	17	gzeof(file);
166	17	break;
167	93	}
168	60	case 15: {
169	60	gzdirect(file);
170	60	break;
171	93	}
172	76	case 16: {
173	76	unsigned sz = dataLen ? ((--dataLen, *data++))\|1 : 128;
174	76	if(gzbuffer(file, sz) <0)
175	18	goto exit;
176	58	break;
177	76	}
178	58	case 17: {
179	20	int errnum;
180	20	gzerror(file, &errnum);
181	20	break;
182	76	}
183	27	case 18: {
184	27	gzclearerr(file);
185	27	break;
186	76	}
187	140	case 19: {
188	140	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
189	140	unsigned nitems = dataLen ? (--dataLen, *data++) : 8;
190	140	char buffer[sz * nitems];
191	140	if(gzfread(buffer, sz, nitems, file) < 0)
192	0	goto exit;
193	140	break;
194	140	}
195	140	case 20: {
196	11	gzgetc_(file);
197	11	break;
198	140	}
199	22	case 21: {
200	22	gzclose_r(file);
201	22	file = NULL;
202	22	break;
203	140	}
204	21	case 22: {
205	21	zlibVersion();
206	21	break;
207	140	}
208	34	case 23: {
209	34	zlibCompileFlags();
210	34	break;
211	140	}
212	18	case 24: {
213	18	get_crc_table();
214	18	break;
215	140	}
216	14	case 25: {
217	14	unsigned err = dataLen ? (--dataLen, *data++) : 0;
218	14	zError(err);
219	14	break;
220	140	}
221	1.19k	}
222	1.19k	}
223	495	gzclose(file);
224	495	remove(fname);
225	495	return 0;
226	181	exit:
227	181	gzclose(file);
228	181	remove(fname);
229	181	return -1;
230	676	}