/src/gzio_fuzzer.c

Source
/********************************************************************************
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *******************************************************************************/
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>
#include <stdlib.h>
#include <inttypes.h>
#include "zlib.h"

#undef gzgetc

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {

    gzFile file;
    char fname[] = "gzio.XXXXXX";
    close(mkstemp(fname));
    unsigned mode_sz = (dataLen ? (--dataLen, *data++) | 2 : 8) & 0xF;
    char mode[mode_sz];
    memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
    mode[mode_sz - 1] = 0;
    file = gzopen(fname, mode);

    /* Chain I/O operations on a file opened with random mode the nature of the
     * operation and their operand are controlled by the fuzzer
     */
    int op_count = 2; //< Number of operations chained.
    while(op_count-- && dataLen > 0) {
      switch((--dataLen, (*data++)%26)) {
        case 0: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzputc(file, c) < 0) {
            goto exit;
          }
          break;
        }
        case 1: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          char input[sz];
          memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
          input[sz - 1] = 0;
          if(gzputs(file, input) < 0)
            goto exit;
          break;
        }
        case 2: {
          unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
          unsigned count = sz * nitems;
          char input[count];
          memcpy(input, data, dataLen >= count ? count - 1: dataLen);
          input[count - 1] = 0;
          if(gzfwrite(input, sz, nitems, file) <= 0)
            goto exit;
          break;
        }
        case 3: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzread(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 4: {
          int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
          int whence = dataLen ? (--dataLen, whences[(*data++)%5]) : SEEK_CUR;
          long offset = dataLen >= sizeof(long) ? (*(long*)data &0xFF) + 1: 1L;
          if(gzseek(file, offset, whence) < 0)
            goto exit;
          break;
        }
        case 5:
          gztell(file);
          break;
        case 6:
          gzgetc(file);
          break;
        case 7: {
          char c = dataLen ? (--dataLen, (char)*data++) : 'c';
          if(gzungetc(c, file) < 0)
            goto exit;
          break;
        }
        case 8: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          char uncompr[sz];
          if(gzgets(file, uncompr, sz) < 0)
            goto exit;
          break;
        }
        case 9: {
          int level = dataLen ? (--dataLen, *data++) : 1;
          int strat = dataLen ? (--dataLen, *data++) : 2;
          if(gzsetparams(file, level, strat) < 0)
            goto exit;
          break;
        }
        case 10: {
          int flush = dataLen ? (--dataLen, *data++) : 0;
          gzflush(file, flush); break;
        }
        case 11: {
          static const char formats [][4] = { "%d", "%f", "%c", "%s" };
          int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
          switch(nformat) {
            case 0: {
              int value = dataLen >= sizeof(int) ? *(int*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 1: {
              float value = dataLen >= sizeof(float) ? *(float*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 2: {
              char value = dataLen >= sizeof(char) ? *(char*)data : 1;
              gzprintf(file, formats[nformat], value);
              break;
            }
            case 3: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz];
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             input[sz - 1] = 0;
             gzprintf(file, formats[nformat], input);
             break;
            }
            default: {
             unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
             char input[sz] = {};
             memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
             for(int i = 0; i < sz - 1; ++i)
               if(input[i] == '%') input[i] = '!';
             gzprintf(file, input);
             break;
            }
          };
          break;
        }
        case 12: {
          gzoffset(file);
          break;
        }
        case 13: {
          gzrewind(file);
          break;
        }
        case 14: {
          gzeof(file);
          break;
        }
        case 15: {
          gzdirect(file);
          break;
        }
        case 16: {
          unsigned sz = dataLen ? ((--dataLen, *data++))|1 : 128;
          if(gzbuffer(file, sz) <0)
            goto exit;
          break;
        }
        case 17: {
          int errnum;
          gzerror(file, &errnum);
          break;
        }
        case 18: {
          gzclearerr(file);
          break;
        }
        case 19: {
          unsigned sz = dataLen ? (--dataLen, *data++) : 8;
          unsigned nitems = dataLen ? (--dataLen, *data++) : 8;
          char buffer[sz * nitems];
          if(gzfread(buffer, sz, nitems, file) < 0)
            goto exit;
          break;
        }
        case 20: {
          gzgetc_(file);
          break;
        }
        case 21: {
          gzclose(file);
          file = NULL;
          break;
        }
        case 22: {
          zlibVersion();
          break;
        }
        case 23: {
          zlibCompileFlags();
          break;
        }
        case 24: {
          get_crc_table();
          break;
        }
        case 25: {
          unsigned err = dataLen ? (--dataLen, *data++) : 0;
          zError(err);
          break;
        }
      }
    }
    gzclose(file);
    remove(fname);
  return 0;
exit:
    gzclose(file);
    remove(fname);
  return -1;
}

Coverage Report

Created: 2026-05-16 06:34

Line	Count	Source
1		/********************************************************************************
2		* Copyright 2025 Google LLC
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		*******************************************************************************/
17		#include <stdio.h>
18		#include <stddef.h>
19		#include <stdint.h>
20		#include <string.h>
21		#include <assert.h>
22		#include <stdlib.h>
23		#include <inttypes.h>
24		#include "zlib.h"
25
26		#undef gzgetc
27
28	2.32k	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataLen) {
29
30	2.32k	gzFile file;
31	2.32k	char fname[] = "gzio.XXXXXX";
32	2.32k	close(mkstemp(fname));
33	2.32k	unsigned mode_sz = (dataLen ? (--dataLen, *data++) \| 2 : 8) & 0xF;
34	2.32k	char mode[mode_sz];
35	2.32k	memcpy(mode, data, dataLen >= mode_sz ? mode_sz - 1: dataLen);
36	2.32k	mode[mode_sz - 1] = 0;
37	2.32k	file = gzopen(fname, mode);
38
39		/* Chain I/O operations on a file opened with random mode the nature of the
40		* operation and their operand are controlled by the fuzzer
41		*/
42	2.32k	int op_count = 2; //< Number of operations chained.
43	6.37k	while(op_count-- && dataLen > 0) {
44	4.26k	switch((--dataLen, (*data++)%26)) {
45	127	case 0: {
46	127	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
47	127	if(gzputc(file, c) < 0) {
48	35	goto exit;
49	35	}
50	92	break;
51	127	}
52	191	case 1: {
53	191	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
54	191	char input[sz];
55	191	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
56	191	input[sz - 1] = 0;
57	191	if(gzputs(file, input) < 0)
58	34	goto exit;
59	157	break;
60	191	}
61	1.26k	case 2: {
62	1.26k	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
63	1.26k	unsigned nitems = dataLen ? ((--dataLen, *data++)&0xF) + 1 : 8;
64	1.26k	unsigned count = sz * nitems;
65	1.26k	char input[count];
66	1.26k	memcpy(input, data, dataLen >= count ? count - 1: dataLen);
67	1.26k	input[count - 1] = 0;
68	1.26k	if(gzfwrite(input, sz, nitems, file) <= 0)
69	41	goto exit;
70	1.22k	break;
71	1.26k	}
72	1.22k	case 3: {
73	40	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
74	40	char uncompr[sz];
75	40	if(gzread(file, uncompr, sz) < 0)
76	15	goto exit;
77	25	break;
78	40	}
79	372	case 4: {
80	372	int whences[5] = {SEEK_CUR, SEEK_SET, SEEK_END, 18};
81	372	int whence = dataLen ? (--dataLen, whences[(*data++)%5]) : SEEK_CUR;
82	372	long offset = dataLen >= sizeof(long) ? ((long)data &0xFF) + 1: 1L;
83	372	if(gzseek(file, offset, whence) < 0)
84	39	goto exit;
85	333	break;
86	372	}
87	333	case 5:
88	32	gztell(file);
89	32	break;
90	50	case 6:
91	50	gzgetc(file);
92	50	break;
93	76	case 7: {
94	76	char c = dataLen ? (--dataLen, (char)*data++) : 'c';
95	76	if(gzungetc(c, file) < 0)
96	18	goto exit;
97	58	break;
98	76	}
99	78	case 8: {
100	78	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
101	78	char uncompr[sz];
102	78	if(gzgets(file, uncompr, sz) < 0)
103	0	goto exit;
104	78	break;
105	78	}
106	223	case 9: {
107	223	int level = dataLen ? (--dataLen, *data++) : 1;
108	223	int strat = dataLen ? (--dataLen, *data++) : 2;
109	223	if(gzsetparams(file, level, strat) < 0)
110	13	goto exit;
111	210	break;
112	223	}
113	217	case 10: {
114	217	int flush = dataLen ? (--dataLen, *data++) : 0;
115	217	gzflush(file, flush); break;
116	223	}
117	454	case 11: {
118	454	static const char formats [][4] = { "%d", "%f", "%c", "%s" };
119	454	int nformat = dataLen ? (--dataLen, *data++)%5 : 1;
120	454	switch(nformat) {
121	57	case 0: {
122	57	int value = dataLen >= sizeof(int) ? (int)data : 1;
123	57	gzprintf(file, formats[nformat], value);
124	57	break;
125	0	}
126	129	case 1: {
127	129	float value = dataLen >= sizeof(float) ? (float)data : 1;
128	129	gzprintf(file, formats[nformat], value);
129	129	break;
130	0	}
131	49	case 2: {
132	49	char value = dataLen >= sizeof(char) ? (char)data : 1;
133	49	gzprintf(file, formats[nformat], value);
134	49	break;
135	0	}
136	85	case 3: {
137	85	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
138	85	char input[sz];
139	85	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
140	85	input[sz - 1] = 0;
141	85	gzprintf(file, formats[nformat], input);
142	85	break;
143	0	}
144	134	default: {
145	134	unsigned sz = dataLen ? ((--dataLen, *data++)&0xF)+1 : 8;
146	134	char input[sz] = {};
147	134	memcpy(input, data, dataLen >= sz ? sz - 1: dataLen);
148	1.23k	for(int i = 0; i < sz - 1; ++i)
149	1.09k	if(input[i] == '%') input[i] = '!';
150	134	gzprintf(file, input);
151	134	break;
152	0	}
153	454	};
154	454	break;
155	454	}
156	18	case 12: {
157	18	gzoffset(file);
158	18	break;
159	454	}
160	20	case 13: {
161	20	gzrewind(file);
162	20	break;
163	454	}
164	15	case 14: {
165	15	gzeof(file);
166	15	break;
167	454	}
168	209	case 15: {
169	209	gzdirect(file);
170	209	break;
171	454	}
172	274	case 16: {
173	274	unsigned sz = dataLen ? ((--dataLen, *data++))\|1 : 128;
174	274	if(gzbuffer(file, sz) <0)
175	11	goto exit;
176	263	break;
177	274	}
178	263	case 17: {
179	21	int errnum;
180	21	gzerror(file, &errnum);
181	21	break;
182	274	}
183	33	case 18: {
184	33	gzclearerr(file);
185	33	break;
186	274	}
187	318	case 19: {
188	318	unsigned sz = dataLen ? (--dataLen, *data++) : 8;
189	318	unsigned nitems = dataLen ? (--dataLen, *data++) : 8;
190	318	char buffer[sz * nitems];
191	318	if(gzfread(buffer, sz, nitems, file) < 0)
192	0	goto exit;
193	318	break;
194	318	}
195	318	case 20: {
196	36	gzgetc_(file);
197	36	break;
198	318	}
199	41	case 21: {
200	41	gzclose(file);
201	41	file = NULL;
202	41	break;
203	318	}
204	27	case 22: {
205	27	zlibVersion();
206	27	break;
207	318	}
208	37	case 23: {
209	37	zlibCompileFlags();
210	37	break;
211	318	}
212	30	case 24: {
213	30	get_crc_table();
214	30	break;
215	318	}
216	53	case 25: {
217	53	unsigned err = dataLen ? (--dataLen, *data++) : 0;
218	53	zError(err);
219	53	break;
220	318	}
221	4.26k	}
222	4.26k	}
223	2.11k	gzclose(file);
224	2.11k	remove(fname);
225	2.11k	return 0;
226	206	exit:
227	206	gzclose(file);
228	206	remove(fname);
229	206	return -1;
230	2.32k	}