Report generation date: 2024-07-23

Project overview: libarchive

High level conclusions

Fuzzers reach 58.98% code coverage.

Fuzzers reach 73.50% of cyclomatic complexity.

Fuzzers reach 65.64% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

837 / 1275

Cyclomatic complexity statically reachable by fuzzers

7242 / 9853

Runtime code coverage of functions

752 / 1275

Fuzzers overview

Fuzzer	Fuzzer filename	Functions Reached	Functions unreached	Fuzzer depth	Files reached	Basic blocks reached	Cyclomatic complexity	Details
libarchive_fuzzer	/src/libarchive_fuzzer.cc	901	502	8	42	19371	7402	libarchive_fuzzer.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer details

Fuzzer: libarchive_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 104 19.4%

gold [1:9] 44 8.20%

yellow [10:29] 29 5.41%

greenyellow [30:49] 22 4.10%

lawngreen 50+ 337 62.8%

All colors 536 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	104	19.4%
gold	[1:9]	44	8.20%
yellow	[10:29]	29	5.41%
greenyellow	[30:49]	22	4.10%
lawngreen	50+	337	62.8%
All colors	536	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
872	874	2 : View List ['archive_entry_set_size', 'read_symlink_stored']	872	874	read_header	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_rar.c:1820
788	2267	19 : View List ['archive_entry_set_ino', 'archive_entry_set_rdev', 'open', '__errno_location', 'archive_entry_set_dev', 'archive_entry_set_perm', 'archive_entry_set_gid', 'archive_entry_set_size', 'lstat', 'archive_entry_linkify', 'fstat', 'archive_entry_set_uid', 'archive_entry_pathname', 'archive_entry_set_mtime', 'archive_entry_filetype', '__archive_ensure_cloexec_flag', 'archive_set_error', 'close', 'archive_entry_set_nlink']	788	2269	parse_file	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_mtree.c:1232
645	645	1 : View List ['lha_replace_path_separator']	723	1424	archive_read_format_lha_read_header	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_lha.c:693
632	632	1 : View List ['cab_convert_path_separator_2']	632	640	archive_read_format_cab_read_header	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_cab.c:980
519	519	1 : View List ['cab_consume_cfdata']	519	1031	archive_read_format_cab_read_data	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_cab.c:1040
501	899	6 : View List ['inflateReset', 'inflateSetDictionary', 'inflate', 'truncated_error', 'cab_minimum_consume_cfdata', '__archive_read_ahead']	501	1207	cab_read_ahead_cfdata_deflate	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_cab.c:1495
485	485	1 : View List ['read_Bools']	487	967	read_Digests	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_7zip.c:1851
485	485	1 : View List ['read_Bools']	485	1937	read_Times	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_7zip.c:2870
478	478	1 : View List ['skip_stream']	478	478	archive_read_format_7zip_read_data_skip	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_7zip.c:936
299	661	17 : View List ['_warc_rduri', '_warc_skip', '_warc_rdrtm', 'archive_entry_copy_pathname', '__archive_read_consume', '_warc_find_eoh', 'archive_entry_set_size', 'archive_entry_set_perm', 'archive_entry_set_ctime', '_warc_rdlen', 'archive_entry_set_filetype', '__archive_read_ahead', 'realloc', 'archive_entry_set_mtime', '_warc_rdtyp', '_warc_rdver', '_warc_rdmtm']	299	1200	_warc_rdhdr	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_warc.c:273
229	229	1 : View List ['zip_read_mac_metadata']	229	229	archive_read_format_zip_seekable_read_header	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_zip.c:4363
206	206	1 : View List ['gnu_sparse_old_read']	206	206	header_gnutar	call site: 00000	/src/libarchive/libarchive/archive_read_support_format_tar.c:2890

Runtime coverage analysis

Covered functions

754

Functions that are reachable but not covered

302

Reachable functions

901

Percentage of reachable functions covered

66.48%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/libarchive_fuzzer.cc	1
/src/libarchive/libarchive/archive_read.c	26
/src/libarchive/libarchive/archive_entry.c	18
/src/libarchive/libarchive/archive_read_support_filter_all.c	1
/src/libarchive/libarchive/archive_check_magic.c	6
/src/libarchive/libarchive/archive_util.c	4
/src/libarchive/libarchive/archive_string_sprintf.c	3
/src/libarchive/libarchive/archive_string.c	23
/src/libarchive/libarchive/archive_read_support_filter_bzip2.c	1
/src/libarchive/libarchive/archive_read_support_filter_compress.c	1
/src/libarchive/libarchive/archive_read_support_filter_gzip.c	1
/src/libarchive/libarchive/archive_read_support_filter_xz.c	3
/src/libarchive/libarchive/archive_read_support_filter_uu.c	1
/src/libarchive/libarchive/archive_read_support_filter_rpm.c	1
/src/libarchive/libarchive/archive_read_support_filter_lrzip.c	1
/src/libarchive/libarchive/archive_read_support_filter_lzop.c	1
/src/libarchive/libarchive/archive_read_support_filter_grzip.c	1
/src/libarchive/libarchive/archive_read_support_filter_lz4.c	1
/src/libarchive/libarchive/archive_read_support_filter_zstd.c	1
/src/libarchive/libarchive/archive_read_support_format_all.c	1
/src/libarchive/libarchive/archive_read_support_format_ar.c	2
/src/libarchive/libarchive/archive_read_support_format_cpio.c	2
/src/libarchive/libarchive/archive_read_support_format_empty.c	2
/src/libarchive/libarchive/archive_read_support_format_lha.c	3
/src/libarchive/libarchive/archive_read_support_format_mtree.c	9
/src/libarchive/libarchive/archive_rb.c	1
/src/libarchive/libarchive/archive_read_support_format_tar.c	10
/src/libarchive/libarchive/archive_read_support_format_xar.c	2
/src/libarchive/libarchive/archive_endian.h	5
/src/libarchive/libarchive/archive_read_support_format_warc.c	3
/src/libarchive/libarchive/archive_read_support_format_7zip.c	3
/src/libarchive/libarchive/archive_read_support_format_cab.c	3
/src/libarchive/libarchive/archive_read_support_format_rar.c	2
/src/libarchive/libarchive/archive_read_support_format_rar5.c	17
/src/libarchive/libarchive/archive_read_support_format_iso9660.c	13
/src/libarchive/libarchive/archive_read_support_format_zip.c	7
/src/libarchive/libarchive/archive_read_support_format_raw.c	2
/src/libarchive/libarchive/archive_read_set_options.c	3
/src/libarchive/libarchive/archive_options.c	3
/src/libarchive/libarchive/archive_read_add_passphrase.c	3
/src/libarchive/libarchive/archive_read_open_memory.c	7
/src/libarchive/libarchive/archive_virtual.c	4

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	instr count	bb count	cyclomatic complexity	Reachable functions	total cyclomatic complexity	Unreached complexity
`parse_file`	/src/libarchive/libarchive/archive_read_support_format_mtree.c	5	['N/A', 'N/A', 'N/A', 'N/A', 'N/A']	10	868	155	55	156	1045	261
`Ppmd7_EncodeSymbol`	/src/libarchive/libarchive/archive_ppmd7.c	3	['N/A', 'N/A', 'int']	7	748	52	17	23	149	149
`archive_entry_acl_from_text_w`	/src/libarchive/libarchive/archive_entry.c	3	['N/A', 'N/A', 'int']	8	25	3	2	28	206	132
`archive_entry_acl_text_w`	/src/libarchive/libarchive/archive_entry.c	2	['N/A', 'int']	11	53	6	3	84	710	105
`read_mtree`	/src/libarchive/libarchive/archive_read_support_format_mtree.c	2	['N/A', 'N/A']	10	364	65	24	55	421	97
`grzip_bidder_init`	/src/libarchive/libarchive/archive_read_support_filter_grzip.c	1	['N/A']	6	26	3	2	42	177	90
`uudecode_filter_read`	/src/libarchive/libarchive/archive_read_support_filter_uu.c	2	['N/A', 'N/A']	7	1285	184	69	30	238	83
`lz4_filter_read`	/src/libarchive/libarchive/archive_read_support_filter_lz4.c	2	['N/A', 'N/A']	9	265	40	12	35	224	71
`XXH32_update`	/src/libarchive/libarchive/xxhash.c	3	['N/A', 'N/A', 'int']	1	1827	180	61	2	65	65
`header_odc`	/src/libarchive/libarchive/archive_read_support_format_cpio.c	5	['N/A', 'N/A', 'N/A', 'N/A', 'N/A']	9	171	12	6	45	235	55

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

940 / 1275

Cyclomatic complexity statically reachable by fuzzers

8310 / 9853

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/libarchive_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['archive_read_format_iso9660_bid', '__archive_check_magic', 'archive_string_ensure', 'archive_strncat', 'read_zip64_eocd', 'isSVD', 'archive_string_append', 'archive_string_append_from_wcs', '__archive_read_ahead', 'detect_form']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
archive_entry_linkresolver_set_strategy	33	8	24.24%	[]
_archive_set_options	56	24	42.85%	['libarchive_fuzzer']
ReduceOrder	63	15	23.80%	[]
client_skip_proxy	32	17	53.12%	['libarchive_fuzzer']
peek_at_header	66	27	40.90%	[]
consume_header	46	22	47.82%	[]
lzma_bidder_bid	49	25	51.02%	[]
archive_read_format_7zip_read_header	156	66	42.30%	['libarchive_fuzzer']
read_stream	77	31	40.25%	['libarchive_fuzzer']
extract_pack_stream	129	47	36.43%	['libarchive_fuzzer']
decompress	115	28	24.34%	['libarchive_fuzzer']
case_7Z_LZMA2	223	30	13.45%
get_uncompressed_data	38	16	42.10%	['libarchive_fuzzer']
read_CodersInfo	81	37	45.67%	['libarchive_fuzzer']
setup_decode_folder	181	29	16.02%	['libarchive_fuzzer']
init_decompression	36	19	52.77%	['libarchive_fuzzer']
read_Header	284	117	41.19%	['libarchive_fuzzer']
free_decompression	35	15	42.85%	['libarchive_fuzzer']
archive_read_format_cab_read_data	47	15	31.91%	['libarchive_fuzzer']
cab_next_cfdata	114	60	52.63%	['libarchive_fuzzer']
cab_read_ahead_cfdata_deflate	173	59	34.10%	['libarchive_fuzzer']
cab_read_data	38	14	36.84%	['libarchive_fuzzer']
archive_read_format_cpio_read_header	75	33	44.0%	['libarchive_fuzzer']
isJolietSVD	31	16	51.61%	['libarchive_fuzzer']
isEVD	43	10	23.25%	['libarchive_fuzzer']
archive_read_format_iso9660_read_header	182	74	40.65%	['libarchive_fuzzer']
choose_volume	64	29	45.31%	['libarchive_fuzzer']
parse_file_info	203	86	42.36%	['libarchive_fuzzer']
read_CE	39	12	30.76%	['libarchive_fuzzer']
lha_read_file_extended_header	259	117	45.17%	['libarchive_fuzzer']
lzh_read_blocks	185	85	45.94%	['libarchive_fuzzer']
lzh_make_huffman_table	151	78	51.65%	['libarchive_fuzzer']
parse_escapes	70	20	28.57%	[]
parse_file	151	36	23.84%	[]
parse_keyword	248	81	32.66%	[]
read_data	39	11	28.20%	['libarchive_fuzzer']
parse_filter	42	20	47.61%	['libarchive_fuzzer']
archive_read_format_rar_seek_data	128	12	9.375%	['libarchive_fuzzer']
parse_file_extra_redir	56	29	51.78%	['libarchive_fuzzer']
parse_file_extra_owner	65	22	33.84%	['libarchive_fuzzer']
parse_tables	129	58	44.96%	['libarchive_fuzzer']
archive_read_format_tar_options	31	14	45.16%	['libarchive_fuzzer']
tar_read_header	195	83	42.56%	['libarchive_fuzzer']
header_common	137	37	27.00%	['libarchive_fuzzer']
_warc_rdhdr	134	29	21.64%	['libarchive_fuzzer']
xar_read_header	168	17	10.11%	['libarchive_fuzzer']
read_toc	100	30	30.0%	['libarchive_fuzzer']
xml2_read_toc	49	12	24.48%	['libarchive_fuzzer']
decompression_init	120	19	15.83%	['libarchive_fuzzer']
archive_read_format_zip_options	38	15	39.47%	['libarchive_fuzzer']
zip_read_local_file_header	318	172	54.08%	['libarchive_fuzzer']
process_extra	299	130	43.47%	['libarchive_fuzzer']
read_decryption_header	150	65	43.33%	['libarchive_fuzzer']
get_sconv_object	33	18	54.54%	['libarchive_fuzzer']
setup_converter	84	28	33.33%	['libarchive_fuzzer']
utf16_to_unicode	38	14	36.84%	['libarchive_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/libarchive/libarchive/archive_read_support_filter_zstd.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_string.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_empty.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/usr/local/bin/../include/c++/v1/stdexcept	[]	[]
/src/libarchive/libarchive/archive_read_support_filter_rpm.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_program.c	[]	[]
/src/libarchive/libarchive/archive_entry_xattr.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_tar.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_add_passphrase.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_string_sprintf.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_rb.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry_sparse.c	[]	[]
/src/libarchive/libarchive/archive_read_support_filter_grzip.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/xxhash.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_cpio.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_options.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_check_magic.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_compress.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_xar.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_all.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_open_memory.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive_fuzzer.cc	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_7zip.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_gzip.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_iso9660.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_rar.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_bzip2.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/filter_fork_posix.c	[]	[]
/src/libarchive/libarchive/archive_cryptor.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_lha.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_cmdline.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_cab.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_mtree.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2_impl.h	[]	[]
/src/libarchive/libarchive/archive_acl.c	[]	[]
/src/libarchive/libarchive/archive_pack_dev.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_zip.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_raw.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_xz.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_lz4.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_lrzip.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_digest.c	[]	[]
/src/libarchive/libarchive/archive_read_support_filter_lzop.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_util.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_hmac.c	[]	[]
/src/libarchive/libarchive/archive_read_support_filter_uu.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_all.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_virtual.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2sp_ref.c	[]	[]
/src/libarchive/libarchive/archive_entry_link_resolver.c	[]	[]
/src/libarchive/libarchive/archive_read_set_options.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_ppmd8.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_ar.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_warc.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_ppmd7.c	[]	[]
/src/libarchive/libarchive/archive_read_support_format_rar5.c	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_endian.h	['libarchive_fuzzer']	['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2s_ref.c	[]	[]

Directories in report

Directory

/usr/local/bin/../include/c++/v1/
/src/
/src/libarchive/libarchive/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file

libarchive_fuzzer fuzzerLogFile-0-PIwc4Tl4Oe.data fuzzerLogFile-0-PIwc4Tl4Oe.data.yaml libarchive_fuzzer.covreport

Table of contents

Project overview: libarchive

High level conclusions

Reachability and coverage overview

Fuzzers overview

Project functions overview

Fuzzer details

Fuzzer: libarchive_fuzzer

Call tree

Fuzz blockers

Runtime coverage analysis

Files reached

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

All functions overview

Fuzz engine guidance

/src/libarchive_fuzzer.cc

Dictionary

Fuzzer function priority

Runtime coverage analysis

Complex functions with low coverage

Files and Directories in report

Files in report

Directories in report

Metadata section