Project overview: libzip

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 908 77.1%

gold [1:9] 0 0.0%

yellow [10:29] 1 0.08%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 268 22.7%

All colors 1177 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	908	77.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.08%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	268	22.7%
All colors	1177	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
223	267	zip_realloc	call site: 00267	_zip_checkcons
58	152	_zip_buffer_get	call site: 00152	_zip_read_eocd64
42	522	zip_source_layered_create	call site: 00522	window_read
41	225	_zip_entry_finalize	call site: 00225	_zip_cdir_free
38	830	zip_close	call site: 00830	zip_source_zip_file_create
30	96	zip_source_open	call site: 00096	_zip_open
23	128	zip_source_read	call site: 00128	_zip_read_cdir
22	752	zip_file_extra_field_delete	call site: 00752	_zip_read_local_ef
20	969	_zip_dirent_write	call site: 00969	_zip_ef_new
17	674	zip_source_buffer_with_attributes_create	call site: 00674	zip_discard
15	504	zip_discard	call site: 00504	zip_check_torrentzip
15	1046	_zip_string_write	call site: 01046	_zip_ef_write

Runtime coverage analysis

155

115

240

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

52.08%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
ossfuzz/zip_write_encrypt_pkware_file_fuzzer.c	1
lib/zip_open.c	18
lib/zip_error.c	10
lib/zip_source_file_stdio_named.c	1
lib/zip_source_file_common.c	3
lib/zip_stat_init.c	2
lib/zip_source_get_file_attributes.c	2
lib/zip_source_supports.c	3
lib/zip_source_function.c	3
lib/zip_source_seek.c	2
lib/zip_source_stat.c	1
lib/zip_source_error.c	1
lib/zip_source_call.c	1
lib/zip_new.c	1
lib/zip_hash.c	10
lib/zip_source_open.c	1
lib/zip_source_close.c	1
lib/zip_source_accept_empty.c	1
lib/zip_source_tell.c	1
lib/zip_buffer.c	22
lib/zip_io_util.c	4
lib/zip_source_read.c	2
lib/zip_dirent.c	25
lib/zip_entry.c	2
lib/zip_unchange_data.c	1
lib/zip_source_free.c	1
lib/zip_source_rollback_write.c	1
lib/zip_source_window.c	6
lib/zip_string.c	8
lib/zip_extra_field.c	11
lib/zip_utf-8.c	4
lib/zip_realloc.c	1
lib/zip_memdup.c	1
lib/zip_discard.c	1
lib/zip_progress.c	7
lib/zip_source_layered.c	2
lib/zip_file_get_offset.c	2
lib/zip_source_pass_to_lower_layer.c	1
lib/zip_source_crc.c	2
lib/zip_source_buffer.c	12
lib/zip_strerror.c	1
lib/zip_error_strerror.c	1
lib/zip_file_add.c	1
lib/zip_file_replace.c	1
lib/zip_name_locate.c	1
lib/zip_get_name.c	2
lib/zip_add_entry.c	1
lib/zip_set_name.c	1
lib/zip_extra_field_api.c	2
lib/zip_file_set_encryption.c	1
lib/zip_get_encryption_implementation.c	1
lib/zip_close.c	8
lib/zip_source_remove.c	1
lib/zip_source_begin_write_cloning.c	1
lib/zip_source_begin_write.c	1
lib/zip_source_tell_write.c	1
lib/zip_source_zip_new.c	2
lib/zip_stat_index.c	1
lib/zip_source_compress.c	8
lib/zip_source_get_dostime.c	1
lib/zip_source_write.c	1
lib/zip_source_seek_write.c	1
lib/zip_source_commit_write.c	1

Fuzzer: zip_write_encrypt_aes256_file_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 900 76.4%

gold [1:9] 0 0.0%

yellow [10:29] 1 0.08%

greenyellow [30:49] 0 0.0%

lawngreen 50+ 277 23.5%

All colors 1178 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	900	76.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.08%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	277	23.5%
All colors	1178	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
154	336	_zip_ef_new	call site: 00336	_zip_checkcons
68	267	zip_realloc	call site: 00267	_zip_dirent_read
58	152	_zip_buffer_get	call site: 00152	_zip_read_eocd64
42	522	zip_source_layered_create	call site: 00522	window_read
41	225	_zip_entry_finalize	call site: 00225	_zip_cdir_free
38	831	zip_close	call site: 00831	zip_source_zip_file_create
30	96	zip_source_open	call site: 00096	_zip_open
25	1095	add_data	call site: 01095	_zip_dirent_write
23	128	zip_source_read	call site: 00128	_zip_read_cdir
22	752	zip_file_extra_field_delete	call site: 00752	_zip_read_local_ef
17	674	zip_source_buffer_with_attributes_create	call site: 00674	zip_discard
16	970	_zip_dirent_write	call site: 00970	_zip_ef_new

Runtime coverage analysis

166

111

240

53.75%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
ossfuzz/zip_write_encrypt_aes256_file_fuzzer.c	1
lib/zip_open.c	18
lib/zip_error.c	10
lib/zip_source_file_stdio_named.c	1
lib/zip_source_file_common.c	3
lib/zip_stat_init.c	2
lib/zip_source_get_file_attributes.c	2
lib/zip_source_supports.c	3
lib/zip_source_function.c	3
lib/zip_source_seek.c	2
lib/zip_source_stat.c	1
lib/zip_source_error.c	1
lib/zip_source_call.c	1
lib/zip_new.c	1
lib/zip_hash.c	10
lib/zip_source_open.c	1
lib/zip_source_close.c	1
lib/zip_source_accept_empty.c	1
lib/zip_source_tell.c	1
lib/zip_buffer.c	22
lib/zip_io_util.c	4
lib/zip_source_read.c	2
lib/zip_dirent.c	25
lib/zip_entry.c	2
lib/zip_unchange_data.c	1
lib/zip_source_free.c	1
lib/zip_source_rollback_write.c	1
lib/zip_source_window.c	6
lib/zip_string.c	8
lib/zip_extra_field.c	11
lib/zip_utf-8.c	4
lib/zip_realloc.c	1
lib/zip_memdup.c	1
lib/zip_discard.c	1
lib/zip_progress.c	7
lib/zip_source_layered.c	2
lib/zip_file_get_offset.c	2
lib/zip_source_pass_to_lower_layer.c	1
lib/zip_source_crc.c	2
lib/zip_source_buffer.c	12
lib/zip_strerror.c	1
lib/zip_error_strerror.c	1
lib/zip_file_add.c	1
lib/zip_file_replace.c	1
lib/zip_name_locate.c	1
lib/zip_get_name.c	2
lib/zip_add_entry.c	1
lib/zip_set_name.c	1
lib/zip_extra_field_api.c	2
lib/zip_file_set_encryption.c	1
lib/zip_get_encryption_implementation.c	1
lib/zip_close.c	8
lib/zip_source_remove.c	1
lib/zip_source_begin_write_cloning.c	1
lib/zip_source_begin_write.c	1
lib/zip_source_tell_write.c	1
lib/zip_source_zip_new.c	2
lib/zip_stat_index.c	1
lib/zip_source_compress.c	8
lib/zip_source_get_dostime.c	1
lib/zip_source_write.c	1
lib/zip_source_seek_write.c	1
lib/zip_source_commit_write.c	1

Fuzzer: zip_read_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 590 54.3%

gold [1:9] 13 1.19%

yellow [10:29] 15 1.38%

greenyellow [30:49] 3 0.27%

lawngreen 50+ 465 42.8%

All colors 1086 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	590	54.3%
gold	[1:9]	13	1.19%
yellow	[10:29]	15	1.38%
greenyellow	[30:49]	3	0.27%
lawngreen	50+	465	42.8%
All colors	1086	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
202	882	_zip_buffer_put_64	call site: 00882	write_cdir
61	820	zip_source_get_dos_time	call site: 00820	_zip_dirent_write
55	764	zip_close	call site: 00764	add_data
22	473	_zip_find_central_dir	call site: 00473	_zip_dirent_read
15	417	_zip_dirent_read	call site: 00417	_zip_buffer_new_from_source
10	59	read_data	call site: 00059	buffer_write
9	29	zip_source_buffer_fragment_with_attributes_create	call site: 00029	buffer_clone
8	564	window_read	call site: 00564	zip_source_seek
7	464	_zip_read_cdir	call site: 00464	_zip_cdir_free
6	14	buffer_grow_fragments	call site: 00014	buffer_free
6	91	_zip_source_call	call site: 00091	_zip_allocate_new
6	573	window_read	call site: 00573	zip_source_pass_to_lower_layer

Runtime coverage analysis

190

228

68.86%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
ossfuzz/zip_read_fuzzer.c	1
lib/zip_error.c	9
lib/zip_source_buffer.c	12
lib/zip_realloc.c	1
lib/zip_source_get_file_attributes.c	2
lib/zip_source_function.c	3
lib/zip_source_supports.c	3
lib/zip_source_seek.c	2
lib/zip_stat_init.c	2
lib/zip_open.c	16
lib/zip_source_stat.c	1
lib/zip_source_error.c	1
lib/zip_source_call.c	1
lib/zip_new.c	1
lib/zip_hash.c	8
lib/zip_source_open.c	1
lib/zip_source_close.c	1
lib/zip_source_accept_empty.c	1
lib/zip_source_tell.c	1
lib/zip_buffer.c	22
lib/zip_io_util.c	4
lib/zip_source_read.c	2
lib/zip_dirent.c	25
lib/zip_entry.c	2
lib/zip_unchange_data.c	1
lib/zip_source_free.c	1
lib/zip_source_rollback_write.c	1
lib/zip_source_window.c	6
lib/zip_string.c	8
lib/zip_extra_field.c	9
lib/zip_utf-8.c	4
lib/zip_memdup.c	1
lib/zip_discard.c	1
lib/zip_progress.c	7
lib/zip_source_layered.c	2
lib/zip_file_get_offset.c	2
lib/zip_source_pass_to_lower_layer.c	1
lib/zip_source_crc.c	2
ossfuzz/zip_read_fuzzer_common.h	1
lib/zip_error_strerror.c	1
lib/zip_set_default_password.c	1
lib/zip_get_num_entries.c	1
lib/zip_fopen_index.c	1
lib/zip_fopen_index_encrypted.c	2
lib/zip_source_zip_new.c	2
lib/zip_stat_index.c	1
lib/zip_get_name.c	2
lib/zip_get_encryption_implementation.c	1
lib/zip_source_compress.c	8
lib/zip_strerror.c	1
lib/zip_fread.c	1
lib/zip_fclose.c	1
lib/zip_close.c	8
lib/zip_source_remove.c	1
lib/zip_source_begin_write_cloning.c	1
lib/zip_source_begin_write.c	1
lib/zip_source_tell_write.c	1
lib/zip_source_get_dostime.c	1
lib/zip_source_write.c	1
lib/zip_source_seek_write.c	1
lib/zip_source_commit_write.c	1

Fuzzer: zip_read_file_fuzzer

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 629 55.1%

gold [1:9] 12 1.05%

yellow [10:29] 13 1.13%

greenyellow [30:49] 5 0.43%

lawngreen 50+ 482 42.2%

All colors 1141 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	629	55.1%
gold	[1:9]	12	1.05%
yellow	[10:29]	13	1.13%
greenyellow	[30:49]	5	0.43%
lawngreen	50+	482	42.2%
All colors	1141	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
202	937	_zip_buffer_put_64	call site: 00937	write_cdir
117	819	zip_close	call site: 00819	add_data
22	472	_zip_find_central_dir	call site: 00472	_zip_dirent_read
15	416	_zip_dirent_read	call site: 00416	_zip_buffer_new_from_source
12	729	read_data	call site: 00729	_zip_source_window_new
10	690	zip_source_buffer_fragment_with_attributes_create	call site: 00690	buffer_grow_fragments
10	705	zip_source_buffer_fragment_with_attributes_create	call site: 00705	buffer_clone
8	21	zip_source_file_create	call site: 00021	zip_error_set
8	562	window_read	call site: 00562	zip_source_seek
7	463	_zip_read_cdir	call site: 00463	_zip_cdir_free
6	90	_zip_source_call	call site: 00090	_zip_allocate_new
6	571	window_read	call site: 00571	zip_source_pass_to_lower_layer

Runtime coverage analysis

176

239