[zlib] Rewrite deflate_fuzzer: cover more configs, stream the input

Zlib has a lot of parameters that can be used for deflate compression. This makes the fuzzer cover a much larger set of them. It also streams the input in an attempt to cover more interesting code paths. I have verified that this allows the fuzzer to hit the issues in the first two linked bugs. Let's see if it finds something else too :-) Bug: 1113142, 1113596, 708726 Change-Id: Ib345460c25787ee639b626cc37fc887017d65246 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2433344Reviewed-by: Max Moroz <mmoroz@chromium.org> Reviewed-by: Adenilson Cavalcanti <cavalcantii@chromium.org> Commit-Queue: Hans Wennborg <hans@chromium.org> Cr-Commit-Position: refs/heads/master@{#811613}

[zlib] Rewrite deflate_fuzzer: cover more configs, stream the input
Zlib has a lot of parameters that can be used for deflate compression. This makes the fuzzer cover a much larger set of them. It also streams the input in an attempt to cover more interesting code paths. I have verified that this allows the fuzzer to hit the issues in the first two linked bugs. Let's see if it finds something else too :-) Bug: 1113142, 1113596, 708726 Change-Id: Ib345460c25787ee639b626cc37fc887017d65246 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2433344Reviewed-by: Max Moroz <mmoroz@chromium.org> Reviewed-by: Adenilson Cavalcanti <cavalcantii@chromium.org> Commit-Queue: Hans Wennborg <hans@chromium.org> Cr-Commit-Position: refs/heads/master@{#811613}
a7d72757 · Hans Wennborg · Commit Bot · 3375cfe5 · a7d72757
Commit a7d72757 authored Sep 29, 2020 by Hans Wennborg Committed by Commit Bot Sep 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 51 additions and 24 deletions

third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc +51 -24

No files found.
--- a/third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc
+++ b/third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc
@@ -2,46 +2,73 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include <fuzzer/FuzzedDataProvider.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
-#include <cassert>
 #include <vector>
 #include "third_party/zlib/zlib.h"
-static Bytef buffer[256 * 1024] = {0};
+// Fuzzer builds often have NDEBUG set, so roll our own assert macro.
+#define ASSERT(cond)                                                           \
+  do {                                                                         \
+    if (!(cond)) {                                                             \
+      fprintf(stderr, "%s:%d Assert failed: %s\n", __FILE__, __LINE__, #cond); \
+      exit(1);                                                                 \
+    }                                                                          \
+  } while (0)
-// Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  // zlib's deflate requires non-zero input sizes
+  FuzzedDataProvider fdp(data, size);
-  if (!size)
+  int level = fdp.PickValueInArray({0, 1, 2, 3, 4, 5, 6, 7, 8, 9});
-    return 0;
+  int windowBits = fdp.PickValueInArray({9, 10, 11, 12, 13, 14, 15});
+  int memLevel = fdp.PickValueInArray({1, 2, 3, 4, 5, 6, 7, 8, 9});
-  // We need to strip the 'const' for zlib.
+  int strategy = fdp.PickValueInArray(
-  std::vector<unsigned char> input_buffer{data, data+size};
+      {Z_DEFAULT_STRATEGY, Z_FILTERED, Z_HUFFMAN_ONLY, Z_RLE, Z_FIXED});
+  std::vector<uint8_t> src = fdp.ConsumeRemainingBytes<uint8_t>();
-  uLongf buffer_length = static_cast<uLongf>(sizeof(buffer));
  z_stream stream;
-  stream.next_in = input_buffer.data();
-  stream.avail_in = size;
-  stream.total_in = size;
-  stream.next_out = buffer;
-  stream.avail_out = buffer_length;
-  stream.total_out = buffer_length;
  stream.zalloc = Z_NULL;
  stream.zfree = Z_NULL;
-  if (Z_OK != deflateInit(&stream, Z_DEFAULT_COMPRESSION)) {
+  // Compress the data one byte at a time to exercise the streaming code.
-    deflateEnd(&stream);
+  int ret =
-    assert(false);
+      deflateInit2(&stream, level, Z_DEFLATED, windowBits, memLevel, strategy);
+  ASSERT(ret == Z_OK);
+  std::vector<uint8_t> compressed(src.size() * 2 + 1000);
+  stream.next_out = compressed.data();
+  stream.avail_out = compressed.size();
+  for (uint8_t b : src) {
+    stream.next_in = &b;
+    stream.avail_in = 1;
+    ret = deflate(&stream, Z_NO_FLUSH);
+    ASSERT(ret == Z_OK);
  }
+  stream.next_in = Z_NULL;
-  auto deflate_result = deflate(&stream, Z_NO_FLUSH);
+  stream.avail_in = 0;
+  ret = deflate(&stream, Z_FINISH);
+  ASSERT(ret == Z_STREAM_END);
+  compressed.resize(compressed.size() - stream.avail_out);
  deflateEnd(&stream);
-  if (Z_OK != deflate_result)
-    assert(false);
+  // Verify that the data decompresses correctly.
+  ret = inflateInit2(&stream, windowBits);
+  ASSERT(ret == Z_OK);
+  // Make room for at least one byte so it's never empty.
+  std::vector<uint8_t> decompressed(src.size() + 1);
+  stream.next_in = compressed.data();
+  stream.avail_in = compressed.size();
+  stream.next_out = decompressed.data();
+  stream.avail_out = decompressed.size();
+  ret = inflate(&stream, Z_FINISH);
+  ASSERT(ret == Z_STREAM_END);
+  decompressed.resize(decompressed.size() - stream.avail_out);
+  inflateEnd(&stream);
+  ASSERT(decompressed == src);
  return 0;
 }