1*01826a49SYabin Cui /*
2*01826a49SYabin Cui * Copyright (c) Meta Platforms, Inc. and affiliates.
3*01826a49SYabin Cui * All rights reserved.
4*01826a49SYabin Cui *
5*01826a49SYabin Cui * This source code is licensed under both the BSD-style license (found in the
6*01826a49SYabin Cui * LICENSE file in the root directory of this source tree) and the GPLv2 (found
7*01826a49SYabin Cui * in the COPYING file in the root directory of this source tree).
8*01826a49SYabin Cui * You may select, at your option, one of the above-listed licenses.
9*01826a49SYabin Cui */
10*01826a49SYabin Cui
11*01826a49SYabin Cui /**
12*01826a49SYabin Cui * This fuzz target attempts to decompress the fuzzed data with the dictionary
13*01826a49SYabin Cui * decompression function to ensure the decompressor never crashes. It does not
14*01826a49SYabin Cui * fuzz the dictionary.
15*01826a49SYabin Cui */
16*01826a49SYabin Cui
17*01826a49SYabin Cui #include <stddef.h>
18*01826a49SYabin Cui #include <stdlib.h>
19*01826a49SYabin Cui #include <stdio.h>
20*01826a49SYabin Cui #include "fuzz_helpers.h"
21*01826a49SYabin Cui #include "zstd_helpers.h"
22*01826a49SYabin Cui #include "fuzz_data_producer.h"
23*01826a49SYabin Cui #include "fuzz_third_party_seq_prod.h"
24*01826a49SYabin Cui
25*01826a49SYabin Cui static ZSTD_DCtx *dctx = NULL;
26*01826a49SYabin Cui
LLVMFuzzerTestOneInput(const uint8_t * src,size_t size)27*01826a49SYabin Cui int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
28*01826a49SYabin Cui {
29*01826a49SYabin Cui FUZZ_SEQ_PROD_SETUP();
30*01826a49SYabin Cui
31*01826a49SYabin Cui /* Give a random portion of src data to the producer, to use for
32*01826a49SYabin Cui parameter generation. The rest will be used for (de)compression */
33*01826a49SYabin Cui FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
34*01826a49SYabin Cui size = FUZZ_dataProducer_reserveDataPrefix(producer);
35*01826a49SYabin Cui
36*01826a49SYabin Cui FUZZ_dict_t dict;
37*01826a49SYabin Cui ZSTD_DDict* ddict = NULL;
38*01826a49SYabin Cui
39*01826a49SYabin Cui if (!dctx) {
40*01826a49SYabin Cui dctx = ZSTD_createDCtx();
41*01826a49SYabin Cui FUZZ_ASSERT(dctx);
42*01826a49SYabin Cui }
43*01826a49SYabin Cui dict = FUZZ_train(src, size, producer);
44*01826a49SYabin Cui if (FUZZ_dataProducer_uint32Range(producer, 0, 1) == 0) {
45*01826a49SYabin Cui ddict = ZSTD_createDDict(dict.buff, dict.size);
46*01826a49SYabin Cui FUZZ_ASSERT(ddict);
47*01826a49SYabin Cui } else {
48*01826a49SYabin Cui if (FUZZ_dataProducer_uint32Range(producer, 0, 1) == 0)
49*01826a49SYabin Cui FUZZ_ZASSERT(ZSTD_DCtx_loadDictionary_advanced(
50*01826a49SYabin Cui dctx, dict.buff, dict.size,
51*01826a49SYabin Cui (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1),
52*01826a49SYabin Cui (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2)));
53*01826a49SYabin Cui else
54*01826a49SYabin Cui FUZZ_ZASSERT(ZSTD_DCtx_refPrefix_advanced(
55*01826a49SYabin Cui dctx, dict.buff, dict.size,
56*01826a49SYabin Cui (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2)));
57*01826a49SYabin Cui }
58*01826a49SYabin Cui
59*01826a49SYabin Cui {
60*01826a49SYabin Cui size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, 10 * size);
61*01826a49SYabin Cui void* rBuf = FUZZ_malloc(bufSize);
62*01826a49SYabin Cui if (ddict) {
63*01826a49SYabin Cui ZSTD_decompress_usingDDict(dctx, rBuf, bufSize, src, size, ddict);
64*01826a49SYabin Cui } else {
65*01826a49SYabin Cui ZSTD_decompressDCtx(dctx, rBuf, bufSize, src, size);
66*01826a49SYabin Cui }
67*01826a49SYabin Cui free(rBuf);
68*01826a49SYabin Cui }
69*01826a49SYabin Cui free(dict.buff);
70*01826a49SYabin Cui FUZZ_dataProducer_free(producer);
71*01826a49SYabin Cui ZSTD_freeDDict(ddict);
72*01826a49SYabin Cui #ifndef STATEFUL_FUZZING
73*01826a49SYabin Cui ZSTD_freeDCtx(dctx); dctx = NULL;
74*01826a49SYabin Cui #endif
75*01826a49SYabin Cui FUZZ_SEQ_PROD_TEARDOWN();
76*01826a49SYabin Cui return 0;
77*01826a49SYabin Cui }
78