Tests: Add a fuzzing target for the multithreaded .xz decoder

It doesn't seem possible to trigger the CVE-2025-31115 bug with this fuzzing target at the moment. It's because the code in fuzz_common.h passes the whole input buffer to lzma_code() at once.
2025-04-15 04:00:50 +00:00 · 2025-04-03 14:34:43 +03:00 · 2025-04-03 14:34:43 +03:00 · 48440e24a2
commit 48440e24a2
parent 0c80045ab8
1 changed files with 47 additions and 0 deletions
--- a/tests/ossfuzz/fuzz_decode_stream_mt.c
+++ b/tests/ossfuzz/fuzz_decode_stream_mt.c
@ -0,0 +1,47 @@
+// SPDX-License-Identifier: 0BSD
+
+///////////////////////////////////////////////////////////////////////////////
+//
+/// \file       fuzz_decode_stream_mt.c
+/// \brief      Fuzz test program for multithreaded .xz decoding
+//
+//  Author:     Lasse Collin
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "lzma.h"
+#include "fuzz_common.h"
+
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *inbuf, size_t inbuf_size)
+{
+	lzma_stream strm = LZMA_STREAM_INIT;
+
+	lzma_mt mt = {
+		.flags = LZMA_CONCATENATED | LZMA_IGNORE_CHECK,
+		.threads = 2,
+		.timeout = 0,
+		.memlimit_threading = MEM_LIMIT / 2,
+		.memlimit_stop = MEM_LIMIT,
+	};
+
+	lzma_ret ret = lzma_stream_decoder_mt(&strm, &mt);
+
+	if (ret != LZMA_OK) {
+		// This should never happen unless the system has
+		// no free memory or address space to allow the small
+		// allocations that the initialization requires.
+		fprintf(stderr, "lzma_stream_decoder_mt() failed (%d)\n", ret);
+		abort();
+	}
+
+	fuzz_code(&strm, inbuf, inbuf_size);
+
+	lzma_end(&strm);
+
+	return 0;
+}