Tests: Add fuzz_decode_alone OSS-Fuzz target

This fuzz target that handles LZMA alone decoding. A new fuzz dictionary .dict was also created with common LZMA header values to help speed up the discovery of valid headers.
2023-12-04 17:23:24 +01:00 · 2023-12-04 17:23:24 +01:00 · 7ca8c9869d
parent 37581a77ad
commit 7ca8c9869d
3 changed files with 66 additions and 0 deletions
--- a/tests/ossfuzz/config/fuzz_decode_alone.options
+++ b/tests/ossfuzz/config/fuzz_decode_alone.options
@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 4096
+dict = fuzz_lzma.dict
--- a/tests/ossfuzz/config/fuzz_lzma.dict
+++ b/tests/ossfuzz/config/fuzz_lzma.dict
@ -0,0 +1,22 @@
+# first 5 header bytes of .lzma archives based on the info from
+# https://github.com/tukaani-project/xz/blob/master/doc/lzma-file-format.txt
+
+# byte 0 value (properties=0x5d) is created by encoding
+# common values (lc=3, lp=0, pb=2) using the algorithm,
+# described in the documentation above
+
+
+# compression preset 1    (dictionary size = 0x00100000)
+"\x5d\x00\x00\x10\x00"
+# compression preset 2    (dictionary size = 0x00200000)
+"\x5d\x00\x00\x20\x00"
+# compression preset 3, 4 (dictionary size = 0x00400000)
+"\x5d\x00\x00\x40\x00"
+# compression preset 5, 6 (dictionary size = 0x00800000)
+"\x5d\x00\x00\x80\x00"
+# compression preset 7    (dictionary size = 0x01000000)
+"\x5d\x00\x00\x00\x01"
+# compression preset 8    (dictionary size = 0x02000000)
+"\x5d\x00\x00\x00\x02"
+# compression preset 9    (dictionary size = 0x04000000)
+"\x5d\x00\x00\x00\x04"
--- a/tests/ossfuzz/fuzz_decode_alone.c
+++ b/tests/ossfuzz/fuzz_decode_alone.c
@ -0,0 +1,41 @@
+///////////////////////////////////////////////////////////////////////////////
+//
+/// \file       fuzz_decode_auto.c
+/// \brief      Fuzz test program for liblzma lzma_auto_decoder()
+//
+//  Author:     Maksym Vatsyk
+//
+//  Based on Lasse Collin's original fuzzer for liblzma
+//
+//  This file has been put into the public domain.
+//  You can do whatever you want with this file.
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "lzma.h"
+#include "fuzz_common.h"
+
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *inbuf, size_t inbuf_size)
+{
+	lzma_stream strm = LZMA_STREAM_INIT;
+	// Initialize a LZMA alone decoder using the memory usage limit
+	// defined in fuzz_common.h
+	if (lzma_alone_decoder(&strm, MEM_LIMIT) != LZMA_OK) {
+		// This should never happen unless the system has
+		// no free memory or address space to allow the small
+		// allocations that the initialization requires.
+		fprintf(stderr, "lzma_alone_decoder() failed\n");
+		abort();
+	}
+
+	fuzz_code(&strm, inbuf, inbuf_size);
+
+	// Free the allocated memory.
+	lzma_end(&strm);
+	return 0;
+}