updates to OSS-Fuzz integration

adapt more fuzz targets from zlib, add zip fuzzer, zip dictionary. update uncompress_fuzzer to seed the buffer length separately.
2025-10-30 16:15:41 +01:00 · 2020-11-24 16:51:30 +01:00
parent cd65995953
commit b485d01faf
10 changed files with 466 additions and 7 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -217,6 +217,11 @@ if(BUILD_FUZZERS)
  set(CHECKSUM_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/checksum_fuzzer.c")
  set(FLUSH_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/flush_fuzzer.c")
  set(UNCOMPRESS_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/uncompress_fuzzer.c")
+  set(UNCOMPRESS2_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/uncompress2_fuzzer.c")
+  set(COMPRESS_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/compress_fuzzer.c")
+  set(SMALL_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/small_fuzzer.c")
+  set(LARGE_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/large_fuzzer.c")
+  set(ZIP_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/zip_fuzzer.c")

  add_executable(checksum_fuzzer ${CHECKSUM_FUZZER_SRC_LIST})
  target_link_libraries(checksum_fuzzer miniz)
@@ -226,6 +231,21 @@ if(BUILD_FUZZERS)

  add_executable(uncompress_fuzzer ${UNCOMPRESS_FUZZER_SRC_LIST})
  target_link_libraries(uncompress_fuzzer miniz)
+
+  add_executable(uncompress2_fuzzer ${UNCOMPRESS2_FUZZER_SRC_LIST})
+  target_link_libraries(uncompress2_fuzzer miniz)
+
+  add_executable(compress_fuzzer ${COMPRESS_FUZZER_SRC_LIST})
+  target_link_libraries(compress_fuzzer miniz)
+
+  add_executable(small_fuzzer ${SMALL_FUZZER_SRC_LIST})
+  target_link_libraries(small_fuzzer miniz)
+
+  add_executable(large_fuzzer ${LARGE_FUZZER_SRC_LIST})
+  target_link_libraries(large_fuzzer miniz)
+
+  add_executable(zip_fuzzer ${ZIP_FUZZER_SRC_LIST})
+  target_link_libraries(zip_fuzzer miniz)
 endif()

 set(INCLUDE_INSTALL_DIR "include")
--- a/tests/compress_fuzzer.c
+++ b/tests/compress_fuzzer.c
@@ -0,0 +1,88 @@
+/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib,
+ * see ossfuzz.sh for full license text.
+*/
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <inttypes.h>
+#include "miniz.h"
+
+static const uint8_t *data;
+static size_t dataLen;
+
+static void check_compress_level(uint8_t *compr, size_t comprLen,
+                                 uint8_t *uncompr, size_t uncomprLen,
+                                 int level)
+{
+    compress2(compr, &comprLen, data, dataLen, level);
+    uncompress(uncompr, &uncomprLen, compr, comprLen);
+
+    /* Make sure compress + uncompress gives back the input data. */
+    assert(dataLen == uncomprLen);
+    assert(0 == memcmp(data, uncompr, dataLen));
+}
+
+#define put_byte(s, i, c) {s[i] = (unsigned char)(c);}
+
+static void write_zlib_header(uint8_t *s)
+{
+    unsigned level_flags = 0; /* compression level (0..3) */
+    unsigned w_bits = 8; /* window size log2(w_size)  (8..16) */
+    unsigned int header = (Z_DEFLATED + ((w_bits-8)<<4)) << 8;
+    header |= (level_flags << 6);
+
+    header += 31 - (header % 31);
+
+    /* s is guaranteed to be longer than 2 bytes. */
+    put_byte(s, 0, (unsigned char)(header >> 8));
+    put_byte(s, 1, (unsigned char)(header & 0xff));
+}
+
+static void check_decompress(uint8_t *compr, size_t comprLen)
+{
+    /* We need to write a valid zlib header of size two bytes. Copy the input data
+        in a larger buffer. Do not modify the input data to avoid libFuzzer error:
+        fuzz target overwrites its const input. */
+    size_t copyLen = dataLen + 2;
+    uint8_t *copy = malloc(copyLen);
+    memcpy(copy + 2, data, dataLen);
+    write_zlib_header(copy);
+
+    uncompress(compr, &comprLen, copy, copyLen);
+    free(copy);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size)
+{
+    /* compressBound does not provide enough space for low compression levels. */
+    size_t comprLen = 100 + 2 * compressBound(size);
+    size_t uncomprLen = size;
+    uint8_t *compr, *uncompr;
+
+    /* Discard inputs larger than 1Mb. */
+    static size_t kMaxSize = 1024 * 1024;
+
+    if (size < 1 || size > kMaxSize)
+    return 0;
+
+    data = d;
+    dataLen = size;
+    compr = calloc(1, comprLen);
+    uncompr = calloc(1, uncomprLen);
+
+    check_compress_level(compr, comprLen, uncompr, uncomprLen, 1);
+    check_compress_level(compr, comprLen, uncompr, uncomprLen, 3);
+    check_compress_level(compr, comprLen, uncompr, uncomprLen, 6);
+    check_compress_level(compr, comprLen, uncompr, uncomprLen, 7);
+
+    check_decompress(compr, comprLen);
+
+    free(compr);
+    free(uncompr);
+
+    return 0;
+}
--- a/tests/flush_fuzzer.c
+++ b/tests/flush_fuzzer.c
@@ -32,7 +32,7 @@ void test_flush(unsigned char *compr, size_t *comprLen)

    c_stream.zalloc = zalloc;
    c_stream.zfree = zfree;
-    c_stream.opaque = (void *)0;
+    c_stream.opaque = NULL;

    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
    CHECK_ERR(err, "deflateInit");
--- a/tests/large_fuzzer.c
+++ b/tests/large_fuzzer.c
@@ -0,0 +1,130 @@
+/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib,
+ * see ossfuzz.sh for full license text.
+*/
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <inttypes.h>
+
+#include "miniz.h"
+
+#define CHECK_ERR(err, msg) { \
+    if (err != Z_OK) { \
+        fprintf(stderr, "%s error: %d\n", msg, err); \
+        exit(1); \
+    } \
+}
+
+static const uint8_t *data;
+static size_t dataLen;
+static alloc_func zalloc = NULL;
+static free_func zfree = NULL;
+static unsigned int diff;
+
+/* Test deflate() with large buffers and dynamic change of compression level */
+void test_large_deflate(unsigned char *compr, size_t comprLen,
+                        unsigned char *uncompr, size_t uncomprLen)
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+
+    c_stream.zalloc = zalloc;
+    c_stream.zfree = zfree;
+    c_stream.opaque = NULL;
+
+    err = deflateInit(&c_stream, Z_BEST_COMPRESSION);
+    CHECK_ERR(err, "deflateInit");
+
+    c_stream.next_out = compr;
+    c_stream.avail_out = (unsigned int)comprLen;
+
+    /* At this point, uncompr is still mostly zeroes, so it should compress
+    * very well:
+    */
+    c_stream.next_in = uncompr;
+    c_stream.avail_in = (unsigned int)uncomprLen;
+    err = deflate(&c_stream, Z_NO_FLUSH);
+    CHECK_ERR(err, "deflate large 1");
+
+    if (c_stream.avail_in != 0)
+    {
+        fprintf(stderr, "deflate not greedy\n");
+        exit(1);
+    }
+
+    /* Feed in already compressed data: */
+    c_stream.next_in = compr;
+    diff = (unsigned int)(c_stream.next_out - compr);
+    c_stream.avail_in = diff;
+
+    deflate(&c_stream, Z_NO_FLUSH);
+    err = deflate(&c_stream, Z_FINISH);
+
+    if (err != Z_STREAM_END)
+    {
+        fprintf(stderr, "deflate large should report Z_STREAM_END\n");
+        exit(1);
+    }
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+}
+
+/* Test inflate() with large buffers */
+void test_large_inflate(unsigned char *compr, size_t comprLen,
+                        unsigned char *uncompr, size_t uncomprLen)
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    d_stream.zalloc = zalloc;
+    d_stream.zfree = zfree;
+    d_stream.opaque = NULL;
+
+    d_stream.next_in = compr;
+    d_stream.avail_in = (unsigned int)comprLen;
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    for (;;)
+    {
+        d_stream.next_out = uncompr; /* discard the output */
+        d_stream.avail_out = (unsigned int)uncomprLen;
+        err = inflate(&d_stream, Z_NO_FLUSH);
+        if (err == Z_STREAM_END) break;
+
+        CHECK_ERR(err, "large inflate");
+    }
+
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size)
+{
+    size_t comprLen = 100 + 3 * size;
+    size_t uncomprLen = comprLen;
+    uint8_t *compr, *uncompr;
+
+    /* Discard inputs larger than 512Kb. */
+    static size_t kMaxSize = 512 * 1024;
+
+    if (size < 1 || size > kMaxSize)
+    return 0;
+
+    data = d;
+    dataLen = size;
+    compr = calloc(1, comprLen);
+    uncompr = calloc(1, uncomprLen);
+
+    test_large_deflate(compr, comprLen, uncompr, uncomprLen);
+    test_large_inflate(compr, comprLen, uncompr, uncomprLen);
+
+    free(compr);
+    free(uncompr);
+
+    return 0;
+}
--- a/tests/ossfuzz.sh
+++ b/tests/ossfuzz.sh
@@ -33,3 +33,10 @@ for f in $(find $SRC -name '*_fuzzer.c'); do
    rm -f /tmp/$b.o
    ln -sf $OUT/seed_corpus.zip $OUT/${b}_seed_corpus.zip
 done
+
+
+# Add .zip input file for the zip fuzzer
+rm -f $OUT/zip_fuzzer_seed_corpus.zip
+zip $OUT/zip_fuzzer_seed_corpus.zip $OUT/seed_corpus.zip
+
+cp tests/zip.dict $OUT/zip_fuzzer.dict
--- a/tests/small_fuzzer.c
+++ b/tests/small_fuzzer.c
@@ -0,0 +1,124 @@
+/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib,
+ * see ossfuzz.sh for full license text.
+*/
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <inttypes.h>
+
+#include "miniz.h"
+
+#define CHECK_ERR(err, msg) { \
+    if (err != Z_OK) { \
+        fprintf(stderr, "%s error: %d\n", msg, err); \
+        exit(1); \
+    } \
+}
+
+static const uint8_t *data;
+static size_t dataLen;
+static alloc_func zalloc = NULL;
+static free_func zfree = NULL;
+
+/* Test deflate() with small buffers */
+void test_deflate(unsigned char *compr, size_t comprLen)
+{
+    z_stream c_stream; /* compression stream */
+    int err;
+    unsigned long len = dataLen;
+
+    c_stream.zalloc = zalloc;
+    c_stream.zfree = zfree;
+    c_stream.opaque = NULL;
+
+    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
+    CHECK_ERR(err, "deflateInit");
+
+    c_stream.next_in = (Bytef *)data;
+    c_stream.next_out = compr;
+
+    while (c_stream.total_in != len && c_stream.total_out < comprLen)
+    {
+        c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */
+        err = deflate(&c_stream, Z_NO_FLUSH);
+        CHECK_ERR(err, "deflate small 1");
+    }
+
+    /* Finish the stream, still forcing small buffers: */
+    for (;;)
+    {
+        c_stream.avail_out = 1;
+        err = deflate(&c_stream, Z_FINISH);
+        if (err == Z_STREAM_END)
+            break;
+        CHECK_ERR(err, "deflate small 2");
+    }
+
+    err = deflateEnd(&c_stream);
+    CHECK_ERR(err, "deflateEnd");
+}
+
+/* Test inflate() with small buffers */
+void test_inflate(unsigned char *compr, size_t comprLen, unsigned char *uncompr, size_t uncomprLen)
+{
+    int err;
+    z_stream d_stream; /* decompression stream */
+
+    d_stream.zalloc = zalloc;
+    d_stream.zfree = zfree;
+    d_stream.opaque = NULL;
+
+    d_stream.next_in = compr;
+    d_stream.avail_in = 0;
+    d_stream.next_out = uncompr;
+
+    err = inflateInit(&d_stream);
+    CHECK_ERR(err, "inflateInit");
+
+    while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen)
+    {
+        d_stream.avail_in = d_stream.avail_out = 1; /* force small buffers */
+        err = inflate(&d_stream, Z_NO_FLUSH);
+        if (err == Z_STREAM_END)
+            break;
+        CHECK_ERR(err, "inflate");
+    }
+
+    err = inflateEnd(&d_stream);
+    CHECK_ERR(err, "inflateEnd");
+
+    if (memcmp(uncompr, data, dataLen))
+    {
+        fprintf(stderr, "bad inflate\n");
+        exit(1);
+    }
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size)
+{
+    size_t comprLen = compressBound(size);
+    size_t uncomprLen = size;
+    uint8_t *compr, *uncompr;
+
+    /* Discard inputs larger than 1Mb. */
+    static size_t kMaxSize = 1024 * 1024;
+
+    if (size < 1 || size > kMaxSize)
+    return 0;
+
+    data = d;
+    dataLen = size;
+    compr = calloc(1, comprLen);
+    uncompr = calloc(1, uncomprLen);
+
+    test_deflate(compr, comprLen);
+    test_inflate(compr, comprLen, uncompr, uncomprLen);
+
+    free(compr);
+    free(uncompr);
+
+    return 0;
+}
--- a/tests/uncompress2_fuzzer.c
+++ b/tests/uncompress2_fuzzer.c
@@ -0,0 +1,20 @@
+/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib,
+ * see ossfuzz.sh for full license text.
+*/
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "miniz.h"
+
+static unsigned char buffer[256 * 1024] = { 0 };
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    unsigned long int buffer_length = sizeof(buffer);
+
+    if (Z_OK != uncompress2(buffer, &buffer_length, data, &size)) return 0;
+    
+    return 0;
+}
--- a/tests/uncompress_fuzzer.c
+++ b/tests/uncompress_fuzzer.c
@@ -10,18 +10,21 @@

 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 {
-    unsigned long int buffer_length = 1;
+    unsigned long int buffer_length;
    unsigned char *buffer = NULL;
    int z_status = 0;

-    if (size > 0)
-        buffer_length *= data[0];
-    if (size > 1)
-        buffer_length *= data[1];
+    if(size > 4) return 0;
+
+    uint32_t n;
+    memcpy(&n, data, 4);
+    buffer_length = n;
+
+    if(buffer_length > (1024 * 256)) return 0;

    buffer = (unsigned char *)malloc(buffer_length);

-    z_status = uncompress(buffer, &buffer_length, data, size);
+    z_status = uncompress(buffer, &buffer_length, data + 4, size - 4);
    free(buffer);

    if (Z_OK != z_status)
--- a/tests/zip.dict
+++ b/tests/zip.dict
@@ -0,0 +1,9 @@
+# Fuzzing dictionary for .zip files
+
+header_lfh="\x50\x4b\x03\x04"
+header_cd="\x50\x4b\x01\x02"
+header_eocd="\x50\x4b\x05\x06"
+header_eocd64="\x50\x4b\x06\x06"
+data_descriptor="\x50\x4b\x07\x08"
+extra_data_sig="\x50\x4b\x06\x08"
+digital_sig="\x50\x4b\x05\x05"
--- a/tests/zip_fuzzer.c
+++ b/tests/zip_fuzzer.c
@@ -0,0 +1,58 @@
+#include <stdint.h>
+#include <inttypes.h>
+
+#include "miniz.h"
+
+static char filename[260];
+static unsigned char read_buf[1024 * 256];
+
+static const size_t filename_max = sizeof(filename);
+static const size_t read_buf_size = sizeof(read_buf);
+static const size_t data_max = 1024 * 256;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if(size > data_max) return 0;
+
+    int ret = 0;
+    mz_zip_archive zip;
+    mz_zip_zero_struct(&zip);
+
+    mz_uint flags = 0;
+
+    if(!mz_zip_reader_init_mem(&zip, data, size, flags)) return 0;
+
+    mz_uint i, files;
+
+    files = mz_zip_reader_get_num_files(&zip);
+
+    for(i=0; i < files; i++)
+    {
+        mz_zip_clear_last_error(&zip);
+
+        if(mz_zip_reader_is_file_a_directory(&zip, i)) continue;
+
+        mz_zip_validate_file(&zip, i, MZ_ZIP_FLAG_VALIDATE_HEADERS_ONLY);
+        mz_zip_validate_file(&zip, i, 0);
+
+        if(mz_zip_reader_is_file_encrypted(&zip, i)) continue;
+
+        mz_zip_clear_last_error(&zip);
+
+        mz_uint ret = mz_zip_reader_get_filename(&zip, i, filename, filename_max);
+
+        if(mz_zip_get_last_error(&zip)) continue;
+
+        mz_zip_archive_file_stat file_stat = {0};
+        mz_bool status = mz_zip_reader_file_stat(&zip, i, &file_stat) != 0;
+
+        if ((file_stat.m_method) && (file_stat.m_method != MZ_DEFLATED)) continue;
+
+        mz_zip_reader_extract_file_to_mem(&zip, file_stat.m_filename, read_buf, read_buf_size, 0);
+    }
+
+cleanup:
+    mz_zip_reader_end(&zip);
+
+    return ret;
+}