All tests should give some portion of data to the producer and use the rest.

diff --git a/tests/fuzz/block_round_trip.c b/tests/fuzz/block_round_trip.c
index 326d5b2474656b6fe2fd6dafc69cdc6a78925cc5..9ead57a5af150c384e283a113763bc603ec9e6f5 100644 (file)
--- a/tests/fuzz/block_round_trip.c
+++ b/tests/fuzz/block_round_trip.c
@@ -52,9 +52,13 @@ static size_t roundTripTest(void *result, size_t resultCapacity,
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
+
     int cLevel = FUZZ_dataProducer_uint32(producer) % kMaxClevel;
-    size = FUZZ_dataProducer_remainingBytes(producer);
 
     size_t neededBufSize = size;
     if (size > ZSTD_BLOCKSIZE_MAX)

diff --git a/tests/fuzz/dictionary_decompress.c b/tests/fuzz/dictionary_decompress.c
index 5f660ac52a5cb231e6d673ee25d3574c246ef04a..54903f1f65e672ca0d20cd39697496254553f752 100644 (file)
--- a/tests/fuzz/dictionary_decompress.c
+++ b/tests/fuzz/dictionary_decompress.c
@@ -24,7 +24,12 @@ static ZSTD_DCtx *dctx = NULL;
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
+
     FUZZ_dict_t dict;
     ZSTD_DDict* ddict = NULL;
     int i;
@@ -43,8 +48,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
                 (ZSTD_dictLoadMethod_e)FUZZ_dataProducer_uint32Range(producer, 0, 1),
                 (ZSTD_dictContentType_e)FUZZ_dataProducer_uint32Range(producer, 0, 2)));
     }
-    /* Run it 10 times over 10 output sizes. Reuse the context and dict. */
-    for (i = 0; i < 10; ++i) {
+
+    {
         size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, 2 * size);
         void* rBuf = malloc(bufSize);
         FUZZ_ASSERT(rBuf);

diff --git a/tests/fuzz/dictionary_round_trip.c b/tests/fuzz/dictionary_round_trip.c
index fe0a217b28d3c11fb2f81a919dfef45cb5eb8c45..cd1ca38f799a0adb20a4d1a3d29a8072496d83f5 100644 (file)
--- a/tests/fuzz/dictionary_round_trip.c
+++ b/tests/fuzz/dictionary_round_trip.c
@@ -68,13 +68,16 @@ static size_t roundTripTest(void *result, size_t resultCapacity,
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
+
     size_t const rBufSize = size;
     void* rBuf = malloc(rBufSize);
     size_t cBufSize = ZSTD_compressBound(size);
-    void* cBuf;
-
-    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
-
+    void *cBuf;
     /* Half of the time fuzz with a 1 byte smaller output size.
      * This will still succeed because we force the checksum to be disabled,
      * giving us 4 bytes of overhead.

diff --git a/tests/fuzz/simple_compress.c b/tests/fuzz/simple_compress.c
index 29de4701f34d549084e8f4fd03fde80d6fbf9ff0..b8c6394cba315e4c6ddc15ec85452e3a231958a9 100644 (file)
--- a/tests/fuzz/simple_compress.c
+++ b/tests/fuzz/simple_compress.c
@@ -24,14 +24,17 @@ static ZSTD_CCtx *cctx = NULL;
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
 
-    int const level = (int)FUZZ_dataProducer_uint32Range(
-                                producer, 0, 19 + 3) - 3; /* [-3, 19] */
     size_t const maxSize = ZSTD_compressBound(size);
     size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, maxSize);
 
-    size = FUZZ_dataProducer_remainingBytes(producer);
+    int const level = (int)FUZZ_dataProducer_uint32Range(
+      producer, 0, 19 + 3) - 3; /* [-3, 19] */
 
     if (!cctx) {
         cctx = ZSTD_createCCtx();

diff --git a/tests/fuzz/simple_decompress.c b/tests/fuzz/simple_decompress.c
index 0ab634fa076a02871378957a18f046dd513f3485..5c7680bf00053d83edfedae08361b66939bf96b3 100644 (file)
--- a/tests/fuzz/simple_decompress.c
+++ b/tests/fuzz/simple_decompress.c
@@ -23,25 +23,25 @@ static ZSTD_DCtx *dctx = NULL;
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
-  FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
+    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
 
-  if (!dctx) {
-      dctx = ZSTD_createDCtx();
-      FUZZ_ASSERT(dctx);
-  }
+    if (!dctx) {
+        dctx = ZSTD_createDCtx();
+        FUZZ_ASSERT(dctx);
+    }
 
-  size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, 10 * size);
-  void *rBuf = malloc(bufSize);
-  FUZZ_ASSERT(rBuf);
+    size_t const bufSize = FUZZ_dataProducer_uint32Range(producer, 0, 10 * size);
+    void *rBuf = malloc(bufSize);
+    FUZZ_ASSERT(rBuf);
 
-  /* Restrict to remaining data. If we run out of data while generating params,
-   we should still continue and let decompression happen on empty data. */
-   size = FUZZ_dataProducer_remainingBytes(producer);
+    ZSTD_decompressDCtx(dctx, rBuf, bufSize, src, size);
+    free(rBuf);
 
-  ZSTD_decompressDCtx(dctx, rBuf, bufSize, src, size);
-  free(rBuf);
-
-  FUZZ_dataProducer_free(producer);
+    FUZZ_dataProducer_free(producer);
 
 #ifndef STATEFUL_FUZZING
     ZSTD_freeDCtx(dctx); dctx = NULL;

diff --git a/tests/fuzz/simple_round_trip.c b/tests/fuzz/simple_round_trip.c
index b88d404f975cfcf788e2bd0bd0c87aef63a5198f..f19e37a35a51942bc0c109403f4bd6d69386ad6b 100644 (file)
--- a/tests/fuzz/simple_round_trip.c
+++ b/tests/fuzz/simple_round_trip.c
@@ -52,12 +52,19 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
     size_t cBufSize = ZSTD_compressBound(size);
     void* cBuf;
 
+    /* Give a random portion of src data to the producer, to use for
+    parameter generation. The rest will be used for (de)compression */
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
+    size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
+    size = FUZZ_dataProducer_contract(producer, producerSliceSize);
+
     /* Half of the time fuzz with a 1 byte smaller output size.
      * This will still succeed because we don't use a dictionary, so the dictID
      * field is empty, giving us 4 bytes of overhead.
      */
     cBufSize -= FUZZ_dataProducer_uint32Range(producer, 0, 1);
+    size = FUZZ_dataProducer_remainingBytes(producer);
+
     cBuf = malloc(cBufSize);
 
     FUZZ_ASSERT(cBuf && rBuf);

diff --git a/tests/fuzz/stream_round_trip.c b/tests/fuzz/stream_round_trip.c
index 4569222f1985a4f0c73652a95d016252312f641b..02bb26daaf4c8450f603f263d9f55aec8751cf59 100644 (file)
--- a/tests/fuzz/stream_round_trip.c
+++ b/tests/fuzz/stream_round_trip.c
@@ -125,15 +125,15 @@ static size_t compress(uint8_t *dst, size_t capacity,
 
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
-    size_t neededBufSize;
-    neededBufSize = ZSTD_compressBound(size) * 5;
-
     /* Give a random portion of src data to the producer, to use for
     parameter generation. The rest will be used for (de)compression */
     FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
     size_t producerSliceSize = FUZZ_dataProducer_uint32Range(producer, 0, size);
     size = FUZZ_dataProducer_contract(producer, producerSliceSize);
 
+    size_t neededBufSize;
+    neededBufSize = ZSTD_compressBound(size) * 5;
+
     /* Allocate all buffers and contexts if not already allocated */
     if (neededBufSize > bufSize) {
         free(cBuf);

diff --git a/tests/fuzz/zstd_frame_info.c b/tests/fuzz/zstd_frame_info.c
index 7512d5f493b4c5222490ef7908e0c49b4585e123..359cf128f5b8563a2e879ac8128716cae3e26b28 100644 (file)
--- a/tests/fuzz/zstd_frame_info.c
+++ b/tests/fuzz/zstd_frame_info.c
@@ -21,10 +21,6 @@
 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 {
     ZSTD_frameHeader zfh;
-    /* Consume the seed to be compatible with the corpora of other decompression
-     * fuzzers.
-     */
-    FUZZ_seed(&src, &size);
     /* You can fuzz any helper functions here that are fast, and take zstd
      * compressed data as input. E.g. don't expect the input to be a dictionary,
      * so don't fuzz ZSTD_getDictID_fromDict().