From: Lasse Collin
Date: Thu, 3 Apr 2025 11:34:43 +0000 (+0300)
Subject: Tests: Add a fuzzing target for the multithreaded .xz decoder
X-Git-Tag: v5.8.1~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48440e24a25911ae59e8518b67a1e0f6f1c293bf;p=thirdparty%2Fxz.git

Tests: Add a fuzzing target for the multithreaded .xz decoder

It doesn't seem possible to trigger the CVE-2025-31115 bug with this fuzzing target at the moment. It's because the code in fuzz_common.h passes the whole input buffer to lzma_code() at once.
---
diff --git a/tests/ossfuzz/fuzz_decode_stream_mt.c b/tests/ossfuzz/fuzz_decode_stream_mt.c
new file mode 100644
index 00000000..23ea9765
--- /dev/null
+++ b/tests/ossfuzz/fuzz_decode_stream_mt.c
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: 0BSD
+
+///////////////////////////////////////////////////////////////////////////////
+//
+/// \file fuzz_decode_stream_mt.c
+/// \brief Fuzz test program for multithreaded .xz decoding
+//
+// Author: Lasse Collin
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#include
+#include
+#include
+#include "lzma.h"
+#include "fuzz_common.h"
+
+
+extern int
+LLVMFuzzerTestOneInput(const uint8_t *inbuf, size_t inbuf_size)
+{
+ lzma_stream strm = LZMA_STREAM_INIT;
+
+ lzma_mt mt = {
+ .flags = LZMA_CONCATENATED | LZMA_IGNORE_CHECK,
+ .threads = 2,
+ .timeout = 0,
+ .memlimit_threading = MEM_LIMIT / 2,
+ .memlimit_stop = MEM_LIMIT,
+ };
+
+ lzma_ret ret = lzma_stream_decoder_mt(&strm, &mt);
+
+ if (ret != LZMA_OK) {
+ // This should never happen unless the system has
+ // no free memory or address space to allow the small
+ // allocations that the initialization requires.
+ fprintf(stderr, "lzma_stream_decoder_mt() failed (%d)\n", ret);
+ abort();
+ }
+
+ fuzz_code(&strm, inbuf, inbuf_size);
+
+ lzma_end(&strm);
+
+ return 0;
+}
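Review bot: The coverage limitation recorded only in the commit message — fuzz_code() hands the entire buffer to lzma_code() in a single call, which is why this target cannot reach the CVE-2025-31115 bug — is not visible in fuzz_decode_stream_mt.c itself, so a maintainer reading the file would reasonably assume the multithreaded decoder's partial-input paths are exercised. A comment above the `fuzz_code(&strm, inbuf, inbuf_size);` call would keep that caveat next to the code: `// fuzz_code() feeds all of the input in one lzma_code() call, so decoder paths that depend on input arriving in pieces are not covered by this target (see the commit adding it, re CVE-2025-31115).` If a chunked feeding mode is later added to fuzz_common.h, this is presumably the target that most needs it, since the behaviour the commit message describes as unreachable appears to depend on input being split across calls. The `.threads = 2` and `MEM_LIMIT / 2` choices would also benefit from a one-line comment saying why those values were picked; MEM_LIMIT is defined outside this hunk.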