From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Sat, 3 Dec 2022 22:47:56 +0000 (+1300)
Subject: fuzz: fix lzxpress plain round-trip fuzzer
X-Git-Tag: talloc-2.4.0~206
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7489be7be4d05a75a7d31275654260f84a64c79;p=thirdparty%2Fsamba.git

fuzz: fix lzxpress plain round-trip fuzzer

The 'compressed' string can be about 9/8 the size of the decompressed
string, but we didn't allow enough memory in the fuzz target for that.
Then when it failed, we didn't check.

Credit to OSSFuzz.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/lib/fuzzing/fuzz_lzxpress_round_trip.c b/lib/fuzzing/fuzz_lzxpress_round_trip.c
index a6173bb68c9..ac38368527e 100644
--- a/lib/fuzzing/fuzz_lzxpress_round_trip.c
+++ b/lib/fuzzing/fuzz_lzxpress_round_trip.c
@@ -27,7 +27,7 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 
 int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 {
-	static uint8_t compressed[1024 * 1024] = {0};
+	static uint8_t compressed[1024 * 1280] = {0};
 	static uint8_t decompressed[1024 * 1024] = {0};
 	ssize_t compressed_size;
 	ssize_t decompressed_size;
@@ -38,6 +38,9 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 
 	compressed_size = lzxpress_compress(buf, len,
 					    compressed, sizeof(compressed));
+	if (compressed_size < 0) {
+		abort();
+	}
 
 	decompressed_size = lzxpress_decompress(compressed, compressed_size,
 						decompressed, sizeof(decompressed));