// Copyright 2015 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <stddef.h> #include <stdint.h> #include <stdlib.h> #include <brotli/decode.h> // Entry point for LibFuzzer. int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { size_t addend = 0; if (size > 0) addend = data[size - 1] & 7; const uint8_t* next_in = data; const int kBufferSize = 1024; uint8_t* buffer = (uint8_t*) malloc(kBufferSize); if (!buffer) { // OOM is out-of-scope here. return 0; } /* The biggest "magic number" in brotli is 16MiB - 16, so no need to check the cases with much longer output. */ const size_t total_out_limit = (addend == 0) ? (1 << 26) : (1 << 24); size_t total_out = 0; BrotliDecoderState* state = BrotliDecoderCreateInstance(0, 0, 0); if (addend == 0) addend = size; /* Test both fast (addend == size) and slow (addend <= 7) decoding paths. */ for (size_t i = 0; i < size;) { size_t next_i = i + addend; if (next_i > size) next_i = size; size_t avail_in = next_i - i; i = next_i; BrotliDecoderResult result = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; while (result == BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT) { size_t avail_out = kBufferSize; uint8_t* next_out = buffer; result = BrotliDecoderDecompressStream( state, &avail_in, &next_in, &avail_out, &next_out, &total_out); if (total_out > total_out_limit) break; } if (total_out > total_out_limit) break; if (result != BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT) break; } BrotliDecoderDestroyInstance(state); free(buffer); return 0; }