Panic during transform inside fuse-fuzzer #40
Description
When running cargo run --bin harness -- zlib fuse-fuzzer I hit a panic during transformation of one of the generated programs:
fail to extract from "/root/promptfuzz/output/zlib/work/transform_check/id_000073/id_000073.transform.cc"
, /root/promptfuzz/output/zlib/work/transform_check/id_000073/id_000073.transform.cc:46:17: error: cannot initialize a variable of type 'const Bytef *' (aka 'const unsigned char *') with an lvalue of type 'const char *'
46 | const Bytef * fuzzer_var_crc32_7_1 = fuzz_char_array_1;
| ^ ~~~~~~~~~~~~~~~~~
1 error generated.
thread 'main' panicked at src/bin/harness.rs:399:78:
called `Result::unwrap()` on an `Err` value: Concurrent transform failed!
Location:
src/execution/mod.rs:536:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
id_000073.cc
#include <zlib.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <vector>
#include <fstream>
#include <iostream>
#include <sstream>
//<ID> 564
//<Prompt> []
/*<Combination>: [
*/
//<score> 16, nr_unique_branch: 1
//<Quality> {"density":8,"unique_branches":{"gzfread":[[400,12,400,15,0,0,4,1]]},"library_calls":["gzdopen","gzsetparams","gzfread","gzgets","gzdopen","gzputc","gzclose","crc32","crc32_z","inflateInit_","zlibVersion","deflateBound","inflate","inflateCopy","inflateEnd","inflateEnd","inflateBackEnd","gzclose"],"critical_calls":["gzdopen","gzsetparams","gzfread","gzgets","gzdopen","gzputc","gzclose","crc32","crc32_z","inflateInit_","zlibVersion","deflateBound","inflate","inflateCopy","inflateEnd","inflateEnd","inflateBackEnd","gzclose"],"visited":0}
/*Let's walk through how to achieve an event with the provided zlib APIs:
### Event Description:
The event that can be achieved with these APIs is:
**"Read zlib-compressed data from memory as if from a file, interact and modify parameters of the decompression stream, extract some lines of text and bytes, compute checksums with `crc32`/`crc32_z`, use streaming inflate APIs, and handle resource cleanup."**
Here's the breakdown and mapping of each API to steps:
1. Use `fmemopen` to treat the fuzz input as a file.
2. Use `gzdopen` to open this file descriptor as a gzipped stream for reading.
3. Use `gzsetparams` to adjust decompression parameters.
4. Use `gzfread` and `gzgets` to read data.
5. Use `gzputc` to write some data (here, to a real file, "output_file").
6. Use `crc32`/`crc32_z` to compute checksums on the read data.
7. Use inflate streaming API (create/init/inflate/copy/end).
8. Use `deflateBound` to estimate output buffer size.
9. Use `gzclose` to close the file.
10. Clean up all resources.
Below is the C++ fuzz driver, with all resource management and required API usage:
*/
// Fuzzer entry point
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size == 0) return 0;
// 1. Open the input data as a memory file
FILE *in_file = fmemopen((void *)data, size, "rb");
if (!in_file) return 0;
// 2. Open with gzdopen for zlib reading
int fd = fileno(in_file);
gzFile gz_in = gzdopen(fd, "rb");
if (!gz_in) {
fclose(in_file);
return 0;
}
// 3. Adjust parameters (level/strategy) to random but valid values
int level = (data[0] % 10) - 1; // [-1, 8]
int strategy = data[0] % 4; // [0, 3]
gzsetparams(gz_in, level, strategy);
// 4. Read some bytes with gzfread
char byte_buf[128] = {0};
size_t to_read = (size > 0) ? (size % sizeof(byte_buf)) : 0;
gzfread(byte_buf, 1, to_read, gz_in);
// 5. Try to read a line with gzgets
char line_buf[64] = {0};
gzgets(gz_in, line_buf, sizeof(line_buf)-1);
// 6. Open output file to test gzputc (write a char)
FILE *out_file = fopen("output_file", "wb");
if (out_file) {
int out_fd = fileno(out_file);
gzFile gz_out = gzdopen(out_fd, "wb");
if (gz_out) {
for (int i = 0; i < 4 && i < (int)size; ++i) {
gzputc(gz_out, data[i]);
}
gzclose(gz_out); // closes out_file too
} else {
fclose(out_file);
}
}
// 7. Compute CRC on what we read
uLong crc1 = crc32(0L, (Bytef *)byte_buf, (uInt)to_read);
uLong crc2 = crc32_z(crc1, (Bytef *)line_buf, strlen(line_buf));
// 8. Use inflate API on the data (simulate streaming decompression)
z_stream strm1;
memset(&strm1, 0, sizeof(strm1));
inflateInit_(&strm1, zlibVersion(), sizeof(z_stream));
strm1.next_in = (Bytef *)data;
strm1.avail_in = (uInt)size;
// Allocate output
uLong bound = deflateBound(&strm1, (uLong)size);
Bytef *outbuf = new Bytef[bound + 32];
strm1.next_out = outbuf;
strm1.avail_out = (uInt)bound+32;
// Inflate
inflate(&strm1, Z_NO_FLUSH);
// 9. Copy the inflate stream (test inflateCopy)
z_stream strm2;
memset(&strm2, 0, sizeof(strm2));
inflateCopy(&strm2, &strm1);
// 10. End/clean up inflate
inflateEnd(&strm1);
inflateEnd(&strm2);
// 11. Try inflateBackEnd (no formal inits, API coverage)
inflateBackEnd(&strm2);
// 12. Close all resources
gzclose(gz_in); // also closes in_file
delete[] outbuf;
// suppress unused
(void)crc2;
return 0;
}id_000073.transform.cc
#include "FuzzedDataProvider.h"
#include <zlib.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <vector>
#include <fstream>
#include <iostream>
#include <sstream>
//<ID> 564
//<Prompt> []
/*<Combination>: [
*/
//<score> 16, nr_unique_branch: 1
//<Quality> {"density":8,"unique_branches":{"gzfread":[[400,12,400,15,0,0,4,1]]},"library_calls":["gzdopen","gzsetparams","gzfread","gzgets","gzdopen","gzputc","gzclose","crc32","crc32_z","inflateInit_","zlibVersion","deflateBound","inflate","inflateCopy","inflateEnd","inflateEnd","inflateBackEnd","gzclose"],"critical_calls":["gzdopen","gzsetparams","gzfread","gzgets","gzdopen","gzputc","gzclose","crc32","crc32_z","inflateInit_","zlibVersion","deflateBound","inflate","inflateCopy","inflateEnd","inflateEnd","inflateBackEnd","gzclose"],"visited":0}
/*Let's walk through how to achieve an event with the provided zlib APIs:
### Event Description:
The event that can be achieved with these APIs is:
**"Read zlib-compressed data from memory as if from a file, interact and modify parameters of the decompression stream, extract some lines of text and bytes, compute checksums with `crc32`/`crc32_z`, use streaming inflate APIs, and handle resource cleanup."**
Here's the breakdown and mapping of each API to steps:
1. Use `fmemopen` to treat the fuzz input as a file.
2. Use `gzdopen` to open this file descriptor as a gzipped stream for reading.
3. Use `gzsetparams` to adjust decompression parameters.
4. Use `gzfread` and `gzgets` to read data.
5. Use `gzputc` to write some data (here, to a real file, "output_file").
6. Use `crc32`/`crc32_z` to compute checksums on the read data.
7. Use inflate streaming API (create/init/inflate/copy/end).
8. Use `deflateBound` to estimate output buffer size.
9. Use `gzclose` to close the file.
10. Clean up all resources.
Below is the C++ fuzz driver, with all resource management and required API usage:
*/
// Fuzzer entry point
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* f_data, size_t f_size) {
//fuzzer vars shim {
FuzzedDataProvider fdp(f_data, f_size);
FDPConsumeRawBytes(const uint8_t *, data, size, fdp)
FDPConsumeCharArray(char, fuzz_char_array_1, fuzz_char_array_size_1, fdp);
const Bytef * fuzzer_var_crc32_7_1 = fuzz_char_array_1;
uInt fuzzer_size_crc32_7_1 = static_cast<uInt>(fuzz_char_array_size_1);//fuzzer shim end}
if (size == 0) return 0;
// 1. Open the input data as a memory file
FILE *in_file = fmemopen((void *)data, size, "rb");
if (!in_file) return 0;
// 2. Open with gzdopen for zlib reading
int fd = fileno(in_file);
gzFile gz_in = gzdopen(fd, "rb");
if (!gz_in) {
fclose(in_file);
return 0;
}
// 3. Adjust parameters (level/strategy) to random but valid values
int level = (data[0] % 10) - 1; // [-1, 8]
int strategy = data[0] % 4; // [0, 3]
gzsetparams(gz_in, level, strategy);
// 4. Read some bytes with gzfread
char byte_buf[128] = {0};
size_t to_read = (size > 0) ? (size % sizeof(byte_buf)) : 0;
gzfread(byte_buf, 1, to_read, gz_in);
// 5. Try to read a line with gzgets
char line_buf[64] = {0};
gzgets(gz_in, line_buf, sizeof(line_buf)-1);
// 6. Open output file to test gzputc (write a char)
FILE *out_file = fopen("output_file", "wb");
if (out_file) {
int out_fd = fileno(out_file);
gzFile gz_out = gzdopen(out_fd, "wb");
if (gz_out) {
for (int i = 0; i < 4 && i < (int)size; ++i) {
gzputc(gz_out, data[i]);
}
gzclose(gz_out); // closes out_file too
} else {
fclose(out_file);
}
}
// 7. Compute CRC on what we read
uLong crc1 = crc32(0L, fuzzer_var_crc32_7_1, fuzzer_size_crc32_7_1);
uLong crc2 = crc32_z(crc1, (Bytef *)line_buf, strlen(line_buf));
// 8. Use inflate API on the data (simulate streaming decompression)
z_stream strm1;
memset(&strm1, 0, sizeof(strm1));
inflateInit_(&strm1, zlibVersion(), sizeof(z_stream));
strm1.next_in = (Bytef *)data;
strm1.avail_in = (uInt)size;
// Allocate output
uLong bound = deflateBound(&strm1, (uLong)size);
Bytef *outbuf = new Bytef[bound + 32];
strm1.next_out = outbuf;
strm1.avail_out = (uInt)bound+32;
// Inflate
inflate(&strm1, Z_NO_FLUSH);
// 9. Copy the inflate stream (test inflateCopy)
z_stream strm2;
memset(&strm2, 0, sizeof(strm2));
inflateCopy(&strm2, &strm1);
// 10. End/clean up inflate
inflateEnd(&strm1);
inflateEnd(&strm2);
// 11. Try inflateBackEnd (no formal inits, API coverage)
inflateBackEnd(&strm2);
// 12. Close all resources
gzclose(gz_in); // also closes in_file
delete[] outbuf;
// suppress unused
(void)crc2;
return 0;
}