Fuzz zstd decompression
Component: Core :: Fuzzing (task, P2)
Reporter: jesup, Unassigned
Blocks 1 open bug
zstd content-encoding will need fuzzing. Should be moderately straightforward. We'll use a separate bug for zstd compression.
Comment 1 • 2 months ago (reporter, jesup)
After discussion with decoder, he suggested I detail external testing done on zstd and our usage:
We're using the API in a very simple way:
ZSTD_createDStream()
ZSTD_freeDStream(stream)
ZSTD_DCtx_setParameter(mDStream, ZSTD_d_windowLogMax, 23 /* 8*1024*1024 */);
The windowLogMax setting is to comply with the RFC guidance; this is the same setting chrome uses: https://github.com/chromium/chromium/commit/25ee82ad28727052ff51df211736ee619ffee6d8
ZSTD_decompressStream()
ZSTD_isError()
These are the same APIs used in Chrome, in the same way.
Existing testing outside of firefox:
Fuzzing and testing within the project: https://github.com/facebook/zstd/blob/dev/tests/fuzz/README.md
OSS-Fuzz (example find from 2019): https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14368
Chrome, from their Intent to Experiment/Ship: "However, this is mitigated by the extensive fuzzing and security analysis done on zstd by Google and other community members." - while I can't see what they're doing internally, this and other statements imply fuzzing.
Meta/facebook uses this extensively; see this posting from 2018: https://engineering.fb.com/2018/12/19/core-infra/zstandard/
They test extensively.
decoder indicated he was ok with landing the code without internal Mozilla fuzzing, and asked that I document the above and NI Freddy.
This code runs in content processes.
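The call sequence above hinges on one value: `ZSTD_d_windowLogMax` = 23 caps the history buffer the decoder will allocate for a frame, and the frame header is where that requested size comes from, so it is attacker-controlled data that must be bounded before anything is allocated. As an added example (not code from this bug, from Firefox, or from libzstd), the following Python parses a zstd frame header per RFC 8878, derives the window size the way the spec defines it, applies the same 8 MiB limit, and runs a small deterministic mutation sweep over hand-constructed headers to show the property a fuzz harness for this code should assert: the parser answers "ok" or "rejected" and never dies with an unexpected exception. Every sample header is constructed here, and `FrameError`, `check_window`, `classify` and `mutation_sweep` are names of this example, not libzstd's.

```python
"""Added example: RFC 8878 frame-header parsing with an 8 MiB window limit,
mirroring what libzstd enforces when ZSTD_d_windowLogMax is set to 23.
Not code from the bug, Firefox, or libzstd; all inputs are constructed."""
import random
import struct

ZSTD_MAGIC = 0xFD2FB528          # little-endian on the wire: 28 B5 2F FD
WINDOW_LOG_MAX = 23              # same value as the comment above: 2**23 = 8 MiB


class FrameError(ValueError):
    """Malformed, truncated, or over-limit frame header (example-local)."""


def parse_frame_header(data: bytes) -> dict:
    """Decode a zstd frame header (RFC 8878 section 3.1.1) up to the first block.

    Returns the fields a decoder needs before allocating anything, most
    importantly window_size, which the frame itself dictates."""
    if len(data) < 5:
        raise FrameError("truncated: need magic + Frame_Header_Descriptor")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != ZSTD_MAGIC:
        raise FrameError(f"bad magic 0x{magic:08x}")
    fhd = data[4]
    if fhd & 0x08:
        raise FrameError("reserved bit set in Frame_Header_Descriptor")
    fcs_flag = fhd >> 6                # Frame_Content_Size_flag
    single_segment = bool(fhd & 0x20)  # Single_Segment_flag
    checksum = bool(fhd & 0x04)        # Content_Checksum_flag
    dict_id_size = (0, 1, 2, 4)[fhd & 0x03]
    pos = 5

    window_size = None
    if not single_segment:
        # Window_Descriptor: exponent in the top 5 bits, mantissa in the low 3.
        if len(data) < pos + 1:
            raise FrameError("truncated: missing Window_Descriptor")
        exponent, mantissa = data[pos] >> 3, data[pos] & 0x07
        window_base = 1 << (10 + exponent)
        window_size = window_base + (window_base // 8) * mantissa
        pos += 1

    pos += dict_id_size                # Dictionary_ID value is irrelevant to the size check
    fcs_size = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]
    if len(data) < pos + fcs_size:
        raise FrameError("truncated: missing Dictionary_ID or Frame_Content_Size")
    content_size = None
    if fcs_size:
        content_size = int.from_bytes(data[pos:pos + fcs_size], "little")
        if fcs_size == 2:
            content_size += 256        # the 2-byte form is stored with a 256 offset
    pos += fcs_size
    if single_segment:
        window_size = content_size     # no Window_Descriptor: window == content size

    return {"window_size": window_size, "content_size": content_size,
            "single_segment": single_segment, "checksum": checksum, "header_len": pos}


def check_window(data: bytes, window_log_max: int = WINDOW_LOG_MAX) -> int:
    """Same decision libzstd makes under ZSTD_d_windowLogMax: accept the frame
    only if its window fits in 2**window_log_max bytes; return the window size."""
    window_size = parse_frame_header(data)["window_size"]
    if window_size > (1 << window_log_max):
        raise FrameError(f"window {window_size} exceeds {1 << window_log_max}")
    return window_size


def make_header(exponent: int, mantissa: int = 0) -> bytes:
    """Constructed header: magic, FHD=0x00 (no FCS, no dict), Window_Descriptor."""
    return struct.pack("<I", ZSTD_MAGIC) + bytes([0x00, (exponent << 3) | mantissa])


def make_single_segment(content_size: int) -> bytes:
    """Constructed header: Single_Segment flag with a 4-byte Frame_Content_Size."""
    fhd = (2 << 6) | 0x20              # FCS flag 2 (4-byte field) + Single_Segment
    return struct.pack("<I", ZSTD_MAGIC) + bytes([fhd]) + struct.pack("<I", content_size)


def classify(data: bytes) -> str:
    """Harness oracle: any input must end as 'ok' or 'rejected'. Anything else
    escaping (IndexError, struct.error, ...) is a parser bug worth a report."""
    try:
        check_window(data)
        return "ok"
    except FrameError:
        return "rejected"


def mutation_sweep(rounds: int, seed: int = 1) -> int:
    """Tiny deterministic mutation fuzzer over the constructed corpus. Returns
    the number of inputs processed; an unexpected exception propagates out."""
    rng = random.Random(seed)
    corpus = [make_header(13), make_single_segment(4096), make_header(12, 3)]
    for _ in range(rounds):
        buf = bytearray(rng.choice(corpus))
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        if rng.random() < 0.2:
            buf = buf[:rng.randrange(len(buf) + 1)]   # also exercise truncation
        classify(bytes(buf))
    return rounds


if __name__ == "__main__":
    print("8 MiB window:", classify(make_header(13)))        # ok (exactly at the limit)
    print("16 MiB window:", classify(make_header(14)))       # rejected
    print("single-segment 16 MiB:", classify(make_single_segment(1 << 24)))  # rejected
    print("mutated inputs processed:", mutation_sweep(500))
```

A frame whose Window_Descriptor encodes exactly 2**23 is accepted while any larger window (including the single-segment form, where the content size doubles as the window) is rejected before memory is committed; that boundary is the first thing a harness for the real decoder should pin with a corpus entry on each side of it.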
Comment 2 • 2 months ago
Yes, this can land without fuzzing (and yes, this should be fuzzed).
I'm not removing the "blocks" relationship for the bugs to get a clear direction & connection between these initiatives, but this fuzz bug should not block zstd from happening :)