
test(fuzz): seed varint decode corpus (FCV-19.b) #4757

Merged: oferchen merged 1 commit into master from test/fcv-19b-varint-seeds on May 23, 2026

@oferchen
Owner

Summary

Add 24 libfuzzer seed files for the varint_decode fuzz target so the
corpus exercises every wire-format boundary class of the upstream
read_varint / read_varlong codec instead of relying on libFuzzer to
synthesise them from the single pre-existing seed_basic blob.

Coverage matrix:

  • 1-byte forms (0xxxxxxx): 0x00, 0x01, 0x7F boundary
  • 2-byte continuation (10xxxxxx + 1): values 1, 128, and the 16383 boundary
  • 3-byte form (110xxxxx + 2): 16384 and the 2097151 boundary
  • 4-byte form (1110xxxx + 3): 2097152 and the 268435455 boundary
  • 5-byte form (11110xxx + 4): 268435456, i32::MAX, and the all-ones (-1) payload (largest legal read_varint form)
  • varlong-only leading tags 0xF8/0xFC/0xFE filled to 7-byte and 9-byte payloads, hitting the upstream sizeof u.b == 9 ceiling
  • Continuation-bit overflow: leading 0xFF with full 10-byte payload that trips read_varlong's overflow guard, plus a 16-byte run of 0xFF for the pathological streaming case
  • Truncation mid-field: one byte short of valid completion at each of the 2/3/4/5-byte length classes
  • Empty input and 16-byte all-zero input

Test plan

  • CI lint/fmt jobs pass (corpus files are binary blobs, no code touched)
  • Fuzz harness still builds (cargo +nightly fuzz build varint_decode covered by existing CI if wired)
  • Future libFuzzer runs pick up the new corpus entries from fuzz/corpus/varint_decode/
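
The boundary classes in the coverage matrix, worked through a small decoder. This is an added example, not code from the pull request or the project: `decode_varint` and `VarintError` are hypothetical names, the byte order (extra bytes little-endian, leftover leading-byte bits on top) is assumed from upstream rsync's `read_varint`, and the inputs are constructed here rather than copied from the seed files. It covers `read_varint` only, not `read_varlong`.

```rust
// Added example: decoder for the read_varint wire layout, assumed from the
// coverage matrix and upstream rsync; not the project's own implementation.
#[derive(Debug, PartialEq)]
enum VarintError {
    Truncated, // input ended before the field was complete
    Overflow,  // leading tag requests more than the 4 extra bytes an i32 allows
}

/// Decode one varint from the front of `buf`, returning (value, bytes consumed).
fn decode_varint(buf: &[u8]) -> Result<(i32, usize), VarintError> {
    let lead = *buf.first().ok_or(VarintError::Truncated)?;
    // The run of one-bits at the top of the leading byte is the extra-byte count.
    let extra = lead.leading_ones() as usize;
    if extra > 4 {
        return Err(VarintError::Overflow); // 0xF8..=0xFF: varlong-only tags
    }
    let payload = buf.get(1..1 + extra).ok_or(VarintError::Truncated)?;
    // Extra bytes are the low-order bytes (little-endian); the bits left in the
    // leading byte sit above them. In the 5-byte form they fall outside the i32.
    let mut le = [0u8; 8];
    le[..extra].copy_from_slice(payload);
    le[extra] = lead & (0xFFu8 >> (extra + 1));
    Ok((u64::from_le_bytes(le) as u32 as i32, 1 + extra))
}

fn main() {
    // Constructed inputs, one per class in the coverage matrix (not the PR's files).
    let seeds: [&[u8]; 6] = [
        &[0x7F],                         // 1-byte maximum
        &[0xBF, 0xFF],                   // 2-byte boundary, 16383
        &[0xF0, 0xFF, 0xFF, 0xFF, 0xFF], // 5-byte all-ones payload, -1
        &[0xDF, 0xFF],                   // 3-byte form, one byte short
        &[0xFF; 16],                     // continuation-bit pathology
        &[],                             // empty input
    ];
    for s in seeds.iter() {
        println!("{:02x?} -> {:?}", s, decode_varint(s));
    }
}
```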

@github-actions github-actions Bot added the test label May 22, 2026
@oferchen oferchen force-pushed the test/fcv-19b-varint-seeds branch from 0e659af to 6adbdd7 Compare May 22, 2026 21:15
@oferchen oferchen mentioned this pull request May 22, 2026
2 tasks
@oferchen oferchen force-pushed the test/fcv-19b-varint-seeds branch 6 times, most recently from 09dd391 to f070773 Compare May 22, 2026 23:10
Add 24 libfuzzer seed files covering the upstream rsync varint and
varlong wire-format boundary classes:

- 1-byte forms: zero, one, and the 0x7F maximum
- 2-byte continuation forms: low, mid, and 16383 boundary
- 3/4/5-byte forms at each prefix-byte boundary, including i32 max
- varlong-only leading tags 0xF8/0xFC/0xFE up to the 9-byte limit
- 0xFF overflow leading tag that trips read_varlong's sizeof(u.b) guard
- Continuation-bit pathology: 16 bytes of 0xFF
- Truncation mid-field at each length class (2/3/4/5-byte forms)
- Empty input and 16-byte all-zero input
@oferchen oferchen force-pushed the test/fcv-19b-varint-seeds branch from f070773 to 9337ea9 Compare May 23, 2026 00:00
@oferchen oferchen merged commit e541c05 into master May 23, 2026
43 of 45 checks passed