
Issue 784148


Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 784475




ASSERT: false

Reported by ClusterFuzz (Project Member), Nov 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6442098504237056

Fuzzer: libFuzzer_zlib_deflate_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  false
  _start
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=514044:514045

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6442098504237056

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 1 by ClusterFuzz (Project Member), Nov 12 2017

Labels: Test-Predator-Auto-Owner
Owner: cblume@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/66ca64074454e98829343bb2156b07958570b722 (Add a fuzzer for zlib's deflate function).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by cblume@chromium.org, Nov 12 2017

Cc: mmoroz@chromium.org
Max, how do I use this test case to repro locally?

I am going to randomly guess it is because the input has 0 length (??). But I would like to run the test case locally and confirm the problem / solution.

Comment 3 by mmoroz@chromium.org, Nov 13 2017

One way is to use the reproduce tool (suggested on the CF page https://clusterfuzz.com/v2/testcase-detail/6442098504237056?noredirect=1):

You can reproduce this crash painlessly with our reproduce tool. For Googlers, install the required libraries and run prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6442098504237056. For non-Googlers, see the installation section. Report any issues at clusterfuzz-dev@chromium.org.


Another way is to build and run the fuzzer manually; build instructions are described at: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md (referenced in the issue description)

Then you simply run the fuzzer:
./out/asan_debug/zlib_deflate_fuzzer ./crashy_input


Comment 4 by cblume@chromium.org, Nov 13 2017

Blocking: 784475
The patch for this is here:
https://chromium-review.googlesource.com/#/c/chromium/src/+/766474

Comment 5 by bugdroid1@chromium.org (Project Member), Nov 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0df464cb0780e6cd6ee6e6ad8a1718b5747efc19

commit 0df464cb0780e6cd6ee6e6ad8a1718b5747efc19
Author: Chris Blume <cblume@google.com>
Date: Mon Nov 13 21:14:36 2017

Handle zero-length inputs in zlib_deflate_fuzzer

zlib's deflate requires non-zero length inputs.
As a result, the deflate fuzzer was asserting on the error value
indicating an invalid input when the fuzzer provided a zero-length
input.

This change will exit early when the input is zero-length so it matches
the precondition required for deflate.

BUG= 784148 

Change-Id: I12558bb47c4bc5e5147d07707fe01a0e8feb314b
Reviewed-on: https://chromium-review.googlesource.com/766474
Commit-Queue: Chris Blume <cblume@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516048}
[modify] https://crrev.com/0df464cb0780e6cd6ee6e6ad8a1718b5747efc19/third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc

Comment 6 by cblume@chromium.org, Nov 13 2017

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Nov 14 2017

ClusterFuzz has detected this issue as fixed in range 516022:516067.

Detailed report: https://clusterfuzz.com/testcase?key=6442098504237056

Fuzzer: libFuzzer_zlib_deflate_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  false
  _start
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=514044:514045
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=516022:516067

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6442098504237056

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by mmoroz@chromium.org, Nov 14 2017

It appears that there is another variant of that crash and it's not fixed yet: https://clusterfuzz.com/v2/testcase-detail/6027945947955200

Comment 9 by cblume@chromium.org, Nov 14 2017

That looks like it should go into a separate bug. But I didn't get any notification about a new bug? I can manually create a bug but I'm being told clusterfuzz will do this for me and it isn't recommended to do it manually.

That new issue has a single byte input, 'J'. deflate_set_dictionary()'s documentation is a bit vague about how the input should be formatted. I'll create a patch that doesn't assert (since the input will be mutated) and also make a seed once I figure out what a good format looks like.

Cc: cavalcantii@chromium.org
+cavalcantii@ if he is more familiar with zlib and can help fill my gaps

Oh, I found my mistake. I needed to call deflateInit() before deflateSetDictionary().

Is there a separate bug for this?

Comment 12 by ClusterFuzz (Project Member), Nov 14 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6442098504237056 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 13 by bugdroid1@chromium.org (Project Member), Nov 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e69e4be87ec5639196a20ed99b2b3335f0fdc21e

commit e69e4be87ec5639196a20ed99b2b3335f0fdc21e
Author: Chris Blume <cblume@google.com>
Date: Wed Nov 15 22:43:10 2017

Initialize zlib fuzzer dictionary

A call to deflateSetDictionary() must happen immediately after a call to
deflateInit(). The zlib_deflate_set_dictionary_fuzzer is currently not
calling deflateInit() and thus the stream it wants to use is
uninitialized.

This patch fixes this by initializing the stream.

Bug:  784148 
Change-Id: I0bd726201bdf495fbf66bee9e763ca1baaf57ac6
Reviewed-on: https://chromium-review.googlesource.com/769155
Reviewed-by: Adenilson Cavalcanti <cavalcantii@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516870}
[modify] https://crrev.com/e69e4be87ec5639196a20ed99b2b3335f0fdc21e/third_party/zlib/contrib/tests/fuzzers/deflate_set_dictionary_fuzzer.cc
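The two fixes above (comment 5: exit early on zero-length input; comment 13: initialize the stream before setting the dictionary) come down to one harness rule: satisfy the target's preconditions before asserting on its results. As an added example, not the Chromium fuzzers' own code, here is a Python rendering of both harnesses using Python's zlib module, whose compressobj() plays the role of deflateInit() and takes the preset dictionary at construction time, so the init-before-dictionary order is enforced by the API itself; the sample inputs, the dictionary value and the round-trip check are constructed for this example.

```python
import zlib

# Constructed stand-ins for fuzzer-provided test cases: the empty input behind
# issue 784148, the one-byte 'J' input from the set-dictionary variant, and a
# longer payload.
SAMPLE_INPUTS = [b"", b"J", b"hello deflate " * 32]
SAMPLE_DICT = b"deflate "  # constructed preset dictionary


def deflate_harness(data: bytes) -> bool:
    """Python mirror of the fixed deflate harness (added example).

    Returns True when the input was compressed and verified, False when the
    harness skipped it because it violates a precondition of the target.
    """
    # Comment 5's fix: a zero-length input does not meet deflate's precondition,
    # so exit early instead of asserting on the error value deflate reports.
    if len(data) == 0:
        return False
    comp = zlib.compressobj(level=6)  # deflateInit() equivalent
    compressed = comp.compress(data) + comp.flush(zlib.Z_FINISH)
    # Assert only an invariant the harness can legitimately rely on: round trip.
    assert zlib.decompress(compressed) == data
    return True


def deflate_set_dictionary_harness(data: bytes, dictionary: bytes) -> bool:
    """Python mirror of the fixed set-dictionary harness (added example).

    zlib requires deflateSetDictionary() immediately after deflateInit(); the
    C fuzzer had skipped deflateInit(). compressobj(zdict=...) performs both
    steps in the required order.
    """
    if len(data) == 0:  # same early exit as deflate_harness (assumed here)
        return False
    comp = zlib.compressobj(zdict=dictionary)  # deflateInit() + deflateSetDictionary()
    compressed = comp.compress(data) + comp.flush(zlib.Z_FINISH)
    # The inflate side must be primed with the same dictionary to round-trip.
    decomp = zlib.decompressobj(zdict=dictionary)
    assert decomp.decompress(compressed) + decomp.flush() == data
    return True


def run_samples() -> list:
    """Run every constructed sample through both harnesses."""
    return [(deflate_harness(d), deflate_set_dictionary_harness(d, SAMPLE_DICT))
            for d in SAMPLE_INPUTS]
```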
