From c4c3109e11d2f5d19ba303f420d44dc9846711ce Mon Sep 17 00:00:00 2001
From: Alexander Nasonov
Date: Sat, 30 Jan 2016 15:10:20 +0000
Subject: [PATCH 1/2] Add smaz_fuzz.c for fuzzing.

---
 smaz_fuzz.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 smaz_fuzz.c

diff --git a/smaz_fuzz.c b/smaz_fuzz.c
new file mode 100644
index 0000000..716773a
--- /dev/null
+++ b/smaz_fuzz.c
@@ -0,0 +1,48 @@
+/*
+ * Read fuzzed input from mmaped file and compress/uncompress it.
+ * First byte of the file is input's len.
+ *
+ * afl-gcc -O2 smaz_fuzz.c smaz.c
+ */
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+#include "smaz.h"
+
+int main(int argc, char *argv[])
+{
+ const size_t pagesz = 4096;
+ const int prot = PROT_READ|PROT_WRITE;
+ const int flags = MAP_FILE|MAP_PRIVATE;
+ char *buf, *in, *out;
+ unsigned int inlen, outlen, compressed, decompressed;
+ int fd;
+
+ fd = open(argv[1], O_RDONLY);
+ buf = mmap(NULL, 2 * pagesz, prot, flags, fd, 0);
+ close(fd);
+
+ in = buf + 1;
+ inlen = *((const uint8_t *)buf);
+ out = buf + 1 + inlen;
+ outlen = pagesz - inlen - 1;
+
+#if 0 /* Valid inputs. */
+ compressed = smaz_compress(in, inlen, out, outlen);
+ assert(compressed <= outlen);
+ decompressed = smaz_decompress(out, compressed, in, inlen);
+ assert(decompressed == inlen);
+#else /* Malicious inputs. */
+ decompressed = smaz_decompress(in, inlen, out, outlen);
+ assert(decompressed <= outlen + 1);
+#endif
+
+ return EXIT_SUCCESS;
+}

From 2ce43d10480090f4fe9c1fb090be5a1e8f7bcb1c Mon Sep 17 00:00:00 2001
From: Alexander Nasonov
Date: Sat, 30 Jan 2016 15:15:51 +0000
Subject: [PATCH 2/2] Don't map two pages, one is enough.

---
 smaz_fuzz.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/smaz_fuzz.c b/smaz_fuzz.c
index 716773a..8127c57 100644
--- a/smaz_fuzz.c
+++ b/smaz_fuzz.c
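Review bot: Neither the `open()` nor the `mmap()` result is checked before `buf` is dereferenced at `inlen = *((const uint8_t *)buf);`, so a missing argv[1] or an unreadable input makes the harness itself fault on `MAP_FAILED`, which the fuzzer then files as a crash in the code under test rather than a harness error. A guard such as `if (argc < 2 || (fd = open(argv[1], O_RDONLY)) < 0) return EXIT_FAILURE;` followed by `if (buf == MAP_FAILED) return EXIT_FAILURE;` after the mmap keeps the two apart; the same applies to the mmap line rewritten in the second patch. A zero-length input is a related case: the mapping succeeds but the page lies entirely past end-of-file, so the first read of `buf` typically faults, and an `fstat()` size check (rejecting `st_size == 0`) before that read would close it. The `+ 1` slack in `assert(decompressed <= outlen + 1)` is not explained anywhere on the page; if `smaz_decompress` can legitimately report one byte more than the buffer it was given, a comment stating that contract on the assert would save the next reader from treating it as an off-by-one.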
@@ -2,7 +2,7 @@
 * Read fuzzed input from mmaped file and compress/uncompress it.
 * First byte of the file is input's len.
 *
- * afl-gcc -O2 smaz_fuzz.c smaz.c
+ * afl-gcc -O2 -g smaz_fuzz.c smaz.c
 */
 
 #include
@@ -26,7 +26,7 @@ int main(int argc, char *argv[])
 int fd;
 
 fd = open(argv[1], O_RDONLY);
- buf = mmap(NULL, 2 * pagesz, prot, flags, fd, 0);
+ buf = mmap(NULL, pagesz, prot, flags, fd, 0);
 close(fd);
 
 in = buf + 1;
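Review bot: Shrinking the mapping to `pagesz` is correct only because `inlen` is read from a single byte, so `out + outlen` lands exactly on `buf + pagesz` and the decompressor's write bound ends on the mapping boundary, but the hunk records none of that; a later change to the length prefix or to the `outlen` arithmetic would run the output pointer off the mapping with nothing at the mmap call to warn about it. A comment on the new line such as `/* one page is enough: inlen <= 255, so out + outlen == buf + pagesz */` would pin the invariant where the size is chosen. The unchecked `open()`/`mmap()` results on the surrounding context lines are covered in the note on the first patch. main() continues outside the hunk.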