Compression · C

How to fuzz Brotli

Chrome ships brotli for HTTPS compression — a decode bug reaches every web user.

Brotli is mandatory in modern browsers for HTTP/2 and is the only compression format supported by WOFF2 fonts. Its prefix-code and context-modelling decoders involve complex bitstream reads; an adversarially crafted HTTP response or font file reaches the decoder on every page load.

Common bug classes

  • Heap buffer overflow in prefix-code table decode lookahead
  • Integer overflow in meta-block length declaration
  • Out-of-bounds read in context-map postfix/NPOSTFIX computation
  • Infinite loop on malformed empty meta-block sequence
  • Null dereference on missing distance alphabet in sparse mode
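To make concrete what the fuzzer is mutating in those bitstream reads, here is an added example (not code from this page or from the brotli project) of a bounds-checked parser for the first fields of a Brotli stream as RFC 7932 lays them out: WBITS, then the meta-block header whose MLEN field is the "meta-block length declaration" named above. The byte sequence kSample is constructed for the example, not taken from a real file.

```c
#include <stdint.h>
#include <stddef.h>
/* LSB-first bit reader that refuses to read past the end of the buffer. */
typedef struct { const uint8_t *p; size_t len; size_t pos; } BitReader;
static int take_bits(BitReader *br, unsigned n, uint32_t *out) {
  uint32_t v = 0;
  for (unsigned i = 0; i < n; i++) {
    size_t bit = br->pos + i;
    if (bit / 8 >= br->len) return -1;                  /* truncated stream */
    v |= (uint32_t)((br->p[bit / 8] >> (bit % 8)) & 1u) << i;
  }
  br->pos += n; *out = v;
  return 0;
}
/* WBITS, RFC 7932 section 9.1: returns 10..24, or 0 for truncated/reserved codes. */
int brotli_window_bits(BitReader *br) {
  uint32_t n;
  if (take_bits(br, 1, &n)) return 0;
  if (n == 0) return 16;
  if (take_bits(br, 3, &n)) return 0;
  if (n != 0) return 17 + (int)n;
  if (take_bits(br, 3, &n) || n == 1) return 0;       /* n == 1 is reserved */
  return n ? 8 + (int)n : 17;
}
typedef struct { int is_last, is_last_empty, is_metadata, is_uncompressed; uint32_t mlen; } MetaHeader;
/* Meta-block header, RFC 7932 section 9.2. Returns 0 on success, -1 on truncation or
 * on a 5/6-nibble MLEN whose top nibble is zero, which the format forbids. */
int brotli_meta_header(BitReader *br, MetaHeader *h) {
  uint32_t n;
  h->is_last = h->is_last_empty = h->is_metadata = h->is_uncompressed = 0; h->mlen = 0;
  if (take_bits(br, 1, &n)) return -1;
  h->is_last = (int)n;
  if (h->is_last) {
    if (take_bits(br, 1, &n)) return -1;
    if (n) { h->is_last_empty = 1; return 0; }        /* ISLASTEMPTY: stream ends */
  }
  if (take_bits(br, 2, &n)) return -1;
  if (n == 3) { h->is_metadata = 1; return 0; }       /* metadata block: own header */
  unsigned nibbles = 4 + n;
  if (take_bits(br, nibbles * 4, &n)) return -1;
  if (nibbles > 4 && (n >> (nibbles * 4 - 4)) == 0) return -1;
  h->mlen = n + 1;                                     /* at most 1 << 24: no overflow */
  if (!h->is_last && take_bits(br, 1, &n)) return -1;  /* ISUNCOMPRESSED */
  h->is_uncompressed = h->is_last ? 0 : (int)n;
  return 0;
}
/* Constructed sample: WBITS=22, ISLAST=1, ISLASTEMPTY=0, MNIBBLES=4, MLEN=4096. */
static const uint8_t kSample[] = { 0x1B, 0xFF, 0x0F };
```

Feeding the parser a stream cut to one byte, or a 5-nibble length with an all-zero top nibble, returns -1 instead of reading past the buffer; those are exactly the inputs a mutator produces first.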

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer
  • Centipede

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <brotli/decode.h>

// libFuzzer resolves this entry point by its unmangled name, so when the
// file is compiled as C++ (fuzz_target.cc) it must have C linkage.
#ifdef __cplusplus
extern "C"
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // One-shot decode into a bounded scratch buffer: 1 MiB, or 4x the input
  // for larger inputs. BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT only means
  // the buffer filled up; the sanitizer, not the return value, reports bugs.
  size_t decoded_size = size < 1024 * 1024 ? 1024 * 1024 : size * 4;
  uint8_t *out = malloc(decoded_size);
  if (!out) return 0;
  BrotliDecoderDecompress(size, data, &decoded_size, out);
  free(out);
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.

Start fuzzing Brotli on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.