
How to fuzz p7zip

7-Zip's Linux port processes dozens of formats — each format reader is a distinct bug surface.

p7zip is the Unix port of 7-Zip and is used by many Linux archive managers and package tools. Its C++ codebase handles 7z, ZIP, RAR, ISO, CAB, and more with minimal memory-safety abstractions, and its LZMA and BCJ2 branch-converter stages are particularly dense with pointer arithmetic.

Common bug classes

  • Heap buffer overflow in LZMA2 properties block initialization
  • Integer overflow in 7z solid block combined sizes
  • Out-of-bounds read in BCJ2 branch converter lookup table
  • Use-after-free in multi-stream archive error unwind
  • Null dereference on missing 7z header signature

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
/* This scaffold drives libarchive's own 7-Zip reader; libarchive does not
   call into p7zip. It gets a libFuzzer target compiling and running quickly,
   and the same shape carries over once you link p7zip's reader instead. */
#include <archive.h>
#include <archive_entry.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  struct archive *a = archive_read_new();
  if (a == NULL)
    return 0;
  archive_read_support_format_7zip(a);   /* only the 7z container format */
  archive_read_support_filter_none(a);   /* no outer compression layer */
  if (archive_read_open_memory(a, data, size) == ARCHIVE_OK) {
    struct archive_entry *entry;
    /* Walk every entry so header parsing and the per-entry paths all run */
    while (archive_read_next_header(a, &entry) == ARCHIVE_OK)
      archive_read_data_skip(a);
  }
  archive_read_free(a);   /* always release, even if open failed */
  return 0;
}

Save this as fuzz_target.cc, build with your compiler and sanitizer flags, and you have a working starting point. Keep in mind that this scaffold exercises libarchive's own 7-Zip reader, not p7zip; to reach the p7zip code paths listed above, link the target against p7zip's sources and call its reader directly.
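The bug classes listed above are what a reader hits when it trusts header fields before checking them. As an added example (not p7zip's code and not the scaffold above), this C++ snippet validates the 32-byte 7z signature header with overflow-safe bounds checks and builds a constructed minimal archive you can drop into a seed corpus. The field layout is the public 7z format (signature, version, StartHeaderCRC, NextHeaderOffset, NextHeaderSize, NextHeaderCRC); the two-byte kHeader/kEnd seed body is my assumption of the smallest header a reader accepts.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// 7z files open with this 6-byte magic; the 32-byte signature header follows it.
static const uint8_t k7zSignature[6] = {'7', 'z', 0xBC, 0xAF, 0x27, 0x1C};

// Plain reflected CRC-32 (IEEE), the checksum 7z uses for both header CRCs.
static uint32_t Crc32(const uint8_t *p, size_t n) {
  uint32_t crc = 0xFFFFFFFFu;
  for (size_t i = 0; i < n; i++) {
    crc ^= p[i];
    for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
  }
  return ~crc;
}
static uint64_t Le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint32_t Le32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void PutLe32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

enum SigStatus { kSigOk, kTruncated, kBadSignature, kBadStartCrc, kNextHeaderOutOfRange, kBadNextHeaderCrc };

// Validates the signature header and the NextHeader it points to without ever
// reading past `size`. Each addend is checked against the remaining length
// before it is used, so a huge NextHeaderSize cannot wrap the sum.
SigStatus CheckSignatureHeader(const uint8_t *data, size_t size) {
  if (size < 32) return kTruncated;
  if (memcmp(data, k7zSignature, 6) != 0) return kBadSignature;
  if (Crc32(data + 12, 20) != Le32(data + 8)) return kBadStartCrc;     // StartHeaderCRC covers bytes 12..31
  uint64_t off = Le64(data + 12), len = Le64(data + 20);               // NextHeaderOffset, NextHeaderSize
  size_t avail = size - 32;                                            // bytes after the signature header
  if (off > avail || len > avail - off) return kNextHeaderOutOfRange;  // subtract, never add
  if (len != 0 && Crc32(data + 32 + off, (size_t)len) != Le32(data + 28)) return kBadNextHeaderCrc;
  return kSigOk;
}

// Constructed seed: a NextHeader of {kHeader, kEnd}, i.e. an empty archive (assumed minimal form).
std::vector<uint8_t> BuildSeedArchive() {
  const uint8_t next[2] = {0x01, 0x00};
  std::vector<uint8_t> out(34, 0);
  memcpy(&out[0], k7zSignature, 6);
  out[7] = 4;                                // format version 0.4; NextHeaderOffset stays 0
  out[20] = 2;                               // NextHeaderSize = 2 (little-endian uint64)
  PutLe32(&out[28], Crc32(next, 2));         // NextHeaderCRC
  PutLe32(&out[8], Crc32(&out[12], 20));     // StartHeaderCRC last, it covers bytes 12..31
  memcpy(&out[32], next, 2);
  return out;
}
```

Mutating the seed's offset and size fields is a quick way to confirm a reader rejects a wrapped offset+size sum instead of indexing with it.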

Start fuzzing p7zip on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.