Compression · C++
How to fuzz Snappy
Google's speed-first compressor — used in LevelDB, Cassandra, and Hadoop.
Snappy's design trades compression ratio for decode speed, minimising safety checks. Its variable-length integer encoding for literal and copy lengths can produce values that overflow the output buffer when the decompressed-size header is forged, affecting databases and distributed systems that trust Snappy's framing.
Common bug classes
- Heap buffer overflow in copy operation with crafted offset+length
- Integer overflow in varint literal-length accumulation
- Out-of-bounds read in incremental decompressor look-back
- Assertion failure on declared decompressed size mismatch
- Integer wraparound in framing-format chunk size field
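The checks a decoder has to enforce against the bug classes above, as an added reference decoder for Snappy's raw (unframed) block format; this is not code from the Snappy project, and CheckedSnappyDecode, ReadLE and the 1 MiB output cap are this example's own choices:

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Little-endian read of n bytes at in[pos]; the caller has bounds-checked.
static uint64_t ReadLE(const std::vector<uint8_t>& in, size_t pos, size_t n) {
  uint64_t v = 0;
  for (size_t i = 0; i < n; i++) v |= static_cast<uint64_t>(in[pos + i]) << (8 * i);
  return v;
}
// Decode one raw Snappy block into *out, rejecting a forged or oversized preamble,
// a literal running past the input or declared size, and a copy looking back
// before the start of the output. Returns false on any malformed input.
bool CheckedSnappyDecode(const std::vector<uint8_t>& in, std::string* out,
                         size_t max_out = 1 << 20) {
  size_t pos = 0;
  uint64_t declared = 0;
  for (int shift = 0;; shift += 7) {  // preamble varint, at most 5 bytes
    if (pos >= in.size() || shift > 28) return false;
    uint8_t b = in[pos++];
    declared |= static_cast<uint64_t>(b & 0x7f) << shift;
    if (!(b & 0x80)) break;
  }
  if (declared > max_out) return false;  // cap against decompression bombs
  out->clear();
  while (pos < in.size()) {
    uint8_t tag = in[pos++];
    uint64_t len, off;
    if ((tag & 3) == 0) {  // literal; tag values 60..63 mean 1..4 length bytes
      len = (tag >> 2) + 1;
      if (len > 60) {
        size_t n = len - 60;
        if (n > in.size() - pos) return false;
        len = ReadLE(in, pos, n) + 1;  // a 32-bit accumulator could wrap here
        pos += n;
      }
      if (len > in.size() - pos || len > declared - out->size()) return false;
      out->append(reinterpret_cast<const char*>(&in[pos]), len);
      pos += len;
    } else {  // copy: type 1 has 1 offset byte (+3 tag bits), types 2/3 have 2/4
      bool one = (tag & 3) == 1;
      size_t n = 1u << ((tag & 3) - 1);
      if (n > in.size() - pos) return false;
      len = one ? 4 + ((tag >> 2) & 7) : (tag >> 2) + 1;
      off = ReadLE(in, pos, n) | (one ? static_cast<uint64_t>(tag >> 5) << 8 : 0);
      pos += n;
      // The look-back must stay inside bytes already produced; overlap is legal.
      if (off == 0 || off > out->size() || len > declared - out->size()) return false;
      for (uint64_t i = 0; i < len; i++) out->push_back((*out)[out->size() - off]);
    }
  }
  return out->size() == declared;
}
```

Feeding the same constructed inputs to the real snappy::Uncompress under ASan is the quickest way to confirm which of these rejections the library shares.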
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
#include <stdint.h>
#include <stddef.h>
#include <string>
#include <snappy.h>
#include <snappy-sinksource.h>
/* Sink that appends to a std::string; the Source/Sink API needs one. */
class StringSink : public snappy::Sink {
 public:
  void Append(const char *bytes, size_t n) override { out_.append(bytes, n); }
 private:
  std::string out_;
};
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  const char *buf = reinterpret_cast<const char *>(data);
  /* Skip inputs whose preamble declares a huge output: self-crafted decompression bombs waste time and hide real memory-safety bugs. */
  size_t declared = 0;
  if (!snappy::GetUncompressedLength(buf, size, &declared) || declared > 1 << 20) return 0;
  std::string output;
  snappy::Uncompress(buf, size, &output); /* return value ignored: rejecting bad input is expected */
  /* The C++ library decodes only the raw block format (no framing); also drive its Source/Sink decoder, which stops at the first bad byte instead of rejecting the buffer. */
  snappy::ByteArraySource source(buf, size);
  StringSink sink;
  snappy::UncompressAsMuchAsPossible(&source, &sink);
  return 0;
}
Save this as fuzz_target.cc, build it with your compiler's libFuzzer and sanitizer flags, link against libsnappy, and you have a working starting point.