Compression · C

How to fuzz zlib

zlib is in everything — a single inflate bug surfaces in PNG, HTTP, Git, and thousands more.

zlib's inflate engine is the most widely deployed decompressor in existence, shipped inside PNG, HTTP/gzip, ZIP, Git packfiles, and countless proprietary formats. Its sliding window and Huffman state machine are carefully written, but their correctness under adversarial DEFLATE streams is worth continuous verification.

Common bug classes

  • Heap buffer overflow in inflate sliding-window back-reference
  • Integer overflow in compressed block size declaration
  • Out-of-bounds read in Huffman code-length table decode
  • Infinite loop on pathological stored-block sequence
  • Stack overflow via deeply chained zlib stream wrappers

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer
  • Honggfuzz

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <zlib.h>

/* Cap total output so a decompression bomb (DEFLATE expands up to ~1032:1)
 * does not burn the whole per-input time budget and get reported as a hang. */
#define MAX_OUTPUT (16u << 20)

#ifdef __cplusplus
extern "C"   /* the file is built as C++ (fuzz_target.cc); libFuzzer looks up the C symbol */
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  z_stream strm = {0};
  /* inflateInit2(&strm, 15 + 32) would additionally accept gzip-wrapped input. */
  if (inflateInit(&strm) != Z_OK) return 0;
  strm.next_in  = (Bytef *)data;
  strm.avail_in = (uInt)size;
  uint8_t out[65536];
  size_t total_out = 0;
  int ret;
  do {
    strm.next_out  = out;
    strm.avail_out = sizeof(out);
    /* Z_OK means "call again" (output buffer may be full with more pending);
     * Z_STREAM_END, Z_BUF_ERROR (no progress) and the error codes end the loop. */
    ret = inflate(&strm, Z_NO_FLUSH);
    total_out += sizeof(out) - strm.avail_out;
  } while (ret == Z_OK && total_out < MAX_OUTPUT);
  inflateEnd(&strm);
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
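A small seed-corpus generator, added here as an example (not the page's or zlib's own code): it emits a complete zlib stream around one stored DEFLATE block, with exactly the header FCHECK, LEN/NLEN pair and Adler-32 trailer that inflate validates, plus the shortest fixed-Huffman stream, so the fuzzer starts from inputs that already pass those checks and spends its budget on the block decoders. The "hello" sample and the output filename are constructed; nothing links against zlib.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Adler-32 as used in the zlib trailer (RFC 1950): a = 1 + sum(bytes), b = sum of a. */
static uint32_t adler32_rfc1950(const uint8_t *buf, size_t len) {
  uint32_t a = 1, b = 0;
  for (size_t i = 0; i < len; i++) {
    a = (a + buf[i]) % 65521;
    b = (b + a) % 65521;
  }
  return (b << 16) | a;
}

/* Build a complete zlib stream holding one stored (BTYPE=00) DEFLATE block.
 * Returns the number of bytes written, or 0 if len exceeds the 16-bit stored
 * block limit or out is too small (len + 2 header + 5 block + 4 trailer). */
static size_t zlib_stored_seed(const uint8_t *data, size_t len,
                               uint8_t *out, size_t out_cap) {
  if (len > 65535 || out_cap < len + 11) return 0;
  size_t n = 0;
  out[n++] = 0x78;                     /* CMF: CM=8 (deflate), CINFO=7 (32 KiB window) */
  out[n++] = 0x01;                     /* FLG: FLEVEL=0, no FDICT, FCHECK so 0x7801 % 31 == 0 */
  out[n++] = 0x01;                     /* bit0 BFINAL=1, bits1-2 BTYPE=00, rest is padding */
  out[n++] = (uint8_t)(len & 0xff);    /* LEN, little-endian */
  out[n++] = (uint8_t)(len >> 8);
  out[n++] = (uint8_t)(~len & 0xff);   /* NLEN = one's complement of LEN; inflate rejects a mismatch */
  out[n++] = (uint8_t)((~len >> 8) & 0xff);
  memcpy(out + n, data, len); n += len;
  uint32_t adler = adler32_rfc1950(data, len);                  /* trailer is big-endian */
  out[n++] = (uint8_t)(adler >> 24); out[n++] = (uint8_t)(adler >> 16);
  out[n++] = (uint8_t)(adler >> 8);  out[n++] = (uint8_t)adler;
  return n;
}

/* Shortest valid fixed-Huffman (BTYPE=01) stream: header, one byte holding
 * BFINAL=1, BTYPE=01 and the 7-bit end-of-block code 256, Adler-32 of "" (= 1). */
static const uint8_t kFixedEmptySeed[8] = {0x78, 0x01, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01};

int main(void) {                       /* writes one seed file; the filename is assumed */
  uint8_t seed[64];
  size_t n = zlib_stored_seed((const uint8_t *)"hello", 5, seed, sizeof seed);  /* constructed sample */
  FILE *f = fopen("seed_stored_hello.zlib", "wb");
  return (f && fwrite(seed, 1, n, f) == n && fclose(f) == 0) ? 0 : 1;
}
```

Drop the written file and kFixedEmptySeed into the fuzzer's corpus directory alongside real compressed samples; the constructor also extends to mutated LEN/NLEN values if you want seeds that target the stored-block checks directly.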

Notable CVEs found by fuzzing

  • CVE-2022-37434

Start fuzzing zlib on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.