initial commit

Signed-off-by: Kamal Tufekcic <kamal@lo.sh>
2026-04-23 14:58:32 +03:00 · 2026-04-23 14:58:32 +03:00 · 7862cb1d9d
commit 7862cb1d9d
2884 changed files with 16797 additions and 0 deletions
--- a/fuzz/dict/decode_arbitrary.dict
+++ b/fuzz/dict/decode_arbitrary.dict
@ -0,0 +1,65 @@
+# libFuzzer dictionary for decode_arbitrary.
+#
+# Without a dictionary, libFuzzer has to discover the 16-bit sync word
+# 0x1ACC by chance before any input exercises the decoder beyond the
+# first-two-byte reject. Seeding the dict with the sync word plus the
+# field-boundary constants cuts the cold-start exploration time from
+# hours to seconds. Pass via:
+#
+#     cargo +nightly fuzz run decode_arbitrary -- -dict=dict/decode_arbitrary.dict
+#
+# Not used by the CI regression path (-runs=0), which only replays the
+# persisted corpus; this is purely for guided exploration on fresh
+# fuzzing sessions.
+
+# ─── Sync word (big-endian on the wire) ──────────────────────────────
+sync_word="\x1a\xcc"
+
+# ─── prediction_order boundary values ────────────────────────────────
+# 0 (verbatim), 1 (minimal LPC), 32 (maximum), 33 (first invalid).
+order_zero="\x00"
+order_one="\x01"
+order_max="\x20"
+order_invalid="\x21"
+
+# ─── partition_order boundary values ─────────────────────────────────
+# Legal range 0..=7; 8 is the first invalid value.
+part_zero="\x00"
+part_max="\x07"
+part_invalid="\x08"
+
+# ─── coefficient_shift boundary values ───────────────────────────────
+# Legal range 0..=5; 6 is the first invalid value.
+shift_zero="\x00"
+shift_max="\x05"
+shift_invalid="\x06"
+
+# ─── Rice k boundary values (5-bit field) ────────────────────────────
+# Packed MSB-first at the start of each partition's bitstream. Legal
+# range 0..=23, so 24..=31 trigger the "invalid k" rejection path.
+# These are single-byte convenience entries; the real bit-field lives
+# at an arbitrary bit offset inside the rice bitstream and libFuzzer
+# will re-align naturally.
+rice_k_zero="\x00"
+rice_k_max="\x17"
+rice_k_invalid="\x18"
+
+# ─── Common frame_sample_count values (u16 BE) ───────────────────────
+# Voice-grade (160, 320 @ 16 kHz; 480 @ 48 kHz), full-band (1024, 2048,
+# 4096). A prime length (509) forces partition_order = 0.
+fsc_160="\x00\xa0"
+fsc_320="\x01\x40"
+fsc_480="\x01\xe0"
+fsc_509="\x01\xfd"
+fsc_1024="\x04\x00"
+fsc_2048="\x08\x00"
+fsc_4096="\x10\x00"
+
+# ─── Minimal-header templates ────────────────────────────────────────
+# Full 7-byte headers with common field combinations, so libFuzzer can
+# splice them as a unit and probe behaviour past the header check
+# without re-deriving a valid prefix.
+header_order0_p0_n320="\x1a\xcc\x00\x00\x00\x01\x40"
+header_order1_p0_n320="\x1a\xcc\x01\x00\x00\x01\x40"
+header_order4_p2_n320="\x1a\xcc\x04\x02\x00\x01\x40"
+header_order32_p7_n1024="\x1a\xcc\x20\x07\x00\x04\x00"
--- a/fuzz/dict/roundtrip_arbitrary.dict
+++ b/fuzz/dict/roundtrip_arbitrary.dict
@ -0,0 +1,42 @@
+# libFuzzer dictionary for roundtrip_arbitrary.
+#
+# roundtrip_arbitrary reads little-endian i32 chunks as PCM samples.
+# The interesting values are the boundary magnitudes the codec has
+# explicit handling for: zero, ±1 (sign-flip test), the 8/16/20/24-bit
+# ceilings, and the full 24-bit contract limits. Seeding these as
+# 4-byte LE words lets libFuzzer splice them directly into sample
+# positions without having to discover the bit patterns by luck.
+#
+# Pass via:
+#
+#     cargo +nightly fuzz run roundtrip_arbitrary -- -dict=dict/roundtrip_arbitrary.dict
+
+# ─── Zero and unit samples ──────────────────────────────────────────
+sample_zero="\x00\x00\x00\x00"
+sample_pos_one="\x01\x00\x00\x00"
+sample_neg_one="\xff\xff\xff\xff"
+
+# ─── 8-bit PCM ceilings ──────────────────────────────────────────────
+sample_pos_127="\x7f\x00\x00\x00"
+sample_neg_128="\x80\xff\xff\xff"
+
+# ─── 16-bit PCM ceilings ─────────────────────────────────────────────
+sample_pos_32767="\xff\x7f\x00\x00"
+sample_neg_32768="\x00\x80\xff\xff"
+
+# ─── 20-bit ceilings (studio-mastered material) ──────────────────────
+sample_pos_524287="\xff\xff\x07\x00"
+sample_neg_524288="\x00\x00\xf8\xff"
+
+# ─── 24-bit ceilings — LAC's contract limit ─────────────────────────
+# |sample| ≤ 2^23 − 1. Values at exactly +8388607 and −8388607 exercise
+# the autocorrelation accumulator's worst case.
+sample_pos_8388607="\xff\xff\x7f\x00"
+sample_neg_8388607="\x01\x00\x80\xff"
+
+# ─── Out-of-contract values (clamped by the fuzz target) ─────────────
+# Included so libFuzzer has the bit patterns handy if the encoder's
+# magnitude guard ever regresses; the clamp in the harness keeps these
+# from reaching encode_frame in steady state.
+sample_i32_max="\xff\xff\xff\x7f"
+sample_i32_min="\x00\x00\x00\x80"