# libFuzzer dictionary for decode_arbitrary. # # Without a dictionary, libFuzzer has to discover the 16-bit sync word # 0x1ACC by chance before any input exercises the decoder beyond the # first-two-byte reject. Seeding the dict with the sync word plus the # field-boundary constants cuts the cold-start exploration time from # hours to seconds. Pass via: # # cargo +nightly fuzz run decode_arbitrary -- -dict=dict/decode_arbitrary.dict # # Not used by the CI regression path (-runs=0), which only replays the # persisted corpus; this is purely for guided exploration on fresh # fuzzing sessions. # ─── Sync word (big-endian on the wire) ────────────────────────────── sync_word="\x1a\xcc" # ─── prediction_order boundary values ──────────────────────────────── # 0 (verbatim), 1 (minimal LPC), 32 (maximum), 33 (first invalid). order_zero="\x00" order_one="\x01" order_max="\x20" order_invalid="\x21" # ─── partition_order boundary values ───────────────────────────────── # Legal range 0..=7; 8 is the first invalid value. part_zero="\x00" part_max="\x07" part_invalid="\x08" # ─── coefficient_shift boundary values ─────────────────────────────── # Legal range 0..=5; 6 is the first invalid value. shift_zero="\x00" shift_max="\x05" shift_invalid="\x06" # ─── Rice k boundary values (5-bit field) ──────────────────────────── # Packed MSB-first at the start of each partition's bitstream. Legal # range 0..=23, so 24..=31 trigger the "invalid k" rejection path. # These are single-byte convenience entries; the real bit-field lives # at an arbitrary bit offset inside the rice bitstream and libFuzzer # will re-align naturally. rice_k_zero="\x00" rice_k_max="\x17" rice_k_invalid="\x18" # ─── Common frame_sample_count values (u16 BE) ─────────────────────── # Voice-grade (160, 320 @ 16 kHz; 480 @ 48 kHz), full-band (1024, 2048, # 4096). A prime length (509) forces partition_order = 0. fsc_160="\x00\xa0" fsc_320="\x01\x40" fsc_480="\x01\xe0" fsc_509="\x01\xfd" fsc_1024="\x04\x00" fsc_2048="\x08\x00" fsc_4096="\x10\x00" # ─── Minimal-header templates ──────────────────────────────────────── # Full 7-byte headers with common field combinations, so libFuzzer can # splice them as a unit and probe behaviour past the header check # without re-deriving a valid prefix. header_order0_p0_n320="\x1a\xcc\x00\x00\x00\x01\x40" header_order1_p0_n320="\x1a\xcc\x01\x00\x00\x01\x40" header_order4_p2_n320="\x1a\xcc\x04\x02\x00\x01\x40" header_order32_p7_n1024="\x1a\xcc\x20\x07\x00\x04\x00"