lo/lac
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
lac/fuzz/dict/decode_arbitrary.dict
Kamal Tufekcic 7862cb1d9d
All checks were successful
CI / lint (push) Successful in 5s
Details
CI / fuzz-regression (push) Successful in 14s
Details
CI / build (push) Successful in 4s
Details
CI / test (push) Successful in 6m54s
Details
CI / publish (push) Successful in 8s
Details
initial commit 
Signed-off-by: Kamal Tufekcic <kamal@lo.sh>
2026-04-23 14:58:32 +03:00

65 lines
2.9 KiB
Text
Raw Permalink Blame History

# libFuzzer dictionary for decode_arbitrary.
#
# Without a dictionary, libFuzzer has to discover the 16-bit sync word
# 0x1ACC by chance before any input exercises the decoder beyond the
# first-two-byte reject. Seeding the dict with the sync word plus the
# field-boundary constants cuts the cold-start exploration time from
# hours to seconds. Pass via:
#
# cargo +nightly fuzz run decode_arbitrary -- -dict=dict/decode_arbitrary.dict
#
# Not used by the CI regression path (-runs=0), which only replays the
# persisted corpus; this is purely for guided exploration on fresh
# fuzzing sessions.
# ─── Sync word (big-endian on the wire) ──────────────────────────────
sync_word="\x1a\xcc"
# ─── prediction_order boundary values ────────────────────────────────
# 0 (verbatim), 1 (minimal LPC), 32 (maximum), 33 (first invalid).
order_zero="\x00"
order_one="\x01"
order_max="\x20"
order_invalid="\x21"
# ─── partition_order boundary values ─────────────────────────────────
# Legal range 0..=7; 8 is the first invalid value.
part_zero="\x00"
part_max="\x07"
part_invalid="\x08"
# ─── coefficient_shift boundary values ───────────────────────────────
# Legal range 0..=5; 6 is the first invalid value.
shift_zero="\x00"
shift_max="\x05"
shift_invalid="\x06"
# ─── Rice k boundary values (5-bit field) ────────────────────────────
# Packed MSB-first at the start of each partition's bitstream. Legal
# range 0..=23, so 24..=31 trigger the "invalid k" rejection path.
# These are single-byte convenience entries; the real bit-field lives
# at an arbitrary bit offset inside the rice bitstream and libFuzzer
# will re-align naturally.
rice_k_zero="\x00"
rice_k_max="\x17"
rice_k_invalid="\x18"
# ─── Common frame_sample_count values (u16 BE) ───────────────────────
# Voice-grade (160, 320 @ 16 kHz; 480 @ 48 kHz), full-band (1024, 2048,
# 4096). A prime length (509) forces partition_order = 0.
fsc_160="\x00\xa0"
fsc_320="\x01\x40"
fsc_480="\x01\xe0"
fsc_509="\x01\xfd"
fsc_1024="\x04\x00"
fsc_2048="\x08\x00"
fsc_4096="\x10\x00"
# ─── Minimal-header templates ────────────────────────────────────────
# Full 7-byte headers with common field combinations, so libFuzzer can
# splice them as a unit and probe behaviour past the header check
# without re-deriving a valid prefix.
header_order0_p0_n320="\x1a\xcc\x00\x00\x00\x01\x40"
header_order1_p0_n320="\x1a\xcc\x01\x00\x00\x01\x40"
header_order4_p2_n320="\x1a\xcc\x04\x02\x00\x01\x40"
header_order32_p7_n1024="\x1a\xcc\x20\x07\x00\x04\x00"
Reference in a new issue View git blame Copy permalink