
[zlib] Fix minigzip_fuzzer: compression level never varies from default #15099

Open
OwenSanzas wants to merge 1 commit into google:master from OwenSanzas:fix-zlib-minigzip-compression-level

@OwenSanzas

Summary

minigzip_fuzzer.c encodes the compression level as a raw integer (0x00–0x09) instead of an ASCII digit ('0'–'9'). Since gzopen() parses the mode string looking for characters in the range '0'–'9' (0x30–0x39), control characters 0x00–0x09 never match, and the compression level always falls back to Z_DEFAULT_COMPRESSION (level 6). The fuzzer's intent to test all 10 compression levels is completely defeated.

Bug (line 468):

```c
outmode[2] = data[0] % 10;    // produces 0x00–0x09, not '0'–'9'
```

Fix:

```c
outmode[2] = '0' + data[0] % 10;
```

In zlib's gz_open(), the level is parsed as:

```c
while (*plevel) {
    if (*plevel >= '0' && *plevel <= '9') {
        level = *plevel - '0';
        break;
    }
    plevel++;
}
```

Since 0x00–0x09 don't satisfy >= '0' (0x30), the loop never matches.

Also fixes two resource leaks on error paths:

  • file_compress(): FILE *in leaked when gzopen() fails
  • file_uncompress(): gzFile in leaked when fopen() fails

Evidence

Coverage comparison (ASan, 60-second runs from seed corpus):

| Metric | Original | Fixed | Change |
|---|---|---|---|
| INITED edges (same seed corpus) | 815 | 866 | +6.3% (+51 edges) |
| Final edges (after 60s) | 870 | 968 | +11.3% (+98 edges) |

The fixed version reaches 51 more edges just from replaying the same seed corpus, because different compression levels exercise different code paths in zlib's deflate implementation.
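The mismatch described in the summary can be reproduced without linking zlib. This is an added example, not code from the PR or from zlib: `parse_level()` copies the digit scan quoted above, while the `"wb"` mode prefix, `DEFAULT_LEVEL` (standing in for `Z_DEFAULT_COMPRESSION`) and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_LEVEL (-1)  /* assumption: stands in for Z_DEFAULT_COMPRESSION */

/* Same digit scan as the gz_open() loop quoted in the PR description. */
static int parse_level(const char *plevel) {
    int level = DEFAULT_LEVEL;
    while (*plevel) {
        if (*plevel >= '0' && *plevel <= '9') {
            level = *plevel - '0';
            break;
        }
        plevel++;
    }
    return level;
}

/* Build the mode string from one fuzz byte and parse it back.
 * fixed == 0: raw integer, as in the original harness line.
 * fixed != 0: ASCII digit, as in the proposed fix.
 * The "wb" prefix is an assumption for this sketch. */
static int mode_level(unsigned char byte, int fixed) {
    char mode[4];
    memcpy(mode, "wb", 2);
    mode[2] = fixed ? (char)('0' + byte % 10) : (char)(byte % 10);
    mode[3] = '\0';
    return parse_level(mode);
}

/* Number of distinct explicit levels reachable over all 256 first-byte values. */
static int levels_reached(int fixed) {
    int seen[10] = {0}, distinct = 0;
    for (int b = 0; b < 256; b++) {
        int level = mode_level((unsigned char)b, fixed);
        if (level != DEFAULT_LEVEL && !seen[level]++)
            distinct++;
    }
    return distinct;
}

int main(void) {
    printf("original harness: %d explicit levels reachable\n", levels_reached(0));
    printf("fixed harness:    %d explicit levels reachable\n", levels_reached(1));
    return 0;
}
```

A harness can guard against this class of mistake by asserting that the level byte written into the mode string is an ASCII digit before calling `gzopen()`.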

… leaks

The compression level is encoded as a raw integer (0x00-0x09) instead
of an ASCII digit ('0'-'9'), so gzopen() always falls back to the
default compression level 6. Levels 0-5 and 7-9 are never tested.

Fix: outmode[2] = '0' + data[0] % 10;

Also fix two resource leaks:
- file_compress(): close FILE *in when gzopen() fails
- file_uncompress(): close gzFile in when fopen() fails

Coverage improvement (ASan, 60s runs):
- INITED edges: 815 -> 866 (+6.3%)
- Final edges:  870 -> 968 (+11.3%)
@github-actions

github-actions bot commented Mar 6, 2026

OwenSanzas is a new contributor to projects/zlib. The PR must be approved by known contributors before it can be merged. The past contributors are: hunsche, evverx, serge-sans-paille, vitaliset, fanquake, conNULL, hkctkuy, jvoisin, inferno-chromium, cvediver, Dor1s, gcp1304 (unverified), ProgramMax (unverified), sebpop (unverified)
