From d055f7d17b89a355cb0b4f15cb9f70f9d2382b3c Mon Sep 17 00:00:00 2001 From: Mike Jensen Date: Wed, 27 Nov 2024 11:44:19 -0700 Subject: [PATCH] Add fuzz testing that was used to find previous fixes This fuzz testing and seed corpus helped validate for protocol flaws in decoding TDF's. This testing is time consuming, and Jazzer sometimes has some weird IO blocking behavior that is not actually indicative of a flaw. For that reason this is not part of CI, and instead is run through `fuzz.sh` when needed. --- sdk/fuzz.sh | 11 ++ sdk/pom.xml | 124 +++++++++++++++++- .../java/io/opentdf/platform/sdk/Fuzzing.java | 69 ++++++++++ .../io/opentdf/platform/sdk/NanoTDFTest.java | 2 +- .../opentdf/platform/sdk/ZipReaderTest.java | 38 ++++-- .../sdk/FuzzingInputs/fuzzNanoTDF/sample.ntdf | Bin 0 -> 361 bytes .../fuzzTDF/crash-InvalidManifest-1 | Bin 0 -> 2017 bytes .../fuzzTDF/crash-InvalidManifest-2 | Bin 0 -> 2017 bytes .../fuzzTDF/crash-InvalidManifest-3 | Bin 0 -> 2017 bytes .../fuzzTDF/crash-InvalidManifest-4 | Bin 0 -> 2017 bytes .../crash-InvalidManifest-NullKeyAccessObj | Bin 0 -> 2017 bytes .../fuzzTDF/crash-InvalidManifest-NullSegment | Bin 0 -> 2017 bytes .../sdk/FuzzingInputs/fuzzTDF/sample.tdf | Bin 0 -> 2017 bytes .../fuzzZipRead/crash-NullSignature | Bin 0 -> 1371 bytes ...h-f39ad8416aef7cf275f84683aaa0efd15f24272a | Bin 0 -> 99 bytes .../FuzzingInputs/fuzzZipRead/sample.txt.tdf | Bin 0 -> 1754 bytes 16 files changed, 230 insertions(+), 14 deletions(-) create mode 100755 sdk/fuzz.sh create mode 100644 sdk/src/test/java/io/opentdf/platform/sdk/Fuzzing.java create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzNanoTDF/sample.ntdf create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-1 create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-2 create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-3 create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-4 create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullKeyAccessObj create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullSegment create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/sample.tdf create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/crash-NullSignature create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/crash-f39ad8416aef7cf275f84683aaa0efd15f24272a create mode 100644 sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/sample.txt.tdf diff --git a/sdk/fuzz.sh b/sdk/fuzz.sh new file mode 100755 index 00000000..88a803ae --- /dev/null +++ b/sdk/fuzz.sh @@ -0,0 +1,11 @@ +#!/bin/bash +set -e + +tests=("fuzzNanoTDF", "fuzzTDF", "fuzzZipRead") +base_seed_dir="src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/" + +for test in "${tests[@]}"; do + seed_dir="${base_seed_dir}${test}" + echo "Running $test fuzzing with seeds from $seed_dir" + mvn verify -P fuzz -Djazzer.testDir=$seed_dir +done diff --git a/sdk/pom.xml b/sdk/pom.xml index 678c78b0..6685f513 100644 --- a/sdk/pom.xml +++ b/sdk/pom.xml @@ -9,6 +9,10 @@ 0.7.5 jar + + 0.22.1 + https://github.com/CodeIntelligenceTesting/jazzer/releases/download/v${jazzer.version} + @@ -121,6 +125,18 @@ 4.13.2 test + + com.code-intelligence + jazzer-api + ${jazzer.version} + test + + + com.code-intelligence + jazzer-junit + ${jazzer.version} + test + org.apache.commons commons-compress @@ -307,4 +323,110 @@ - \ No newline at end of file + + + + fuzz + + false + + + true + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 3.1.0 + + + download-and-unpack-jazzer + process-test-classes + + + + + + + + + + + + + + + + + + + run + + + + + + + + org.apache.maven.plugins + maven-dependency-plugin + 3.4.0 + + + copy-dependencies + process-test-classes + + copy-dependencies + + + ${project.build.directory}/dependency-jars + test + + + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 3.1.0 + + + run-jazzer-fuzzing + verify + + + + + + + + + + + + + + + + + + + + + + + + run + + + + + + + + + diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/Fuzzing.java b/sdk/src/test/java/io/opentdf/platform/sdk/Fuzzing.java new file mode 100644 index 00000000..776a107e --- /dev/null +++ b/sdk/src/test/java/io/opentdf/platform/sdk/Fuzzing.java @@ -0,0 +1,69 @@ +package io.opentdf.platform.sdk; + +import java.io.IOException; +import java.io.OutputStream; +import java.nio.ByteBuffer; +import java.security.NoSuchAlgorithmException; +import java.text.ParseException; + +import org.apache.commons.codec.DecoderException; +import org.apache.commons.compress.utils.SeekableInMemoryByteChannel; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import com.code_intelligence.jazzer.junit.FuzzTest; +import com.google.gson.JsonParseException; +import com.nimbusds.jose.JOSEException; + +import io.opentdf.platform.sdk.TDF.FailedToCreateGMAC; +import io.opentdf.platform.sdk.TDF.Reader; + +public class Fuzzing { + private static final String testDuration = "600s"; + private static final OutputStream ignoreOutputStream = new OutputStream() { + @Override + public void write(int b) { + // ignored + } + + @Override + public void write(byte b[], int off, int len) { + // ignored + } + }; + + @FuzzTest(maxDuration=testDuration) + public void fuzzNanoTDF(FuzzedDataProvider data) throws IOException { + byte[] fuzzBytes = data.consumeRemainingAsBytes(); + NanoTDF nanoTDF = new NanoTDF(); + nanoTDF.readNanoTDF(ByteBuffer.wrap(fuzzBytes), ignoreOutputStream, NanoTDFTest.kas); + } + + @FuzzTest(maxDuration=testDuration) + public void fuzzTDF(FuzzedDataProvider data) throws FailedToCreateGMAC, NoSuchAlgorithmException, IOException, JOSEException, ParseException, DecoderException { + byte[] fuzzBytes = data.consumeRemainingAsBytes(); + byte[] key = new byte[32]; // use consistent zero key for performance and so fuzz can relate to seed + var assertionVerificationKeys = new Config.AssertionVerificationKeys(); + assertionVerificationKeys.defaultKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.HS256, key); + Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig( + Config.withAssertionVerificationKeys(assertionVerificationKeys)); + TDF tdf = new TDF(); + + try { + Reader reader = tdf.loadTDF(new SeekableInMemoryByteChannel(fuzzBytes), TDFTest.kas, readerConfig); + + reader.readPayload(ignoreOutputStream); + } catch (SDKException | InvalidZipException | JsonParseException | IOException | IllegalArgumentException e) { + // expected failure cases + } + } + + @FuzzTest(maxDuration=testDuration) + public void fuzzZipRead(FuzzedDataProvider data) { + byte[] fuzzBytes = data.consumeRemainingAsBytes(); + try { + ZipReaderTest.testReadingZipChannel(new SeekableInMemoryByteChannel(fuzzBytes), false); + } catch (InvalidZipException | IllegalArgumentException | JsonParseException | IOException e) { + // cases which are expected with invalid fuzzed inputs + } + } +} diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java index 87bae33b..cd4c056d 100644 --- a/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java +++ b/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java @@ -37,7 +37,7 @@ public class NanoTDFTest { private static final String KID = "r1"; - private static SDK.KAS kas = new SDK.KAS() { + protected static SDK.KAS kas = new SDK.KAS() { @Override public void close() throws Exception { } diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/ZipReaderTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/ZipReaderTest.java index 5c47710c..29769b2b 100644 --- a/sdk/src/test/java/io/opentdf/platform/sdk/ZipReaderTest.java +++ b/sdk/src/test/java/io/opentdf/platform/sdk/ZipReaderTest.java @@ -12,9 +12,13 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; +import java.io.File; import java.io.IOException; import java.io.RandomAccessFile; +import java.nio.channels.SeekableByteChannel; import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; import java.util.HashMap; import java.util.Map; import java.util.Random; @@ -32,21 +36,31 @@ public class ZipReaderTest { public void testReadingExistingZip() throws Exception { try (RandomAccessFile raf = new RandomAccessFile("src/test/resources/sample.txt.tdf", "r")) { var fileChannel = raf.getChannel(); - var zipReader = new ZipReader(fileChannel); - var entries = zipReader.getEntries(); + ZipReaderTest.testReadingZipChannel(fileChannel, true); + } + } + + protected static void testReadingZipChannel(SeekableByteChannel fileChannel, boolean test) throws IOException { + var zipReader = new ZipReader(fileChannel); + var entries = zipReader.getEntries(); + if (test) { assertThat(entries.size()).isEqualTo(2); - for (var entry: entries) { - var stream = new ByteArrayOutputStream(); - if (entry.getName().endsWith(".json")) { - entry.getData().transferTo(stream); - var data = stream.toString(StandardCharsets.UTF_8); - var gson = new GsonBuilder() - .registerTypeAdapter(Manifest.class, new ManifestDeserializer()) - .create(); - var map = gson.fromJson(data, Map.class); - + } + for (var entry: entries) { + var stream = new ByteArrayOutputStream(); + if (entry.getName().endsWith(".json")) { + entry.getData().transferTo(stream); + var data = stream.toString(StandardCharsets.UTF_8); + var gson = new GsonBuilder() + .registerTypeAdapter(Manifest.class, new ManifestDeserializer()) + .create(); + var map = gson.fromJson(data, Map.class); + + if (test) { assertThat(map.get("encryptionInformation")).isNotNull(); } + } else if (!test) { + entry.getData().transferTo(stream); // still invoke getData logic } } } diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzNanoTDF/sample.ntdf b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzNanoTDF/sample.ntdf new file mode 100644 index 0000000000000000000000000000000000000000..7dd6dcbbb707ad930cfd8ac55f7c0e161df50c1a GIT binary patch literal 361 zcmV-v0hazuF-#E?VQ^_KWq4t2aBO8RV{dIQYhiP8F#rJq0S6vI?zpV-5A$o9H~hf> z5o5XkqDq=e5VP{lU_k`b@%q&1b&H|C`^^;qA@Zi}e!KLw)!YoehT+CBHGGG1UUe~n zSvv{ViMOExD^~BBlG(zv<-h4*CkILl)c>a*u#}LR^Xt{L?j_ZQMBO4o z)vl|6ccp}%F}}ZZR#}d4;LKH3a!&GhdH7X<>*u-7u0i{vv`*sh;W69If?W?SNq4*t zVT>)8y#Yqx=83kN5M+PM<`NAOOz9pgWt6#yP5# z0UU4s5$q$M6k!OYDH8*-haxv3wlfWW)*p38SE!kvyEwgJ?E&6C;9uMXzFO-c^8)w& zFoDm%b3rbh=(T-e6!3)V7w#;Fzhk!KTD9FpE{gyF7v$mPUYH8j2dV*CFAn)_Q!y-g H4Rd`h994Bd;xS8qn+CvX2SKE<<9=0=+0}=?mK(fFR(8&SAN-SC)g0(PoGW`m@ zrXMIDC6^xh5!zh@vc_$8M%v~7+TZ`R|M}#bZ!ej%GluzOd@>la{wde@z9?)F={O9D#3r!tLky0W6c<@&LkR3pYD}f`@ z?Pg`8ka7tM8WwXUW~R1H4bOz8=K99UbcyR7(^tINYD9QEr+AyrOuK!5gj!fA-Jx)a zA({|^^9boDldp>1+S za|wRCqpTLL>^YvHxybOgZQ_qV6A&ak&frAiAMsZZA5G!5HPhtIOc;2kw(t~RY{~x8 zn`w8ssSS{PlFC}`m`rkO6o)vpLqwyvwUU$IusDloOxQHGq6j#rtcSQza50YF)$1s< zE#!s?e%I}^TU`B_ol<`SGHT5kx8_b_>#O~AU-ur=?et2NUDQUKsoGnQZbT4DoQ=B* zP}BK#?$;rZ2i-UmZaoR?OpL=RdgOM!{xX8wdM^wmr#`@uA&&<2E32~@XycZ29=4}x zTF<3!KH4lfelE^u=TdYvTcANEE8}(0)x7JztEFJl+pTp`pF&q#b`#AU;AG`F%bTv* zp6K^eaE+yCtM{TiK2eeH*~0jSYwY7)5Vf2==A?A(^Kh{;`m+8Q?C!+=PU&oyx;)NO zdq1@Bo-@ZPUx$yLFpJ^ixf~J`-J3~08}Q95LEo&sbw_Wj(@bsX8_Try#NqqB`}1(q zL-Vw|=kI$lpY2ACC2abMyf73&Js)VOnXN<}HHT4__0yA1ElTynp-osHU^jG5ijWpy zNFFTLr^(<&^^!a&mr`Fork90@ieq5;);*&6$MFNGnvR8gs)oZH1lP^s6q{SD%;twz zqH2#r{Zl!Rjp04F=#0GRYUD3mM;i2;;UcqECca8@Y{Vl9-w#BBs!D$!nJ>{?e5>1FmmLEK2XI3Qi&f zF$GybWXp*`5LT~vOFTUDq{>enW_{=bt!x9*1f;Kv_rD(67~spK2vc?0X(#0{s>l_F z7_31|rU|GRWe*((Sb^`&$NA*N%S+~I;L$PmH1K|=v#VT`denZw{B)dh)wHVwE0at) zL!ZyRN{(Tsmpg7#g(t^A=o G!~6?Y?=yV> literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-2 b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-2 new file mode 100644 index 0000000000000000000000000000000000000000..de7914cd21fc577ab43fae901c0934eb6431f1d1 GIT binary patch literal 2017 zcmZ`)$&#B!7{*RwPh6GCHHRD&uCqu&%gngS2P6>M0F7WIAmsxCEzzi11U=F~%9U5h z)p;O4iZ40j5t42M8kG}w73x<1OMm}9n|$-_C3AMhFdxm2CPUUg<@%nS8&|QNp~!ZJ z0HNrjwvQ6z{xX}qKKuOX^ItzucCxB{R_LNPRM(%M^ug{G!_e;ckhl+3k{_?6fRLj z143{fA$=%M?~A>30=oej?>Hbmg@4G0LS-Bw=wv+@x-g`{c_tCNz7j`5scbRzb*|_h z!S8gG<=m5f*Ee+!nf|6t>K|V+*N?K zpKWGA9RhjKO)}xmm%!G-IGUm-ZrkfGVz{aIqDXS<100+3Xi&elJM)1)Zb|1+d%EA( zbE%t;)(eiGi8J+Fim%l<8f3CEUWHxVzv+AW9!z@Ml_45a=;@1Ys#^n`E`4`#+qK#g z<6#PJuoQ2MUVP7|8VYM2G1}TR(;CLwwj3jM`F`)=JX-hA zY~S7S550uXwxh-ZHiJ~2n~I>F4|LSbmZE{0!#K;QK)&?u;?9e5u z@;Kx_N!X^bGI zAPb0WIWY*rs*AV8Lz^dAerhlqzyRoF8IU3%bzSuTdgNe$FVn(J)nliXl*72Xt}rBE z1rjn%Kt(8P=s3U%d~ZI?CNExIGS35#jD27|9?hH3uOzs6}hB)CP-`E3c5M zoF)%6r##18a>yej-9o~|6<^a;qMQD=@89|#55D^Pj5$7Lm`}zhgCXnhe0@vKmGj6- zQD`|`fKYf^+JrH3K8y$Nj=y~V^5=JyovdOXXS(PO)%E*lt-XHBF!cML+*QtfD}W1- z;BzktgP-4*N-PNMIE^q2gI=%*W8b1j_PRuggbV`=mNCTXe^H;sfun+@4+5;hEfB%N zdO(;csaEQjjY|DA(?z)BFeDtyz`_qP*c-_VS!hWv*sjX)4Ym*`zM`!}4cuRhy-QMh>W*TyL zXkLgSnh=6>59ujCea!Ye2G?^cXZO_yup5jY2 z*`InN?QUyoZ6qJ0vQ*k9lUR-75Qlb%XcSjgau6IArxA?_yNRtR0?r}nA9m_pcamDOe%0wr zx8#1Vs~c!`5Gm*>&i?C_q!&!9*6bFJU>_=)T$4qF6@Ti=oBFmlEz1>S6F+c35Truqm#zG~N&(MF*y`zGS>_hUsn1bWM+qb7V3&mBeH~FF1f6f2@ dMTRL|MD88kf60CshME}2<(*o3if(NFeGjS>kN1{iE(h_nBrK8gcJ1zR5kScN$dz{a{q zm?&vB+E?91`&FTfaK~XtIJSX>?_+Q>QW&z(mK?AnmFslbN`QzYusByZqiK2*WUR%u z!il-!*_@KwEhXPRDAFxwN@7#-$8AMWTvHo&%(c-`1e=>nLLZr$ zLF8_7g@5~&Eup=yOtQ(*k&%_S{1KBR^MezlivC|mJH77bN)qDI&!vT08B*%)7XnAP z+s#Tx!R7vuxHK&0TFgvsml~c4P0jU@<=Eyi755O z(6+gvxdgx6QPxXW_8ia9Tx58=Hu1-w3kVV#XK*6%kN7Ky52kR_nrm`rE(|?WTY8Ew zwq$?h&9&Ry)P_htOJ%KgN+z)y#UT#u5K+rJD>(}ei?fKvgiT{Bihy%Yx{nJ17vtzn zy^ccLLT;GgH!ZH$?AAZiQ_4?4MzuMU*1}0_eSMf6>fXJ&oApH5MQya5sr}9PS_GlQ z*|@6!HC^l$ejNgN*o`yc#*@I_#5kOx2X5aVtRlFp_rp+f>O&kE@_1P9S)Jujo3x~h zusuuDdM8{O*C_eleOop zuDfP?s^87P6_%o%-j8niL`A-53zKWEaftUp)N&4(lhTdP!{yo-$ofODzZD02rL$Y< z@+3>`!^px1&YY-x9X@!%JcbV!a!6Ekuc!5F$Txd}zTJ46j^0*hncC2|mTBvW!w>p* z7vUE57issv-}PfY+m9P7*z^;5X()nvG1O2qTZ=ksj-o6Zq-UL4lZs?G> zS4Bt*FeDe2>(gZLqIyX#luKzKpVG_1M8z?%eCrO;{Nwl@R87ai0~Nzz4uY%ZXok%l zR_2T2Em5_{vHmF^$R_ZPTXx1?)EoOt*O7*OXSB?$^`z-YtDKzQ>1qm136X+c;o@I! zB;#P!wAMFp4ku920nYGyJ0wxCx2(4Ara0lgqQ0RR91 literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullKeyAccessObj b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullKeyAccessObj new file mode 100644 index 0000000000000000000000000000000000000000..d55d907b34a1658970daf36f31943291eeb7b40b GIT binary patch literal 2017 zcmZ`)$&#B!7{*RwJFZIQnnMmURXNR!C81@ODj$$QXah8Yk${vB475a}W)bvA11VQt zAy?;t{3yQUkViJ`I$G(VaQS^t#ldvb2PjqMCY zwmSp}Md!7Blpy!bZ1VEe=TD#i`hkj*RqeCF7Nt;Ie}2*jyB7>Ye?Jmh<85Gva0OEQ z)=#7Gx7W2A3qmK!Vhp2j6t1Equ<4P#sZl0j!w`dY0&(_#+%M|D)xbIcA=Y3H1hBFn z5GF>NjrLWy(LOJ15$Pm~h{QUy@k0WRmlPM-XiW(0P~$pXwo)J}DJ@@>Pj{}I5Mx~)JRHP`n9~FR)&;%`<1{E z>2|ZSQAl|N1r3X}6f;ZT>`mW-mhJ`S((;Jw9V<|LbvYtDo>TmFN7ZlN9ibK$N_Qw+ zVu&V$;5|F12W!mKzf9KehQwABLtnS2SXQzG&zS-p|=sgzLH16seCc@ zb*|_h!S8gG<=m5f*Ee+!nf|6t{0US6LBiuqP9**je+BW;5^h_nE_YO6;9L6KR|2sm z2Mb@-?{Z5YAo(Pfwc0V6#?AGFQ%Qj|T^M(e58TaB(o5J{Ya zy9&_uv&}51Lm&^jNhaL-64+W8M^p63ZF~Ji3^(;&6iIGL>dVLUvM|+f0_?!PM>PL9c>q<@v2aJ#aFm1asyUouYl9Va zc6cSK_Bhl(l>^xr-gEQL$d4~a!Q6ADLC+n|GkZC1y3!&i^m{|wLrX%WpclCKHX7+D zTr}XyW!^uDU# zG)53pkOf4xoEQXQ^@_K|!!u8+{M2DKfC13UHXuzv`nq`k>yd*2zDRNMiyc&#opw?V zFg>Or5?4PF+UxrTs7?~ z!OA34&d{fGuaaY!DLFowg0sns7w4q}#Z|56<)PaDD8K(E!;~(f_mb|v7yk_Nte|~Y La4Uc4&M^N1MAtJ( literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullSegment b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/crash-InvalidManifest-NullSegment new file mode 100644 index 0000000000000000000000000000000000000000..4537beda55a232f533c1c62532548e2c2f789d19 GIT binary patch literal 2017 zcmZ`)$&#B!7{*RwJFZIQnnMl>*YQ{qT4r(ifCNHF0%-&z0Vy9CXo*J6BIuC@Qm(v0 zuFeDbQGCfEkC1dD&?u9ntE6uJt-pWke>VQ=>vQJSD~9=Geli)d{wmkE% zcL)%Q-qiL{g4~~G<2lt|cc%Ky`y^r6_xAg~*d@s0!15`KaBP!EO4I6~0LdN6chNR#u(B8dMd zk0-vE`Z`y2kKlJY>T>QWzU!O1hfIIdCjJCd0YSp!Oim>J5q|~o!4hs-Q(fsyg@JGB zb6*X_mJ%%dseYSV`T!{>sU%)K#*mGZ2uDtYXcRYgdJ-HKXEBWlyHD&m2JR{AJ}DGD zjN|Ki9Yv0fyeP%j-A=p3)t}fY^~WHi*4$BR=BAFZ+)Z|M|6bcnE=0vcZM2?fy_I|= zf=J>V+*N_LpKWGA9Rg+0O)}xem%!G-IGUgbZrkfGVz{aIqDXS<100)*Jg8sTo%ui? zwWPDCJ=yQ;xzx?&^@8JP;%s^*#TU~#8f1z(T7_NRzwCSZ9*le2l_44v=;@1Ys#^n` zE`4`#)wSAV<8A^ju@rBNUVO`^8VYsIc-j8&4m5Wl3+RvCDj#I9h zc9mddk|}5C)45m4G0cP@*T+J7s*|0KhdE~596?!OlQ4D+m@ NeN%8Nf9TFIe*;(}GuQwC literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/sample.tdf b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzTDF/sample.tdf new file mode 100644 index 0000000000000000000000000000000000000000..cc27081a3c3c30eb85308bda48c3e8c15736604f GIT binary patch literal 2017 zcmZ`)OLLn>94Bd;xS8qn+CvX2SKE<<9=0=+0}=?mK(fFR(8&SAN-SC)g0(PoGW`m@ zrXMIDC6^xh5!zh@vc_$8M%v~7+TZ`R|M}#bZ!ej%GluzOd@>la{wde@z9?)F={O9D#3r!tLky0W6c<@&LkR3pYD}f`@ z?Pg`8ka7tM8WwXUW~R1H4bOz8=K99UbcyR7(^tINYD9QEr+AyrOuK!5gj!fA-Jx)a zA({|^^9boDldp>1+S za|wRCqpTLL>^YvHxybOgZQ_qV6A&ak&frAiAMsZZA5G!5HPhtIOc;2kw(t~RY{~x8 zn`w8ssSS{PlFC}`m`rkO6o)vpLqwyvwUU$IusDloOxQHGq6j#rtcSQza50YF)$1s< zE#!s?e%I}^TU`B_ol<`SGHT5kx8_b_>#O~AU-ur=?et2NUDQUKsoGnQZbT4DoQ=B* zP}BK#?$;rZ2i-UmZaoR?OpL=RdgOM!{xX8wdM^wmr#`@uA&&<2E32~@XycZ29=4}x zTF<3!KH4lfelE^u=TdYvTcANEE8}(0)x7JztEFJl+pTp`pF&q#b`#AU;AG`F%bTv* zp6K^eaE+yCtM{TiK2eeH*~0jSYwY7)5Vf2==A?A(^Kh{;`m+8Q?C!+=PU&oyx;)NO zdq1@Bo-@ZPUx$yLFpJ^ixf~J`-J3~08}Q95LEo&sbw_Wj(@bsX8_Try#NqqB`}1(q zL-Vw|=kI$lpY2ACC2abMyf73&Js)VOnXN<}HHT4__0yA1ElTynp-osHU^jG5ijWpy zNFFTLr^(<&^^!a&mr`Fork90@ieq5;);*&6$MFNGnvR8gs)oZH1lP^s6q{SD%;twz zqH2#r{Zl!Rjp04F=#0GRYUD3mM;i2;;UcqECca8@Y{Vl9-w#BBs!D$!nJ>{?e5>1FmmLEK2XI3Qi&f zF$GybWXp*`5LT~vA|9T3Qst)(vp)2JR<;3Y0@ByT`(F=j4De-AgsHmhw3BieRpbgo z4Avkf(*#tEvWJcXtibo?<9zbs+i|jgaoMfDr^YEOu@Y<7j?6Ey(PagKN z1vL^4zW@qaYDy$TLBWsU5727ezWLtsy+-|apB@!n6bgllq_gDL{d%86 zKYyl%-Pet;J{a|%zes+6 z{)xcF@-sRp&b8%=fBWH2`;TXZLViBtxbkseg?NP$cI+ilcqLd#f?|fFFcF$BFNy*R z?Kq`5LJL<>99TIhG_M34GPI5{OW(lX3Ls~S)&UCH6lX|5D{DiT&^(c-aQ@Q8*?y?_I}m_OH|&hVDe$xm80(6z5ZClHSvTe$ zR6zxLE`jQJ4}u;BMr$`TW>v75Nzfn!E_%Kmj5#lH;rjGcxaJmayz5$t+d7z5LF+uX z{1&e(Ww~BGsofLv&|KX`=FvxmrX&{ymn-G&LvP{%!_Rbayyss@fiiKS*Oqm~7NIeg zp~t^u=pInpr;jZQ&D!+^chW~`%eGN+V~|D!+vyn&9USK2fyyj}UJvW)xXeQ&nVv1d zz}!PcD+7*$hA-+1NX*4N01MrPL0f{}SOkj>HpOujWHS+XpsK4qf2g$ho9{e4MS;de z7TFQuR(vbr2$oWwCSey_lp=>CHgQgL8KccoiA1(V+$dqqT2+?Bl0|XpM($Rik5bMZ z?{saivfVksC$Q(Q%9L&!BEa-ZqV>=E^%l(*)P6N{2OaXNC(r7MSz5wqqp%rGktESx zcY9uGPl+WvRWR8{R6g4Vz%%A*XIl@L;W z#uOWDAa=@5SKE%oy=zN4g#q!*<%C{}^41ADiL;n(jj5Js!GzkxSxmMFWUp50xHjVXuVDREGY^JO23{1=NkSBh?3kw9} zbhsExJfW_c_8Jd)N+`iBFZ0{6acJ12ebdW4e@zx|P*DhQfQ*~W^1SluI&^m_vKeAW z35$^x9Eu^jD~1fy2O}|Bp_sQjx-Wp{%q;2Yy>)PMF~&hUh9#_!SL^&jZ6t_c7D literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/crash-f39ad8416aef7cf275f84683aaa0efd15f24272a b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/crash-f39ad8416aef7cf275f84683aaa0efd15f24272a new file mode 100644 index 0000000000000000000000000000000000000000..2fc1da228a64d5718fd2608a080af9c93529bc53 GIT binary patch literal 99 gcmWH@D$dUf@MdLW;0*9)XJBF|VW1ueU;~*20A$VtC;$Ke literal 0 HcmV?d00001 diff --git a/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/sample.txt.tdf b/sdk/src/test/resources/io/opentdf/platform/sdk/FuzzingInputs/fuzzZipRead/sample.txt.tdf new file mode 100644 index 0000000000000000000000000000000000000000..2bb81265469ccc3b2065a5bb778e88aa3f13fa65 GIT binary patch literal 1754 zcmZ`)Kab-?6kp(uI}j2=LW0@_658Ec$9A%th$}X6;y;O!|+oO*eYF2-fz2n+j?fBR4|L}f)cyv^MA5tFsBz6}8DV>||#$vS9Vy)6mucGTx3zbSUHw|4x zfgLJ>ZZ1Mc(i%<}AV)HGTC76Nyxfk>c~i6IykjEdSZbul2GvD@vw8ZIxuFpbyOZ5K zxZH=9w98%{`G0oZJa63z>(V@bS((=oWjZ`fE}%~7_MLDVYGzdFoUx;+l$tmVoUkwG zqQ^O=AvhsT$<#wl>OXxwGSg|@JfoY8KzZqTAU_1eDS}?vg^3T7x;&0JFP%_@x@54l zM7$k(yc63yM^spi@*Febbjv}uwTLxK51hEqJE6g8)&Sa^(bTFrr-fQmm(*x1UQ(LA zb$L!0oTVi7QbeOfZcZ7b#Ppb$ZRTPOe9E}aYGFVK?wp;W)N@gg=A_eV3Osk_Vt972 zyEPbsl4@sLUD-)w+e7f&QKL1Bana^9h>wvn><%w3ab;oeY95RR=t>pl7rA}5bkb{) z%y9{L9;)BE!8ZJ zvz!et%yU^c+J==Pr6KR{GX-i4NRaxsP)aEmRO^J|10t{WACQiUsS+EhY(uEf*8mj+#5o|dkqHhgJO zQT~eR1oyl-978pw^wz7=V#F;3+iGlA()`-y+GNBHSYK8OgWCljuVW`hp}m~q6(<4&6*f1>U8!C9V#?{J zQE9Lpcv4i<`n8=WFW`(@&^)N0q~VWxYUD2U%CT5DM#Nvww$NWLu+vjoN*D=ttO&Nb z*^Nw!UDG4F)UUJ|D~u`bMikdtY?Ncm;3=L0yHwlvFv&53WM9KW*WUNbynkq=6h615 zk6{eV1F$HpD7g2{^(^%WAgB5Mq^QqVuvkHSA0z{7kkM`nDC>a6yD7ok+)RdVy?uIg rKT%#C3H3yI{kgMzX;zE>YhK)&*>w5F^q34EzFRB2OxBM>{ literal 0 HcmV?d00001