
Results

Evan Nemerson edited this page Apr 8, 2016 · 26 revisions


This page contains a list of known audits (generally, though not necessarily, fuzzing) of compression codecs, conducted both as part of this project and by others. It will probably never be exhaustive, but we will try to come as close as we can.

Possible values for the status column are:

  • Unknown — there is insufficient information available to come to a conclusion. You can think of it as a "TODO" item for us to fuzz, or "Help Wanted".
  • OK — the implementation has been tested and no issues were found. Note that this doesn't necessarily mean no issues were present, merely that we have no security-related grounds to recommend against using the codec.
  • Undisclosed — vulnerabilities exist, but have not yet been disclosed to anyone other than the author.
  • Vulnerable — vulnerabilities have been publicly disclosed, but the code has not been fixed yet.
  • Abandoned — there are known vulnerabilities, but the project is no longer active and is unlikely to receive any security fixes.

Note that "OK" doesn't mean "no issues"; it means there has been at least one attempt at fuzzing, and that there are currently no known issues.

<tr>
  <td><a href="http://balz.sourceforge.net/">BALZ</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/jibsen/brieflz">BriefLZ</a></td>
  <td>OK</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/google/brotli">Brotli</a></td>
  <td>OK</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://libbsc.com/">BSC</a></td>
  <td><em>Undisclosed</em></td>
  <td><a href="https://extrememoderate.wordpress.com/2015/11/16/fuzz-testing-compressors/">2015-11-16</a></td>
  <td>Yes</td>
  <td></td>
  <td>m^2</td>
</tr>

<tr>
  <td><a href="http://bzip.org/">bzip2</a></td>
  <td>OK</td>
  <td><a href="https://fuzzing-project.org/software.html">Unknown</a></td>
  <td>No</td>
  <td>N/A</td>
  <td>Hanno Böck</td>
</tr>

<tr>
  <td><a href="http://compressme.net/">CRUSH</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td rowspan="2"><a href="https://github.com/fusiyuan2010/CSC">CSC</a></td>
  <td rowspan="2"></td>
  <td><a href="https://github.com/fusiyuan2010/CSC/issues/7">2015-10-04</a></td>
  <td>Yes</td>
  <td><a href="https://github.com/fusiyuan2010/CSC/commit/3f0b586cb33216523cbb5130ba911c5d39940a15">2015-12-29</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="https://github.com/fusiyuan2010/CSC/issues/7#issuecomment-169407859">2016-01-06</a></td>
  <td>Yes</td>
  <td><a href="https://github.com/fusiyuan2010/CSC/commit/02052640b2b937b4457331837a773ebfca9d7dae">2016-01-11</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="https://github.com/ebiggers/libdeflate">libdeflate</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/centaurean/density">DENSITY</a></td>
  <td><strong>Vulnerable</strong></td>
  <td><a href="http://encode.ru/threads/1841-SHARC-DENSITY-news-and-updates?p=45468&viewfull=1#post45468">2015-11-03</a></td>
  <td>Yes</td>
  <td></td>
  <td>m^2</td>
</tr>

<tr>
  <td><a href="https://bitbucket.org/attila_afra/doboz">Doboz</a></td>
  <td><strong>Vulnerable</strong></td>
  <td>2015-11-21</td>
  <td>Yes</td>
  <td>None yet</td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="https://github.com/davidcatt/FastARI">FastARI</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://fastlz.org/">FastLZ</a></td>
  <td>OK</td>
  <td>2015-11-20</td>
  <td>No</td>
  <td>N/A</td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="http://freearc.org/Research.aspx">FreeArc</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/google/gipfeli">Gipfeli</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://encode.ru/threads/1909-Tree-alpha-v0-1-download">GLZA</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/atomicobject/heatshrink">Heatshrink</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://software.intel.com/en-us/articles/igzip-a-high-performance-deflate-compressor-with-optimizations-for-genomic-data">igzip</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://software.intel.com/en-us/node/503340">IPP</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://cyan4973.github.io/lz4/">LZ4</a></td>
  <td>OK</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td rowspan="2"><a href="https://github.com/inikep/lz5">LZ5</a></td>
  <td rowspan="2">OK</td>
  <td><a href="http://encode.ru/threads/2347-LZ5-a-modification-of-LZ4-which-gives-a-better-ratio-at-cost-of-slower-compression?p=45835&viewfull=1#post45835">2015-12-05</a></td>
  <td>Yes</td>
  <td><a href="https://github.com/inikep/lz5/commit/95b068ee0e3bdd5e81c9ab4ad29f506ba848da1f">2015-12-05</a></td>
  <td>m^3</td>
</tr>
<tr>
  <td><a href="https://github.com/anthrotype/lzcomp/tree/master/mtx">lzcomp</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://liblzf.plan9.de/">LZF</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://liblzg.bitsnbites.eu/">LZG</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/richgel999/lzham_codec/">LZHAM</a></td>
  <td><em>Undisclosed</em></td>
  <td><a href="http://encode.ru/threads/2384-Fuzz-testing?p=45742&viewfull=1#post45742">2015-11-25</a></td>
  <td>Yes</td>
  <td>No</td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="http://www.matcode.com/lzmat.htm">LZMAT</a></td>
  <td><em><strong>Abandoned</strong></em></td>
  <td>2013-09-11</td>
  <td>Yes</td>
  <td></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="https://en.wikipedia.org/wiki/LZJB">LZJB</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/unwind/lzjb-stream/">lzjb-stream</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://tukaani.org/xz/">LZMA</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://www.oberhumer.com/opensource/lzo/">LZO</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://www.oberhumer.com/products/lzo-professional/">LZO Professional</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/ConorStokes/LZSSE">LZSSE</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://sites.google.com/site/powturbo/">LzTurbo</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/mathieuchartier/mcm">MCM</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/coderforlife/ms-compress/">ms-compress</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://ncompress.sourceforge.net/">ncompress</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://www.radgametools.com/oodle.htm">Oodle</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/johnezang/pithy">Pithy</a></td>
  <td><em><strong>Abandoned</strong></em></td>
  <td>2015-11-26</td>
  <td>Yes</td>
  <td></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="http://www.quicklz.com/">QuickLZ</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>
<tr>
  <td><a href="http://scz-compress.sourceforge.net/">SCZ</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://1wt.eu/projects/libslz/">SLZ</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://google.github.io/snappy/">Snappy</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://www.compressconsult.com/szip/">szip</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/ShaneWF/wflz">wfLZ</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://wimlib.net/">wimlib</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff552127%28v=vs.85%29.aspx">Windows API</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://bitbucket.org/tkatchev/yalz77">yalz77</a></td>
  <td>OK</td>
  <td>2015-09-18</td>
  <td>Yes</td>
  <td><a href="https://bitbucket.org/tkatchev/yalz77/commits/07b5d3df427e981ee5cfb25094af1b731b14ed44">2015-09-18</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="http://zlib.net/">zlib</a></td>
  <td>OK</td>
  <td><a href="https://fuzzing-project.org/software.html">Unknown</a></td>
  <td>No</td>
  <td>N/A</td>
  <td>Hanno Böck</td>
</tr>

<tr>
  <td><a href="https://github.com/Dead2/zlib-ng/">zlib-ng</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td><a href="https://github.com/richox/libzling">zling</a></td>
  <td>OK</td>
  <td><a href="https://github.com/richox/libzling/issues/10">2015-02-11</a></td>
  <td>Yes</td>
  <td><a href="https://github.com/richox/libzling/commit/3028e100e5983219998fd08f9df53ba80be47429">2015-12-24</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td><a href="https://github.com/google/zopfli">Zopfli</a></td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td rowspan="2"><a href="http://mattmahoney.net/dc/zpaq.html">zpaq</a></td>
  <td rowspan="2"><em>Undisclosed</em></td>
  <td>2015-02-11</td>
  <td>Yes</td>
  <td><a href="https://github.com/zpaq/zpaq/commit/176df1f453a9bcebc794bb928e5aff1c9e9d5585">2015-02-18</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td>2015-11-17</td>
  <td>Yes</td>
  <td></td>
  <td>m^2</td>
</tr>

<tr>
  <td rowspan="2"><a href="https://github.com/Cyan4973/zstd">zstd</a></td>
  <td rowspan="2">OK</td>
  <td>2015-10-13</td>
  <td>Yes</td>
  <td><a href="https://github.com/Cyan4973/zstd/commit/8f86c700cdb9190901613124100c9be4c6e69827">2015-10-13</a></td>
  <td>Evan Nemerson</td>
</tr>

<tr>
  <td>2015-11-16</td>
  <td>Yes</td>
  <td>?</td>
  <td>m^2</td>
</tr>

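<tr>
  <th rowspan="2">Codec</th>
  <th rowspan="2">Status</th>
  <th colspan="4">Results</th>
</tr>

<tr>
  <th>Reported</th>
  <th>Issues found?</th>
  <th>Fixed</th>
  <th>Credit</th>
</tr>

<tr>
  <td>Apple API</td>
  <td>Unknown</td>
  <td></td>
  <td></td>
  <td></td>
  <td></td>
</tr>

<tr>
  <td>2015-12-28</td>
  <td>Yes</td>
  <td>2016-01-04</td>
  <td>m^3</td>
</tr>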

[1] ZPAQ allows the user to embed a decompressor written in ZPAQL in the archive. This lets people experiment with new algorithms while maintaining compatibility with stock ZPAQ, but it means it is possible to create a decompressor with an infinite loop, and it is impossible for ZPAQ to detect.
