fuzzer: added tests to detect LZ4_decompress_fast() out of bound read
This commit is contained in:
parent
b59fd652e8
commit
1ed69691a1
@ -481,32 +481,40 @@ static int FUZ_test(U32 seed, U32 nbCycles, const U32 startCycle, const double c
|
|||||||
/* Test compression */
|
/* Test compression */
|
||||||
FUZ_DISPLAYTEST("test LZ4_compress_default()");
|
FUZ_DISPLAYTEST("test LZ4_compress_default()");
|
||||||
ret = LZ4_compress_default(block, compressedBuffer, blockSize, (int)compressedBufferSize);
|
ret = LZ4_compress_default(block, compressedBuffer, blockSize, (int)compressedBufferSize);
|
||||||
FUZ_CHECKTEST(ret==0, "LZ4_compress_default() failed");
|
FUZ_CHECKTEST(ret<=0, "LZ4_compress_default() failed");
|
||||||
compressedSize = ret;
|
compressedSize = ret;
|
||||||
|
|
||||||
/* Decompression tests */
|
/* Decompression tests */
|
||||||
|
|
||||||
|
/* Test decompress_fast() with input buffer size exactly correct => must not read out of bound */
|
||||||
|
{ char* const cBuffer_exact = malloc((size_t)compressedSize);
|
||||||
|
assert(cBuffer_exact != NULL);
|
||||||
|
memcpy(cBuffer_exact, compressedBuffer, compressedSize);
|
||||||
|
|
||||||
/* Test decoding with output size exactly correct => must work */
|
/* Test decoding with output size exactly correct => must work */
|
||||||
FUZ_DISPLAYTEST("LZ4_decompress_fast() with exact output buffer");
|
FUZ_DISPLAYTEST("LZ4_decompress_fast() with exact output buffer");
|
||||||
ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize);
|
ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize);
|
||||||
FUZ_CHECKTEST(ret<0, "LZ4_decompress_fast failed despite correct space");
|
FUZ_CHECKTEST(ret<0, "LZ4_decompress_fast failed despite correct space");
|
||||||
FUZ_CHECKTEST(ret!=compressedSize, "LZ4_decompress_fast failed : did not fully read compressed data");
|
FUZ_CHECKTEST(ret!=compressedSize, "LZ4_decompress_fast failed : did not fully read compressed data");
|
||||||
{ U32 const crcCheck = XXH32(decodedBuffer, blockSize, 0);
|
{ U32 const crcCheck = XXH32(decodedBuffer, (size_t)blockSize, 0);
|
||||||
FUZ_CHECKTEST(crcCheck!=crcOrig, "LZ4_decompress_fast corrupted decoded data");
|
FUZ_CHECKTEST(crcCheck!=crcOrig, "LZ4_decompress_fast corrupted decoded data");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Test decoding with one byte missing => must fail */
|
/* Test decoding with one byte missing => must fail */
|
||||||
FUZ_DISPLAYTEST("LZ4_decompress_fast() with output buffer 1-byte too short");
|
FUZ_DISPLAYTEST("LZ4_decompress_fast() with output buffer 1-byte too short");
|
||||||
decodedBuffer[blockSize-1] = 0;
|
decodedBuffer[blockSize-1] = 0;
|
||||||
ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize-1);
|
ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize-1);
|
||||||
FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too small");
|
FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too small");
|
||||||
FUZ_CHECKTEST(decodedBuffer[blockSize-1], "LZ4_decompress_fast overrun specified output buffer");
|
FUZ_CHECKTEST(decodedBuffer[blockSize-1], "LZ4_decompress_fast overrun specified output buffer");
|
||||||
|
|
||||||
/* Test decoding with one byte too much => must fail */
|
/* Test decoding with one byte too much => must fail */
|
||||||
FUZ_DISPLAYTEST();
|
FUZ_DISPLAYTEST();
|
||||||
ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize+1);
|
ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize+1);
|
||||||
FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too large");
|
FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too large");
|
||||||
|
|
||||||
|
free(cBuffer_exact);
|
||||||
|
}
|
||||||
|
|
||||||
/* Test decoding with empty input */
|
/* Test decoding with empty input */
|
||||||
FUZ_DISPLAYTEST("LZ4_decompress_safe() with empty input");
|
FUZ_DISPLAYTEST("LZ4_decompress_safe() with empty input");
|
||||||
LZ4_decompress_safe(compressedBuffer, decodedBuffer, 0, blockSize);
|
LZ4_decompress_safe(compressedBuffer, decodedBuffer, 0, blockSize);
|
||||||
|
Loading…
Reference in New Issue
Block a user