fuzzer: added tests to detect LZ4_decompress_fast() out of bound read

2019-04-17 13:31:24 -07:00 · 2019-04-17 13:31:24 -07:00 · 1ed69691a1
commit 1ed69691a1
parent b59fd652e8
1 changed files with 28 additions and 20 deletions
--- a/tests/fuzzer.c
+++ b/tests/fuzzer.c
@ -481,32 +481,40 @@ static int FUZ_test(U32 seed, U32 nbCycles, const U32 startCycle, const double c
        /* Test compression */
        FUZ_DISPLAYTEST("test LZ4_compress_default()");
        ret = LZ4_compress_default(block, compressedBuffer, blockSize, (int)compressedBufferSize);
-        FUZ_CHECKTEST(ret==0, "LZ4_compress_default() failed");
+        FUZ_CHECKTEST(ret<=0, "LZ4_compress_default() failed");
        compressedSize = ret;

        /* Decompression tests */

+        /* Test decompress_fast() with input buffer size exactly correct => must not read out of bound */
+        {   char* const cBuffer_exact = malloc((size_t)compressedSize);
+            assert(cBuffer_exact != NULL);
+            memcpy(cBuffer_exact, compressedBuffer, compressedSize);
+
            /* Test decoding with output size exactly correct => must work */
            FUZ_DISPLAYTEST("LZ4_decompress_fast() with exact output buffer");
-        ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize);
+            ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize);
            FUZ_CHECKTEST(ret<0, "LZ4_decompress_fast failed despite correct space");
            FUZ_CHECKTEST(ret!=compressedSize, "LZ4_decompress_fast failed : did not fully read compressed data");
-        {   U32 const crcCheck = XXH32(decodedBuffer, blockSize, 0);
+            {   U32 const crcCheck = XXH32(decodedBuffer, (size_t)blockSize, 0);
                FUZ_CHECKTEST(crcCheck!=crcOrig, "LZ4_decompress_fast corrupted decoded data");
            }

            /* Test decoding with one byte missing => must fail */
            FUZ_DISPLAYTEST("LZ4_decompress_fast() with output buffer 1-byte too short");
            decodedBuffer[blockSize-1] = 0;
-        ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize-1);
+            ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize-1);
            FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too small");
            FUZ_CHECKTEST(decodedBuffer[blockSize-1], "LZ4_decompress_fast overrun specified output buffer");

            /* Test decoding with one byte too much => must fail */
            FUZ_DISPLAYTEST();
-        ret = LZ4_decompress_fast(compressedBuffer, decodedBuffer, blockSize+1);
+            ret = LZ4_decompress_fast(cBuffer_exact, decodedBuffer, blockSize+1);
            FUZ_CHECKTEST(ret>=0, "LZ4_decompress_fast should have failed, due to Output Size being too large");

+            free(cBuffer_exact);
+        }
+
        /* Test decoding with empty input */
        FUZ_DISPLAYTEST("LZ4_decompress_safe() with empty input");
        LZ4_decompress_safe(compressedBuffer, decodedBuffer, 0, blockSize);