Utilities/cmlibarchive/libarchive/test/test_fuzz.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

/*-
 * Copyright (c) 2003-2007 Tim Kientzle
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
#include "test.h"
__FBSDID("$FreeBSD: src/lib/libarchive/test/test_fuzz.c,v 1.1 2008/12/06 07:08:08 kientzle Exp $");

/*
 * This was inspired by an ISO fuzz tester written by Michal Zalewski
 * and posted to the "vulnwatch" mailing list on March 17, 2005:
 *    http://seclists.org/vulnwatch/2005/q1/0088.html
 *
 * This test simply reads each archive image into memory, pokes
 * random values into it and runs it through libarchive.  It tries
 * to damage about 1% of each file and repeats the exercise 100 times
 * with each file.
 *
 * Unlike most other tests, this test does not verify libarchive's
 * responses other than to ensure that libarchive doesn't crash.
 *
 * Due to the deliberately random nature of this test, it may be hard
 * to reproduce failures.  Because this test deliberately attempts to
 * induce crashes, there's little that can be done in the way of
 * post-failure diagnostics.
 */

/* Because this works for any archive, I can just re-use the archives
 * developed for other tests.  I've not included all of the compressed
 * archives here, though; I don't want to spend all of my test time
 * testing zlib and bzlib. */
static const char *
files[] = {
    "test_fuzz_1.iso",
    "test_compat_bzip2_1.tbz",
    "test_compat_gtar_1.tar",
    "test_compat_tar_hardlink_1.tar",
    "test_compat_zip_1.zip",
    "test_read_format_gtar_sparse_1_17_posix10_modified.tar",
    "test_read_format_tar_empty_filename.tar",
    "test_read_format_zip.zip",
    NULL
};

#define UnsupportedCompress(r, a) \
        (r != ARCHIVE_OK && \
         (strcmp(archive_error_string(a), \
            "Unrecognized archive format") == 0 && \
          archive_compression(a) == ARCHIVE_COMPRESSION_NONE))

DEFINE_TEST(test_fuzz)
{
    const char **filep;
    const void *blk;
    size_t blk_size;
    off_t blk_offset;

    for (filep = files; *filep != NULL; ++filep) {
        struct archive_entry *ae;
        struct archive *a;
        char *rawimage, *image;
        size_t size;
        int i;

        extract_reference_file(*filep);
        rawimage = slurpfile(&size, *filep);
        assert(rawimage != NULL);
        image = malloc(size);
        assert(image != NULL);
        srand((unsigned)time(NULL));

        for (i = 0; i < 100; ++i) {
            FILE *f;
            int j, numbytes;

            /* Fuzz < 1% of the bytes in the archive. */
            memcpy(image, rawimage, size);
            numbytes = (int)(rand() % (size / 100));
            for (j = 0; j < numbytes; ++j)
                image[rand() % size] = (char)rand();

            /* Save the messed-up image to a file.
             * If we crash, that file will be useful. */
            f = fopen("after.test.failure.send.this.file."
                "to.libarchive.maintainers.with.system.details", "wb");
            fwrite(image, 1, (size_t)size, f);
            fclose(f);

            assert((a = archive_read_new()) != NULL);
            assertEqualIntA(a, ARCHIVE_OK,
                archive_read_support_compression_all(a));
            assertEqualIntA(a, ARCHIVE_OK,
                archive_read_support_format_all(a));

            if (0 == archive_read_open_memory(a, image, size)) {
                while(0 == archive_read_next_header(a, &ae)) {
                    while (0 == archive_read_data_block(a,
                        &blk, &blk_size, &blk_offset))
                        continue;
                }
                archive_read_close(a);
                archive_read_finish(a);
            }
        }
        free(image);
        free(rawimage);
    }
}