summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYann Collet <yann.collet.73@gmail.com>2014-07-05 11:50:05 (GMT)
committerYann Collet <yann.collet.73@gmail.com>2014-07-05 11:50:05 (GMT)
commitfd51d0567b640541e5d4290488bf4ed02c6d6990 (patch)
treee4004c556de68acba2ff68380e26939e06cf86fb
parentbdb5bcefff1c09592e2a85e38eac8e9c493ecef9 (diff)
downloadlz4-fd51d0567b640541e5d4290488bf4ed02c6d6990.zip
lz4-fd51d0567b640541e5d4290488bf4ed02c6d6990.tar.gz
lz4-fd51d0567b640541e5d4290488bf4ed02c6d6990.tar.bz2
updated fuzzer, faster and cleaner overflow tests
-rw-r--r--Makefile2
-rw-r--r--NEWS2
-rw-r--r--programs/Makefile2
-rw-r--r--programs/fuzzer.c107
4 files changed, 59 insertions, 54 deletions
diff --git a/Makefile b/Makefile
index c931d1e..8013903 100644
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,7 @@
# ################################################################
# Version numbers
-export RELEASE=r119
+export RELEASE=rc120
LIBVER_MAJOR=1
LIBVER_MINOR=2
LIBVER_PATCH=0
diff --git a/NEWS b/NEWS
index ff2cd53..2adeab3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,5 @@
r119:
-Fix : overflow address, 32-bits mode (issue 134)
+Fix : Issue 134 : extended malicious address space overflow in 32-bits mode for some specific configurations
r118:
New : LZ4 Streaming API (Fast version), special thanks to Takayuki Matsuoka
diff --git a/programs/Makefile b/programs/Makefile
index a3e01a4..3d7aadf 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -30,7 +30,7 @@
# fullbench32: Same as fullbench, but forced to compile in 32-bits mode
# ################################################################
-RELEASE=r119
+RELEASE=rc120
DESTDIR=
PREFIX=/usr
CC:=$(CC)
diff --git a/programs/fuzzer.c b/programs/fuzzer.c
index b745be9..f78e72d 100644
--- a/programs/fuzzer.c
+++ b/programs/fuzzer.c
@@ -28,6 +28,7 @@
#define _CRT_SECURE_NO_WARNINGS // fgets
#ifdef _MSC_VER /* Visual Studio */
# pragma warning(disable : 4127) /* disable: C4127: conditional expression is constant */
+# pragma warning(disable : 4146) /* disable: C4146: minus unsigned expression */
#endif
@@ -172,6 +173,7 @@ void FUZ_fillCompressibleNoiseBuffer(void* buffer, int bufferSize, double proba,
}
+// No longer useful; included into issue 134
int FUZ_Issue52()
{
char* output;
@@ -185,8 +187,7 @@ int FUZ_Issue52()
input[0] = 0x0F;
input[1] = 0x00;
input[2] = 0x00;
- for(i = 3; i < 16840000; i++)
- input[i] = 0xff;
+ for(i = 3; i < 16840000; i++) input[i] = 0xff;
r = LZ4_decompress_safe(input, output, 20<<20, 20<<20);
free(input);
@@ -197,46 +198,48 @@ int FUZ_Issue52()
#define MAX_NB_BUFF_I134 150
-#define BLOCKSIZE_I134 64 MB
+#define BLOCKSIZE_I134 (32 MB)
int FUZ_Issue134()
{
char* buffers[MAX_NB_BUFF_I134+1] = {0};
- int i, nbBuff;
+ int i, nbBuff=0;
+ int highAddress = 0;
- printf("Overflow test issue 134 : ");
+ printf("Overflow tests : ");
// Only possible in 32-bits
if (sizeof(void*)==8)
{
- printf("64 bits mode : not applicable \n");
+ printf("64 bits mode : no overflow \n");
+ fflush(stdout);
return 0;
}
- printf(" ");
- for (nbBuff=0; nbBuff < MAX_NB_BUFF_I134; nbBuff++)
+ buffers[0] = (char*)malloc(BLOCKSIZE_I134);
+ buffers[1] = (char*)malloc(BLOCKSIZE_I134);
+ if ((!buffers[0]) || (!buffers[1]))
{
- printf("\b\b\b\b%3i ", nbBuff);
+ printf("not enough memory for tests \n");
+ return 0;
+ }
+ for (nbBuff=2; nbBuff < MAX_NB_BUFF_I134; nbBuff++)
+ {
+ printf("%3i \b\b\b\b", nbBuff);
buffers[nbBuff] = (char*)malloc(BLOCKSIZE_I134);
- if (buffers[nbBuff]==NULL)
+ //printf("%08X ", (U32)(size_t)(buffers[nbBuff]));
+ fflush(stdout);
+
+ if (((size_t)buffers[nbBuff] > (size_t)0x80000000) && (!highAddress))
{
- printf(" : unable to allocate more memory\n");
- for (i=0 ; i<nbBuff; i++) free(buffers[i]);
- return 0;
+ printf("high address detected : ");
+ fflush(stdout);
+ highAddress=1;
}
- if ((size_t)buffers[nbBuff] > 0) // (size_t) 0x80000000)
+ if (buffers[nbBuff]==NULL) goto _endOfTests;
+
{
- printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff]));
- printf("Creating a payload designed to fail\n");
- buffers[++nbBuff] = (char*)malloc(BLOCKSIZE_I134);
- if (buffers[nbBuff]==NULL)
- {
- printf("failed to test (no more memory)\n");
- for (i=0 ; i<nbBuff; i++) free(buffers[i]);
- return 0;
- }
- {
size_t sizeToGenerateOverflow = (size_t)(- ((size_t)buffers[nbBuff-1]) + 512);
- size_t nbOf255 = (sizeToGenerateOverflow / 255) + 1;
+ int nbOf255 = (int)((sizeToGenerateOverflow / 255) + 1);
char* input = buffers[nbBuff-1];
char* output = buffers[nbBuff];
int r;
@@ -244,40 +247,42 @@ int FUZ_Issue134()
input[1] = 0xFF;
input[2] = 0xFF;
input[3] = 0xFF;
- for(i = 3; (size_t)i <= nbOf255+4; i++) input[i] = 0xff;
+ for(i = 4; i <= nbOf255+4; i++) input[i] = 0xff;
r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
- printf(" Literal overflow detected (return = %i < 0)\n",r);
+ if (r>0) goto _overflowError;
input[0] = 0x1F; // Match length overflow
input[1] = 0x01;
input[2] = 0x01;
input[3] = 0x00;
r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
- printf(" Match overflow detected (return = %i < 0)\n",r);
- if (nbBuff>=2)
- {
- output = buffers[nbBuff-2];
- memset(input, 0, BLOCKSIZE_I134);
- input[0] = 0xF0; // Literal length overflow
- input[1] = 0xFF;
- input[2] = 0xFF;
- input[3] = 0xFF;
- r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
- printf(" Literal overflow detected (return = %i < 0)\n",r);
- input[0] = 0x1F; // Match length overflow
- input[1] = 0x01;
- input[2] = 0x01;
- input[3] = 0x00;
- r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
- printf(" Match overflow detected (return = %i < 0)\n",r);
- }
- }
- free (buffers[nbBuff]); nbBuff--;
+ if (r>0) goto _overflowError;
+
+ output = buffers[nbBuff-2]; // Reverse in/out pointer order
+ input[0] = 0xF0; // Literal length overflow
+ input[1] = 0xFF;
+ input[2] = 0xFF;
+ input[3] = 0xFF;
+ r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+ if (r>0) goto _overflowError;
+ input[0] = 0x1F; // Match length overflow
+ input[1] = 0x01;
+ input[2] = 0x01;
+ input[3] = 0x00;
+ r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+ if (r>0) goto _overflowError;
}
}
+ nbBuff++;
+_endOfTests:
for (i=0 ; i<nbBuff; i++) free(buffers[i]);
- printf("\n");
+ if (!highAddress) printf("high address not possible \n");
+ else printf("all overflows correctly detected \n");
return 0;
+
+_overflowError:
+ printf("Address space overflow error !! \n");
+ exit(1);
}
@@ -319,8 +324,8 @@ int FUZ_test(U32 seed, int nbCycles, int startCycle, double compressibility) {
switch(displayLevel)
{
case 0: displayRefresh = nbCycles+1; break;
- case 1: displayRefresh=FUZ_MAX(1, nbCycles / 100); break;
- case 2: displayRefresh=89; break;
+ case 1: displayRefresh = FUZ_MAX(1, nbCycles / 100); break;
+ case 2: displayRefresh = 89; break;
default : displayRefresh=1;
}
@@ -757,7 +762,7 @@ int main(int argc, char** argv) {
printf("Seed = %u\n", seed);
if (proba!=FUZ_COMPRESSIBILITY_DEFAULT) printf("Compressibility : %i%%\n", proba);
- FUZ_Issue52();
+ //FUZ_Issue52();
FUZ_Issue134();
if (nbTests<=0) nbTests=1;