From 1411c2b6740b92cbe258465a20f43e8de6098a8f Mon Sep 17 00:00:00 2001 From: Yann Collet Date: Wed, 2 Jul 2014 04:36:56 +0100 Subject: Quickfix of issue 134 (untested) --- Makefile | 2 +- lz4.c | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 9fcc4a9..b6343a7 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,7 @@ # ################################################################ # Version numbers -export RELEASE=r118 +export RELEASE=rc119 LIBVER_MAJOR=1 LIBVER_MINOR=2 LIBVER_PATCH=0 diff --git a/lz4.c b/lz4.c index a1475dc..c0b6c1a 100644 --- a/lz4.c +++ b/lz4.c @@ -922,7 +922,9 @@ FORCE_INLINE int LZ4_decompress_generic( length += s; } while (likely((endOnInput)?ipLZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ + //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ + if ((sizeof(void*)==4) && unlikely(op+lengthLZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ + //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ + if ((sizeof(void*)==4) && unlikely(op+length Date: Wed, 2 Jul 2014 09:38:34 +0100 Subject: New fuzzer test (issue 134) --- programs/Makefile | 2 +- programs/fuzzer.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/programs/Makefile b/programs/Makefile index 6ec2788..ff45903 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -30,7 +30,7 @@ # fullbench32: Same as fullbench, but forced to compile in 32-bits mode # ################################################################ -RELEASE=r118 +RELEASE=rc119 DESTDIR= PREFIX=/usr CC:=$(CC) diff --git a/programs/fuzzer.c b/programs/fuzzer.c index 82f6090..9c39c5a 100644 --- a/programs/fuzzer.c +++ b/programs/fuzzer.c 
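Review bot: The replacement 32-bit check in the lz4.c hunk compares `op+length` against `op`, which detects the wrap only by relying on pointer arithmetic past the end of the object, and that is undefined behaviour the compiler is free to fold away; the safe form does the addition in an unsigned integer, `if ((sizeof(void*)==4) && unlikely((size_t)op + length < (size_t)op)) goto _output_error;` (or `uintptr_t`). The old `length>LZ4_MAX_INPUT_SIZE` test is left behind as a commented-out line on both sites; delete it rather than keep dead code next to a security check. The subject line itself says the fix is untested, so the new fuzzer case in the next commit should be the gate for landing it. LZ4_decompress_generic starts and ends outside the hunk, and the exact text of the `+` lines is not fully recoverable here, so the proposed form is to be checked against the file.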
@@ -75,6 +75,11 @@ #define PRIME2 2246822519U #define PRIME3 3266489917U +#define KB *(1U<<10) +#define MB *(1U<<20) +#define GB *(1U<<30) + + //************************************** // Macros @@ -164,7 +169,7 @@ void FUZ_fillCompressibleNoiseBuffer(void* buffer, int bufferSize, double proba, } -int FUZ_SecurityTest() +int FUZ_Issue52() { char* output; char* input; @@ -179,7 +184,7 @@ int FUZ_SecurityTest() input[2] = 0x00; for(i = 3; i < 16840000; i++) input[i] = 0xff; - r = LZ4_decompress_fast(input, output, 20<<20); + r = LZ4_decompress_safe(input, output, 20<<20, 20<<20); free(input); free(output); 
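Review bot: In the FUZ_Issue52 hunk the call now passes `20<<20` as the compressed size, while the loop just above it only initialises `input[0..16839999]`; if the input buffer is a plain malloc (its allocation is outside the hunk) the decoder can read uninitialised bytes past that point, which makes the test non-deterministic under valgrind/MSan. Either pass the initialised length, `r = LZ4_decompress_safe(input, output, 16840000, 20<<20);`, or zero the buffer before building the payload. As a style point, the new `KB`/`MB`/`GB` "suffix" macros (`#define MB *(1U<<20)`) read oddly and hide the multiplication; a function-like `#define MB(x) ((x) * (1U<<20))` is the conventional form.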
@@ -187,6 +192,69 @@ int FUZ_SecurityTest() return 0; } + +#define MAX_NB_BUFF_I134 36 +int FUZ_Issue134() +{ + char* buffers[MAX_NB_BUFF_I134+1] = {0}; + int i, nbBuff; + + printf("Overflow test issue 134 : "); + + // Only possible in 32-bits + if (sizeof(void*)==8) + { + printf("64 bits mode : not applicable \n"); + return 0; + } + + printf(" "); + for (nbBuff=0; nbBuff < MAX_NB_BUFF_I134; nbBuff++) + { + printf("\b\b\b\b%3i ", nbBuff); + buffers[nbBuff] = (char*)malloc(64 MB); + if (buffers[nbBuff]==NULL) + { + printf(" : unable to allocate memory above 0x80000000h \n"); + for (i=0 ; i (size_t) 0x80000000) + { + printf("Found high memory buffer : %X \n", (U32)(size_t)(buffers[nbBuff])); + printf("Creating a payload designed to fail\n"); + buffers[++nbBuff] = (char*)malloc(64 MB); + if (buffers[nbBuff]==NULL) + { + printf("failed to test (lack of memory)\n"); + return 0; + } + { + size_t sizeToGenerateOverflow = - ((size_t)buffers[nbBuff-1]) + 512; + size_t nbOf255 = (sizeToGenerateOverflow / 255) + 1; + char* input = buffers[nbBuff-1]; + char* output = buffers[nbBuff]; + int r; + input[0] = 0x0F; + input[1] = 0x00; + input[2] = 0x00; + for(i = 3; (size_t)i <= nbOf255; i++) input[i] = 0xff; + r = LZ4_decompress_safe(input, output, 64 MB, 64 MB); + printf(" Passed (return = %i < 0)\n",r); + break; + } + } + } + + for (i=0 ; ib?a:b) int FUZ_test(U32 seed, int nbCycles, int startCycle, double compressibility) { @@ -642,7 +710,6 @@ int main(int argc, char** argv) { default: ; } } - } } @@ -663,7 +730,8 @@ int main(int argc, char** argv) { printf("Seed = %u\n", seed); if (proba!=FUZ_COMPRESSIBILITY_DEFAULT) printf("Compressibility : %i%%\n", proba); - FUZ_SecurityTest(); + FUZ_Issue52(); + FUZ_Issue134(); if (nbTests<=0) nbTests=1; -- cgit v0.12 From a3089e5b291a1aa946cbeb370f53b2b565146b3b Mon Sep 17 00:00:00 2001 
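Review bot: FUZ_Issue134 cannot fail: after `r = LZ4_decompress_safe(input, output, 64 MB, 64 MB);` it prints " Passed (return = %i < 0)" unconditionally, so a regression of the overflow fix would still report success. The result has to be checked and turned into a failing exit, e.g. `if (r >= 0) { printf(" Error : overflow not detected (return = %i)\n", r); exit(1); }` (with `<stdlib.h>` in scope), and the same applies to the `FUZ_Issue52` result further up the file. Only the first bytes of the input buffer are written before decoding, and the buffer comes from `malloc`, so the bytes the decoder reads after the 0xff run are uninitialised; a `memset` of the input before building the payload would make the test deterministic.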
From: Yann Collet Date: Wed, 2 Jul 2014 14:38:16 +0100 Subject: stronger fuzzer tests --- programs/fuzzer.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/programs/fuzzer.c b/programs/fuzzer.c index 9c39c5a..28516a8 100644 --- a/programs/fuzzer.c +++ b/programs/fuzzer.c @@ -220,9 +220,9 @@ int FUZ_Issue134() free(buffers[i]); return 0; } - if ((size_t)buffers[nbBuff] > (size_t) 0x80000000) + if ((size_t)buffers[nbBuff] > 0) // (size_t) 0x80000000) { - printf("Found high memory buffer : %X \n", (U32)(size_t)(buffers[nbBuff])); + printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff])); printf("Creating a payload designed to fail\n"); buffers[++nbBuff] = (char*)malloc(64 MB); if (buffers[nbBuff]==NULL) @@ -236,13 +236,18 @@ int FUZ_Issue134() char* input = buffers[nbBuff-1]; char* output = buffers[nbBuff]; int r; - input[0] = 0x0F; + input[0] = 0x0F; // Match length overflow input[1] = 0x00; input[2] = 0x00; - for(i = 3; (size_t)i <= nbOf255; i++) input[i] = 0xff; - r = LZ4_decompress_safe(input, output, 64 MB, 64 MB); + for(i = 3; (size_t)i <= nbOf255+3; i++) input[i] = 0xff; + r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB); printf(" Passed (return = %i < 0)\n",r); - break; + input[0] = 0xF0; // Literal length overflow + input[1] = 0xFF; + input[2] = 0xFF; + r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB); + printf(" Passed (return = %i < 0)\n",r); + free (buffers[nbBuff]); nbBuff--; } } } -- cgit v0.12 From 3a9427237dae41c0abd0a07d8ac862cbb9a037c3 Mon Sep 17 00:00:00 2001 From: Yann Collet Date: Wed, 2 Jul 2014 18:02:29 +0100 Subject: Stronger fuzzer tests Stronger fix 134 --- lz4.c | 8 ++++---- programs/fuzzer.c | 55 +++++++++++++++++++++++++++++++++++++------------------ 2 files changed, 41 insertions(+), 22 deletions(-) diff --git a/lz4.c b/lz4.c index c0b6c1a..482a8ed 100644 --- a/lz4.c +++ b/lz4.c 
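Review bot: The new call `r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB);` declares nbOf255+64 input bytes, but the loop above it only writes up to `input[nbOf255+3]`, and the buffer is malloc'd, so the decoder's tail reads land on uninitialised memory; zero the input first (`memset(input, 0, 64 MB);`) or write the whole declared length. The condition was relaxed to `(size_t)buffers[nbBuff] > 0`, which is always true for a pointer that already survived the `NULL` check just above, so the remaining `// (size_t) 0x80000000)` fragment and the `if` are now dead decoration and could go. With every address now tested, `sizeToGenerateOverflow` approaches 2^32 for low addresses and nbOf255 approaches 2^32/255, which still fits in a 64 MB buffer, but that bound is worth a one-line comment next to nbOf255. Both "Passed" messages are still printed regardless of the sign of `r`.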
@@ -923,8 +923,8 @@ FORCE_INLINE int LZ4_decompress_generic( } while (likely((endOnInput)?ipLZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ - if ((sizeof(void*)==4) && unlikely(op+length iend-LASTLITERALS)) goto _output_error; + if ((endOnInput) && (ip > iend-LASTLITERALS)) goto _output_error; s = *ip++; length += s; } while (s==255); //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */ - if ((sizeof(void*)==4) && unlikely(op+length 0) // (size_t) 0x80000000) { printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff])); printf("Creating a payload designed to fail\n"); - buffers[++nbBuff] = (char*)malloc(64 MB); + buffers[++nbBuff] = (char*)malloc(BLOCKSIZE_I134); if (buffers[nbBuff]==NULL) { - printf("failed to test (lack of memory)\n"); + printf("failed to test (no more memory)\n"); + for (i=0 ; i=2) + { + output = buffers[nbBuff-2]; + memset(input, 0, BLOCKSIZE_I134); + input[0] = 0xF0; // Literal length overflow + input[1] = 0xFF; + input[2] = 0xFF; + input[3] = 0xFF; + r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); + printf(" Literal overflow passed (return = %i < 0)\n",r); + input[0] = 0x1F; // Match length overflow + input[1] = 0x01; + input[2] = 0x01; + input[3] = 0x00; + r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); + printf(" Match overflow passed (return = %i < 0)\n",r); + } } + free (buffers[nbBuff]); nbBuff--; } } - for (i=0 ; i Date: Wed, 2 Jul 2014 22:03:58 +0100 Subject: update to r119 --- Makefile | 2 +- NEWS | 3 +++ programs/Makefile | 2 +- programs/fuzzer.c | 13 ++++++++----- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index b6343a7..c931d1e 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,7 @@ # ################################################################ # Version numbers -export RELEASE=rc119 +export RELEASE=r119 LIBVER_MAJOR=1 LIBVER_MINOR=2 LIBVER_PATCH=0 
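Review bot: The "stronger" 32-bit guard in the lz4.c hunk still appears to form `op+length` (and its ip counterpart) as a pointer before comparing, as far as the visible text shows; doing the addition in the integer domain, `if ((sizeof(void*)==4) && unlikely((uintptr_t)op + length < (uintptr_t)op)) goto _output_error;`, keeps the check well-defined and does not depend on the compiler preserving a wrapped pointer comparison. The tightened bound `if ((endOnInput) && (ip > iend-LASTLITERALS)) goto _output_error;` computes `iend-LASTLITERALS`, which itself points before the buffer for inputs shorter than LASTLITERALS unless a size check earlier in LZ4_decompress_generic rules that out; the function starts and ends outside the hunk, so that is to be confirmed. On the fuzzer side, `memset(input, 0, BLOCKSIZE_I134);` fixes the uninitialised-input problem, but the two new "passed" prints for the `nbBuff>=2` case are still unconditional and need an `if (r >= 0)` failure path.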
diff --git a/NEWS b/NEWS index 5e5dbe1..ff2cd53 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,6 @@ +r119: +Fix : overflow address, 32-bits mode (issue 134) + r118: New : LZ4 Streaming API (Fast version), special thanks to Takayuki Matsuoka New : datagen : parametrable synthetic data generator for tests diff --git a/programs/Makefile b/programs/Makefile index ff45903..a3e01a4 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -30,7 +30,7 @@ # fullbench32: Same as fullbench, but forced to compile in 32-bits mode # ################################################################ -RELEASE=rc119 +RELEASE=r119 DESTDIR= PREFIX=/usr CC:=$(CC) diff --git a/programs/fuzzer.c b/programs/fuzzer.c index d5ff318..b745be9 100644 --- a/programs/fuzzer.c +++ b/programs/fuzzer.c @@ -26,6 +26,9 @@ Remove Visual warning messages **************************************/ #define _CRT_SECURE_NO_WARNINGS // fgets +#ifdef _MSC_VER /* Visual Studio */ +# pragma warning(disable : 4127) /* disable: C4127: conditional expression is constant */ +#endif /************************************** @@ -232,7 +235,7 @@ int FUZ_Issue134() return 0; } { - size_t sizeToGenerateOverflow = - ((size_t)buffers[nbBuff-1]) + 512; + size_t sizeToGenerateOverflow = (size_t)(- ((size_t)buffers[nbBuff-1]) + 512); size_t nbOf255 = (sizeToGenerateOverflow / 255) + 1; char* input = buffers[nbBuff-1]; char* output = buffers[nbBuff]; 
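Review bot: The added cast in `size_t sizeToGenerateOverflow = (size_t)(- ((size_t)buffers[nbBuff-1]) + 512);` is a no-op (the operand is already size_t) and silences the warning without saying why the expression is valid; a comment would be more useful than the cast, e.g. `/* unsigned wrap is defined: distance from the buffer to the 2^32 boundary, plus 512 bytes so op+length wraps past 0 */`. The new `#pragma warning(disable : 4127)` is global for the whole translation unit; scoping it with `#pragma warning(push)` / `pop` around FUZ_Issue134 keeps the constant-condition warning active elsewhere in fuzzer.c. The enclosing function continues outside the hunk.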
@@ -243,13 +246,13 @@ int FUZ_Issue134() input[3] = 0xFF; for(i = 3; (size_t)i <= nbOf255+4; i++) input[i] = 0xff; r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); - printf(" Literal overflow passed (return = %i < 0)\n",r); + printf(" Literal overflow detected (return = %i < 0)\n",r); input[0] = 0x1F; // Match length overflow input[1] = 0x01; input[2] = 0x01; input[3] = 0x00; r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); - printf(" Match overflow passed (return = %i < 0)\n",r); + printf(" Match overflow detected (return = %i < 0)\n",r); if (nbBuff>=2) { output = buffers[nbBuff-2]; @@ -259,13 +262,13 @@ int FUZ_Issue134() input[2] = 0xFF; input[3] = 0xFF; r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); - printf(" Literal overflow passed (return = %i < 0)\n",r); + printf(" Literal overflow detected (return = %i < 0)\n",r); input[0] = 0x1F; // Match length overflow input[1] = 0x01; input[2] = 0x01; input[3] = 0x00; r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134); - printf(" Match overflow passed (return = %i < 0)\n",r); + printf(" Match overflow detected (return = %i < 0)\n",r); } } free (buffers[nbBuff]); nbBuff--; -- cgit v0.12
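Review bot: Renaming the messages from "passed" to "detected" does not change that each `printf(" Literal overflow detected (return = %i < 0)\n",r);` runs whatever `r` is, so the test still reports a detected overflow even when the decoder returns a non-negative size. Make the claim conditional, `if (r >= 0) { printf(" Error : literal overflow NOT detected (return = %i)\n", r); exit(1); }`, and likewise for the match case. The four call sites are identical apart from the payload; a small static helper taking the payload bytes and the expected-failure message would remove the duplication. FUZ_Issue134 starts and ends outside the hunk.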