From a3089e5b291a1aa946cbeb370f53b2b565146b3b Mon Sep 17 00:00:00 2001
From: Yann Collet <yann.collet.73@gmail.com>
Date: Wed, 2 Jul 2014 14:38:16 +0100
Subject: stronger fuzzer tests

---
 programs/fuzzer.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/programs/fuzzer.c b/programs/fuzzer.c
index 9c39c5a..28516a8 100644
--- a/programs/fuzzer.c
+++ b/programs/fuzzer.c
@@ -220,9 +220,9 @@ int FUZ_Issue134()
         free(buffers[i]);
       return 0;
     }
-    if ((size_t)buffers[nbBuff] > (size_t) 0x80000000)
+    if ((size_t)buffers[nbBuff] > 0) // (size_t) 0x80000000)
     {
-      printf("Found high memory buffer : %X \n", (U32)(size_t)(buffers[nbBuff]));
+      printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff]));
       printf("Creating a payload designed to fail\n");
       buffers[++nbBuff] = (char*)malloc(64 MB);
       if (buffers[nbBuff]==NULL)
@@ -236,13 +236,18 @@ int FUZ_Issue134()
         char* input = buffers[nbBuff-1];
         char* output = buffers[nbBuff];
         int r;
-        input[0] = 0x0F;
+        input[0] = 0x0F;   // Match length overflow
         input[1] = 0x00;
         input[2] = 0x00;
-        for(i = 3; (size_t)i <= nbOf255; i++) input[i] = 0xff;
-        r = LZ4_decompress_safe(input, output, 64 MB, 64 MB);
+        for(i = 3; (size_t)i <= nbOf255+3; i++) input[i] = 0xff;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB);
         printf(" Passed (return = %i < 0)\n",r);
-        break;
+        input[0] = 0xF0;   // Literal length overflow
+        input[1] = 0xFF;
+        input[2] = 0xFF;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB);
+        printf(" Passed (return = %i < 0)\n",r);
+        free (buffers[nbBuff]); nbBuff--;
       }
     }
   }
-- 
cgit v0.12