From fd51d0567b640541e5d4290488bf4ed02c6d6990 Mon Sep 17 00:00:00 2001
From: Yann Collet <yann.collet.73@gmail.com>
Date: Sat, 5 Jul 2014 12:50:05 +0100
Subject: updated fuzzer, faster and cleaner overflow tests

---
 Makefile          |   2 +-
 NEWS              |   2 +-
 programs/Makefile |   2 +-
 programs/fuzzer.c | 107 ++++++++++++++++++++++++++++--------------------------
 4 files changed, 59 insertions(+), 54 deletions(-)

diff --git a/Makefile b/Makefile
index c931d1e..8013903 100644
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,7 @@
 # ################################################################
 
 # Version numbers
-export RELEASE=r119
+export RELEASE=rc120
 LIBVER_MAJOR=1
 LIBVER_MINOR=2
 LIBVER_PATCH=0
diff --git a/NEWS b/NEWS
index ff2cd53..2adeab3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,5 @@
 r119:
-Fix : overflow address, 32-bits mode (issue 134)
+Fix : Issue 134 : extended malicious address space overflow in 32-bits mode for some specific configurations
 
 r118:
 New : LZ4 Streaming API (Fast version), special thanks to Takayuki Matsuoka
diff --git a/programs/Makefile b/programs/Makefile
index a3e01a4..3d7aadf 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -30,7 +30,7 @@
 # fullbench32: Same as fullbench, but forced to compile in 32-bits mode
 # ################################################################
 
-RELEASE=r119
+RELEASE=rc120
 DESTDIR=
 PREFIX=/usr
 CC:=$(CC)
diff --git a/programs/fuzzer.c b/programs/fuzzer.c
index b745be9..f78e72d 100644
--- a/programs/fuzzer.c
+++ b/programs/fuzzer.c
@@ -28,6 +28,7 @@
 #define _CRT_SECURE_NO_WARNINGS   // fgets
 #ifdef _MSC_VER    /* Visual Studio */
 #  pragma warning(disable : 4127)        /* disable: C4127: conditional expression is constant */
+#  pragma warning(disable : 4146)        /* disable: C4146: minus unsigned expression */
 #endif
 
 
@@ -172,6 +173,7 @@ void FUZ_fillCompressibleNoiseBuffer(void* buffer, int bufferSize, double proba,
 }
 
 
+// No longer useful; included into issue 134
 int FUZ_Issue52()
 {
   char* output;
@@ -185,8 +187,7 @@ int FUZ_Issue52()
   input[0] = 0x0F;
   input[1] = 0x00;
   input[2] = 0x00;
-  for(i = 3; i < 16840000; i++)
-    input[i] = 0xff;
+  for(i = 3; i < 16840000; i++) input[i] = 0xff;
   r = LZ4_decompress_safe(input, output, 20<<20, 20<<20);
 
   free(input);
@@ -197,46 +198,48 @@ int FUZ_Issue52()
 
 
 #define MAX_NB_BUFF_I134 150
-#define BLOCKSIZE_I134 64 MB
+#define BLOCKSIZE_I134   (32 MB)
 int FUZ_Issue134()
 {
   char* buffers[MAX_NB_BUFF_I134+1] = {0};
-  int i, nbBuff;
+  int i, nbBuff=0;
+  int highAddress = 0;
 
-  printf("Overflow test issue 134 : ");
+  printf("Overflow tests : ");
 
   // Only possible in 32-bits
   if (sizeof(void*)==8)
   {
-    printf("64 bits mode : not applicable \n");
+    printf("64 bits mode : no overflow \n");
+    fflush(stdout);
     return 0;
   }
 
-  printf("    ");
-  for (nbBuff=0; nbBuff < MAX_NB_BUFF_I134; nbBuff++)
+  buffers[0] = (char*)malloc(BLOCKSIZE_I134);
+  buffers[1] = (char*)malloc(BLOCKSIZE_I134);
+  if ((!buffers[0]) || (!buffers[1]))
   {
-    printf("\b\b\b\b%3i ", nbBuff);
+    printf("not enough memory for tests \n");
+    return 0;
+  }
+  for (nbBuff=2; nbBuff < MAX_NB_BUFF_I134; nbBuff++)
+  {
+    printf("%3i \b\b\b\b", nbBuff);
     buffers[nbBuff] = (char*)malloc(BLOCKSIZE_I134);
-    if (buffers[nbBuff]==NULL)
+    //printf("%08X ", (U32)(size_t)(buffers[nbBuff]));
+    fflush(stdout);
+
+    if (((size_t)buffers[nbBuff] > (size_t)0x80000000) && (!highAddress))
     {
-      printf(" : unable to allocate more memory\n");
-      for (i=0 ; i<nbBuff; i++) free(buffers[i]);
-      return 0;
+        printf("high address detected : ");
+        fflush(stdout);
+        highAddress=1;
     }
-    if ((size_t)buffers[nbBuff] > 0) // (size_t) 0x80000000)
+    if (buffers[nbBuff]==NULL) goto _endOfTests;
+
     {
-      printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff]));
-      printf("Creating a payload designed to fail\n");
-      buffers[++nbBuff] = (char*)malloc(BLOCKSIZE_I134);
-      if (buffers[nbBuff]==NULL)
-      {
-        printf("failed to test (no more memory)\n");
-        for (i=0 ; i<nbBuff; i++) free(buffers[i]);
-        return 0;
-      }
-      {
         size_t sizeToGenerateOverflow = (size_t)(- ((size_t)buffers[nbBuff-1]) + 512);
-        size_t nbOf255 = (sizeToGenerateOverflow / 255) + 1;
+        int nbOf255 = (int)((sizeToGenerateOverflow / 255) + 1);
         char* input = buffers[nbBuff-1];
         char* output = buffers[nbBuff];
         int r;
@@ -244,40 +247,42 @@ int FUZ_Issue134()
         input[1] = 0xFF;
         input[2] = 0xFF;
         input[3] = 0xFF;
-        for(i = 3; (size_t)i <= nbOf255+4; i++) input[i] = 0xff;
+        for(i = 4; i <= nbOf255+4; i++) input[i] = 0xff;
         r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
-        printf(" Literal overflow detected (return = %i < 0)\n",r);
+        if (r>0) goto _overflowError;
         input[0] = 0x1F;   // Match length overflow
         input[1] = 0x01;
         input[2] = 0x01;
         input[3] = 0x00;
         r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
-        printf(" Match overflow detected (return = %i < 0)\n",r);
-        if (nbBuff>=2)
-        {
-            output = buffers[nbBuff-2];
-            memset(input, 0, BLOCKSIZE_I134);
-            input[0] = 0xF0;   // Literal length overflow
-            input[1] = 0xFF;
-            input[2] = 0xFF;
-            input[3] = 0xFF;
-            r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
-            printf(" Literal overflow detected (return = %i < 0)\n",r);
-            input[0] = 0x1F;   // Match length overflow
-            input[1] = 0x01;
-            input[2] = 0x01;
-            input[3] = 0x00;
-            r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
-            printf(" Match overflow detected (return = %i < 0)\n",r);
-        }
-      }
-      free (buffers[nbBuff]); nbBuff--;
+        if (r>0) goto _overflowError;
+
+        output = buffers[nbBuff-2];   // Reverse in/out pointer order
+        input[0] = 0xF0;   // Literal length overflow
+        input[1] = 0xFF;
+        input[2] = 0xFF;
+        input[3] = 0xFF;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+        if (r>0) goto _overflowError;
+        input[0] = 0x1F;   // Match length overflow
+        input[1] = 0x01;
+        input[2] = 0x01;
+        input[3] = 0x00;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+        if (r>0) goto _overflowError;
     }
   }
 
+  nbBuff++;
+_endOfTests:
   for (i=0 ; i<nbBuff; i++) free(buffers[i]);
-  printf("\n");
+  if (!highAddress) printf("high address not possible \n");
+  else printf("all overflows correctly detected \n");
   return 0;
+
+_overflowError:
+  printf("Address space overflow error !! \n");
+  exit(1);
 }
 
 
@@ -319,8 +324,8 @@ int FUZ_test(U32 seed, int nbCycles, int startCycle, double compressibility) {
         switch(displayLevel)
         {
         case 0: displayRefresh = nbCycles+1; break;
-        case 1: displayRefresh=FUZ_MAX(1, nbCycles / 100); break;
-        case 2: displayRefresh=89; break;
+        case 1: displayRefresh = FUZ_MAX(1, nbCycles / 100); break;
+        case 2: displayRefresh = 89; break;
         default : displayRefresh=1;
         }
 
@@ -757,7 +762,7 @@ int main(int argc, char** argv) {
     printf("Seed = %u\n", seed);
     if (proba!=FUZ_COMPRESSIBILITY_DEFAULT) printf("Compressibility : %i%%\n", proba);
 
-    FUZ_Issue52();
+    //FUZ_Issue52();
     FUZ_Issue134();
 
     if (nbTests<=0) nbTests=1;
-- 
cgit v0.12