From 3a9427237dae41c0abd0a07d8ac862cbb9a037c3 Mon Sep 17 00:00:00 2001
From: Yann Collet <yann.collet.73@gmail.com>
Date: Wed, 2 Jul 2014 18:02:29 +0100
Subject: Stronger fuzzer tests Stronger fix 134

---
 lz4.c             |  8 ++++----
 programs/fuzzer.c | 55 +++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/lz4.c b/lz4.c
index c0b6c1a..482a8ed 100644
--- a/lz4.c
+++ b/lz4.c
@@ -923,8 +923,8 @@ FORCE_INLINE int LZ4_decompress_generic(
             }
             while (likely((endOnInput)?ip<iend-RUN_MASK:1) && (s==255));
             //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error;   /* overflow detection */
-            if ((sizeof(void*)==4) && unlikely(op+length<op)) goto _output_error;   /* quickfix issue 134 */
-            if (endOnInput && (sizeof(void*)==4) && unlikely(ip+length<ip)) goto _output_error;   /* quickfix issue 134 */
+            if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)(op))) goto _output_error;   /* quickfix issue 134 */
+            if ((endOnInput) && (sizeof(void*)==4) && unlikely((size_t)(ip+length)<(size_t)(ip))) goto _output_error;   /* quickfix issue 134 */
         }
 
         /* copy literals */
@@ -959,12 +959,12 @@ FORCE_INLINE int LZ4_decompress_generic(
             unsigned s;
             do
             {
-                if (endOnInput && (ip > iend-LASTLITERALS)) goto _output_error;
+                if ((endOnInput) && (ip > iend-LASTLITERALS)) goto _output_error;
                 s = *ip++;
                 length += s;
             } while (s==255);
             //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error;   /* overflow detection */
-            if ((sizeof(void*)==4) && unlikely(op+length<op)) goto _output_error;   /* quickfix issue 134 */
+            if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)op)) goto _output_error;   /* quickfix issue 134 */
         }
 
         /* check external dictionary */
diff --git a/programs/fuzzer.c b/programs/fuzzer.c
index 28516a8..d5ff318 100644
--- a/programs/fuzzer.c
+++ b/programs/fuzzer.c
@@ -193,7 +193,8 @@ int FUZ_Issue52()
 }
 
 
-#define MAX_NB_BUFF_I134 36
+#define MAX_NB_BUFF_I134 150
+#define BLOCKSIZE_I134 64 MB
 int FUZ_Issue134()
 {
   char* buffers[MAX_NB_BUFF_I134+1] = {0};
@@ -212,22 +213,22 @@ int FUZ_Issue134()
   for (nbBuff=0; nbBuff < MAX_NB_BUFF_I134; nbBuff++)
   {
     printf("\b\b\b\b%3i ", nbBuff);
-    buffers[nbBuff] = (char*)malloc(64 MB);
+    buffers[nbBuff] = (char*)malloc(BLOCKSIZE_I134);
     if (buffers[nbBuff]==NULL)
     {
-      printf(" : unable to allocate memory above 0x80000000h \n");
-      for (i=0 ; i<nbBuff; i++)
-        free(buffers[i]);
+      printf(" : unable to allocate more memory\n");
+      for (i=0 ; i<nbBuff; i++) free(buffers[i]);
       return 0;
     }
     if ((size_t)buffers[nbBuff] > 0) // (size_t) 0x80000000)
     {
       printf("Testing memory buffer address %X , ", (U32)(size_t)(buffers[nbBuff]));
       printf("Creating a payload designed to fail\n");
-      buffers[++nbBuff] = (char*)malloc(64 MB);
+      buffers[++nbBuff] = (char*)malloc(BLOCKSIZE_I134);
       if (buffers[nbBuff]==NULL)
       {
-        printf("failed to test (lack of memory)\n");
+        printf("failed to test (no more memory)\n");
+        for (i=0 ; i<nbBuff; i++) free(buffers[i]);
         return 0;
       }
       {
@@ -236,24 +237,42 @@ int FUZ_Issue134()
         char* input = buffers[nbBuff-1];
         char* output = buffers[nbBuff];
         int r;
-        input[0] = 0x0F;   // Match length overflow
-        input[1] = 0x00;
-        input[2] = 0x00;
-        for(i = 3; (size_t)i <= nbOf255+3; i++) input[i] = 0xff;
-        r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB);
-        printf(" Passed (return = %i < 0)\n",r);
         input[0] = 0xF0;   // Literal length overflow
         input[1] = 0xFF;
         input[2] = 0xFF;
-        r = LZ4_decompress_safe(input, output, nbOf255+64, 64 MB);
-        printf(" Passed (return = %i < 0)\n",r);
-        free (buffers[nbBuff]); nbBuff--;
+        input[3] = 0xFF;
+        for(i = 3; (size_t)i <= nbOf255+4; i++) input[i] = 0xff;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+        printf(" Literal overflow passed (return = %i < 0)\n",r);
+        input[0] = 0x1F;   // Match length overflow
+        input[1] = 0x01;
+        input[2] = 0x01;
+        input[3] = 0x00;
+        r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+        printf(" Match overflow passed (return = %i < 0)\n",r);
+        if (nbBuff>=2)
+        {
+            output = buffers[nbBuff-2];
+            memset(input, 0, BLOCKSIZE_I134);
+            input[0] = 0xF0;   // Literal length overflow
+            input[1] = 0xFF;
+            input[2] = 0xFF;
+            input[3] = 0xFF;
+            r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+            printf(" Literal overflow passed (return = %i < 0)\n",r);
+            input[0] = 0x1F;   // Match length overflow
+            input[1] = 0x01;
+            input[2] = 0x01;
+            input[3] = 0x00;
+            r = LZ4_decompress_safe(input, output, nbOf255+64, BLOCKSIZE_I134);
+            printf(" Match overflow passed (return = %i < 0)\n",r);
+        }
       }
+      free (buffers[nbBuff]); nbBuff--;
     }
   }
 
-  for (i=0 ; i<nbBuff; i++)
-    free(buffers[i]);
+  for (i=0 ; i<nbBuff; i++) free(buffers[i]);
   printf("\n");
   return 0;
 }
-- 
cgit v0.12