From b485d01faff54c337db972da9dee2d54d2db2a52 Mon Sep 17 00:00:00 2001 From: Randy Date: Tue, 24 Nov 2020 16:51:30 +0100 Subject: [PATCH] updates to OSS-Fuzz integration adapt more fuzz targets from zlib, add zip fuzzer, zip dictionary. update uncompress_fuzzer to seed the buffer length separately. --- CMakeLists.txt | 20 ++++++ tests/compress_fuzzer.c | 88 +++++++++++++++++++++++++ tests/flush_fuzzer.c | 2 +- tests/large_fuzzer.c | 130 +++++++++++++++++++++++++++++++++++++ tests/ossfuzz.sh | 7 ++ tests/small_fuzzer.c | 124 +++++++++++++++++++++++++++++++++++ tests/uncompress2_fuzzer.c | 20 ++++++ tests/uncompress_fuzzer.c | 15 +++-- tests/zip.dict | 9 +++ tests/zip_fuzzer.c | 58 +++++++++++++++++ 10 files changed, 466 insertions(+), 7 deletions(-) create mode 100644 tests/compress_fuzzer.c create mode 100644 tests/large_fuzzer.c create mode 100644 tests/small_fuzzer.c create mode 100644 tests/uncompress2_fuzzer.c create mode 100644 tests/zip.dict create mode 100644 tests/zip_fuzzer.c diff --git a/CMakeLists.txt b/CMakeLists.txt index 69feef9..9b4873e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -217,6 +217,11 @@ if(BUILD_FUZZERS) set(CHECKSUM_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/checksum_fuzzer.c") set(FLUSH_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/flush_fuzzer.c") set(UNCOMPRESS_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/uncompress_fuzzer.c") + set(UNCOMPRESS2_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/uncompress2_fuzzer.c") + set(COMPRESS_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/compress_fuzzer.c") + set(SMALL_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/small_fuzzer.c") + set(LARGE_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/large_fuzzer.c") + set(ZIP_FUZZER_SRC_LIST "${FUZZ_MAIN_SRC}" "${CMAKE_CURRENT_SOURCE_DIR}/tests/zip_fuzzer.c") add_executable(checksum_fuzzer ${CHECKSUM_FUZZER_SRC_LIST}) target_link_libraries(checksum_fuzzer miniz) @@ -226,6 +231,21 @@ if(BUILD_FUZZERS) add_executable(uncompress_fuzzer ${UNCOMPRESS_FUZZER_SRC_LIST}) target_link_libraries(uncompress_fuzzer miniz) + + add_executable(uncompress2_fuzzer ${UNCOMPRESS2_FUZZER_SRC_LIST}) + target_link_libraries(uncompress2_fuzzer miniz) + + add_executable(compress_fuzzer ${COMPRESS_FUZZER_SRC_LIST}) + target_link_libraries(compress_fuzzer miniz) + + add_executable(small_fuzzer ${SMALL_FUZZER_SRC_LIST}) + target_link_libraries(small_fuzzer miniz) + + add_executable(large_fuzzer ${LARGE_FUZZER_SRC_LIST}) + target_link_libraries(large_fuzzer miniz) + + add_executable(zip_fuzzer ${ZIP_FUZZER_SRC_LIST}) + target_link_libraries(zip_fuzzer miniz) endif() set(INCLUDE_INSTALL_DIR "include") diff --git a/tests/compress_fuzzer.c b/tests/compress_fuzzer.c new file mode 100644 index 0000000..980b94c --- /dev/null +++ b/tests/compress_fuzzer.c 
@@ -0,0 +1,88 @@ +/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib, + * see ossfuzz.sh for full license text. +*/ + +#include +#include +#include +#include +#include +#include +#include +#include "miniz.h" + +static const uint8_t *data; +static size_t dataLen; + +static void check_compress_level(uint8_t *compr, size_t comprLen, + uint8_t *uncompr, size_t uncomprLen, + int level) +{ + compress2(compr, &comprLen, data, dataLen, level); + uncompress(uncompr, &uncomprLen, compr, comprLen); + + /* Make sure compress + uncompress gives back the input data. */ + assert(dataLen == uncomprLen); + assert(0 == memcmp(data, uncompr, dataLen)); +} + +#define put_byte(s, i, c) {s[i] = (unsigned char)(c);} + +static void write_zlib_header(uint8_t *s) +{ + unsigned level_flags = 0; /* compression level (0..3) */ + unsigned w_bits = 8; /* window size log2(w_size) (8..16) */ + unsigned int header = (Z_DEFLATED + ((w_bits-8)<<4)) << 8; + header |= (level_flags << 6); + + header += 31 - (header % 31); + + /* s is guaranteed to be longer than 2 bytes. */ + put_byte(s, 0, (unsigned char)(header >> 8)); + put_byte(s, 1, (unsigned char)(header & 0xff)); +} + +static void check_decompress(uint8_t *compr, size_t comprLen) +{ + /* We need to write a valid zlib header of size two bytes. Copy the input data + in a larger buffer. Do not modify the input data to avoid libFuzzer error: + fuzz target overwrites its const input. */ + size_t copyLen = dataLen + 2; + uint8_t *copy = malloc(copyLen); + memcpy(copy + 2, data, dataLen); + write_zlib_header(copy); + + uncompress(compr, &comprLen, copy, copyLen); + free(copy); +} + +int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size) +{ + /* compressBound does not provide enough space for low compression levels. */ + size_t comprLen = 100 + 2 * compressBound(size); + size_t uncomprLen = size; + uint8_t *compr, *uncompr; + + /* Discard inputs larger than 1Mb. 
*/ + static size_t kMaxSize = 1024 * 1024; + + if (size < 1 || size > kMaxSize) + return 0; + + data = d; + dataLen = size; + compr = calloc(1, comprLen); + uncompr = calloc(1, uncomprLen); + + check_compress_level(compr, comprLen, uncompr, uncomprLen, 1); + check_compress_level(compr, comprLen, uncompr, uncomprLen, 3); + check_compress_level(compr, comprLen, uncompr, uncomprLen, 6); + check_compress_level(compr, comprLen, uncompr, uncomprLen, 7); + + check_decompress(compr, comprLen); + + free(compr); + free(uncompr); + + return 0; +} diff --git a/tests/flush_fuzzer.c b/tests/flush_fuzzer.c index d0d1c61..fc12fca 100644 --- a/tests/flush_fuzzer.c +++ b/tests/flush_fuzzer.c @@ -32,7 +32,7 @@ void test_flush(unsigned char *compr, size_t *comprLen) c_stream.zalloc = zalloc; c_stream.zfree = zfree; - c_stream.opaque = (void *)0; + c_stream.opaque = NULL; err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION); CHECK_ERR(err, "deflateInit"); diff --git a/tests/large_fuzzer.c b/tests/large_fuzzer.c new file mode 100644 index 0000000..ad5213d --- /dev/null +++ b/tests/large_fuzzer.c 
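Review bot: check_compress_level discards the return values of compress2() and uncompress(), so a Z_BUF_ERROR or Z_MEM_ERROR from either only surfaces as the later `assert(dataLen == uncomprLen)`, and the error code that explains the failure is lost from the crash report. Capture and check them, e.g. `int err = compress2(compr, &comprLen, data, dataLen, level); assert(err == Z_OK);` and likewise `err = uncompress(uncompr, &uncomprLen, compr, comprLen); assert(err == Z_OK);`. The calloc() results in LLVMFuzzerTestOneInput and the malloc() in check_decompress are also used without a NULL check; with inputs up to 1 MiB and comprLen about twice that, an allocation failure under the fuzzer's memory limit would be reported as a miniz crash rather than a harness out-of-memory, so `if (!compr || !uncompr) { free(compr); free(uncompr); return 0; }` (and the same for `copy`) keeps the harness from producing false positives. As a minor point, the `put_byte` macro expands to a bare braced block, which breaks if it is ever used as the body of an `if` followed by `else`; `do { ... } while (0)` is the usual form.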
@@ -0,0 +1,130 @@ +/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib, + * see ossfuzz.sh for full license text. +*/ + +#include +#include +#include +#include +#include +#include + +#include "miniz.h" + +#define CHECK_ERR(err, msg) { \ + if (err != Z_OK) { \ + fprintf(stderr, "%s error: %d\n", msg, err); \ + exit(1); \ + } \ +} + +static const uint8_t *data; +static size_t dataLen; +static alloc_func zalloc = NULL; +static free_func zfree = NULL; +static unsigned int diff; + +/* Test deflate() with large buffers and dynamic change of compression level */ +void test_large_deflate(unsigned char *compr, size_t comprLen, + unsigned char *uncompr, size_t uncomprLen) +{ + z_stream c_stream; /* compression stream */ + int err; + + c_stream.zalloc = zalloc; + c_stream.zfree = zfree; + c_stream.opaque = NULL; + + err = deflateInit(&c_stream, Z_BEST_COMPRESSION); + CHECK_ERR(err, "deflateInit"); + + c_stream.next_out = compr; + c_stream.avail_out = (unsigned int)comprLen; + + /* At this point, uncompr is still mostly zeroes, so it should compress + * very well: + */ + c_stream.next_in = uncompr; + c_stream.avail_in = (unsigned int)uncomprLen; + err = deflate(&c_stream, Z_NO_FLUSH); + CHECK_ERR(err, "deflate large 1"); + + if (c_stream.avail_in != 0) + { + fprintf(stderr, "deflate not greedy\n"); + exit(1); + } + + /* Feed in already compressed data: */ + c_stream.next_in = compr; + diff = (unsigned int)(c_stream.next_out - compr); + c_stream.avail_in = diff; + + deflate(&c_stream, Z_NO_FLUSH); + err = deflate(&c_stream, Z_FINISH); + + if (err != Z_STREAM_END) + { + fprintf(stderr, "deflate large should report Z_STREAM_END\n"); + exit(1); + } + err = deflateEnd(&c_stream); + CHECK_ERR(err, "deflateEnd"); +} + +/* Test inflate() with large buffers */ +void test_large_inflate(unsigned char *compr, size_t comprLen, + unsigned char *uncompr, size_t uncomprLen) +{ + int err; + z_stream d_stream; /* decompression stream */ + + 
d_stream.zalloc = zalloc; + d_stream.zfree = zfree; + d_stream.opaque = NULL; + + d_stream.next_in = compr; + d_stream.avail_in = (unsigned int)comprLen; + + err = inflateInit(&d_stream); + CHECK_ERR(err, "inflateInit"); + + for (;;) + { + d_stream.next_out = uncompr; /* discard the output */ + d_stream.avail_out = (unsigned int)uncomprLen; + err = inflate(&d_stream, Z_NO_FLUSH); + if (err == Z_STREAM_END) break; + + CHECK_ERR(err, "large inflate"); + } + + err = inflateEnd(&d_stream); + CHECK_ERR(err, "inflateEnd"); +} + +int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size) +{ + size_t comprLen = 100 + 3 * size; + size_t uncomprLen = comprLen; + uint8_t *compr, *uncompr; + + /* Discard inputs larger than 512Kb. */ + static size_t kMaxSize = 512 * 1024; + + if (size < 1 || size > kMaxSize) + return 0; + + data = d; + dataLen = size; + compr = calloc(1, comprLen); + uncompr = calloc(1, uncomprLen); + + test_large_deflate(compr, comprLen, uncompr, uncomprLen); + test_large_inflate(compr, comprLen, uncompr, uncomprLen); + + free(compr); + free(uncompr); + + return 0; +} diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh index 6e43b7c..c437988 100755 --- a/tests/ossfuzz.sh +++ b/tests/ossfuzz.sh @@ -33,3 +33,10 @@ for f in $(find $SRC -name '*_fuzzer.c'); do rm -f /tmp/$b.o ln -sf $OUT/seed_corpus.zip $OUT/${b}_seed_corpus.zip done + + +# Add .zip input file for the zip fuzzer +rm -f $OUT/zip_fuzzer_seed_corpus.zip +zip $OUT/zip_fuzzer_seed_corpus.zip $OUT/seed_corpus.zip + +cp tests/zip.dict $OUT/zip_fuzzer.dict \ No newline at end of file diff --git a/tests/small_fuzzer.c b/tests/small_fuzzer.c new file mode 100644 index 0000000..500881a --- /dev/null +++ b/tests/small_fuzzer.c 
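Review bot: The fuzzer input never reaches deflate() in large_fuzzer.c: LLVMFuzzerTestOneInput stores `d` and `size` into `data`/`dataLen`, but neither test_large_deflate nor test_large_inflate reads them, and the stream is fed the freshly calloc'd all-zero `uncompr` buffer and then `compr` itself, so the only thing the corpus varies is the buffer size. Copying the input into the scratch buffer before the first test, `memcpy(uncompr, data, dataLen);` after the calloc calls (uncomprLen is 100 + 3 * size, so it fits), lets the target actually exercise the compressor on fuzzed bytes; the comment "uncompr is still mostly zeroes" in test_large_deflate would then need updating. The first `deflate(&c_stream, Z_NO_FLUSH)` call after switching next_in to compr also ignores its return value, so a Z_STREAM_ERROR there is only noticed indirectly by the Z_STREAM_END check; `err = deflate(&c_stream, Z_NO_FLUSH); CHECK_ERR(err, "deflate large 2");` matches the surrounding style. `diff` is only ever used inside test_large_deflate and could be a local rather than a file-scope static.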
@@ -0,0 +1,124 @@ +/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib, + * see ossfuzz.sh for full license text. +*/ + +#include +#include +#include +#include +#include +#include + +#include "miniz.h" + +#define CHECK_ERR(err, msg) { \ + if (err != Z_OK) { \ + fprintf(stderr, "%s error: %d\n", msg, err); \ + exit(1); \ + } \ +} + +static const uint8_t *data; +static size_t dataLen; +static alloc_func zalloc = NULL; +static free_func zfree = NULL; + +/* Test deflate() with small buffers */ +void test_deflate(unsigned char *compr, size_t comprLen) +{ + z_stream c_stream; /* compression stream */ + int err; + unsigned long len = dataLen; + + c_stream.zalloc = zalloc; + c_stream.zfree = zfree; + c_stream.opaque = NULL; + + err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION); + CHECK_ERR(err, "deflateInit"); + + c_stream.next_in = (Bytef *)data; + c_stream.next_out = compr; + + while (c_stream.total_in != len && c_stream.total_out < comprLen) + { + c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */ + err = deflate(&c_stream, Z_NO_FLUSH); + CHECK_ERR(err, "deflate small 1"); + } + + /* Finish the stream, still forcing small buffers: */ + for (;;) + { + c_stream.avail_out = 1; + err = deflate(&c_stream, Z_FINISH); + if (err == Z_STREAM_END) + break; + CHECK_ERR(err, "deflate small 2"); + } + + err = deflateEnd(&c_stream); + CHECK_ERR(err, "deflateEnd"); +} + +/* Test inflate() with small buffers */ +void test_inflate(unsigned char *compr, size_t comprLen, unsigned char *uncompr, size_t uncomprLen) +{ + int err; + z_stream d_stream; /* decompression stream */ + + d_stream.zalloc = zalloc; + d_stream.zfree = zfree; + d_stream.opaque = NULL; + + d_stream.next_in = compr; + d_stream.avail_in = 0; + d_stream.next_out = uncompr; + + err = inflateInit(&d_stream); + CHECK_ERR(err, "inflateInit"); + + while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen) + { + d_stream.avail_in = d_stream.avail_out = 1; 
/* force small buffers */ + err = inflate(&d_stream, Z_NO_FLUSH); + if (err == Z_STREAM_END) + break; + CHECK_ERR(err, "inflate"); + } + + err = inflateEnd(&d_stream); + CHECK_ERR(err, "inflateEnd"); + + if (memcmp(uncompr, data, dataLen)) + { + fprintf(stderr, "bad inflate\n"); + exit(1); + } +} + +int LLVMFuzzerTestOneInput(const uint8_t *d, size_t size) +{ + size_t comprLen = compressBound(size); + size_t uncomprLen = size; + uint8_t *compr, *uncompr; + + /* Discard inputs larger than 1Mb. */ + static size_t kMaxSize = 1024 * 1024; + + if (size < 1 || size > kMaxSize) + return 0; + + data = d; + dataLen = size; + compr = calloc(1, comprLen); + uncompr = calloc(1, uncomprLen); + + test_deflate(compr, comprLen); + test_inflate(compr, comprLen, uncompr, uncomprLen); + + free(compr); + free(uncompr); + + return 0; +} diff --git a/tests/uncompress2_fuzzer.c b/tests/uncompress2_fuzzer.c new file mode 100644 index 0000000..98fe81f --- /dev/null +++ b/tests/uncompress2_fuzzer.c @@ -0,0 +1,20 @@ +/* Derived from zlib fuzzers at http://github.com/google/oss-fuzz/tree/master/projects/zlib, + * see ossfuzz.sh for full license text. +*/ + +#include +#include +#include + +#include "miniz.h" + +static unsigned char buffer[256 * 1024] = { 0 }; + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + unsigned long int buffer_length = sizeof(buffer); + + if (Z_OK != uncompress2(buffer, &buffer_length, data, &size)) return 0; + + return 0; +} diff --git a/tests/uncompress_fuzzer.c b/tests/uncompress_fuzzer.c index 933ff69..96015bc 100644 --- a/tests/uncompress_fuzzer.c +++ b/tests/uncompress_fuzzer.c 
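Review bot: The Z_FINISH loop in test_deflate has no bound on the output buffer, unlike the Z_NO_FLUSH loop above it, which stops at `c_stream.total_out < comprLen`: each iteration sets `avail_out = 1` and lets next_out advance, so once total_out reaches comprLen the next byte is written past the end of `compr`, and the harness itself would be reported as a heap overflow in miniz. comprLen is compressBound(size), which is a bound for the single-call compress() path; whether miniz also guarantees it for a byte-at-a-time streaming deflate with Z_NO_FLUSH is not visible in this hunk, so the loop should fail loudly rather than rely on it: `if (c_stream.total_out >= comprLen) { fprintf(stderr, "compr buffer exhausted\n"); exit(1); }` before `c_stream.avail_out = 1;`. The calloc() results in LLVMFuzzerTestOneInput are likewise used without a NULL check, so an allocation failure is indistinguishable from a miniz bug; `if (!compr || !uncompr) { free(compr); free(uncompr); return 0; }` avoids that. The CHECK_ERR macro expands to a bare braced block and would misbehave as the body of an `if`/`else`; `do { ... } while (0)` is the idiomatic wrapper.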
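Review bot: The `if (Z_OK != uncompress2(...)) return 0;` in uncompress2_fuzzer.c is dead logic, since the fall-through path also returns 0; the return value is intentionally irrelevant for a decompression target, so `(void)uncompress2(buffer, &buffer_length, data, &size);` says that directly and avoids a misleading check. Passing `&size` relies on `size_t` and the `mz_ulong *` parameter of uncompress2 having the same representation, which holds on the LP64 Linux builds OSS-Fuzz uses but is an incompatible pointer type where `unsigned long` is 32-bit; `mz_ulong src_len = size;` and passing `&src_len` keeps the harness portable and also keeps the function from writing back into the libFuzzer-owned `size`.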
@@ -10,18 +10,21 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - unsigned long int buffer_length = 1; + unsigned long int buffer_length; unsigned char *buffer = NULL; int z_status = 0; - if (size > 0) - buffer_length *= data[0]; - if (size > 1) - buffer_length *= data[1]; + if(size > 4) return 0; + + uint32_t n; + memcpy(&n, data, 4); + buffer_length = n; + + if(buffer_length > (1024 * 256)) return 0; buffer = (unsigned char *)malloc(buffer_length); - z_status = uncompress(buffer, &buffer_length, data, size); + z_status = uncompress(buffer, &buffer_length, data + 4, size - 4); free(buffer); if (Z_OK != z_status) diff --git a/tests/zip.dict b/tests/zip.dict new file mode 100644 index 0000000..43ff7d1 --- /dev/null +++ b/tests/zip.dict @@ -0,0 +1,9 @@ +# Fuzzing dictionary for .zip files + +header_lfh="\x50\x4b\x03\x04" +header_cd="\x50\x4b\x01\x02" +header_eocd="\x50\x4b\x05\x06" +header_eocd64="\x50\x4b\x06\x06" +data_descriptor="\x50\x4b\x07\x08" +extra_data_sig="\x50\x4b\x06\x08" +digital_sig="\x50\x4b\x05\x05" diff --git a/tests/zip_fuzzer.c b/tests/zip_fuzzer.c new file mode 100644 index 0000000..7b8af0f --- /dev/null +++ b/tests/zip_fuzzer.c 
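Review bot: The new guard `if(size > 4) return 0;` is inverted: it should be `if (size < 4) return 0;`, since the next lines unconditionally `memcpy(&n, data, 4)` and pass `size - 4` to uncompress(). As written, only inputs of at most 4 bytes get past the guard, the memcpy reads beyond a shorter input, and for size below 4 the `size - 4` wraps to a huge length, so uncompress() is handed an out-of-bounds read over the fuzzer's own input buffer and the harness, not miniz, will be reported as the crash; no real compressed payload ever reaches uncompress() at all. The commit message's stated intent (seed the buffer length separately from the payload) matches the `size < 4` form. `uint32_t` and memcpy() also need `<stdint.h>` and `<string.h>`; the file's includes sit above this hunk, so worth confirming they are present.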
@@ -0,0 +1,58 @@ +#include +#include + +#include "miniz.h" + +static char filename[260]; +static unsigned char read_buf[1024 * 256]; + +static const size_t filename_max = sizeof(filename); +static const size_t read_buf_size = sizeof(read_buf); +static const size_t data_max = 1024 * 256; + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + if(size > data_max) return 0; + + int ret = 0; + mz_zip_archive zip; + mz_zip_zero_struct(&zip); + + mz_uint flags = 0; + + if(!mz_zip_reader_init_mem(&zip, data, size, flags)) return 0; + + mz_uint i, files; + + files = mz_zip_reader_get_num_files(&zip); + + for(i=0; i < files; i++) + { + mz_zip_clear_last_error(&zip); + + if(mz_zip_reader_is_file_a_directory(&zip, i)) continue; + + mz_zip_validate_file(&zip, i, MZ_ZIP_FLAG_VALIDATE_HEADERS_ONLY); + mz_zip_validate_file(&zip, i, 0); + + if(mz_zip_reader_is_file_encrypted(&zip, i)) continue; + + mz_zip_clear_last_error(&zip); + + mz_uint ret = mz_zip_reader_get_filename(&zip, i, filename, filename_max); + + if(mz_zip_get_last_error(&zip)) continue; + + mz_zip_archive_file_stat file_stat = {0}; + mz_bool status = mz_zip_reader_file_stat(&zip, i, &file_stat) != 0; + + if ((file_stat.m_method) && (file_stat.m_method != MZ_DEFLATED)) continue; + + mz_zip_reader_extract_file_to_mem(&zip, file_stat.m_filename, read_buf, read_buf_size, 0); + } + +cleanup: + mz_zip_reader_end(&zip); + + return ret; +} \ No newline at end of file
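Review bot: The extraction in zip_fuzzer.c is done by name, `mz_zip_reader_extract_file_to_mem(&zip, file_stat.m_filename, ...)`, while the directory, encryption and method checks above it are done on index `i`; an archive with duplicate entry names (which a fuzzer will produce) resolves the name to a possibly different entry, so an encrypted or non-deflate entry that was meant to be skipped can still be extracted. Extracting by index, `mz_zip_reader_extract_to_mem(&zip, i, read_buf, read_buf_size, 0);`, keeps the filters and the extraction on the same entry. The result of mz_zip_reader_file_stat() is stored in `status` but never checked, so on failure the zero-initialised file_stat (empty name, method 0) still goes to the extractor; `if (!mz_zip_reader_file_stat(&zip, i, &file_stat)) continue;` is the straightforward fix. The inner `mz_uint ret` shadows the outer `int ret` that the function returns, and the `cleanup:` label has no goto targeting it; both will trip -Wshadow/-Wunused-label and can be dropped.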