author | Bhargava Shastry <bshas3@gmail.com> | 2018-10-26 15:10:57 +0200 |
---|---|---|
committer | Abhishek Arya <inferno@chromium.org> | 2018-10-26 06:10:57 -0700 |
commit | ebf4501860350a6331edae20fa83b3aa68231d04 (patch) | |
tree | 2a71eab48f671e942c11f9e357c77afc70a057d5 /projects/bzip2 | |
parent | 6d82dbf32cc68b7e6a4a6138514f0f31b57cd321 (diff) | |
download | oss-fuzz-ebf4501860350a6331edae20fa83b3aa68231d04.tar.gz |
bzip2: Bug fixes (#1894)
* bzip2: Bug fixes; added citations
* bzip2: Bump bzip2 version to 1.0.6
* bzip2: Variable blockSize100k, workFactor, and small
* bzip2: Remove hardcoded buffer sizes; fix nZ (compressor) to point to real buffer size
* bzip: Remove ubsan from project.yaml because of start-up crash google/oss-fuzz#1887
Diffstat (limited to 'projects/bzip2')
-rw-r--r-- | projects/bzip2/Dockerfile | 2 | ||||
-rw-r--r-- | projects/bzip2/bzip2_compress_target.c | 28 | ||||
-rw-r--r-- | projects/bzip2/bzip2_decompress_target.c | 12 | ||||
-rw-r--r-- | projects/bzip2/project.yaml | 1 |
4 files changed, 30 insertions, 13 deletions
diff --git a/projects/bzip2/Dockerfile b/projects/bzip2/Dockerfile
index 8732051b5..3d75a86b0 100644
--- a/projects/bzip2/Dockerfile
+++ b/projects/bzip2/Dockerfile
@@ -17,6 +17,6 @@ FROM gcr.io/oss-fuzz-base/base-builder
 MAINTAINER bshas3@gmail.com
 RUN apt-get update && apt-get install -y make autoconf automake libtool wget
-RUN wget ftp://sources.redhat.com/pub/bzip2/v102/bzip2-1.0.2.tar.gz
+RUN wget https://fossies.org/linux/misc/bzip2-1.0.6.tar.gz
 COPY build.sh *.c $SRC/
 WORKDIR $SRC
diff --git a/projects/bzip2/bzip2_compress_target.c b/projects/bzip2/bzip2_compress_target.c
index 45723103c..08f6a62ea 100644
--- a/projects/bzip2/bzip2_compress_target.c
+++ b/projects/bzip2/bzip2_compress_target.c
@@ -40,11 +40,29 @@ extern int BZ2_bzBuffToBuffDecompress(char* dest,
 int
 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    int r;
+    int r, blockSize100k, workFactor, small;
     unsigned int nZ, nOut;
-    char *zbuf = malloc(size + 600 + (size / 100));
-    r = BZ2_bzBuffToBuffCompress(zbuf, &nZ, (char *)data, size, 9, 0, 30);
+    /* Copying @julian-seward1's comment from
+     * https://github.com/google/oss-fuzz/pull/1887#discussion_r226852388
+     *
+     * They just reflect the fact that the worst case output size is 101%
+     * of the input size + 600 bytes (I assume -- this is now nearly 20
+     * years old). Since the buffer is in mallocville, presumably asan
+     * will complain if it gets overrun. I doubt that will happen though.
+     */
+    nZ = size + 600 + (size / 100);
+    char *zbuf = malloc(nZ);
+
+    blockSize100k = (size % 11) + 1;
+    if (blockSize100k > 9) {
+        blockSize100k = 9;
+    }
+    workFactor = size % 251;
+
+    // Choose highest compression (blockSize100k=9)
+    r = BZ2_bzBuffToBuffCompress(zbuf, &nZ, (char *)data, size,
+                                 blockSize100k, /*verbosity=*/0, workFactor);
     if (r != BZ_OK) {
 #ifdef __DEBUG__
         fprintf(stdout, "Compression error: %d\n", r);
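Review bot: `RUN wget https://fossies.org/linux/misc/bzip2-1.0.6.tar.gz` fetches the source that gets built from a third-party mirror with no integrity check, so a tampered or silently replaced tarball would be compiled and fuzzed unnoticed. Pinning the expected digest and failing the build on mismatch is a one-line addition right after the download, e.g. `RUN echo "<SHA256-OF-TARBALL placeholder>  bzip2-1.0.6.tar.gz" | sha256sum -c -`. Moving from FTP to HTTPS helps against on-path tampering, but it says nothing about what the mirror itself serves.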
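Review bot: `char *zbuf = malloc(nZ);` is handed straight to `BZ2_bzBuffToBuffCompress` without a NULL check, so an allocation failure would surface as a harness crash rather than a bzip2 finding; `if (zbuf == NULL) return 0;` after the malloc keeps the fuzzer's signal clean. The same unchecked `malloc` pattern applies to `outbuf` in the next hunk of this file and in bzip2_decompress_target.c. The comment `// Choose highest compression (blockSize100k=9)` is now stale, since blockSize100k is derived from `size % 11` and clamped to 9; `// blockSize100k in 1..9 and workFactor in 0..250, both derived from the input length` describes the new code. `nZ = size + 600 + (size / 100)` also narrows a size_t into an unsigned int; with libFuzzer's bounded input sizes this is presumably harmless, but an explicit cast would record the intent. The function body continues past the end of the hunk.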
@@ -55,7 +73,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     nOut = size*2;
     char *outbuf = malloc(nOut);
-    r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, zbuf, nZ, 0, 0);
+    small = size % 2;
+    r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, zbuf, nZ, small,
+                                   /*verbosity=*/0);
     if (r != BZ_OK) {
 #ifdef __DEBUG__
         fprintf(stdout, "Decompression error: %d\n", r);
diff --git a/projects/bzip2/bzip2_decompress_target.c b/projects/bzip2/bzip2_decompress_target.c
index d165973a1..ef3a93a09 100644
--- a/projects/bzip2/bzip2_decompress_target.c
+++ b/projects/bzip2/bzip2_decompress_target.c
@@ -32,23 +32,21 @@ extern int BZ2_bzBuffToBuffDecompress(char* dest,
 int
 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    int r;
+    int r, small;
     unsigned int nZ, nOut;
+    // See: https://github.com/google/bzip2-rpc/blob/master/unzcrash.c#L39
     nOut = size*2;
     char *outbuf = malloc(nOut);
-    r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, (char *)data, size, 0, 0);
+    small = size % 2;
+    r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, (char *)data, size,
+                                   small, /*verbosity=*/0);
     if (r != BZ_OK) {
 #ifdef __DEBUG__
         fprintf(stdout, "Decompression error: %d\n", r);
 #endif
-        free(outbuf);
-        return 0;
     }
-
-    assert(nOut == size);
-    assert(memcmp(data, outbuf, size) == 0);
     free(outbuf);
     return 0;
 }
\ No newline at end of file
diff --git a/projects/bzip2/project.yaml b/projects/bzip2/project.yaml
index d2d338b9f..35fe5b6f9 100644
--- a/projects/bzip2/project.yaml
+++ b/projects/bzip2/project.yaml
@@ -4,5 +4,4 @@ auto_ccs:
 - "bshas3@gmail.com"
 sanitizers:
 - address
-- undefined
 - memory
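Review bot: `nZ` in `unsigned int nZ, nOut;` is never referenced anywhere in this function, so the declaration should be trimmed to `unsigned int nOut;` to avoid an unused-variable warning under -Wall. Dropping the two asserts is consistent with fuzzing a decompressor on arbitrary input, where the output has no expected relation to the input, so no replacement check is suggested here. The hunk covers the whole function body.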