authorBhargava Shastry <bshas3@gmail.com>2018-10-26 15:10:57 +0200
committerAbhishek Arya <inferno@chromium.org>2018-10-26 06:10:57 -0700
commitebf4501860350a6331edae20fa83b3aa68231d04 (patch)
tree2a71eab48f671e942c11f9e357c77afc70a057d5 /projects/bzip2
parent6d82dbf32cc68b7e6a4a6138514f0f31b57cd321 (diff)
bzip2: Bug fixes (#1894)
* bzip2: Bug fixes; added citations * bzip2: Bump bzip2 version to 1.0.6 * bzip2: Variable blockSize100k, workFactor, and small * bzip2: Remove hardcoded buffer sizes; fix nZ (compressor) to point to real buffer size * bzip: Remove ubsan from project.yaml because of start-up crash google/oss-fuzz#1887
Diffstat (limited to 'projects/bzip2')
-rw-r--r--projects/bzip2/Dockerfile2
-rw-r--r--projects/bzip2/bzip2_compress_target.c28
-rw-r--r--projects/bzip2/bzip2_decompress_target.c12
-rw-r--r--projects/bzip2/project.yaml1
4 files changed, 30 insertions, 13 deletions
diff --git a/projects/bzip2/Dockerfile b/projects/bzip2/Dockerfile
index 8732051b5..3d75a86b0 100644
--- a/projects/bzip2/Dockerfile
+++ b/projects/bzip2/Dockerfile
@@ -17,6 +17,6 @@
FROM gcr.io/oss-fuzz-base/base-builder
MAINTAINER bshas3@gmail.com
RUN apt-get update && apt-get install -y make autoconf automake libtool wget
-RUN wget ftp://sources.redhat.com/pub/bzip2/v102/bzip2-1.0.2.tar.gz
+RUN wget https://fossies.org/linux/misc/bzip2-1.0.6.tar.gz
COPY build.sh *.c $SRC/
WORKDIR $SRC
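Review bot: The new `wget` line pulls the bzip2 tarball from a third-party mirror (fossies.org) with no integrity check, so the build image trusts whatever that host serves at build time; the removed line had the same gap, but the mirror change is a good moment to close it. Pinning the expected digest makes a swapped or altered download fail the build instead of being compiled into the fuzzer, e.g. `RUN wget https://fossies.org/linux/misc/bzip2-1.0.6.tar.gz && echo "<sha256-of-bzip2-1.0.6.tar.gz>  bzip2-1.0.6.tar.gz" | sha256sum -c` (the digest placeholder must be filled in from a trusted copy). Since the fetch now goes over HTTPS, the mirror's certificate is at least checked, but that does not verify the archive contents.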
diff --git a/projects/bzip2/bzip2_compress_target.c b/projects/bzip2/bzip2_compress_target.c
index 45723103c..08f6a62ea 100644
--- a/projects/bzip2/bzip2_compress_target.c
+++ b/projects/bzip2/bzip2_compress_target.c
@@ -40,11 +40,29 @@ extern int BZ2_bzBuffToBuffDecompress(char* dest,
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- int r;
+ int r, blockSize100k, workFactor, small;
unsigned int nZ, nOut;
- char *zbuf = malloc(size + 600 + (size / 100));
- r = BZ2_bzBuffToBuffCompress(zbuf, &nZ, (char *)data, size, 9, 0, 30);
+ /* Copying @julian-seward1's comment from
+ * https://github.com/google/oss-fuzz/pull/1887#discussion_r226852388
+ *
+ * They just reflect the fact that the worst case output size is 101%
+ * of the input size + 600 bytes (I assume -- this is now nearly 20
+ * years old). Since the buffer is in mallocville, presumably asan
+ * will complain if it gets overrun. I doubt that will happen though.
+ */
+ nZ = size + 600 + (size / 100);
+ char *zbuf = malloc(nZ);
+
+ blockSize100k = (size % 11) + 1;
+ if (blockSize100k > 9) {
+ blockSize100k = 9;
+ }
+ workFactor = size % 251;
+
+ // Choose highest compression (blockSize100k=9)
+ r = BZ2_bzBuffToBuffCompress(zbuf, &nZ, (char *)data, size,
+ blockSize100k, /*verbosity=*/0, workFactor);
if (r != BZ_OK) {
#ifdef __DEBUG__
fprintf(stdout, "Compression error: %d\n", r);
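Review bot: The comment `// Choose highest compression (blockSize100k=9)` above the BZ2_bzBuffToBuffCompress call is now stale, because blockSize100k is derived from `size` and clamped to at most 9 rather than fixed at 9; `// blockSize100k (1..9) and workFactor (0..250) are derived from the input size` would describe the new code. The clamp itself is roundabout: `(size % 11) + 1` produces 10 and 11 only for the `if` to fold them into 9, so `blockSize100k = (size % 9) + 1;` covers the same range without the branch. `malloc(nZ)` is also still handed to the library without a NULL check — `if (!zbuf) return 0;` — and the same applies to `outbuf` in the second hunk of this file and in bzip2_decompress_target.c. Separately, `nZ = size + 600 + (size / 100)` narrows size_t into an unsigned int silently; harmless at fuzzer input sizes, but a cast or a one-line comment would make the intent explicit. LLVMFuzzerTestOneInput continues past the end of this hunk.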
@@ -55,7 +73,9 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
nOut = size*2;
char *outbuf = malloc(nOut);
- r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, zbuf, nZ, 0, 0);
+ small = size % 2;
+ r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, zbuf, nZ, small,
+ /*verbosity=*/0);
if (r != BZ_OK) {
#ifdef __DEBUG__
fprintf(stdout, "Decompression error: %d\n", r);
diff --git a/projects/bzip2/bzip2_decompress_target.c b/projects/bzip2/bzip2_decompress_target.c
index d165973a1..ef3a93a09 100644
--- a/projects/bzip2/bzip2_decompress_target.c
+++ b/projects/bzip2/bzip2_decompress_target.c
@@ -32,23 +32,21 @@ extern int BZ2_bzBuffToBuffDecompress(char* dest,
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
- int r;
+ int r, small;
unsigned int nZ, nOut;
+ // See: https://github.com/google/bzip2-rpc/blob/master/unzcrash.c#L39
nOut = size*2;
char *outbuf = malloc(nOut);
- r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, (char *)data, size, 0, 0);
+ small = size % 2;
+ r = BZ2_bzBuffToBuffDecompress(outbuf, &nOut, (char *)data, size,
+ small, /*verbosity=*/0);
if (r != BZ_OK) {
#ifdef __DEBUG__
fprintf(stdout, "Decompression error: %d\n", r);
#endif
- free(outbuf);
- return 0;
}
-
- assert(nOut == size);
- assert(memcmp(data, outbuf, size) == 0);
free(outbuf);
return 0;
} \ No newline at end of file
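Review bot: With `free(outbuf); return 0;` gone from the error path, `if (r != BZ_OK) { ... }` has an empty body in any build where `__DEBUG__` is not defined, which several compilers flag with -Wextra. Moving the whole `if` inside the `#ifdef __DEBUG__` block (or wrapping the three lines as `#ifdef __DEBUG__` / `if (r != BZ_OK) fprintf(stdout, "Decompression error: %d\n", r);` / `#endif`) keeps release builds warning-free and leaves the behaviour unchanged. The cited `unzcrash.c#L39` comment is a useful pointer, but a few words on what it justifies (presumably the `size*2` sizing of nOut) would save the next reader a trip.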
diff --git a/projects/bzip2/project.yaml b/projects/bzip2/project.yaml
index d2d338b9f..35fe5b6f9 100644
--- a/projects/bzip2/project.yaml
+++ b/projects/bzip2/project.yaml
@@ -4,5 +4,4 @@ auto_ccs:
- "bshas3@gmail.com"
sanitizers:
- address
- - undefined
- memory
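Review bot: Removing `undefined` from the sanitizer list silently drops UBSan coverage for both bzip2 targets, and the reason — the start-up crash tracked as google/oss-fuzz#1887 — survives only in the commit message. A comment next to the list, `# undefined: temporarily disabled, UBSan start-up crash (google/oss-fuzz#1887)`, records why it is missing and signals that it should be re-enabled once that crash is fixed.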