lzo: Fixes problems with google/oss-fuzz#1900 (#1905)

8 files changed, 250 insertions, 0 deletions

diff --git a/projects/lzo/Dockerfile b/projects/lzo/Dockerfile
new file mode 100644
index 000000000..d6971e6ff
--- /dev/null
+++ b/projects/lzo/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+MAINTAINER info@oberhumer.com
+RUN apt-get update && apt-get install -y make autoconf automake libtool wget
+RUN wget -O lzo.tar.gz \
+    http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
+COPY *.c *.options build.sh $SRC/
+COPY lzo_decompress_target_seeds $SRC/lzo_decompress_target_seeds
diff --git a/projects/lzo/build.sh b/projects/lzo/build.sh
new file mode 100755
index 000000000..25b84d57f
--- /dev/null
+++ b/projects/lzo/build.sh
@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+cd $SRC
+tar xzf lzo.tar.gz
+cd lzo-*
+./configure && make -j$(nproc)
+
+# build fuzzers
+for file in $SRC/*.c;
+do
+    name=$(basename $file .c)
+    $CC $CFLAGS -c -I include -I minilzo -I include/lzo ${file} -o ${name}.o
+    $CXX $CXXFLAGS -std=c++11 -I include -I minilzo -I include/lzo ${name}.o \
+        -o $OUT/${name} -lFuzzingEngine src/.libs/liblzo2.a
+done
+
+# copy fuzzer options
+cp $SRC/*.options $OUT/
+zip -j $OUT/lzo_decompress_target_seed_corpus.zip $SRC/lzo_decompress_target_seeds/*
diff --git a/projects/lzo/lzo_compress_target.c b/projects/lzo/lzo_compress_target.c
new file mode 100644
index 000000000..455972ab1
--- /dev/null
+++ b/projects/lzo/lzo_compress_target.c
@@ -0,0 +1,86 @@
+/*
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <assert.h>
+#include "lzo1x.h"
+
+/* Work-memory needed for compression. Allocate memory in units
+ * of 'lzo_align_t' (instead of 'char') to make sure it is properly aligned.
+ */
+#define HEAP_ALLOC(var,size) \
+    lzo_align_t __LZO_MMODEL var [ ((size) + (sizeof(lzo_align_t) - 1)) / sizeof(lzo_align_t) ]
+
+static HEAP_ALLOC(wrkmem, LZO1X_1_MEM_COMPRESS);
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    int r;
+    lzo_uint out_len;
+    lzo_uint new_len;
+    /* We want to compress the data block at 'in' with length 'IN_LEN' to
+     * the block at 'out'. Because the input block may be incompressible,
+     * we must provide a little more output space in case that compression
+     * is not possible.
+    */
+    unsigned char __LZO_MMODEL in[size];
+    unsigned char __LZO_MMODEL out[size + size/16 + 64 + 3];
+
+    static bool isInit = false;
+    if (!isInit)
+    {
+        if (lzo_init() != LZO_E_OK)
+        {
+#ifdef __DEBUG__
+            printf("internal error - lzo_init() failed !!!\n");
+#endif
+            return 0;
+        }
+        isInit = true;
+    }
+
+    /* Compress with LZO1X-1. */
+    r = lzo1x_1_compress(data, size, out, &out_len, wrkmem);
+    assert(r == LZO_E_OK);
+#ifdef __DEBUG__
+    printf("compressed %lu bytes into %lu bytes\n",
+            (unsigned long) size, (unsigned long) out_len);
+#endif
+    
+    /* check for an incompressible block */
+    if (out_len >= size)
+    {
+#ifdef __DEBUG__
+        printf("This block contains incompressible data.\n");
+#endif
+        return 0;
+    }
+
+    // Decompress
+    new_len = size;
+    r = lzo1x_decompress(out, out_len, in, &new_len,/*wrkmem=*/NULL);
+    assert(r == LZO_E_OK && new_len == size);
+#ifdef __DEBUG__
+    printf("decompressed %lu bytes back into %lu bytes\n",
+            (unsigned long) out_len, (unsigned long) size);
+#endif
+    return 0;
+}
diff --git a/projects/lzo/lzo_compress_target.options b/projects/lzo/lzo_compress_target.options
new file mode 100644
index 000000000..329a6e27b
--- /dev/null
+++ b/projects/lzo/lzo_compress_target.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+close_fd_mask = 3
diff --git a/projects/lzo/lzo_decompress_target.c b/projects/lzo/lzo_decompress_target.c
new file mode 100644
index 000000000..5b742c1ca
--- /dev/null
+++ b/projects/lzo/lzo_decompress_target.c
@@ -0,0 +1,95 @@
+/*
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <assert.h>
+#include "lzo1b.h"
+#include "lzo1c.h"
+#include "lzo1f.h"
+#include "lzo1x.h"
+#include "lzo1y.h"
+#include "lzo1z.h"
+#include "lzo2a.h"
+
+typedef int (*decompress_function)( const lzo_bytep, lzo_uint  ,
+                                lzo_bytep, lzo_uintp,
+                                lzo_voidp  );
+
+#define NUM_DECOMP   7
+
+static decompress_function funcArr[NUM_DECOMP] =
+{
+        &lzo1b_decompress_safe,
+        &lzo1c_decompress_safe,
+        &lzo1f_decompress_safe,
+        &lzo1x_decompress_safe,
+        &lzo1y_decompress_safe,
+        &lzo1z_decompress_safe,
+        &lzo2a_decompress_safe
+};
+
+/* lzo (de)compresses data in blocks. Block size is the
+ * size of one such block. This size has a default value of 256KB.
+ */
+static const size_t bufSize = 256 * 1024L;
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    int r;
+    lzo_uint new_len;
+    if (size < 1){
+        return 0;
+    }
+    /* Buffer into which compressed data provided by the fuzzer
+     * is going to be decompressed. The buffer size is chosen
+     * to be equal to the default block size (256KB) for
+     * (de)compression.
+     */
+    unsigned char __LZO_MMODEL out[bufSize];
+
+    static bool isInit = false;
+    if (!isInit)
+    {
+        if (lzo_init() != LZO_E_OK)
+        {
+#ifdef __DEBUG__
+            printf("internal error - lzo_init() failed !!!\n");
+#endif
+            return 0;
+        }
+        isInit = true;
+    }
+
+    // Decompress.
+    int idx = size % NUM_DECOMP;
+    new_len = bufSize;
+    // Work memory not necessary for decompression
+    r = (*funcArr[idx])(data, size, out, &new_len, /*wrkmem=*/NULL);
+#ifdef __DEBUG__
+    if (r != LZO_E_OK)
+    {
+        printf("error thrown by lzo1x_decompress_safe: %d\n", r);
+    }
+    printf("decompressed %lu bytes back into %lu bytes\n",
+            (unsigned long) size, (unsigned long) new_len);
+#endif
+    return 0;
+}
diff --git a/projects/lzo/lzo_decompress_target.options b/projects/lzo/lzo_decompress_target.options
new file mode 100644
index 000000000..329a6e27b
--- /dev/null
+++ b/projects/lzo/lzo_decompress_target.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+close_fd_mask = 3
diff --git a/projects/lzo/lzo_decompress_target_seeds/seed.lzo b/projects/lzo/lzo_decompress_target_seeds/seed.lzo
new file mode 100755
index 000000000..bf310368e
--- /dev/null
+++ b/projects/lzo/lzo_decompress_target_seeds/seed.lzo
diff --git a/projects/lzo/project.yaml b/projects/lzo/project.yaml
new file mode 100644
index 000000000..b8a91c29c
--- /dev/null
+++ b/projects/lzo/project.yaml
@@ -0,0 +1,7 @@
+homepage: "http://www.oberhumer.com"
+primary_contact: "info@oberhumer.com"
+auto_ccs:
+  - "bshas3@gmail.com"
+sanitizers:
+  - address
+  - memory