root/xz
1
0
Fork 0
mirror of https://git.tukaani.org/xz.git synced 2025-09-14 06:28:31 +00:00
Code Issues Releases Wiki Activity

liblzma: Don't verify header CRC32s if building for fuzz testing.

Browse Source 
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is #defined when liblzma
is being built for fuzz testing.

Most fuzzed inputs would normally get rejected because of incorrect
CRC32 and the actual header decoding code wouldn't get fuzzed.
Disabling CRC32 checks avoids this problem. The fuzzer program
must still use LZMA_IGNORE_CHECK flag to disable verification of
integrity checks of uncompressed data.
This commit is contained in:
Lasse Collin 2018-10-26 22:49:10 +03:00
parent f76f7516d6
commit a18ae42a79
4 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/liblzma/common/block_header_decoder.c
View File

@ -67,8 +67,11 @@ lzma_block_header_decode(lzma_block *block,
const size_t in_size = block->header_size - 4; const size_t in_size = block->header_size - 4;
// Verify CRC32 // Verify CRC32
if (lzma_crc32(in, in_size, 0) != unaligned_read32le(in + in_size)) if (lzma_crc32(in, in_size, 0) != unaligned_read32le(in + in_size)) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return LZMA_DATA_ERROR; return LZMA_DATA_ERROR;
#endif
}
// Check for unsupported flags. // Check for unsupported flags.
if (in[1] & 0x3C) if (in[1] & 0x3C)

5
src/liblzma/common/index_decoder.c
View File

@ -180,8 +180,11 @@ index_decode(void *coder_ptr, const lzma_allocator *allocator,
return LZMA_OK; return LZMA_OK;
if (((coder->crc32 >> (coder->pos * 8)) & 0xFF) if (((coder->crc32 >> (coder->pos * 8)) & 0xFF)
!= in[(*in_pos)++]) != in[(*in_pos)++]) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return LZMA_DATA_ERROR; return LZMA_DATA_ERROR;
#endif
}
} while (++coder->pos < 4); } while (++coder->pos < 4);

5
src/liblzma/common/index_hash.c
View File

@ -313,8 +313,11 @@ lzma_index_hash_decode(lzma_index_hash *index_hash, const uint8_t *in,
return LZMA_OK; return LZMA_OK;
if (((index_hash->crc32 >> (index_hash->pos * 8)) if (((index_hash->crc32 >> (index_hash->pos * 8))
& 0xFF) != in[(*in_pos)++]) & 0xFF) != in[(*in_pos)++]) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return LZMA_DATA_ERROR; return LZMA_DATA_ERROR;
#endif
}
} while (++index_hash->pos < 4); } while (++index_hash->pos < 4);

10
src/liblzma/common/stream_flags_decoder.c
View File

@ -39,8 +39,11 @@ lzma_stream_header_decode(lzma_stream_flags *options, const uint8_t *in)
const uint32_t crc = lzma_crc32(in + sizeof(lzma_header_magic), const uint32_t crc = lzma_crc32(in + sizeof(lzma_header_magic),
LZMA_STREAM_FLAGS_SIZE, 0); LZMA_STREAM_FLAGS_SIZE, 0);
if (crc != unaligned_read32le(in + sizeof(lzma_header_magic) if (crc != unaligned_read32le(in + sizeof(lzma_header_magic)
+ LZMA_STREAM_FLAGS_SIZE)) + LZMA_STREAM_FLAGS_SIZE)) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return LZMA_DATA_ERROR; return LZMA_DATA_ERROR;
#endif
}
// Stream Flags // Stream Flags
if (stream_flags_decode(options, in + sizeof(lzma_header_magic))) if (stream_flags_decode(options, in + sizeof(lzma_header_magic)))
@ -67,8 +70,11 @@ lzma_stream_footer_decode(lzma_stream_flags *options, const uint8_t *in)
// CRC32 // CRC32
const uint32_t crc = lzma_crc32(in + sizeof(uint32_t), const uint32_t crc = lzma_crc32(in + sizeof(uint32_t),
sizeof(uint32_t) + LZMA_STREAM_FLAGS_SIZE, 0); sizeof(uint32_t) + LZMA_STREAM_FLAGS_SIZE, 0);
if (crc != unaligned_read32le(in)) if (crc != unaligned_read32le(in)) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return LZMA_DATA_ERROR; return LZMA_DATA_ERROR;
#endif
}
// Stream Flags // Stream Flags
if (stream_flags_decode(options, in + sizeof(uint32_t) * 2)) if (stream_flags_decode(options, in + sizeof(uint32_t) * 2))