2008-12-06 07:08:08 +00:00
|
|
|
/*-
|
|
|
|
* Copyright (c) 2003-2007 Tim Kientzle
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
#include "test.h"
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This was inspired by an ISO fuzz tester written by Michal Zalewski
|
|
|
|
* and posted to the "vulnwatch" mailing list on March 17, 2005:
|
|
|
|
* http://seclists.org/vulnwatch/2005/q1/0088.html
|
|
|
|
*
|
|
|
|
* This test simply reads each archive image into memory, pokes
|
|
|
|
* random values into it and runs it through libarchive. It tries
|
|
|
|
* to damage about 1% of each file and repeats the exercise 100 times
|
|
|
|
* with each file.
|
|
|
|
*
|
|
|
|
* Unlike most other tests, this test does not verify libarchive's
|
|
|
|
* responses other than to ensure that libarchive doesn't crash.
|
|
|
|
*
|
|
|
|
* Due to the deliberately random nature of this test, it may be hard
|
|
|
|
* to reproduce failures. Because this test deliberately attempts to
|
|
|
|
* induce crashes, there's little that can be done in the way of
|
|
|
|
* post-failure diagnostics.
|
|
|
|
*/
|
|
|
|
|
2009-12-30 05:59:21 +00:00
|
|
|
/* Because this works for any archive, we can just re-use the archives
|
|
|
|
* developed for other tests. */
|
|
|
|
static struct {
|
|
|
|
int uncompress; /* If 1, decompress the file before fuzzing. */
|
|
|
|
const char *name;
|
|
|
|
} files[] = {
|
|
|
|
{0, "test_fuzz_1.iso.Z"}, /* Exercise compress decompressor. */
|
|
|
|
{1, "test_fuzz_1.iso.Z"},
|
|
|
|
{0, "test_compat_bzip2_1.tbz"}, /* Exercise bzip2 decompressor. */
|
|
|
|
{1, "test_compat_bzip2_1.tbz"},
|
|
|
|
{0, "test_compat_gtar_1.tar"},
|
|
|
|
{0, "test_compat_gzip_1.tgz"}, /* Exercise gzip decompressor. */
|
|
|
|
{0, "test_compat_gzip_2.tgz"}, /* Exercise gzip decompressor. */
|
|
|
|
{0, "test_compat_tar_hardlink_1.tar"},
|
|
|
|
{0, "test_compat_xz_1.txz"}, /* Exercise xz decompressor. */
|
|
|
|
{0, "test_compat_zip_1.zip"},
|
|
|
|
{0, "test_read_format_ar.ar"},
|
|
|
|
{0, "test_read_format_cpio_bin_be.cpio"},
|
2011-07-17 21:27:38 +00:00
|
|
|
{0, "test_read_format_cpio_svr4_gzip_rpm.rpm"}, /* Test RPM unwrapper */
|
2009-12-30 05:59:21 +00:00
|
|
|
{0, "test_read_format_gtar_sparse_1_17_posix10_modified.tar"},
|
|
|
|
{0, "test_read_format_mtree.mtree"},
|
|
|
|
{0, "test_read_format_tar_empty_filename.tar"},
|
|
|
|
{0, "test_read_format_zip.zip"},
|
|
|
|
{1, NULL}
|
2008-12-06 07:08:08 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
DEFINE_TEST(test_fuzz)
|
|
|
|
{
|
2009-04-27 18:55:22 +00:00
|
|
|
const void *blk;
|
|
|
|
size_t blk_size;
|
|
|
|
off_t blk_offset;
|
2009-12-30 05:59:21 +00:00
|
|
|
int n;
|
2008-12-06 07:08:08 +00:00
|
|
|
|
2009-12-30 05:59:21 +00:00
|
|
|
for (n = 0; files[n].name != NULL; ++n) {
|
|
|
|
const size_t buffsize = 30000000;
|
|
|
|
const char *filename = files[n].name;
|
2009-03-07 03:30:35 +00:00
|
|
|
struct archive_entry *ae;
|
|
|
|
struct archive *a;
|
2008-12-06 07:08:08 +00:00
|
|
|
char *rawimage, *image;
|
|
|
|
size_t size;
|
2009-12-30 05:59:21 +00:00
|
|
|
int i;
|
2008-12-06 07:08:08 +00:00
|
|
|
|
2009-12-30 05:59:21 +00:00
|
|
|
extract_reference_file(filename);
|
|
|
|
if (files[n].uncompress) {
|
|
|
|
int r;
|
|
|
|
/* Use format_raw to decompress the data. */
|
|
|
|
assert((a = archive_read_new()) != NULL);
|
|
|
|
assertEqualIntA(a, ARCHIVE_OK,
|
|
|
|
archive_read_support_compression_all(a));
|
|
|
|
assertEqualIntA(a, ARCHIVE_OK,
|
|
|
|
archive_read_support_format_raw(a));
|
|
|
|
r = archive_read_open_filename(a, filename, 16384);
|
|
|
|
if (r != ARCHIVE_OK) {
|
|
|
|
archive_read_finish(a);
|
|
|
|
skipping("Cannot uncompress %s", filename);
|
2009-03-07 03:30:35 +00:00
|
|
|
continue;
|
|
|
|
}
|
2009-12-30 05:59:21 +00:00
|
|
|
assertEqualIntA(a, ARCHIVE_OK,
|
|
|
|
archive_read_next_header(a, &ae));
|
|
|
|
rawimage = malloc(buffsize);
|
|
|
|
size = archive_read_data(a, rawimage, buffsize);
|
|
|
|
assertEqualIntA(a, ARCHIVE_EOF,
|
|
|
|
archive_read_next_header(a, &ae));
|
|
|
|
assertEqualInt(ARCHIVE_OK,
|
|
|
|
archive_read_finish(a));
|
|
|
|
assert(size > 0);
|
|
|
|
failure("Internal buffer is not big enough for "
|
|
|
|
"uncompressed test file: %s", filename);
|
2011-07-17 21:27:38 +00:00
|
|
|
if (!assert(size < buffsize)) {
|
|
|
|
free(rawimage);
|
2009-12-30 05:59:21 +00:00
|
|
|
continue;
|
2011-07-17 21:27:38 +00:00
|
|
|
}
|
2009-12-30 05:59:21 +00:00
|
|
|
} else {
|
|
|
|
rawimage = slurpfile(&size, filename);
|
|
|
|
if (!assert(rawimage != NULL))
|
2009-04-27 18:55:22 +00:00
|
|
|
continue;
|
2009-03-07 03:30:35 +00:00
|
|
|
}
|
2009-12-30 05:59:21 +00:00
|
|
|
image = malloc(size);
|
|
|
|
assert(image != NULL);
|
|
|
|
srand((unsigned)time(NULL));
|
2009-03-07 03:30:35 +00:00
|
|
|
|
2008-12-06 07:08:08 +00:00
|
|
|
for (i = 0; i < 100; ++i) {
|
2009-12-30 05:59:21 +00:00
|
|
|
FILE *f;
|
|
|
|
int j, numbytes;
|
2008-12-06 07:08:08 +00:00
|
|
|
|
|
|
|
/* Fuzz < 1% of the bytes in the archive. */
|
|
|
|
memcpy(image, rawimage, size);
|
2009-03-03 17:02:51 +00:00
|
|
|
numbytes = (int)(rand() % (size / 100));
|
2008-12-06 07:08:08 +00:00
|
|
|
for (j = 0; j < numbytes; ++j)
|
|
|
|
image[rand() % size] = (char)rand();
|
|
|
|
|
|
|
|
/* Save the messed-up image to a file.
|
|
|
|
* If we crash, that file will be useful. */
|
2009-12-30 05:59:21 +00:00
|
|
|
f = fopen("after.test.failure.send.this.file."
|
|
|
|
"to.libarchive.maintainers.with.system.details", "wb");
|
|
|
|
fwrite(image, 1, (size_t)size, f);
|
|
|
|
fclose(f);
|
2008-12-06 07:08:08 +00:00
|
|
|
|
|
|
|
assert((a = archive_read_new()) != NULL);
|
|
|
|
assertEqualIntA(a, ARCHIVE_OK,
|
|
|
|
archive_read_support_compression_all(a));
|
|
|
|
assertEqualIntA(a, ARCHIVE_OK,
|
|
|
|
archive_read_support_format_all(a));
|
|
|
|
|
|
|
|
if (0 == archive_read_open_memory(a, image, size)) {
|
|
|
|
while(0 == archive_read_next_header(a, &ae)) {
|
2009-04-27 18:55:22 +00:00
|
|
|
while (0 == archive_read_data_block(a,
|
|
|
|
&blk, &blk_size, &blk_offset))
|
|
|
|
continue;
|
2008-12-06 07:08:08 +00:00
|
|
|
}
|
|
|
|
archive_read_close(a);
|
|
|
|
}
|
2011-07-17 21:27:38 +00:00
|
|
|
archive_read_finish(a);
|
2008-12-06 07:08:08 +00:00
|
|
|
}
|
|
|
|
free(image);
|
|
|
|
free(rawimage);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|