Added OSS-Fuzz target and code clean up

loongson-zjl · Jul 15, 2020 · 8f8d020 · 8f8d020
1 parent 63250cd
commit 8f8d020
Show file tree

Hide file tree

Showing 12 changed files with 353 additions and 32 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -29,6 +29,7 @@ SUBDIRS = \
 	po \
 	manuals \
 	tests \
+	ossfuzz \
 	msvscpp
 
 DPKG_FILES = \
@@ -134,4 +135,5 @@ splint:
 	(cd $(srcdir)/pypff && $(MAKE) splint $(AM_MAKEFLAGS))
 	(cd $(srcdir)/po && $(MAKE) splint $(AM_MAKEFLAGS))
 	(cd $(srcdir)/tests && $(MAKE) splint $(AM_MAKEFLAGS))
+	(cd $(srcdir)/ossfuzz && $(MAKE) splint $(AM_MAKEFLAGS))
 
diff --git a/configure.ac b/configure.ac
@@ -21,6 +21,7 @@ AC_LIBTOOL_WIN32_DLL
 dnl Checks for programs
 AC_PROG_CC
 AC_PROG_GCC_TRADITIONAL
+AC_PROG_CXX
 AC_PROG_MAKE_SET
 AC_PROG_INSTALL
 
@@ -151,6 +152,7 @@ AX_LIBPFF_CHECK_DLL_SUPPORT
 
 dnl Check if tests required headers and functions are available
 AX_TESTS_CHECK_LOCAL
+AX_TESTS_CHECK_OSSFUZZ
 
 dnl Set additional compiler flags
 CFLAGS="$CFLAGS -Wall";
@@ -204,6 +206,7 @@ AC_CONFIG_FILES([po/Makefile.in])
 AC_CONFIG_FILES([po/Makevars])
 AC_CONFIG_FILES([manuals/Makefile])
 AC_CONFIG_FILES([tests/Makefile])
+AC_CONFIG_FILES([ossfuzz/Makefile])
 AC_CONFIG_FILES([msvscpp/Makefile])
 dnl Generate header files
 AC_CONFIG_FILES([include/libpff.h])

diff --git a/libpff/libpff_compression.c b/libpff/libpff_compression.c
@@ -195,7 +195,7 @@ int libpff_decompress_data(
 			result = -1;
 		}
 #else
-		result = libpff_deflate_decompress(
+		result = libpff_deflate_decompress_zlib(
 		          compressed_data,
 		          compressed_data_size,
 		          uncompressed_data,

diff --git a/libpff/libpff_data_block.c b/libpff/libpff_data_block.c
@@ -231,6 +231,17 @@ int libpff_data_block_clone(
 	if( ( source_data_block->data != NULL )
 	 && ( source_data_block->data_size > 0 ) )
 	{
+		if( source_data_block->data_size > MEMORY_MAXIMUM_ALLOCATION_SIZE )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
+			 "%s: invalid source data block - data size value exceeds maximum.",
+			 function );
+
+			goto on_error;
+		}
 		( *destination_data_block )->data = (uint8_t *) memory_allocate(
 		                                                 sizeof( uint8_t ) * source_data_block->data_size );
 
@@ -503,6 +514,7 @@ int libpff_data_block_read_footer_data(
 		 "\n" );
 	}
 #endif /* defined( HAVE_DEBUG_OUTPUT ) */
+
 	return( 1 );
 }
 
@@ -645,7 +657,8 @@ int libpff_data_block_read_file_io_handle(
 		{
 			data_block_data_size += data_block_increment_size;
 		}
-		if( data_block_data_size > maximum_data_block_size )
+		if( ( data_block_data_size == 0 )
+		 || ( data_block_data_size > maximum_data_block_size ) )
 		{
 			libcerror_error_set(
 			 error,
@@ -830,6 +843,18 @@ int libpff_data_block_read_file_io_handle(
 		{
 			uncompressed_data_size = (size_t) data_block->uncompressed_data_size;
 
+			if( ( uncompressed_data_size == 0 )
+			 || ( uncompressed_data_size > MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
+			{
+				libcerror_error_set(
+				 error,
+				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+				 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+				 "%s: invalid uncompressed data size value out of bounds.",
+				 function );
+
+				goto on_error;
+			}
 			uncompressed_data = (uint8_t *) memory_allocate(
 			                                 sizeof( uint8_t ) * uncompressed_data_size );
 

diff --git a/libpff/libpff_local_descriptor_node.c b/libpff/libpff_local_descriptor_node.c
@@ -677,16 +677,16 @@ int libpff_local_descriptor_node_read(
 /* TODO implement error tollerance */
 		goto on_error;
 	}
-	if( local_descriptor_node->entries_data_size > (size32_t) SSIZE_MAX )
+	if( local_descriptor_node->entries_data_size > (size32_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
 	{
 		libcerror_error_set(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 		 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
-		 "%s: entries data size value exceeds maximum.",
+		 "%s: invalid local descriptor node - entries data size value exceeds maximum allocation size.",
 		 function );
 
-		return( -1 );
+		goto on_error;
 	}
 	/* Copy the entries data to the local descriptor node
 	 * to prevent loosing it when the data block is cached out.

diff --git a/libpff/libpff_name_to_id_map.c b/libpff/libpff_name_to_id_map.c
@@ -866,6 +866,18 @@ int libpff_name_to_id_map_entry_read(
 		}
 		else
 		{
+			if( ( name_to_id_map_string_size == 0 )
+			 || ( name_to_id_map_string_size > (size32_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
+			{
+				libcerror_error_set(
+				 error,
+				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+				 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+				 "%s: invalid name to id map string size value out of bounds.",
+				 function );
+
+				goto on_error;
+			}
 			result = libpff_value_type_string_contains_zero_bytes(
 				  name_to_id_map_string_data,
 				  (size_t) name_to_id_map_string_size,
@@ -886,10 +898,8 @@ int libpff_name_to_id_map_entry_read(
 			{
 				internal_name_to_id_map_entry->is_ascii_string = 1;
 			}
-			internal_name_to_id_map_entry->value_size = (size_t) name_to_id_map_string_size;
-
 			internal_name_to_id_map_entry->string_value = (uint8_t *) memory_allocate(
-			                                                           sizeof( uint8_t ) * internal_name_to_id_map_entry->value_size );
+			                                                           sizeof( uint8_t ) * (size_t) name_to_id_map_string_size );
 
 			if( internal_name_to_id_map_entry->string_value == NULL )
 			{
@@ -902,6 +912,8 @@ int libpff_name_to_id_map_entry_read(
 
 				goto on_error;
 			}
+			internal_name_to_id_map_entry->value_size = (size_t) name_to_id_map_string_size;
+
 			if( memory_copy(
 			     internal_name_to_id_map_entry->string_value,
 			     name_to_id_map_string_data,

diff --git a/libpff/libpff_record_entry.c b/libpff/libpff_record_entry.c
@@ -569,17 +569,6 @@ int libpff_record_entry_set_value_data(
 
 		return( -1 );
 	}
-	if( value_data_size > (size_t) SSIZE_MAX )
-	{
-		libcerror_error_set(
-		 error,
-		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
-		 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
-		 "%s: invalid value data size value exceeds maximum.",
-		 function );
-
-		return( -1 );
-	}
 	if( value_data_size > 0 )
 	{
 		if( value_data == NULL )
@@ -593,6 +582,17 @@ int libpff_record_entry_set_value_data(
 
 			goto on_error;
 		}
+		if( value_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
+			 LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
+			 "%s: invalid value data size value exceeds maximum allocation size.",
+			 function );
+
+			goto on_error;
+		}
 		internal_record_entry->value_data = (uint8_t *) memory_allocate(
 		                                                 value_data_size );
 
@@ -761,19 +761,19 @@ int libpff_record_entry_set_value_data_from_stream(
 
 		return( -1 );
 	}
-	if( value_data_size > (size64_t) SSIZE_MAX )
-	{
-		libcerror_error_set(
-		 error,
-		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
-		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
-		 "%s: invalid value data size value out of bounds.",
-		 function );
-
-		return( -1 );
-	}
 	if( value_data_size > 0 )
 	{
+		if( value_data_size > (size64_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
+			 "%s: invalid value data size value exceeds maximum allocation size.",
+			 function );
+
+			goto on_error;
+		}
 		if( libfdata_stream_seek_offset(
 		     value_data_stream,
 		     0,
@@ -2658,10 +2658,20 @@ int libpff_record_entry_get_multi_value(
 	 */
 	if( internal_record_entry->value_data != NULL )
 	{
-		internal_multi_value->value_data_size = internal_record_entry->value_data_size;
+		if( ( internal_record_entry->value_data_size == 0 )
+		 || ( internal_record_entry->value_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+			 "%s: invalid record entry - value data size value out of bounds.",
+			 function );
 
+			goto on_error;
+		}
 		internal_multi_value->value_data = (uint8_t *) memory_allocate(
-								sizeof( uint8_t ) * internal_multi_value->value_data_size );
+								sizeof( uint8_t ) * internal_record_entry->value_data_size );
 
 		if( internal_multi_value->value_data == NULL )
 		{
@@ -2674,6 +2684,8 @@ int libpff_record_entry_get_multi_value(
 
 			goto on_error;
 		}
+		internal_multi_value->value_data_size = internal_record_entry->value_data_size;
+
 		if( memory_copy(
 		     internal_multi_value->value_data,
 		     internal_record_entry->value_data,
@@ -2763,6 +2775,18 @@ int libpff_record_entry_get_multi_value(
 		}
 		if( internal_multi_value->number_of_values > 0 )
 		{
+			if( ( internal_multi_value->number_of_values > (size_t) ( MEMORY_MAXIMUM_ALLOCATION_SIZE / sizeof( uint32_t ) ) )
+			 || ( internal_multi_value->number_of_values > (size_t) ( MEMORY_MAXIMUM_ALLOCATION_SIZE / sizeof( size_t ) ) ) )
+			{
+				libcerror_error_set(
+				 error,
+				 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+				 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
+				 "%s: invalid multi value - number of values exceeds maximum allocatio size.",
+				 function );
+
+				goto on_error;
+			}
 			internal_multi_value->value_offset = (uint32_t *) memory_allocate(
 									   sizeof( uint32_t ) * internal_multi_value->number_of_values );
 

diff --git a/libpff/libpff_table.c b/libpff/libpff_table.c
@@ -1270,6 +1270,17 @@ int libpff_table_clone_value_data_by_reference(
 
 		goto on_error;
 	}
+	if( table_value_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE )
+	{
+		libcerror_error_set(
+		 error,
+		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+		 LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM,
+		 "%s: invalid table value data size value exceeds maximum allocation size.",
+		 function );
+
+		goto on_error;
+	}
 	*value_data = (uint8_t *) memory_allocate(
 	                           table_value_data_size );
 
@@ -3654,6 +3665,18 @@ int libpff_table_read_7c_values(
 	 */
 	column_definitions_data_size = table_header_data_size;
 
+	if( ( column_definitions_data_size == 0 )
+	 || ( column_definitions_data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) )
+	{
+		libcerror_error_set(
+		 error,
+		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+		 "%s: invalid column definitions data size value out of bounds.",
+		 function );
+
+		goto on_error;
+	}
 	column_definitions_data = (uint8_t *) memory_allocate(
 	                                       column_definitions_data_size );
 

diff --git a/ossfuzz/Makefile.am b/ossfuzz/Makefile.am
@@ -0,0 +1,45 @@
+if HAVE_LIB_FUZZING_ENGINE
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-I$(top_srcdir)/common \
+	@LIBCERROR_CPPFLAGS@ \
+	@LIBCDATA_CPPFLAGS@ \
+	@LIBCLOCALE_CPPFLAGS@ \
+	@LIBCNOTIFY_CPPFLAGS@ \
+	@LIBUNA_CPPFLAGS@ \
+	@LIBCFILE_CPPFLAGS@ \
+	@LIBCPATH_CPPFLAGS@ \
+	@LIBBFIO_CPPFLAGS@
+
+bin_PROGRAMS = \
+	file_fuzzer
+
+file_fuzzer_SOURCES = \
+	file_fuzzer.cc \
+	ossfuzz_libbfio.h \
+	ossfuzz_libpff.h
+
+file_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	@LIBBFIO_LIBADD@ \
+	@LIBCPATH_LIBADD@ \
+	@LIBCFILE_LIBADD@ \
+	@LIBUNA_LIBADD@ \
+	@LIBCDATA_LIBADD@ \
+	../libpff/libpff.la \
+	@LIBCNOTIFY_LIBADD@ \
+	@LIBCLOCALE_LIBADD@ \
+	@LIBCERROR_LIBADD@ \
+	@LIBINTL@
+endif
+
+MAINTAINERCLEANFILES = \
+	Makefile.in
+
+distclean: clean
+	/bin/rm -f Makefile
+
+splint:
+	@echo "Running splint on file_fuzzer ..."
+	-splint -preproc -redef $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(file_fuzzer_SOURCES)
+