add fuzz target, fix heap-buffer-overflow issue

Pascal Seitz · Pascal Seitz · commit ce92fbf28c94 · 2020-10-19T07:50:36.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -33,7 +33,7 @@ lz4-compress = "0.1.1"
 more-asserts = "0.2.1"
 
 [features]
-default = ["safe-decode"]
+default = ["safe-decode", "safe-decode"]
 safe-decode = []
 safe-encode = []
 
diff --git a/README.md b/README.md
@@ -50,7 +50,10 @@ Executed on Macbook Pro 2017 i7
 
 ## Fuzzer
 This fuzz target fuzzes, and asserts compression and decompression returns the original input.
-`cargo fuzz run fuzz_target_1`
+`cargo fuzz run fuzz_roundtrip`
+
+This fuzz target fuzzes, and asserts compression with cpp and decompression returns the original input.
+`cargo fuzz run fuzz_roundtrip_cpp_compress`
 
 
 
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -11,6 +11,7 @@ cargo-fuzz = true
 
 [dependencies]
 libfuzzer-sys = "0.3"
+lz4 = "1.23.1"
 
 [dependencies.lz4_flex]
 path = ".."
@@ -20,7 +21,13 @@ path = ".."
 members = ["."]
 
 [[bin]]
-name = "fuzz_target_1"
-path = "fuzz_targets/fuzz_target_1.rs"
+name = "fuzz_roundtrip"
+path = "fuzz_targets/fuzz_roundtrip.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_roundtrip_cpp_compress"
+path = "fuzz_targets/fuzz_roundtrip_cpp_compress.rs"
 test = false
 doc = false
diff --git a/fuzz/fuzz_targets/fuzz_roundtrip.rs b/fuzz/fuzz_targets/fuzz_roundtrip.rs
diff --git a/fuzz/fuzz_targets/fuzz_roundtrip_cpp_compress.rs b/fuzz/fuzz_targets/fuzz_roundtrip_cpp_compress.rs
@@ -0,0 +1,12 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+use lz4_flex::block::decompress::decompress_size_prepended;
+use lz4::block::compress as lz4_linked_block_compress;
+
+fuzz_target!(|data: &[u8]| {
+    // fuzzed code goes here
+    let compressed = lz4_linked_block_compress(data, None, true).unwrap();
+    let decompressed = decompress_size_prepended(&compressed).unwrap();
+    assert_eq!(data, decompressed);
+});
diff --git a/src/block/decompress.rs b/src/block/decompress.rs
@@ -326,8 +326,8 @@ pub fn decompress_size_prepended(input: &[u8]) -> Result<Vec<u8>, Error> {
         | (input[1] as usize) << 8
         | (input[2] as usize) << 16
         | (input[3] as usize) << 24;
-    // Allocate a vector to contain the decompressed stream.
-    let mut vec = Vec::with_capacity(uncompressed_size + 8);
+    // Allocate a vector to contain the decompressed stream. we may wildcopy out of bounds, so the vector needs to have ad additional BLOCK_COPY_SIZE capacity
+    let mut vec = Vec::with_capacity(uncompressed_size + BLOCK_COPY_SIZE);
     unsafe {
         vec.set_len(uncompressed_size);
     }
@@ -336,11 +336,12 @@ pub fn decompress_size_prepended(input: &[u8]) -> Result<Vec<u8>, Error> {
     Ok(vec)
 }
 
+
 /// Decompress all bytes of `input` into a new vec.
 #[inline]
 pub fn decompress(input: &[u8], uncompressed_size: usize) -> Result<Vec<u8>, Error> {
-    // Allocate a vector to contain the decompressed stream.
-    let mut vec = Vec::with_capacity(uncompressed_size + 8);
+    // Allocate a vector to contain the decompressed stream. we may wildcopy out of bounds, so the vector needs to have ad additional BLOCK_COPY_SIZE capacity
+    let mut vec = Vec::with_capacity(uncompressed_size + BLOCK_COPY_SIZE);
     unsafe {
         vec.set_len(uncompressed_size);
     }
