Two more invalid input cases [afl]

author: Josh MacDonald <josh.macdonald@gmail.com> 2015-11-02 21:33:51 -0800
committer: Josh MacDonald <josh.macdonald@gmail.com> 2015-11-02 21:33:51 -0800
commit: c948e08db789d90547b45ce0a5dcbec9225bad57 (patch)
tree: 1fdd31f1fa169a456e8a92b595b3f4d69b3f4c77 /xdelta3
parent: 482c20590f29c91a06430d2818a140257826ac01 (diff)
4 files changed, 42 insertions, 14 deletions
diff --git a/xdelta3/xdelta3-decode.h b/xdelta3/xdelta3-decode.h
index b44dae4..dc28323 100644
--- a/xdelta3/xdelta3-decode.h
+++ b/xdelta3/xdelta3-decode.h
@@ -162,6 +162,9 @@ xd3_decode_allocate (xd3_stream  *stream,
                     uint8_t    **buf_ptr,
                     usize_t      *buf_alloc)
 {
+  IF_DEBUG2 (DP(RINT "[xd3_decode_allocate] size %u alloc %u\n",
+                size, *buf_alloc));
+  
  if (*buf_ptr != NULL && *buf_alloc < size)
    {
      xd3_free (stream, *buf_ptr);
@@ -204,6 +207,9 @@ xd3_decode_section (xd3_stream *stream,
          /* No allocation/copy needed */
          section->buf = stream->next_in;
          sect_take    = section->size;
+          IF_DEBUG2 (DP(RINT "[xd3_decode_section] copy==0 @ 0 %u\n",
+                        sect_take, section->alloc1));
        }
      else
        {
@@ -227,6 +233,11 @@ xd3_decode_section (xd3_stream *stream,
              section->buf = section->copied1;
            }
+          IF_DEBUG2 (DP(RINT "[xd3_decode_section] take %u @ %u[%u] size %u\n",
+                        section->pos, sect_take, section->alloc1, section->size));
+                        
+          XD3_ASSERT (section->pos + sect_take < section->alloc1);
          memcpy (section->copied1 + section->pos,
                  stream->next_in,
                  sect_take);
diff --git a/xdelta3/xdelta3-djw.h b/xdelta3/xdelta3-djw.h
index 080de59..f69cb1d 100644
--- a/xdelta3/xdelta3-djw.h
+++ b/xdelta3/xdelta3-djw.h
@@ -1456,7 +1456,7 @@ djw_decode_symbol (xd3_stream     *stream,
      if (*input == input_end)
        {
          stream->msg = "secondary decoder end of input";
-          return XD3_INTERNAL;
+          return XD3_INVALID_INPUT;
        }
      bstate->cur_byte = *(*input)++;
@@ -1479,7 +1479,7 @@ djw_decode_symbol (xd3_stream     *stream,
 corrupt:
  stream->msg = "secondary decoder invalid code";
-  return XD3_INTERNAL;
+  return XD3_INVALID_INPUT;
 }
 static int
@@ -1606,7 +1606,7 @@ djw_decode_1_2 (xd3_stream     *stream,
  if (rep != 0)
    {
      stream->msg = "secondary decoder invalid repeat code";
-      return XD3_INTERNAL;
+      return XD3_INVALID_INPUT;
    }
  
  return 0;
@@ -1654,7 +1654,7 @@ xd3_decode_huff (xd3_stream     *stream,
  if (output_bytes == 0)
    {
      stream->msg = "secondary decoder invalid input";
-      return XD3_INTERNAL;
+      return XD3_INVALID_INPUT;
    }
  /* Decode: number of groups */
@@ -1796,7 +1796,11 @@ xd3_decode_huff (xd3_stream     *stream,
                gp_maxlen  = maxlen[gp];
              }
-            XD3_ASSERT (output_end - output > 0);
+            if (output_end < output)
+              {
+                stream->msg = "secondary decoder invalid input";
+                return XD3_INVALID_INPUT;
+              }
            
            /* Decode next sector. */
            n = xd3_min (sector_size, (usize_t) (output_end - output));
diff --git a/xdelta3/xdelta3-internal.h b/xdelta3/xdelta3-internal.h
index d6eb0ac..eb360be 100644
--- a/xdelta3/xdelta3-internal.h
+++ b/xdelta3/xdelta3-internal.h
@@ -330,12 +330,14 @@ xd3_sizeof_uint64_t (uint64_t num)
 #if SIZEOF_USIZE_T == 4
 #define USIZE_T_MAX        UINT32_MAX
+#define USIZE_T_MAXBLKSZ   0x80000000U
 #define xd3_decode_size   xd3_decode_uint32_t
 #define xd3_emit_size     xd3_emit_uint32_t
 #define xd3_sizeof_size   xd3_sizeof_uint32_t
 #define xd3_read_size     xd3_read_uint32_t
 #elif SIZEOF_USIZE_T == 8
 #define USIZE_T_MAX        UINT64_MAX
+#define USIZE_T_MAXBLKSZ   0x8000000000000000ULL
 #define xd3_decode_size   xd3_decode_uint64_t
 #define xd3_emit_size     xd3_emit_uint64_t
 #define xd3_sizeof_size   xd3_sizeof_uint64_t
diff --git a/xdelta3/xdelta3.c b/xdelta3/xdelta3.c
index 95ff509..51d24de 100644
--- a/xdelta3/xdelta3.c
+++ b/xdelta3/xdelta3.c
@@ -1104,7 +1104,17 @@ xd3_round_blksize (usize_t sz, usize_t blksz)
  XD3_ASSERT (xd3_check_pow2 (blksz, NULL) == 0);
-  return mod ? (sz + (blksz - mod)) : sz;
+  if (mod == 0)
+    {
+      return sz;
+    }
+  if (sz > USIZE_T_MAXBLKSZ)
+    {
+      return USIZE_T_MAXBLKSZ;
+    }
+  return sz + (blksz - mod);
 }
 /***********************************************************************
@@ -2081,8 +2091,8 @@ xd3_close_stream (xd3_stream *stream)
          break;
        default:
          /* If decoding, should be ready for the next window. */
-          stream->msg = "EOF in decode";
+          stream->msg = "eof in decode";
-          return XD3_INTERNAL;
+          return XD3_INVALID_INPUT;
        }
    }
@@ -3762,7 +3772,7 @@ xd3_source_match_setup (xd3_stream *stream, xoff_t srcpos)
               frontier_pos, srcpos, stream->src->max_winsize));
  if (srcpos < frontier_pos &&
      frontier_pos - srcpos > stream->src->max_winsize) {
-    IF_DEBUG1(DP(RINT "[match_setup] rejected due to src->max_winsize "
+    IF_DEBUG2(DP(RINT "[match_setup] rejected due to src->max_winsize "
                 "distance eof=%"Q"u srcpos=%"Q"u maxsz=%"Q"u\n",
                 xd3_source_eof (stream->src),
                 srcpos, stream->src->max_winsize));
@@ -4423,14 +4433,15 @@ xd3_srcwin_move_point (xd3_stream *stream, usize_t *next_move_point)
          IF_DEBUG1 (DP(RINT
                        "[srcwin_move_point] async getblk return for %"Q"u\n",
                        blkno));
          return ret;
        }
      IF_DEBUG1 (DP(RINT
-                    "[srcwin_move_point] T=%"Q"u{%"Q"u} S=%"Q"u EOF=%"Q"u %s\n",
+                    "[srcwin_move_point] T=%"Q"u S=%"Q"u L=%"Q"u EOF=%"Q"u %s\n",
                    stream->total_in + stream->input_position,
-                    logical_input_cksum_pos,
                    stream->srcwin_cksum_pos,
+                    logical_input_cksum_pos,
                    xd3_source_eof (stream->src),
                    stream->src->eof_known ? "known" : "unknown"));
@@ -4475,11 +4486,11 @@ xd3_srcwin_move_point (xd3_stream *stream, usize_t *next_move_point)
    }
  IF_DEBUG1 (DP(RINT
-                "[srcwin_move_point] exited loop T=%"Q"u{%"Q"u} "
+                "[srcwin_move_point] exited loop T=%"Q"u "
-                "S=%"Q"u EOF=%"Q"u %s\n",
+                "S=%"Q"u L=%"Q" EOF=%"Q"u %s\n",
                stream->total_in + stream->input_position,
-                logical_input_cksum_pos,
                stream->srcwin_cksum_pos,
+                logical_input_cksum_pos,
                xd3_source_eof (stream->src),
                stream->src->eof_known ? "known" : "unknown"));
author	Josh MacDonald <josh.macdonald@gmail.com>	2015-11-02 21:33:51 -0800
committer	Josh MacDonald <josh.macdonald@gmail.com>	2015-11-02 21:33:51 -0800
commit	c948e08db789d90547b45ce0a5dcbec9225bad57 (patch)
tree	1fdd31f1fa169a456e8a92b595b3f4d69b3f4c77 /xdelta3
parent	482c20590f29c91a06430d2818a140257826ac01 (diff)