pfalcon / uzlib

Radically unbloated DEFLATE/zlib/gzip compression/decompression library. Can decompress any gzip/zlib data, and offers simplified compressor which produces gzip-compatible output, while requiring much less resources (and providing less compression ratio of course).

Fix out-of-bounds reads due to missing error handling #46

Closed yhql closed 1 year ago

yhql commented 1 year ago

Using libfuzzer with the following code (inspired by examples/tgunzip.c, and UZLIB_CONF_PARANOID_CHECKS=1) led to a crash:

#include "uzlib.h"
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>   /* malloc, free */

#define OUT_SIZE 8192

int uncompress(const uint8_t * data, size_t length) {
    struct uzlib_uncomp d;
    int32_t res;
    uint8_t * dest = (uint8_t *)malloc(OUT_SIZE);
    if (dest == NULL) return -1;

    uzlib_uncompress_init(&d, NULL, 0);

    /* In-memory input; the last 4 bytes (checksum trailer) are left out
       of the source window, as examples/tgunzip.c does. */
    d.source = data;
    d.source_limit = &data[length - 4];
    d.source_read_cb = NULL;

    /* uzlib_zlib_parse_header() returns the window-size exponent (>= 0)
       on success and a negative TINF_* error on a bad header. */
    res = uzlib_zlib_parse_header(&d);
    if (res < 0) {
        free(dest);
        return -1;
    }

    d.dest_start = d.dest = dest;
    d.dest_limit = &dest[OUT_SIZE];

    /* TINF_OK: output buffer filled; TINF_DONE: end of stream reached. */
    res = uzlib_uncompress(&d);
    free(dest);
    return (res == TINF_OK || res == TINF_DONE) ? 0 : -1;
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    /* Need more than the 4 trailer bytes for source_limit to be valid. */
    if (Size > 4) {
        uncompress(Data, Size);
    }
    return 0;
}

(compiled with clang and -fsanitize=fuzzer,address -g -O3 -ggdb2)

It can be reproduced with this input (although there are several possibilities): \x08\xd7\xba\xf9\x08\x01(\x01\x00\x06\xd7\xba\xf9\x08&\x01ggggggggggggggggggggggggg\x08\xd7\xbaggggg\x04\x00\xb8\x07gggggggggggggggggg6666666666666\x00666666666666666666666

The reason for this is that although tinf_decode_symbol() can return an error here, it is not propagated to the caller here and here and ends up being used as an index into a table, which is incorrect since TINF_DATA_ERROR is negative.

This PR fixes this problem and removes the #if UZLIB_CONF_PARANOID_CHECKS in tinf_decode_symbol since this shows a case where it leads to a crash.
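As an added illustration of the bug class described above (a constructed stand-in, not uzlib's code or part of this PR): a decoder that returns a negative error sentinel, a caller that uses the result as a table index without checking it, and the checked version beside it. The table sizes and values are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for uzlib's error codes: errors are negative. */
#define TINF_OK          0
#define TINF_DATA_ERROR (-3)

/* Constructed 4-entry code table covering DEFLATE symbols 257..260. */
#define NSYM 4
static const int symbol_of_code[NSYM] = { 257, 258, 259, 260 };
/* Length base indexed by (symbol - 257): the table the symbol indexes. */
static const uint16_t length_base[NSYM] = { 3, 4, 5, 6 };

/* Stand-in for tinf_decode_symbol(): a valid code yields a symbol,
 * anything else yields the negative TINF_DATA_ERROR sentinel. */
static int decode_symbol(unsigned code) {
    return code < NSYM ? symbol_of_code[code] : TINF_DATA_ERROR;
}

/* The pattern the PR fixes: the return value is used as an index with
 * no error check. For a bad code sym = -3, so the index is -260 and
 * length_base[-260] is an out-of-bounds read. Only called with valid
 * codes here, since the bad read is undefined behaviour. */
static int decode_length_unchecked(unsigned code, uint16_t *len) {
    int sym = decode_symbol(code);
    *len = length_base[sym - 257];   /* no sym < 0 check */
    return TINF_OK;
}

/* Index the unchecked path would compute, observable without the read. */
static int unchecked_index(unsigned code) {
    return decode_symbol(code) - 257;
}

/* Fixed pattern: propagate the error before it is used as an index,
 * and keep the index inside the table even for a valid symbol. */
static int decode_length_checked(unsigned code, uint16_t *len) {
    int sym = decode_symbol(code);
    if (sym < 0) return sym;                         /* propagate error */
    if (sym < 257 || sym - 257 >= NSYM) return TINF_DATA_ERROR;
    *len = length_base[sym - 257];
    return TINF_OK;
}

int main(void) {
    uint16_t good = 0, bad = 0;
    decode_length_unchecked(1, &good);               /* valid: good = 4 */
    int res = decode_length_checked(9, &bad);        /* malformed code */
    printf("valid len=%u; checked res=%d (unchecked would index %d)\n",
           good, res, unchecked_index(9));
    return 0;
}
```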

github-actions[bot] commented 1 year ago

Thanks for your submission. However there was no (further) activity on it for some time. Below are possible reasons and/or means to proceed further:

Thanks for your understanding!

github-actions[bot] commented 1 year ago

Closing due to inactivity.