1/*-
2 * Copyright (c) 2003-2007 Tim Kientzle
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25#include "test.h"
26__FBSDID("$FreeBSD$");
27
28/*
29 * This was inspired by an ISO fuzz tester written by Michal Zalewski
30 * and posted to the "vulnwatch" mailing list on March 17, 2005:
31 *    http://seclists.org/vulnwatch/2005/q1/0088.html
32 *
33 * This test simply reads each archive image into memory, pokes
34 * random values into it and runs it through libarchive.  It tries
35 * to damage about 1% of each file and repeats the exercise 100 times
36 * with each file.
37 *
38 * Unlike most other tests, this test does not verify libarchive's
39 * responses other than to ensure that libarchive doesn't crash.
40 *
41 * Due to the deliberately random nature of this test, it may be hard
42 * to reproduce failures.  Because this test deliberately attempts to
43 * induce crashes, there's little that can be done in the way of
44 * post-failure diagnostics.
45 */
46
47/* Because this works for any archive, we can just re-use the archives
48 * developed for other tests. */
49struct files {
50	int uncompress; /* If 1, decompress the file before fuzzing. */
51	const char **names;
52};
53
54static void
55test_fuzz(const struct files *filesets)
56{
57	const void *blk;
58	size_t blk_size;
59	int64_t blk_offset;
60	int n;
61
62	for (n = 0; filesets[n].names != NULL; ++n) {
63		const size_t buffsize = 30000000;
64		struct archive_entry *ae;
65		struct archive *a;
66		char *rawimage = NULL, *image = NULL, *tmp = NULL;
67		size_t size = 0, oldsize = 0;
68		int i, q;
69
70		extract_reference_files(filesets[n].names);
71		if (filesets[n].uncompress) {
72			int r;
73			/* Use format_raw to decompress the data. */
74			assert((a = archive_read_new()) != NULL);
75			assertEqualIntA(a, ARCHIVE_OK,
76			    archive_read_support_filter_all(a));
77			assertEqualIntA(a, ARCHIVE_OK,
78			    archive_read_support_format_raw(a));
79			r = archive_read_open_filenames(a, filesets[n].names, 16384);
80			if (r != ARCHIVE_OK) {
81				archive_read_free(a);
82				if (filesets[n].names[0] == NULL || filesets[n].names[1] == NULL) {
83					skipping("Cannot uncompress fileset");
84				} else {
85					skipping("Cannot uncompress %s", filesets[n].names[0]);
86				}
87				continue;
88			}
89			assertEqualIntA(a, ARCHIVE_OK,
90			    archive_read_next_header(a, &ae));
91			rawimage = malloc(buffsize);
92			size = archive_read_data(a, rawimage, buffsize);
93			assertEqualIntA(a, ARCHIVE_EOF,
94			    archive_read_next_header(a, &ae));
95			assertEqualInt(ARCHIVE_OK,
96			    archive_read_free(a));
97			assert(size > 0);
98			if (filesets[n].names[0] == NULL || filesets[n].names[1] == NULL) {
99				failure("Internal buffer is not big enough for "
100					"uncompressed test files");
101			} else {
102				failure("Internal buffer is not big enough for "
103					"uncompressed test file: %s", filesets[n].names[0]);
104			}
105			if (!assert(size < buffsize)) {
106				free(rawimage);
107				continue;
108			}
109		} else {
110			for (i = 0; filesets[n].names[i] != NULL; ++i)
111			{
112				tmp = slurpfile(&size, filesets[n].names[i]);
113				rawimage = (char *)realloc(rawimage, oldsize + size);
114				memcpy(rawimage + oldsize, tmp, size);
115				oldsize += size;
116				size = oldsize;
117				free(tmp);
118				if (!assert(rawimage != NULL))
119					continue;
120			}
121		}
122		if (size == 0)
123			continue;
124		image = malloc(size);
125		assert(image != NULL);
126		if (image == NULL)
127			return;
128		srand((unsigned)time(NULL));
129
130		for (i = 0; i < 100; ++i) {
131			FILE *f;
132			int j, numbytes, trycnt;
133
134			/* Fuzz < 1% of the bytes in the archive. */
135			memcpy(image, rawimage, size);
136			q = (int)size / 100;
137			if (!q) q = 1;
138			numbytes = (int)(rand() % q);
139			for (j = 0; j < numbytes; ++j)
140				image[rand() % size] = (char)rand();
141
142			/* Save the messed-up image to a file.
143			 * If we crash, that file will be useful. */
144			for (trycnt = 0; trycnt < 3; trycnt++) {
145				f = fopen("after.test.failure.send.this.file."
146				    "to.libarchive.maintainers.with.system.details", "wb");
147				if (f != NULL)
148					break;
149#if defined(_WIN32) && !defined(__CYGWIN__)
150				/*
151				 * Sometimes previous close operation does not completely
152				 * end at this time. So we should take a wait while
153				 * the operation running.
154				 */
155				Sleep(100);
156#endif
157			}
158			assertEqualInt((size_t)size, fwrite(image, 1, (size_t)size, f));
159			fclose(f);
160
161			assert((a = archive_read_new()) != NULL);
162			assertEqualIntA(a, ARCHIVE_OK,
163			    archive_read_support_filter_all(a));
164			assertEqualIntA(a, ARCHIVE_OK,
165			    archive_read_support_format_all(a));
166
167			if (0 == archive_read_open_memory(a, image, size)) {
168				while(0 == archive_read_next_header(a, &ae)) {
169					while (0 == archive_read_data_block(a,
170						&blk, &blk_size, &blk_offset))
171						continue;
172				}
173				archive_read_close(a);
174			}
175			archive_read_free(a);
176		}
177		free(image);
178		free(rawimage);
179	}
180}
181
182DEFINE_TEST(test_fuzz_ar)
183{
184	static const char *fileset1[] = {
185		"test_read_format_ar.ar",
186		NULL
187	};
188	static const struct files filesets[] = {
189		{0, fileset1},
190		{1, NULL}
191	};
192	test_fuzz(filesets);
193}
194
195DEFINE_TEST(test_fuzz_cab)
196{
197	static const char *fileset1[] = {
198		"test_fuzz.cab",
199		NULL
200	};
201	static const struct files filesets[] = {
202		{0, fileset1},
203		{1, NULL}
204	};
205	test_fuzz(filesets);
206}
207
208DEFINE_TEST(test_fuzz_cpio)
209{
210	static const char *fileset1[] = {
211		"test_read_format_cpio_bin_be.cpio",
212		NULL
213	};
214	static const char *fileset2[] = {
215		/* Test RPM unwrapper */
216		"test_read_format_cpio_svr4_gzip_rpm.rpm",
217		NULL
218	};
219	static const struct files filesets[] = {
220		{0, fileset1},
221		{0, fileset2},
222		{1, NULL}
223	};
224	test_fuzz(filesets);
225}
226
227DEFINE_TEST(test_fuzz_iso9660)
228{
229	static const char *fileset1[] = {
230		"test_fuzz_1.iso.Z",
231		NULL
232	};
233	static const struct files filesets[] = {
234		{0, fileset1}, /* Exercise compress decompressor. */
235		{1, fileset1},
236		{1, NULL}
237	};
238	test_fuzz(filesets);
239}
240
241DEFINE_TEST(test_fuzz_lzh)
242{
243	static const char *fileset1[] = {
244		"test_fuzz.lzh",
245		NULL
246	};
247	static const struct files filesets[] = {
248		{0, fileset1},
249		{1, NULL}
250	};
251	test_fuzz(filesets);
252}
253
254DEFINE_TEST(test_fuzz_mtree)
255{
256	static const char *fileset1[] = {
257		"test_read_format_mtree.mtree",
258		NULL
259	};
260	static const struct files filesets[] = {
261		{0, fileset1},
262		{1, NULL}
263	};
264	test_fuzz(filesets);
265}
266
267DEFINE_TEST(test_fuzz_rar)
268{
269	static const char *fileset1[] = {
270		/* Uncompressed RAR test */
271		"test_read_format_rar.rar",
272		NULL
273	};
274	static const char *fileset2[] = {
275		/* RAR file with binary data */
276		"test_read_format_rar_binary_data.rar",
277		NULL
278	};
279	static const char *fileset3[] = {
280		/* Best Compressed RAR test */
281		"test_read_format_rar_compress_best.rar",
282		NULL
283	};
284	static const char *fileset4[] = {
285		/* Normal Compressed RAR test */
286		"test_read_format_rar_compress_normal.rar",
287		NULL
288	};
289	static const char *fileset5[] = {
290		/* Normal Compressed Multi LZSS blocks RAR test */
291		"test_read_format_rar_multi_lzss_blocks.rar",
292		NULL
293	};
294	static const char *fileset6[] = {
295		/* RAR with no EOF header */
296		"test_read_format_rar_noeof.rar",
297		NULL
298	};
299	static const char *fileset7[] = {
300		/* Best Compressed RAR file with both PPMd and LZSS blocks */
301		"test_read_format_rar_ppmd_lzss_conversion.rar",
302		NULL
303	};
304	static const char *fileset8[] = {
305		/* RAR with subblocks */
306		"test_read_format_rar_subblock.rar",
307		NULL
308	};
309	static const char *fileset9[] = {
310		/* RAR with Unicode filenames */
311		"test_read_format_rar_unicode.rar",
312		NULL
313	};
314	static const char *fileset10[] = {
315		"test_read_format_rar_multivolume.part0001.rar",
316		"test_read_format_rar_multivolume.part0002.rar",
317		"test_read_format_rar_multivolume.part0003.rar",
318		"test_read_format_rar_multivolume.part0004.rar",
319		NULL
320	};
321	static const struct files filesets[] = {
322		{0, fileset1},
323		{0, fileset2},
324		{0, fileset3},
325		{0, fileset4},
326		{0, fileset5},
327		{0, fileset6},
328		{0, fileset7},
329		{0, fileset8},
330		{0, fileset9},
331		{0, fileset10},
332		{1, NULL}
333	};
334	test_fuzz(filesets);
335}
336
337DEFINE_TEST(test_fuzz_tar)
338{
339	static const char *fileset1[] = {
340		"test_compat_bzip2_1.tbz",
341		NULL
342	};
343	static const char *fileset2[] = {
344		"test_compat_gtar_1.tar",
345		NULL
346	};
347	static const char *fileset3[] = {
348		"test_compat_gzip_1.tgz",
349		NULL
350	};
351	static const char *fileset4[] = {
352		"test_compat_gzip_2.tgz",
353		NULL
354	};
355	static const char *fileset5[] = {
356		"test_compat_tar_hardlink_1.tar",
357		NULL
358	};
359	static const char *fileset6[] = {
360		"test_compat_xz_1.txz",
361		NULL
362	};
363	static const char *fileset7[] = {
364		"test_read_format_gtar_sparse_1_17_posix10_modified.tar",
365		NULL
366	};
367	static const char *fileset8[] = {
368		"test_read_format_tar_empty_filename.tar",
369		NULL
370	};
371	static const char *fileset9[] = {
372		"test_compat_lzop_1.tar.lzo",
373		NULL
374	};
375	static const struct files filesets[] = {
376		{0, fileset1}, /* Exercise bzip2 decompressor. */
377		{1, fileset1},
378		{0, fileset2},
379		{0, fileset3}, /* Exercise gzip decompressor. */
380		{0, fileset4}, /* Exercise gzip decompressor. */
381		{0, fileset5},
382		{0, fileset6}, /* Exercise xz decompressor. */
383		{0, fileset7},
384		{0, fileset8},
385		{0, fileset9}, /* Exercise lzo decompressor. */
386		{1, NULL}
387	};
388	test_fuzz(filesets);
389}
390
391DEFINE_TEST(test_fuzz_zip)
392{
393	static const char *fileset1[] = {
394		"test_compat_zip_1.zip",
395		NULL
396	};
397	static const char *fileset2[] = {
398		"test_read_format_zip.zip",
399		NULL
400	};
401	static const struct files filesets[] = {
402		{0, fileset1},
403		{0, fileset2},
404		{1, NULL}
405	};
406	test_fuzz(filesets);
407}
408
409