Fuzz minizip google/oss-fuzz#1940.

CMakeLists.txt

@@ -20,6 +20,7 @@ option(USE_BRG "Enables Brian Gladman's encryption library" OFF)
 option(COMPRESS_ONLY "Only support compression" OFF)
 option(DECOMPRESS_ONLY "Only support decompression" OFF)
 option(BUILD_TEST "Builds minizip test executable" OFF)
+option(BUILD_FUZZ_TEST "Builds minizip fuzzer executables" OFF)
 
 project("minizip" C)
 
@@ -345,9 +346,7 @@ if(USE_ZLIB)
         if (ZLIB_FOUND)
             include(CheckFunctionExists)
             set(CMAKE_REQUIRED_LIBRARIES ZLIB)
-            CHECK_FUNCTION_EXISTS(z_get_crc_table
-                NEEDS_Z_PREFIX)
-    
+            check_function_exists(z_get_crc_table NEEDS_Z_PREFIX)
             if(NEEDS_Z_PREFIX)
                 add_definitions(-DZ_PREFIX)
             endif()
@@ -513,6 +512,9 @@ if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
     add_compile_options(-W -Wall)
     add_compile_options(-O3)
 endif()
+if(MSVC)
+    add_compile_options(/W3)
+endif()
 
 # Create minizip library
 source_group("Minizip" FILES ${MINIZIP_SRC} ${MINIZIP_PUBLIC_HEADERS})
@@ -523,16 +525,19 @@ add_library(${PROJECT_NAME}
                 ${BZIP2_SRC} ${BZIP2_PUBLIC_HEADERS}
                 ${LZMA_SRC} ${LZMA_PUBLIC_HEADERS})
 
+set_target_properties(${PROJECT_NAME} PROPERTIES 
+                        VERSION ${VERSION} 
+                        SOVERSION ${SOVERSION}
+                        LINKER_LANGUAGE C
+                        PREFIX ""
+                        POSITION_INDEPENDENT_CODE 1) 
+if(USE_LZMA)
+    set_target_properties(${PROJECT_NAME} PROPERTIES C_STANDARD 99)
+endif()
 if (MSVC AND BUILD_SHARED_LIBS)
     set_target_properties(${PROJECT_NAME} PROPERTIES ARCHIVE_OUTPUT_NAME "minizip")
 endif ()
 
-set_target_properties(${PROJECT_NAME} PROPERTIES VERSION ${VERSION} SOVERSION ${SOVERSION})
-
-set_target_properties(${PROJECT_NAME} PROPERTIES LINKER_LANGUAGE C PREFIX ""
-                      POSITION_INDEPENDENT_CODE 1)
-set_target_properties(${PROJECT_NAME} PROPERTIES C_STANDARD 99)
-
 # Link with external libraries
 if(USE_ZLIB)
     target_link_libraries(${PROJECT_NAME} ${ZLIB_LIBRARIES})
@@ -588,7 +593,20 @@ if(BUILD_TEST)
     target_link_libraries(minizip ${PROJECT_NAME})
 
     if(NOT SKIP_INSTALL_BINARIES AND NOT SKIP_INSTALL_ALL)
-        install(TARGETS minizip
-            RUNTIME DESTINATION "bin")
+        install(TARGETS minizip RUNTIME DESTINATION "bin")
     endif()
 endif()
+
+#Build fuzzer executables
+if(BUILD_FUZZ_TEST)
+    add_executable(zip_fuzzer "test/fuzz/zip_fuzzer.c")
+    add_executable(unzip_fuzzer "test/fuzz/unzip_fuzzer.c")
+
+    target_link_libraries(zip_fuzzer ${PROJECT_NAME})
+    target_link_libraries(unzip_fuzzer ${PROJECT_NAME})
+
+    if(NOT SKIP_INSTALL_BINARIES AND NOT SKIP_INSTALL_ALL)
+        install(TARGETS zip_fuzzer RUNTIME DESTINATION "bin")
+        install(TARGETS unzip_fuzzer RUNTIME DESTINATION "bin")
+    endif()
+endif()

test/fuzz/unzip_fuzzer.c

@@ -0,0 +1,125 @@
+/* minizip.c
+   Version 2.7.4, November 6, 2018
+   part of the MiniZip project
+
+   Copyright (C) 2018 The Chromium Authors
+   Copyright (C) 2018 Anand K. Mistry
+   Copyright (C) 2018 Nathan Moinvaziri
+     https://github.com/nmoinvaz/minizip
+
+   This program is distributed under the terms of the same license as zlib.
+   See the accompanying LICENSE file for the full text of the license.
+*/
+
+/***************************************************************************/
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "mz.h"
+#include "mz_strm.h"
+#include "mz_strm_mem.h"
+#include "mz_zip.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/***************************************************************************/
+
+#define MZ_FUZZ_TEST_PWD        "test123"
+#define MZ_FUZZ_TEST_FILENAME   "foo"
+#define MZ_FUZZ_TEST_FILENAMEUC "FOO"
+
+/***************************************************************************/
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    mz_zip_file* file_info = NULL;
+    void *stream = NULL;
+    void *handle = NULL;
+    const char* archive_comment = NULL;
+    char buffer[1024];
+    uint16_t version_madeby = 0;
+    uint64_t num_entries = 0;
+    int32_t err = MZ_OK;
+    uint8_t encrypted = 0;
+
+
+    mz_stream_mem_create(&stream);
+    mz_stream_mem_set_buffer(stream, (const void *)data, size);
+
+    mz_zip_create(&handle);
+
+    err = mz_zip_open(handle, stream, MZ_OPEN_MODE_READ);
+
+    if (err == MZ_OK)
+    {
+        // Some archive properties that are non-fatal for reading the archive.
+        mz_zip_get_comment(handle, &archive_comment);
+        mz_zip_get_version_madeby(handle, &version_madeby);
+        mz_zip_get_number_entry(handle, &num_entries);
+
+        err = mz_zip_goto_first_entry(handle);
+        while (err == MZ_OK)
+        {
+            err = mz_zip_entry_get_info(handle, &file_info);
+            if (err != MZ_OK)
+                break;
+
+            encrypted = (file_info->flag & MZ_ZIP_FLAG_ENCRYPTED);
+
+            err = mz_zip_entry_read_open(handle, 0,
+                        encrypted ? MZ_FUZZ_TEST_PWD : NULL);
+            if (err != MZ_OK)
+                break;
+
+            err = mz_zip_entry_is_open(handle);
+            if (err != MZ_OK)
+                break;
+
+            // Return value isn't checked here because we can't predict 
+            // what the value will be.
+            
+            mz_zip_entry_is_dir(handle);
+            err = mz_zip_get_entry(handle);
+            if (err < 0)
+                break;
+
+            err = mz_zip_entry_read(handle, buffer, sizeof(buffer));
+            if (err < 0)
+                break;
+
+            err = mz_zip_entry_close(handle);
+            if (err != MZ_OK)
+                break;
+            
+            err = mz_zip_goto_next_entry(handle);
+        }
+
+        mz_zip_entry_close(handle);
+
+        // Return value isn't checked here because we can't predict what the value
+        // will be.
+
+        mz_zip_locate_entry(handle, MZ_FUZZ_TEST_FILENAME, 0);
+        mz_zip_locate_entry(handle, MZ_FUZZ_TEST_FILENAMEUC, 0);
+        mz_zip_locate_entry(handle, MZ_FUZZ_TEST_FILENAME, 1);
+        mz_zip_locate_entry(handle, MZ_FUZZ_TEST_FILENAMEUC, 1);
+
+        mz_zip_close(handle);
+    }
+
+    mz_zip_delete(&handle);
+    mz_stream_mem_delete(&stream);
+
+    return 0;
+}
+
+/***************************************************************************/
+
+#ifdef __cplusplus
+}
+#endif

test/fuzz/unzip_fuzzer.dict

@@ -0,0 +1,9 @@
+# A dictionary for more efficient fuzzing of DoStuff(). 
+# If the inputs contain multi-byte tokens, list them here.
+# See http://libfuzzer.info#dictionaries
+"\x50\x4b\x03\x04"
+"\x50\x4b\x01\x02"
+"\x50\x4b\x05\x06"
+"\x50\x4b\x06\x06"
+"\x50\x4b\x06\x07"
+"\x50\x4b\x07\x08"

test/fuzz/zip_fuzzer.c

@@ -0,0 +1,119 @@
+/* minizip.c
+   Version 2.7.4, November 6, 2018
+   part of the MiniZip project
+
+   Copyright (C) 2018 The Chromium Authors
+   Copyright (C) 2018 Anand K. Mistry
+   Copyright (C) 2018 Nathan Moinvaziri
+     https://github.com/nmoinvaz/minizip
+
+   This program is distributed under the terms of the same license as zlib.
+   See the accompanying LICENSE file for the full text of the license.
+*/
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "mz.h"
+#include "mz_strm.h"
+#include "mz_strm_mem.h"
+#include "mz_zip.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/***************************************************************************/
+
+#define MZ_FUZZ_TEST_FILENAME   "foo"
+
+/***************************************************************************/
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    mz_zip_file file_info;
+    void *fuzz_stream = NULL;
+    void *stream = NULL;
+    void *handle = NULL;
+    int32_t err = MZ_OK;
+    uint16_t value16 = 0;
+    uint8_t value8 = 0;
+    int16_t compress_level = 0;
+    int64_t fuzz_pos = 0;
+    int32_t fuzz_length = 0;
+    uint8_t *fuzz_buf = NULL;
+
+    mz_stream_mem_create(&fuzz_stream);
+    mz_stream_mem_set_buffer(fuzz_stream, (void *)data, size);
+
+    memset(&file_info, 0, sizeof(file_info));
+
+    file_info.flag = MZ_ZIP_FLAG_UTF8;
+    if ((mz_stream_read_uint8(fuzz_stream, &value8) == MZ_OK) && (value8 < 0x08))
+    {
+        if (mz_stream_read_uint16(fuzz_stream, &value16) == MZ_OK)
+            file_info.flag = value16;
+    }
+    file_info.compression_method = MZ_COMPRESS_METHOD_DEFLATE;
+    if ((mz_stream_read_uint8(fuzz_stream, &value8) == MZ_OK) && (value8 < 0x08))
+    {
+        file_info.compression_method = MZ_COMPRESS_METHOD_STORE;
+    }
+    else if ((mz_stream_read_uint8(fuzz_stream, &value8) == MZ_OK) && (value8 < 0x08))
+    {
+        if (mz_stream_read_uint16(fuzz_stream, &value16) == MZ_OK)
+            file_info.compression_method = value16;
+    }
+
+    if ((mz_stream_read_uint8(fuzz_stream, &value8) == MZ_OK) && (value8 < 0x08))
+    {
+        if (mz_stream_read_uint16(fuzz_stream, &value16) == MZ_OK)
+            file_info.zip64 = value16;
+    }
+
+    file_info.filename = MZ_FUZZ_TEST_FILENAME;
+    file_info.filename_size = (uint16_t)strlen(MZ_FUZZ_TEST_FILENAME);
+
+    compress_level = MZ_COMPRESS_LEVEL_DEFAULT;
+    if ((mz_stream_read_uint8(fuzz_stream, &value8) == MZ_OK) && (value8 < 0x08))
+    {
+        if (mz_stream_read_uint16(fuzz_stream, &value16) == MZ_OK)
+            compress_level = value16;
+    }
+
+    mz_stream_mem_create(&stream);
+    mz_zip_create(&handle);
+
+    err = mz_zip_open(handle, stream, MZ_OPEN_MODE_CREATE | MZ_OPEN_MODE_WRITE);
+    if (err == MZ_OK)
+    {
+        err = mz_zip_entry_write_open(handle, &file_info, compress_level, 0, NULL);
+        if (err == MZ_OK)
+        {
+            mz_stream_mem_get_buffer_at_current(fuzz_stream, &fuzz_buf);
+            fuzz_pos = mz_stream_tell(fuzz_stream);
+            mz_stream_mem_get_buffer_length(fuzz_stream, &fuzz_length);
+
+            err = mz_zip_entry_write(handle, fuzz_buf, (fuzz_length - (int32_t)fuzz_pos));
+
+            mz_zip_entry_close(handle);
+        }
+
+        mz_zip_close(handle);
+    }
+
+    mz_zip_delete(&handle);
+    mz_stream_mem_delete(&stream);
+
+    mz_stream_mem_delete(&fuzz_stream);
+
+    return 0;
+}
+
+/***************************************************************************/
+
+#ifdef __cplusplus
+}
+#endif