CVE-2002-0059 was a double free in inflation. [0]
This makes sure we don't accidentally reintroduce it.
zlib-1.1.3 was downloaded and fuzz tested using AFL[1].
This crashing case (test.gz) was discovered, and using gdb it was
confirmed to be a double free in the expected place.
The test script looks for a normal error exit (status code 1),
and fails if any other code is returned.
[0] http://www.cvedetails.com/cve/CVE-2002-0059/
[1] http://lcamtuf.coredump.cx/afl/
Signed-off-by: Daniel Axtens <dja@axtens.net>
fi; \
rm -f $$TMP64
-cvetests: testCVE-2003-0107
+cvetests: testCVE-2003-0107 testCVEinputs
+
+testCVEinputs:
+ @$(SRCDIR)/testCVEinputs.sh
testCVE-2003-0107: CVE-2003-0107$(EXE)
@if ./CVE-2003-0107$(EXE); then \
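Review bot: the new `testCVEinputs` target declares no prerequisites, yet the script it runs invokes `../minigzip`, so `make cvetests` on a clean tree (or a tree where only `CVE-2003-0107$(EXE)` has been built) will run the script before the binary exists. Mirror the neighbouring rule, which depends on `CVE-2003-0107$(EXE)`, and make the target depend on `minigzip$(EXE)`, e.g. `testCVEinputs: minigzip$(EXE)`; with that dependency a missing binary becomes a build failure rather than an unexpected exit status from the script.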
--- /dev/null
+#!/bin/bash
+TESTDIR="$(dirname "$0")"
+
+CVEs="CVE-2002-0059"
+
+for CVE in $CVEs; do
+ fail=0
+ for testcase in ${TESTDIR}/${CVE}/*.gz; do
+ ../minigzip -d < "$testcase"
+ # we expect that a 1 error code is OK
+ # for a vulnerable failure we'd expect 134 or similar
+ if [ $? -ne 1 ]; then
+ fail=1
+ fi
+ done
+ if [ $fail -eq 0 ]; then
+ echo " --- zlib not vulnerable to $CVE ---";
+ else
+ echo " --- zlib VULNERABLE to $CVE ---"; exit 1;
+ fi
+done
+
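Review bot: the status check `if [ $? -ne 1 ]` cannot tell a clean error exit from a run that never happened, so the script can report "not vulnerable" without decompressing anything. With `nullglob` unset, an empty or missing `${TESTDIR}/${CVE}/` directory leaves the literal pattern `${TESTDIR}/${CVE}/*.gz` in `$testcase`; the `<` redirection then fails before `minigzip` starts, the shell sets `$?` to 1, and the loop treats that as a pass. Add `shopt -s nullglob` (or `[ -f "$testcase" ] || continue`) and count the cases actually run, failing the test if the count is zero. The same check also misreports the opposite direction: `../minigzip` is resolved against the caller's working directory rather than `$TESTDIR`, so running the script from anywhere but the expected subdirectory gives exit status 127, which is reported as "zlib VULNERABLE" even though no decompression took place. Checking that the binary exists before the loop, or locating it relative to `$TESTDIR`, would keep the VULNERABLE verdict reserved for an actual abnormal termination such as the 134 the comment describes.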