liblzma: Don't verify header CRC32s if building for fuzz testing.
authorLasse Collin <lasse.collin@tukaani.org>
Fri, 26 Oct 2018 19:49:10 +0000 (22:49 +0300)
committerLasse Collin <lasse.collin@tukaani.org>
Fri, 26 Oct 2018 19:49:10 +0000 (22:49 +0300)
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is #defined when liblzma
is being built for fuzz testing.

Most fuzzed inputs would normally get rejected because of incorrect
CRC32 and the actual header decoding code wouldn't get fuzzed.
Disabling CRC32 checks avoids this problem. The fuzzer program
must still use LZMA_IGNORE_CHECK flag to disable verification of
integrity checks of uncompressed data.

src/liblzma/common/block_header_decoder.c
src/liblzma/common/index_decoder.c
src/liblzma/common/index_hash.c
src/liblzma/common/stream_flags_decoder.c

index 1dd982f6bd6896e69c8428734ef4915613ed23bf..730c52444b67cbc89c693b6850a9a130fb9d930c 100644 (file)
@@ -67,8 +67,11 @@ lzma_block_header_decode(lzma_block *block,
        const size_t in_size = block->header_size - 4;
 
        // Verify CRC32
-       if (lzma_crc32(in, in_size, 0) != unaligned_read32le(in + in_size))
+       if (lzma_crc32(in, in_size, 0) != unaligned_read32le(in + in_size)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
                return LZMA_DATA_ERROR;
+#endif
+       }
 
        // Check for unsupported flags.
        if (in[1] & 0x3C)
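Review bot: The reason the CRC32 mismatch is tolerated is not visible at the site itself; on a normal build the bare `#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` around the return reads like a stray guard, and the same unexplained pattern repeats in the index_decoder.c, index_hash.c and both stream_flags_decoder.c hunks. A one-line comment above each guard, e.g. `// Fuzzing builds deliberately ignore a CRC32 mismatch so the header parser itself is exercised; the macro must not be defined for release builds.`, would carry the commit message's intent into the code where a reader of the decoder will actually look. Because the five sites are byte-for-byte the same shape, a single helper macro in a shared internal header that expands to `return LZMA_DATA_ERROR;` unless the fuzzing macro is defined would keep them from drifting when another CRC check is added. lzma_block_header_decode continues outside this hunk.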
index e71fc6dfa7e03a56c58119aa5a241d8256e3a373..b26898853381bfc7daa8a61e797c3c43e19ae21b 100644 (file)
@@ -180,8 +180,11 @@ index_decode(void *coder_ptr, const lzma_allocator *allocator,
                                return LZMA_OK;
 
                        if (((coder->crc32 >> (coder->pos * 8)) & 0xFF)
-                                       != in[(*in_pos)++])
+                                       != in[(*in_pos)++]) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
                                return LZMA_DATA_ERROR;
+#endif
+                       }
 
                } while (++coder->pos < 4);
 
index d7a0344b76c3a7b3adcb64779e58d4b706badbf1..e131fab7f8508d2d3c565da099fe7a3f9d88fc1d 100644 (file)
@@ -313,8 +313,11 @@ lzma_index_hash_decode(lzma_index_hash *index_hash, const uint8_t *in,
                                return LZMA_OK;
 
                        if (((index_hash->crc32 >> (index_hash->pos * 8))
-                                       & 0xFF) != in[(*in_pos)++])
+                                       & 0xFF) != in[(*in_pos)++]) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
                                return LZMA_DATA_ERROR;
+#endif
+                       }
 
                } while (++index_hash->pos < 4);
 
index 1bc2f97c5190ea18b27801e31f50d3a21f2e1013..84f9467f72093c7d17fa7324c278f7e80754c3eb 100644 (file)
@@ -39,8 +39,11 @@ lzma_stream_header_decode(lzma_stream_flags *options, const uint8_t *in)
        const uint32_t crc = lzma_crc32(in + sizeof(lzma_header_magic),
                        LZMA_STREAM_FLAGS_SIZE, 0);
        if (crc != unaligned_read32le(in + sizeof(lzma_header_magic)
-                       + LZMA_STREAM_FLAGS_SIZE))
+                       + LZMA_STREAM_FLAGS_SIZE)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
                return LZMA_DATA_ERROR;
+#endif
+       }
 
        // Stream Flags
        if (stream_flags_decode(options, in + sizeof(lzma_header_magic)))
@@ -67,8 +70,11 @@ lzma_stream_footer_decode(lzma_stream_flags *options, const uint8_t *in)
        // CRC32
        const uint32_t crc = lzma_crc32(in + sizeof(uint32_t),
                        sizeof(uint32_t) + LZMA_STREAM_FLAGS_SIZE, 0);
-       if (crc != unaligned_read32le(in))
+       if (crc != unaligned_read32le(in)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
                return LZMA_DATA_ERROR;
+#endif
+       }
 
        // Stream Flags
        if (stream_flags_decode(options, in + sizeof(uint32_t) * 2))