Set of patches from fuzzing campaign

common/LZMA/LzmaDecompress.c

@@ -72,7 +72,7 @@ checking of the validity of the source data. It just retrieves the "Original Siz
 field from the LZMA_HEADER_SIZE beginning bytes of the source data and output it as DestinationSize.
 And ScratchSize is specific to the decompression implementation.
 
-If SourceSize is less than LZMA_HEADER_SIZE, then ASSERT().
+If SourceSize is less than LZMA_HEADER_SIZE, then return U_BUFFER_TOO_SMALL.
 
 @param  Source          The source buffer containing the compressed data.
 @param  SourceSize      The size, bytes, of the source buffer.
@@ -94,8 +94,9 @@ LzmaGetInfo (
     )
 {
     UINT64 DecodedSize;
-    ASSERT(SourceSize >= LZMA_HEADER_SIZE);
-    (void)SourceSize;
+    if (SourceSize <= LZMA_HEADER_SIZE) {
+        return U_BUFFER_TOO_SMALL;
+    }
 
     DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
 

common/fitparser.cpp

@@ -70,7 +70,12 @@ USTATUS FitParser::parseFit(const UModelIndex & index)
         msg(usprintf("%s: not enough space to contain the whole FIT table", __FUNCTION__), fitIndex);
         return U_INVALID_FIT;
     }
-
+
+    if (fitSize == 0) {
+        msg(usprintf("%s: FIT header size is 0", __FUNCTION__));
+        return U_INVALID_FIT;
+    }
+
     // Check FIT checksum, if present
     if (fitHeader->ChecksumValid) {
         // Calculate FIT entry checksum
@@ -221,6 +226,10 @@ void FitParser::findFitRecursive(const UModelIndex & index, UModelIndex & found,
     UByteArray lastVtfBody = model->body(ffsParser->lastVtf);
     UINT64 fitSignatureValue = INTEL_FIT_SIGNATURE;
     UByteArray fitSignature((const char*)&fitSignatureValue, sizeof(fitSignatureValue));
+
+    if (lastVtfBody.size() < INTEL_FIT_POINTER_OFFSET)
+        return;
+
     UINT32 storedFitAddress = *(const UINT32*)(lastVtfBody.constData() + lastVtfBody.size() - INTEL_FIT_POINTER_OFFSET);
     for (INT32 offset = (INT32)model->body(index).indexOf(fitSignature);
          offset >= 0;

common/kaitai/kaitaistream.cpp

@@ -478,14 +478,25 @@ uint64_t kaitai::kstream::read_bits_int_le(int n) {
 // ========================================================================
 
 std::string kaitai::kstream::read_bytes(std::streamsize len) {
-    std::vector<char> result(len);
-
     // NOTE: streamsize type is signed, negative values are only *supposed* to not be used.
     // https://en.cppreference.com/w/cpp/io/streamsize
     if (len < 0) {
         throw std::runtime_error("read_bytes: requested a negative amount");
     }
 
+    if (len > 0) {
+        // Check that the stream has enough data before allocating
+        std::streampos cur_pos = m_io->tellg();
+        m_io->seekg(0, std::ios::end);
+        std::streampos end_pos = m_io->tellg();
+        m_io->seekg(cur_pos);
+        if (len > end_pos - cur_pos) {
+            throw std::runtime_error("read_bytes: requested more bytes than available in stream");
+        }
+    }
+
+    std::vector<char> result(len);
+
     if (len > 0) {
         m_io->read(&result[0], len);
     }

common/meparser.cpp

@@ -183,6 +183,12 @@ USTATUS MeParser::parseFptRegion(const UByteArray & region, const UModelIndex &
     UINT32 offset = (UINT32)header.size();
     UINT32 numEntries = ptHeader->NumEntries;
     const FPT_HEADER_ENTRY* firstPtEntry = (const FPT_HEADER_ENTRY*)(region.constData() + offset);
+
+    if ((UINT32)offset + sizeof(FPT_HEADER_ENTRY) * numEntries >= region.size()) {
+        msg(usprintf("%s: Corrupted ME region, too many header entries", __FUNCTION__), parent);
+        return U_INVALID_ME_PARTITION_TABLE;
+    }
+
     for (UINT32 i = 0; i < numEntries; i++) {
         // Populate entry header
         const FPT_HEADER_ENTRY* ptEntry = firstPtEntry + i;
@@ -249,9 +255,9 @@ USTATUS MeParser::parseFptRegion(const UByteArray & region, const UModelIndex &
     // Check for intersections/paddings between partitions
     for (size_t i = 1; i < partitions.size(); i++) {
         UINT32 previousPartitionEnd = partitions[i - 1].ptEntry.Offset + partitions[i - 1].ptEntry.Size;
-
         // Check that current region is fully present in the image
-        if ((UINT32)partitions[i].ptEntry.Offset + (UINT32)partitions[i].ptEntry.Size > (UINT32)region.size()) {
+        if (partitions[i].ptEntry.Offset > UINT_MAX - partitions[i].ptEntry.Size ||
+            (UINT32)partitions[i].ptEntry.Offset + (UINT32)partitions[i].ptEntry.Size > (UINT32)region.size()) {
             if ((UINT32)partitions[i].ptEntry.Offset >= (UINT32)region.size()) {
                 msg(usprintf("%s: FPT partition is located outside of the opened image, skipped", __FUNCTION__), partitions[i].index);
                 partitions.erase(partitions.begin() + i);
@@ -460,6 +466,9 @@ USTATUS MeParser::parseIfwi16Region(const UByteArray & region, const UModelIndex
 
     // Partition map is consistent
     for (size_t i = 0; i < partitions.size(); i++) {
+        // Sanity check
+        if (partitions[i].ptEntry.Offset >= region.size())
+            break;
         UByteArray partition = region.mid(partitions[i].ptEntry.Offset, partitions[i].ptEntry.Size);
         if (partitions[i].type == Types::IfwiPartition) {
             UModelIndex partitionIndex;
@@ -597,7 +606,8 @@ USTATUS MeParser::parseIfwi17Region(const UByteArray & region, const UModelIndex
         UINT32 previousPartitionEnd = partitions[i - 1].ptEntry.Offset + partitions[i - 1].ptEntry.Size;
 
         // Check that current region is fully present in the image
-        if ((UINT32)partitions[i].ptEntry.Offset + (UINT32)partitions[i].ptEntry.Size > (UINT32)region.size()) {
+        if (partitions[i].ptEntry.Offset > UINT_MAX - partitions[i].ptEntry.Size ||
+            (UINT32)partitions[i].ptEntry.Offset + (UINT32)partitions[i].ptEntry.Size > (UINT32)region.size()) {
             if ((UINT32)partitions[i].ptEntry.Offset >= (UINT32)region.size()) {
                 msg(usprintf("%s: IFWI partition is located outside of the opened image, skipped", __FUNCTION__), index);
                 partitions.erase(partitions.begin() + i);

common/nvramparser.cpp

@@ -56,8 +56,10 @@ USTATUS NvramParser::parseNvarStore(const UModelIndex & index, const bool probe)
     UINT8 emptyByte = 0xFF;
     if (model->hasEmptyParsingData(index) == false) {
         UByteArray data = model->parsingData(index);
-        const VOLUME_PARSING_DATA* pdata = (const VOLUME_PARSING_DATA*)data.constData();
-        emptyByte = pdata->emptyByte;
+        if ((UINT32)data.size() >= sizeof(VOLUME_PARSING_DATA)) {
+            const VOLUME_PARSING_DATA* pdata = (const VOLUME_PARSING_DATA*)data.constData();
+            emptyByte = pdata->emptyByte;
+        }
     }
 
     try {
@@ -205,6 +207,10 @@ USTATUS NvramParser::parseNvarStore(const UModelIndex & index, const bool probe)
                 if (guidsInStore < entry_body->guid_index() + 1)
                     guidsInStore = entry_body->guid_index() + 1;
 
+                // Sanity check.
+                if (nvar.size() < sizeof(EFI_GUID) * (entry_body->guid_index() + 1))
+                   goto processing_done;
+
                 // The list begins at the end of the store and goes backwards
                 const EFI_GUID g = readUnaligned((EFI_GUID*)(nvar.constData() + nvar.size()) - (entry_body->guid_index() + 1));
                 name = guidToUString(g);
@@ -316,8 +322,10 @@ USTATUS NvramParser::parseNvramVolumeBody(const UModelIndex & index,const UINT32
     UINT8 emptyByte = 0xFF;
     if (model->hasEmptyParsingData(index) == false) {
         UByteArray data = model->parsingData(index);
-        const VOLUME_PARSING_DATA* pdata = (const VOLUME_PARSING_DATA*)data.constData();
-        emptyByte = pdata->emptyByte;
+        if ((UINT32)data.size() >= sizeof(VOLUME_PARSING_DATA)) {
+            const VOLUME_PARSING_DATA* pdata = (const VOLUME_PARSING_DATA*)data.constData();
+            emptyByte = pdata->emptyByte;
+        }
     }
 
     // Get local offset

common/ustring.cpp

@@ -112,11 +112,11 @@ UString uFromUcs2(const char* str, size_t max_len)
     // Naive implementation assuming that only ASCII LE part of UCS2 is used, str may not be aligned.
     UString msg;
     const char *str8 = str;
-    size_t rest = (max_len == 0) ? SIZE_MAX : max_len;
-    while (str8[0] && rest) {
+    size_t rest = (max_len == 0) ? SIZE_MAX : max_len - (max_len % 2);
+    while (rest > 0 && str8[0]) {
         msg += str8[0];
         str8 += 2;
-        rest--;
+        rest -= 2;
     }
     return msg;
 }

common/utility.cpp

@@ -206,7 +206,11 @@ USTATUS decompress(const UByteArray & compressedData, const UINT8 compressionTyp
     UINT8* scratch;
     UINT32 scratchSize = 0;
     const EFI_TIANO_HEADER* header;
-
+
+    if (compressedData.size() < 4) {
+        return U_BUFFER_TOO_SMALL;
+    }
+
     // For all but LZMA dictionary size is 0
     dictionarySize = 0;
 
@@ -233,7 +237,11 @@ USTATUS decompress(const UByteArray & compressedData, const UINT8 compressionTyp
             // Get info function is the same for both algorithms
             if (U_SUCCESS != EfiTianoGetInfo(data, dataSize, &decompressedSize, &scratchSize))
                 return U_STANDARD_DECOMPRESSION_FAILED;
-
+
+            // Check for suspiciously large decompressed size
+            if (decompressedSize > INT32_MAX / 4)
+                return U_STANDARD_DECOMPRESSION_FAILED;
+
             // Allocate memory
             decompressed = (UINT8*)malloc(decompressedSize);
             efiDecompressed = (UINT8*)malloc(decompressedSize);
@@ -244,18 +252,14 @@ USTATUS decompress(const UByteArray & compressedData, const UINT8 compressionTyp
                 free(scratch);
                 return U_STANDARD_DECOMPRESSION_FAILED;
             }
-            
+
             // Decompress section data using both algorithms
             USTATUS result = U_SUCCESS;
             // Try Tiano
             USTATUS TianoResult = TianoDecompress(data, dataSize, decompressed, decompressedSize, scratch, scratchSize);
             // Try EFI 1.1
             USTATUS EfiResult = EfiDecompress(data, dataSize, efiDecompressed, decompressedSize, scratch, scratchSize);
-
-            if (decompressedSize > INT32_MAX) {
-                result = U_STANDARD_DECOMPRESSION_FAILED;
-            }
-            else if (EfiResult == U_SUCCESS && TianoResult == U_SUCCESS) { // Both decompressions are OK
+            if (EfiResult == U_SUCCESS && TianoResult == U_SUCCESS) { // Both decompressions are OK
                 algorithm = COMPRESSION_ALGORITHM_UNDECIDED;
                 decompressedData = UByteArray((const char*)decompressed, (int)decompressedSize);
                 efiDecompressedData = UByteArray((const char*)efiDecompressed, (int)decompressedSize);
@@ -289,6 +293,7 @@ USTATUS decompress(const UByteArray & compressedData, const UINT8 compressionTyp
             if (U_SUCCESS != LzmaGetInfo(data, dataSize, &decompressedSize)) {
                 // Get info as Intel legacy LZMA section
                 data += sizeof(UINT32);
+                dataSize -= sizeof(UINT32);
                 if (U_SUCCESS != LzmaGetInfo(data, dataSize, &decompressedSize)) {
                     return U_CUSTOMIZED_DECOMPRESSION_FAILED;
                 }

fuzzing/CMakeLists.txt

@@ -3,7 +3,14 @@ CMAKE_MINIMUM_REQUIRED(VERSION 3.22)
 PROJECT(ffsparser_fuzzer LANGUAGES C CXX)
 
 OPTION(USE_QT "Link against Qt" OFF)
-OPTION(USE_AFL "Build in AFL-compatible mode" OFF)
+
+if (CMAKE_CXX_COMPILER MATCHES "afl-")
+  MESSAGE("-- Building in AFL-compatible mode")
+  SET(USE_AFL ON)
+ELSE()
+  MESSAGE("-- Building in libFuzzer mode")
+  SET(USE_AFL OFF)
+ENDIF()
 
 SET(CMAKE_CXX_STANDARD 11)
 SET(CMAKE_CXX_STANDARD_REQUIRED ON)
@@ -82,12 +89,6 @@ SET(PROJECT_SOURCES
  ../common/zlib/zutil.c
 )
 
-IF(USE_AFL)
-  SET(PROJECT_SOURCES ${PROJECT_SOURCES} afl_driver.cpp)
-  MESSAGE("-- Building in AFL-compatible mode")
-ELSE()
-  MESSAGE("-- Building in libFuzzer mode")
-ENDIF()
 
 IF(NOT USE_QT)
   SET(PROJECT_SOURCES ${PROJECT_SOURCES}
@@ -110,12 +111,12 @@ ADD_DEFINITIONS(
 ADD_EXECUTABLE(ffsparser_fuzzer ${PROJECT_SOURCES})
 
 
-IF(NOT USE_AFL_DRIVER)
+IF(USE_AFL)
+TARGET_COMPILE_OPTIONS(ffsparser_fuzzer PRIVATE -O1 -fno-omit-frame-pointer -g -ggdb3 -fsanitize=fuzzer)
+TARGET_LINK_LIBRARIES(ffsparser_fuzzer PRIVATE -fsanitize=fuzzer)
+ELSE()
 TARGET_COMPILE_OPTIONS(ffsparser_fuzzer PRIVATE -O1 -fno-omit-frame-pointer -g -ggdb3 -fsanitize=fuzzer,address,undefined -fsanitize-address-use-after-scope -fno-sanitize-recover=undefined)
 TARGET_LINK_LIBRARIES(ffsparser_fuzzer PRIVATE -fsanitize=fuzzer,address,undefined)
-ELSE()
-TARGET_COMPILE_OPTIONS(ffsparser_fuzzer PRIVATE -O1 -fno-omit-frame-pointer -g -ggdb3 -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard -fsanitize-address-use-after-scope -fno-sanitize-recover=undefined)
-TARGET_LINK_LIBRARIES(ffsparser_fuzzer PRIVATE -fsanitize=address,undefined)
 ENDIF()
 
 IF(USE_QT)

fuzzing/afl_driver.cpp

@@ -48,6 +48,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <stdarg.h>
 
 #include <fstream>
 #include <iostream>