Exemplo n.º 1
0
uint32_t edthreaded_fd::write(uint8_t * buffer, uint32_t size, int32_t response_size)
{
	int32_t resp = 0;
	pthread_mutex_lock(&m_send_lock);
	if (size > m_write_buffer.size())
		size = m_write_buffer.size();
    for (uint32_t i = 0; i < size; ++i)
	{
		if (i == size-1)
			resp = response_size;
		m_write_buffer[m_write_curindex] = WriteVal(buffer[i], resp);
		++m_write_curindex;
		if (m_write_curindex == m_write_rawindex)
			size = i;
		if (m_write_curindex == m_write_buffer.size())
			m_write_curindex = 0;
	}
	pthread_mutex_unlock(&m_send_lock);
	return size;
}
Exemplo n.º 2
0
Arquivo: segments.c Projeto: cc65/cc65
unsigned SegWriteConstExpr (FILE* F, ExprNode* E, int Signed, unsigned Size)
/* Write a supposedly constant expression to the target file. Do a range
** check and return one of the SEG_EXPR_xxx codes.
*/
{
    static const unsigned long U_Hi[4] = {
        0x000000FFUL, 0x0000FFFFUL, 0x00FFFFFFUL, 0xFFFFFFFFUL
    };
    static const long S_Hi[4] = {
        0x0000007FL, 0x00007FFFL, 0x007FFFFFL, 0x7FFFFFFFL
    };
    static const long S_Lo[4] = {
        ~0x0000007FL, ~0x00007FFFL, ~0x007FFFFFL, ~0x7FFFFFFFL
    };


    /* Get the expression value */
    long Val = GetExprVal (E);

    /* Check the size */
    CHECK (Size >= 1 && Size <= 4);

    /* Check for a range error */
    if (Signed) {
        if (Val > S_Hi[Size-1] || Val < S_Lo[Size-1]) {
            /* Range error */
            return SEG_EXPR_RANGE_ERROR;
        }
    } else {
        if (((unsigned long)Val) > U_Hi[Size-1]) {
            /* Range error */
            return SEG_EXPR_RANGE_ERROR;
        }
    }

    /* Write the value to the file */
    WriteVal (F, Val, Size);

    /* Success */
    return SEG_EXPR_OK;
}
Exemplo n.º 3
0
//--------------------------------------------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{    
    m_hInstance = (HINSTANCE)GetModuleHandle(NULL);

    if (argc >= 3)
    {
        m_lpFontPath = argv[2];
        m_lpFontName = argv[1];
        printf(__FUNCTION__"(): Using external font %ws \"%ws\"\n", m_lpFontName, m_lpFontPath);
    }
    else
    {
        printf("USAGE: MsFontsFuzz.exe <font_name> <font_file> [options]\n");
        goto end;
    }    

    _stprintf_s(m_TmpFontPath, _T("__TMP__%s"), _tGetNameFromFullPath(m_lpFontPath));
    DbgMsg(__FILE__, __LINE__, "[+] Temporary font file is \"%ws\"\n", m_TmpFontPath);

    if (_tcslen(m_TmpFontPath) >= 4)
    {
        _tcslwr(m_TmpFontPath + _tcslen(m_TmpFontPath) - 4);
        if (!_tcscmp(m_TmpFontPath + _tcslen(m_TmpFontPath) - 4, _T(".otf")))
        {
            m_dwFontType = FONT_TYPE_OTF;
            DbgMsg(__FILE__, __LINE__, "[+] Font type is .OTF\n");
        }
        else if (!_tcscmp(m_TmpFontPath + _tcslen(m_TmpFontPath) - 4, _T(".ttf")))
        {
            m_dwFontType = FONT_TYPE_TTF;
            DbgMsg(__FILE__, __LINE__, "[+] Font type is .TTF\n");
        }
    }    

    RemoveFontResource(m_TmpFontPath);

#ifdef USE_BOADCAST_MESSAGES

    SendMessage(HWND_BROADCAST, WM_FONTCHANGE, 0, 0);

#endif

    char ch = 0;
    memset(m_szTable, '.', sizeof(m_szTable) - 1);
    
    for (int i = 0; i < sizeof(m_szTable); i++)
    {
        if (i != 0 && i % 16 == 0)
        {
            m_szTable[i] = '\n';
            continue;
        }

        if (ch >= 0x20)
        {
            m_szTable[i] = ch;
        }

        if (ch == 0x7f)
        {
            m_szTable[i] = 0;
            break;
        }

        ch += 1;
    }

    if (argc > 3)
    {
        // enumerate additional parameters
        for (int i = 3; i < argc; i++)
        {
            if (!_tcscmp(argv[i], _T("--test")))
            {
                // single launch mode
                m_bTest = TRUE;
            }
            else if (!_tcscmp(argv[i], _T("--resume")))
            {
                // resume fuzzing in the new process
                m_bResume = TRUE;
            }
            else if (!_tcscmp(argv[i], _T("--noisy")))
            {
                // show lot of output information
                m_bNoisy = TRUE;
            }
            else if (!_tcscmp(argv[i], _T("--text")) && argc - i > 1)
            {
#ifdef UNICODE
                // use caller-specified text for display
                WideCharToMultiByte(
                    CP_ACP, 0, 
                    argv[i + 1], 
                    -1, 
                    m_szTable,
                    sizeof(m_szTable) - 1, 
                    NULL, NULL
                );
#else
                strcpy_s(m_szTable, argv[i + 1]);
#endif
                i++;
            }
            else if (!_tcscmp(argv[i], _T("--fix-crcs")))
            {
                // fix incorrect checksums for the original font file
                m_bFixCrcs = TRUE;
            }
            else if (argc - i > 1 && argv[i][0] == '-')
            {
                /**
                 * Process data generation options.
                 */

                LPCTSTR lpParam = argv[i] + 1;
                DWORD dwValue = 0;
                BOOL bFound = FALSE;

                if (!StrToIntEx(argv[i + 1], STIF_SUPPORT_HEX, (int *)&dwValue))
                {
                    DbgMsg(__FILE__, __LINE__, "[!] ERROR: Invalid value for parameter \"%ws\"\n", argv[i]);
                    continue;
                }

                for (int i_n = 0; i_n < sizeof(m_Params) / sizeof(ENGINE_PARAM); i_n++)
                {
                    // search parameter by name
                    if (!_tcscmp(m_Params[i_n].lpName, lpParam))
                    {
                        *(m_Params[i_n].pdwValue) = dwValue;
                        bFound = TRUE;
                        break;
                    }
                }

                if (!bFound)
                {
                    DbgMsg(__FILE__, __LINE__, "[!] ERROR: Unknown parameter \"%ws\"\n", argv[i]);
                }

                i++;
            }            
        }
    }

    DbgInit(LOG_FILE_NAME);

    // check block size and range
    if (BLOCK_SIZE == 1)
    {
        if (BLOCK_RANGE_START >= 0xFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_START value (it must be <0xFF)\n");
            goto end;
        }

        if (BLOCK_RANGE_END > 0xFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_END value (it must be <=0xFF)\n");
            goto end;
        }
    }
    else if (BLOCK_SIZE == 2)
    {
        if (BLOCK_RANGE_START >= 0xFFFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_START value (it must be <0xFFFF)\n");
            goto end;
        }

        if (BLOCK_RANGE_END > 0xFFFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_END value (it must be <=0xFFFF)\n");
            goto end;
        }
    }
    else if (BLOCK_SIZE == 4)
    {
        if (BLOCK_RANGE_START >= 0xFFFFFFFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_START value (it must be <0xFFFFFFFF)\n");
            goto end;
        }

        if (BLOCK_RANGE_END > 0xFFFFFFFF)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_END value (it must be <=0xFFFFFFFF)\n");
            goto end;
        }
    }
    else
    {
        DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_SIZE value (it must be 1, 2 or 4)\n");
        goto end;
    }

    // check step size
    if (BLOCK_RANGE_N > BLOCK_RANGE_END)
    {
        DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid BLOCK_RANGE_N value (it must be <=BLOCK_RANGE_END)\n");
        goto end;
    }

    WNDCLASSEX wcex;
    ZeroMemory(&wcex, sizeof(wcex));
    wcex.cbSize = sizeof(WNDCLASSEX);

    wcex.style = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc = WndProc;
    wcex.hInstance = m_hInstance;    
    wcex.lpszClassName = _T(WND_CLASS);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);

    m_hWndEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    if (m_hWndEvent == NULL)
    {
        DbgMsg(__FILE__, __LINE__, "CreateEvent() ERROR %d\n", GetLastError());
        goto end;
    }

    // register window class
    if (RegisterClassEx(&wcex) == NULL)
    {
        DbgMsg(__FILE__, __LINE__, "RegisterClassEx() ERROR %d\n", GetLastError());
        goto end;
    }    
    
    // init random number generator
    init_genrand(GetTickCount());

    SetUnhandledExceptionFilter(UnhandledExceptionError);
        
    // read input file
    if (ReadFromFile(m_lpFontPath, &m_pData, &m_dwDataSize))
    {
        if (FILE_RANGE_START >= m_dwDataSize)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid FILE_RANGE_START value (it must be <=FILE_SIZE)\n");
            M_FREE(m_pData);
            return -1;
        }

        if (FILE_RANGE_END > m_dwDataSize)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid FILE_RANGE_END value (it must be <FILE_SIZE)\n");
            M_FREE(m_pData);
            return -1;
        }        

        if (FILE_RANGE_END == 0)
        {
            FILE_RANGE_END = m_dwDataSize;
        }

        if (FILE_RANGE_START >= FILE_RANGE_END)
        {
            DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Invalid FILE_RANGE_START/FILE_RANGE_END values\n");
            M_FREE(m_pData);
            return -1;
        }

        DbgMsg(__FILE__, __LINE__, "[+] %d bytes readed from \"%ws\"\n", m_dwDataSize, m_lpFontPath);

        if (!m_bResume && (m_dwFontType == FONT_TYPE_OTF || m_dwFontType == FONT_TYPE_TTF))
        {
            OTF_TableByOffset(m_pData, (ULONG)-1);
        }

        if (m_bFixCrcs)
        {
            // write fixed checksums into the original file
            if (DumpToFile(m_lpFontPath, m_pData, m_dwDataSize))
            {
                DbgMsg(__FILE__, __LINE__, "[+] Checksums has been fixed for font file \"%ws\"\n", m_lpFontPath);
            }
        }
        else if (m_bTest)
        {
            // single run with the unchanged font file
            if (DumpToFile(m_TmpFontPath, m_pData, m_dwDataSize))
            {
                FuzzIteration();
            }
        }
        else
        {
            DbgMsg(__FILE__, __LINE__, "[+] Fuzzing params:\n\n");

            // print parameters values
            for (int i_n = 0; i_n < sizeof(m_Params) / sizeof(ENGINE_PARAM); i_n++)
            {            
                DbgMsg(__FILE__, __LINE__, " %20ws = 0x%.8x\n", m_Params[i_n].lpName, *(m_Params[i_n].pdwValue));
            }

            DbgMsg(__FILE__, __LINE__, "\n");
            DbgMsg(__FILE__, __LINE__, "[+] Processing cases...\n\n");

            // align buffer size by block size
            m_dwAlignedDataSize = XALIGN_UP(m_dwDataSize, BLOCK_SIZE);

            // allocate output buffer
            if (m_pAlignedData = M_ALLOC(m_dwAlignedDataSize))
            {         
                char *lpszBigBuff = (char *)M_ALLOC(BIG_BUFFER_LENGTH);
                if (lpszBigBuff)
                {
                    FillMemory(lpszBigBuff, BIG_BUFFER_LENGTH, 'A');
                }

                PVOID pBigData = M_ALLOC(m_dwDataSize + BIG_BUFFER_LENGTH);
                
                // for each byte/word/dword of input file...
                for (DWORD i = FILE_RANGE_START; i < FILE_RANGE_END; i += BLOCK_SIZE)
                {                
                    DbgMsg(__FILE__, __LINE__, "Offset=0x%.8x TotalSize=0x%.8x File=%.8x\n", i, m_dwDataSize, m_dwCasesProcessed);

                    POTF_TABLE_HEADER Table = NULL;
                    if (m_dwFontType == FONT_TYPE_OTF || m_dwFontType == FONT_TYPE_TTF)
                    {
                        Table = OTF_TableByOffset(m_pData, i);
                        if (Table == NULL)
                        {
                            // skip OTF/TTF data outside the tables
                            continue;
                        }
                    }                    

                    if (BLOCK_RANGE_N > 0)
                    {
                        // fuze each value with the step size == BLOCK_RANGE_N
                        for (DWORD n = XALIGN_DOWN(BLOCK_RANGE_START, BLOCK_RANGE_N); 
                             n < XALIGN_DOWN(BLOCK_RANGE_END, BLOCK_RANGE_N); 
                             n += BLOCK_RANGE_N)
                        {                            
                            // write plain value
                            WriteVal(i, BLOCK_SIZE, n, n, n);                

                            if (BLOCK_SIZE > 1)
                            {
                                // write randomized value
                                WriteVal(i, BLOCK_SIZE, 
                                    n, 
                                    n + getrand(0, BLOCK_RANGE_N - 1), 
                                    n + getrand(0, BLOCK_RANGE_N - 1)
                                );                                    
                            }                    
                        }
                    }

                    // zero-bytes stuff
                    WriteVal(i, BLOCK_SIZE, 0x00, 0x0000, 0x00000000);                

                    // integer overflow stuff
                    WriteVal(i, BLOCK_SIZE, 0xFF, 0xFFFF, 0xFFFFFFFF);

                    // invalid user-mode pointers
                    WriteVal(i, BLOCK_SIZE, 0x0D, 0x0D0D, 0x0D0D0D0D);

                    if (lpszBigBuff && pBigData)
                    {
                        /**
                         * Write big ASCI data after the each byte.
                         */

                        memcpy(pBigData, m_pData, i);
                        memcpy((PUCHAR)pBigData + i, lpszBigBuff, BIG_BUFFER_LENGTH);
                        memcpy((PUCHAR)pBigData + i + BIG_BUFFER_LENGTH, (PUCHAR)m_pData + i, m_dwDataSize - i);

                        if (m_dwFontType == FONT_TYPE_OTF || m_dwFontType == FONT_TYPE_TTF)
                        {
                            POTF_FILE_HEADER Hdr = (POTF_FILE_HEADER)pBigData;
                            POTF_TABLE_HEADER Table = (POTF_TABLE_HEADER)((PUCHAR)pBigData + sizeof(OTF_FILE_HEADER));
                            POTF_TABLE_HEADER CurrentTable = NULL;

                            for (USHORT t = 0; t < htons(Hdr->numTables); t++)
                            {
                                ULONG Offset = htonl(Table->offset), Length = htonl(Table->length);

                                if (i >= Offset &&
                                    i < Offset + Length)
                                {
                                    // fix OTF/TTF table checksum and length
                                    ULONG Sum = OTF_CalcTableChecksum((ULONG *)((PUCHAR)pBigData + Offset), Length);
                                    
                                    Table->checkSum = htonl(Sum);
                                    Table->length = htonl(Length);
                                    CurrentTable = Table;

                                    break;
                                }

                                Table += 1;
                            }

                            if (CurrentTable)
                            {
                                Table = (POTF_TABLE_HEADER)((PUCHAR)pBigData + sizeof(OTF_FILE_HEADER));

                                for (USHORT t = 0; t < htons(Hdr->numTables); t++)
                                {
                                    ULONG Offset = htonl(Table->offset), Length = htonl(Table->length);

                                    if (Offset > htonl(CurrentTable->offset))
                                    {
                                        // fix offsets of the other tables
                                        Table->offset = htonl(Offset + BIG_BUFFER_LENGTH);
                                    }

                                    Table += 1;
                                }
                            }
                        }

                        if (DumpToFile(m_TmpFontPath, pBigData, m_dwDataSize + BIG_BUFFER_LENGTH))
                        {
                            FuzzIteration();
                            m_dwCasesProcessed++;
                        }
                    }

                    if (m_dwCasesProcessed > MAX_CASES_PER_PROCESS)
                    {
                        TCHAR szSelf[MAX_PATH], szCmdLine[MAX_PATH];
                        GetModuleFileName(GetModuleHandle(NULL), szSelf, MAX_PATH);

                        _stprintf_s(
                            szCmdLine, MAX_PATH, 
                            _T("\"%s\" \"%s\" \"%s\" -BLOCK_SIZE 0x%x -BLOCK_RANGE_START 0x%x -BLOCK_RANGE_END 0x%x -BLOCK_RANGE_N 0x%x -FILE_RANGE_START 0x%x --resume Y"),
                            szSelf, m_lpFontName, m_lpFontPath, BLOCK_SIZE, BLOCK_RANGE_START, BLOCK_RANGE_END, BLOCK_RANGE_N, i
                        );

                        if (m_bNoisy)
                        {
                            _tcscat(szCmdLine, _T(" --noisy Y"));
                        }

                        STARTUPINFO si;
                        PROCESS_INFORMATION pi;

                        ZeroMemory(&pi, sizeof(pi));
                        ZeroMemory(&si, sizeof(si));
                        si.cb = sizeof(si);                            

                        // create a new fuzzer instance
                        if (!CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
                        {
                            MessageBox(0, _T("CreateProcess() fails"), _T("ERROR"), MB_ICONERROR);
                        }

                        ExitProcess(0);
                    }
                }

                DbgMsg(__FILE__, __LINE__, "Done; %d cases processed\n", m_dwCasesProcessed);

                if (pBigData)
                {
                    M_FREE(pBigData);
                }

                if (lpszBigBuff)
                {
                    M_FREE(lpszBigBuff);
                }

                M_FREE(m_pAlignedData);
            }
        }        

        M_FREE(m_pData);        
    }
    else
    {
        DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Error while reading input file\n");
    }

end:

    if (m_hWndEvent)
    {
        CloseHandle(m_hWndEvent);
    }

    printf("Press any key to quit...\n");
    _getch();

	return 0;
}