From a825ff3a1d9210f939a32fb96ad188b3442e129a Mon Sep 17 00:00:00 2001
From: Guido Draheim
Date: Tue, 13 Mar 2018 01:13:51 +0100
Subject: [PATCH] add testcase for invalid-mem #39
---
 test/zziptests.py | 120 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
diff --git a/test/zziptests.py b/test/zziptests.py
index 6ea3539..9ad46b4 100644
--- a/test/zziptests.py
+++ b/test/zziptests.py
@@ -3236,6 +3236,126 @@ class ZZipTest(unittest.TestCase):
 self.assertIn(" zipped ", run.output)
 self.rm_testdir()
+ url_CVE_2018_39 = "https://github.com/fantasy7082/image_test/blob/master"
+ zip_CVE_2018_39 = "003-unknow-def-zip"
+ def test_65470(self):
+ """ info unzip -l $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ exe = self.bins("unzip")
+ run = shell("{exe} -l {tmpdir}/{filename} ".format(**locals()),
+ returncodes = [3])
+ self.assertIn("missing 5123 bytes in zipfile", run.errors)
+ self.assertIn("expected central file header signature not found", run.errors)
+ self.assertLess(len(run.output), 400)
+ self.assertLess(len(errors(run.errors)), 800)
+ #
+ run = shell("cd {tmpdir} && {exe} -o {filename}".format(**locals()),
+ returncodes = [3])
+ self.assertLess(len(run.output), 400)
+ self.assertLess(len(errors(run.errors)), 800)
+ self.assertIn("missing 5123 bytes in zipfile", run.errors)
+ self.assertIn("expected central file header signature not found", run.errors)
+ # self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
+ self.assertFalse(os.path.exists(tmpdir+"/test"))
+ self.rm_testdir()
+ def test_65471(self):
+ """ unzzip-big -l $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ exe = self.bins("unzzip-big")
+ run = shell("{exe} -l {tmpdir}/{filename} ".format(**locals()),
+ returncodes = [0])
+ self.assertLess(len(run.output), 1)
+ #
+ run = shell("cd {tmpdir} && ../{exe} {filename} ".format(**locals()),
+ returncodes = [0])
+ self.assertLess(len(run.output), 30)
+ self.assertLess(len(errors(run.errors)), 1)
+ # self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
+ self.assertFalse(os.path.exists(tmpdir+"/test"))
+ self.rm_testdir()
+ def test_65472(self):
+ """ unzzip-mem -l $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ exe = self.bins("unzzip-mem")
+ run = shell("{exe} -l {tmpdir}/{filename} ".format(**locals()),
+ returncodes = [0])
+ self.assertLess(len(run.output), 200)
+ self.assertLess(len(errors(run.errors)), 1)
+ #
+ run = shell("cd {tmpdir} && ../{exe} {filename} ".format(**locals()),
+ returncodes = [0])
+ self.assertLess(len(run.output), 200)
+ self.assertLess(len(errors(run.errors)), 10)
+ # self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
+ self.assertFalse(os.path.exists(tmpdir+"/test"))
+ #
+ run = shell("cd {tmpdir} && ../{exe} -p {filename} ".format(**locals()),
+ returncodes = [0])
+ # self.rm_testdir()
+ def test_65473(self):
+ """ unzzip-mix -l $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ exe = self.bins("unzzip-mix")
+ run = shell("{exe} -l {tmpdir}/{filename} ".format(**locals()),
+ returncodes = [0,2])
+ self.assertLess(len(run.output), 1)
+ self.assertTrue(greps(run.errors, "Invalid or"))
+ #
+ run = shell("cd {tmpdir} && ../{exe} {filename} ".format(**locals()),
+ returncodes = [0,2])
+ self.assertLess(len(run.output), 30)
+ self.assertTrue(greps(run.errors, "Invalid or"))
+ # self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
+ self.assertFalse(os.path.exists(tmpdir+"/test"))
+ self.rm_testdir()
+ def test_65474(self):
+ """ unzzip-zap -l $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ exe = self.bins("unzzip")
+ run = shell("{exe} -l {tmpdir}/{filename} ".format(**locals()),
+ returncodes = [0, 3])
+ self.assertLess(len(run.output), 1)
+ self.assertLess(len(errors(run.errors)), 200)
+ self.assertIn(": Success", run.errors)
+ #
+ run = shell("cd {tmpdir} && ../{exe} {filename} ".format(**locals()),
+ returncodes = [0,3])
+ self.assertLess(len(run.output), 30)
+ self.assertTrue(greps(run.errors, "Zipfile corrupted"))
+ # self.assertEqual(os.path.getsize(tmpdir+"/test"), 3)
+ self.assertFalse(os.path.exists(tmpdir+"/test"))
+ self.rm_testdir()
+ def test_65479(self):
+ """ check $(CVE).zip """
+ tmpdir = self.testdir()
+ filename = self.zip_CVE_2018_39
+ file_url = self.url_CVE_2018_39
+ download_raw(file_url, filename, tmpdir)
+ if not os.path.isfile(os.path.join(tmpdir, filename)): self.skipTest("missing " + filename)
+ shell("ls -l {tmpdir}/{filename}".format(**locals()))
+ size = os.path.getsize(os.path.join(tmpdir, filename))
+ self.assertEqual(size, 82347)
+
 def test_91000_zzshowme_check_sfx(self):
 """ create an *.exe that can extract its own zip content """
--
2.40.0
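Review bot: The malformed sample is fetched at test time from a third-party repository through the mutable `blob/master` URL in `url_CVE_2018_39`, and test_65470 through test_65474 run the unzip binaries on whatever arrives; the only content check is the size assertion in test_65479. I would pin the URL to a commit (`.../image_test/blob/<COMMIT_SHA>`) and compare a digest right after each `download_raw(...)` call, e.g. `if sha256_of(os.path.join(tmpdir, filename)) != "<EXPECTED_SHA256>": self.skipTest("unexpected content in " + filename)`, where `sha256_of` is a small helper to be added and both bracketed values are placeholders. `download_raw` is defined outside this hunk, so whether it already validates the payload is not visible here. Separately, test_65472 ends with `# self.rm_testdir()` commented out and test_65479 never calls it, so the downloaded sample is left in the test directory. The `-p` run in test_65472 also checks nothing beyond the return code.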