
Conversation

lopopolo
Member

With the changes we've made recently, the fuzzer has been running out of memory by discovering very large padding 😂

In this commit, I attempted to fix these fuzzing failures by using the `strftime::io` and `strftime::fmt` variants. In `strftime::fmt`, the fuzzer immediately found a crash.

If a multibyte UTF-8 sequence appears immediately following a `%` spec begin marker, the loop to pluck out padding consumes one element from the cursor and then breaks. This leads to pushing a partial UTF-8 character into the `fmt::Write` instance, which causes a panic in the underlying `String` because the string's contents are now malformed UTF-8.

Add a test and break with `None` if encountering a non-ASCII byte while processing the spec.

I've also cleaned up the fuzz targets so they build without warnings.

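The following is an added example, not code from the PR or from the strftime-ruby crate, that reproduces the failure mode the description above reports in a toy spec scanner and shows the fix the PR describes. The scanner, the `PADDING_FLAGS` table, the `render`/`push_spec_*` helper names and the use of `str::from_utf8(..).expect(..)` to stand in for the panic inside the underlying `String` are all assumptions made for illustration; the real parser is larger and handles many more spec characters.

```rust
use std::fmt::Write;
use std::str;

/// Padding flags this toy scanner accepts after `%`. Assumption: a small
/// subset of the strftime flag set, not the project's own table.
const PADDING_FLAGS: &[u8] = b"-_0^#";

/// Buggy padding loop, shaped like the one the PR describes: every
/// iteration consumes one byte from the cursor *before* inspecting it,
/// so the lead byte of a multibyte UTF-8 sequence lands in the consumed
/// range. Writing that truncated sequence to a `String` through
/// `fmt::Write` is what blew up under the fuzzer; the `expect` below
/// stands in for that panic (assumption for illustration).
fn push_spec_buggy<W: Write>(cursor: &mut &[u8], out: &mut W) -> Option<()> {
    let start = *cursor;
    let mut consumed = 0usize;
    while let Some((&byte, rest)) = cursor.split_first() {
        *cursor = rest; // consumed unconditionally
        consumed += 1;
        if !PADDING_FLAGS.contains(&byte) {
            break; // the non-flag byte (e.g. the conversion char) was consumed too
        }
    }
    // `start[..consumed]` may end in the middle of a UTF-8 sequence.
    let text = str::from_utf8(&start[..consumed]).expect("partial UTF-8 pushed into String");
    out.write_str(text).ok()?;
    Some(())
}

/// Fixed loop: a non-ASCII byte aborts the spec with `None` *before* it
/// is consumed, so only ASCII ever reaches the sink and the slice passed
/// to the writer is always valid UTF-8.
fn push_spec_fixed<W: Write>(cursor: &mut &[u8], out: &mut W) -> Option<()> {
    let start = *cursor;
    let mut consumed = 0usize;
    while let Some((&byte, rest)) = cursor.split_first() {
        if !byte.is_ascii() {
            return None;
        }
        *cursor = rest;
        consumed += 1;
        if !PADDING_FLAGS.contains(&byte) {
            break;
        }
    }
    // Every byte in the range is ASCII, so this conversion cannot fail.
    let text = str::from_utf8(&start[..consumed]).ok()?;
    out.write_str(text).ok()?;
    Some(())
}

/// Walk a format string, copying literal text through unchanged and handing
/// the bytes after each `%` to `push_spec`. Returns `None` if the spec
/// scanner rejects the input. Literal text comes from a `&str`, and `%` is
/// ASCII, so splitting at a `%` never cuts a multibyte character.
fn render<W: Write>(
    fmt: &str,
    out: &mut W,
    push_spec: fn(&mut &[u8], &mut W) -> Option<()>,
) -> Option<()> {
    let mut cursor = fmt.as_bytes();
    while !cursor.is_empty() {
        match cursor.iter().position(|&b| b == b'%') {
            None => {
                out.write_str(str::from_utf8(cursor).ok()?).ok()?;
                cursor = &[];
            }
            Some(idx) => {
                out.write_str(str::from_utf8(&cursor[..idx]).ok()?).ok()?;
                out.write_char('%').ok()?;
                cursor = &cursor[idx + 1..];
                push_spec(&mut cursor, out)?;
            }
        }
    }
    Some(())
}

fn main() {
    // Constructed inputs: a normal padded spec and the fuzzer-style case of a
    // multibyte character directly after `%`.
    let mut out = String::new();
    println!("{:?}", render("day %-d", &mut out, push_spec_fixed)); // Some(())
    let mut out = String::new();
    println!("{:?}", render("%\u{e9}", &mut out, push_spec_fixed)); // None
}
```

Running `render("%é", ..)` through `push_spec_buggy` panics exactly where the PR says it does, while `push_spec_fixed` returns `None` and never touches the sink; ASCII specs produce identical output through either path.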
@lopopolo lopopolo added A-parser Area: strftime parser. C-bug Category: This is a bug. labels Mar 23, 2025
@lopopolo lopopolo requested a review from x-hgg-x March 23, 2025 04:49
@x-hgg-x
Collaborator

x-hgg-x commented Mar 23, 2025

I added more commits to fix another issue found by the fuzzer.

Member Author

@lopopolo lopopolo left a comment


Looks good, thanks for the additional fix

@lopopolo lopopolo merged commit a773e8b into trunk Mar 23, 2025
13 checks passed
@lopopolo lopopolo deleted the dev/lopopolo-fuzzer-infra branch March 23, 2025 16:32