Open gy741 opened 6 years ago
Go 1.18 makes this fairly easy to reproduce on the current 'master' branch
```go
package fuzz1

import (
	"encoding/hex"
	"testing"

	"github.com/Comcast/gaad"
)

func FuzzGaad(f *testing.F) {
	// Seed corpus: hex strings that are decoded into the byte slice handed to the parser.
	testcases := []string{"0123456789abcdef", "ff"}
	for _, tc := range testcases {
		f.Add(tc)
	}
	f.Fuzz(func(t *testing.T, orig string) {
		buf, _ := hex.DecodeString(orig)
		adts, err := gaad.ParseADTS(buf)
		_ = adts
		_ = err
	})
}
```
Output:
```
root@debian11:~/fuzz# go test -fuzz=Gaad
fuzz: elapsed: 0s, gathering baseline coverage: 0/2 completed
fuzz: elapsed: 0s, gathering baseline coverage: 2/2 completed, now fuzzing with 2 workers
fuzz: minimizing 32-byte failing input file
fuzz: elapsed: 0s, minimizing
--- FAIL: FuzzGaad (0.01s)
    --- FAIL: FuzzGaad (0.00s)
        testing.go:1349: panic: runtime error: index out of range [0] with length 0
            goroutine 22 [running]:
            runtime/debug.Stack()
                /usr/local/go/src/runtime/debug/stack.go:24 +0x90
            testing.tRunner.func1()
                /usr/local/go/src/testing/testing.go:1349 +0x1f2
            panic({0x5e7720, 0xc0000160f0})
                /usr/local/go/src/runtime/panic.go:838 +0x207
            github.com/Comcast/gaad/bitreader.NewBitReader(...)
                /root/go/pkg/mod/github.com/!comcast/gaad@v0.0.0-20220518134758-0701f5ae5fe9/bitreader/bitreader.go:30
            github.com/Comcast/gaad.ParseADTS({0xc0000141b8, 0x0, 0x8})
                /root/go/pkg/mod/github.com/!comcast/gaad@v0.0.0-20220518134758-0701f5ae5fe9/aacparser.go:774 +0xed
            fuzz1.FuzzGaad.func1(0x0?, {0x72cde0?, 0x0?})
                /root/fuzz1/main_test.go:30 +0x65
            reflect.Value.call({0x5c6e20?, 0x607fa0?, 0x13?}, {0x5f8e7c, 0x4}, {0xc000068810, 0x2, 0x2?})
                /usr/local/go/src/reflect/value.go:556 +0x845
            reflect.Value.Call({0x5c6e20?, 0x607fa0?, 0x514?}, {0xc000068810, 0x2, 0x2})
                /usr/local/go/src/reflect/value.go:339 +0xbf
            testing.(*F).Fuzz.func1.1(0x0?)
                /usr/local/go/src/testing/fuzz.go:337 +0x231
            testing.tRunner(0xc000091860, 0xc0000b41b0)
                /usr/local/go/src/testing/testing.go:1439 +0x102
            created by testing.(*F).Fuzz.func1
                /usr/local/go/src/testing/fuzz.go:324 +0x5b8

    Failing input written to testdata/fuzz/FuzzGaad/771e938e4458e983a736261a702e27c7a414fd660a15b63034f290b146d2f217
    To re-run:
    go test -run=FuzzGaad/771e938e4458e983a736261a702e27c7a414fd660a15b63034f290b146d2f217
FAIL
exit status 1
FAIL    fuzz1   0.014s
```
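The trace above shows the bit reader indexing byte 0 of an empty slice. As an added example (not gaad's code), here is a bounds-checked bit reader and a minimal ADTS fixed-header parser that turn that condition into a returned error; the names BitReader, ReadBits, ADTSHeader and ParseADTSHeader are hypothetical, and the 7-byte sample header is constructed for the demonstration.

```go
package main
import "fmt"

// ErrShortInput replaces the index-out-of-range panic: the caller asked for
// more bits than the buffer holds (empty or truncated input).
var ErrShortInput = fmt.Errorf("bitreader: read past end of input")

// BitReader is a hypothetical bounds-checked MSB-first reader, not gaad's.
type BitReader struct{ buf []byte; pos int } // pos is a bit offset into buf

// ReadBits returns the next n (1..32) bits; it checks that the whole read
// fits before it ever indexes buf, so an empty slice yields an error.
func (r *BitReader) ReadBits(n int) (uint32, error) {
	if n < 1 || n > 32 || r.pos+n > len(r.buf)*8 {
		return 0, ErrShortInput
	}
	var v uint32
	for ; n > 0; n-- {
		v = v<<1 | uint32(r.buf[r.pos/8]>>uint(7-r.pos%8)&1)
		r.pos++
	}
	return v, nil
}

// ADTSHeader holds a few fields of the 7-byte ADTS fixed header.
type ADTSHeader struct{ Profile, SampleRateIdx, ChannelCfg, FrameLength uint32 }
// ParseADTSHeader checks the sync word and reads the fixed header fields,
// returning an error instead of panicking on short or unsynced input.
func ParseADTSHeader(b []byte) (ADTSHeader, error) {
	r := &BitReader{buf: b}
	// Widths in bit order: syncword, ID, layer, protection_absent, profile,
	// sampling_frequency_index, private_bit, channel_configuration, 4 flag bits, aac_frame_length.
	var f [10]uint32
	for i, w := range []int{12, 1, 2, 1, 2, 4, 1, 3, 4, 13} {
		v, err := r.ReadBits(w)
		if err != nil {
			return ADTSHeader{}, err
		}
		f[i] = v
	}
	if f[0] != 0xFFF {
		return ADTSHeader{}, fmt.Errorf("adts: bad sync word %#x", f[0])
	}
	return ADTSHeader{Profile: f[4], SampleRateIdx: f[5], ChannelCfg: f[7], FrameLength: f[9]}, nil
}

func main() { // constructed inputs: the fuzzer's empty buffer, then a well-formed header
	fmt.Println(ParseADTSHeader(nil))
	fmt.Println(ParseADTSHeader([]byte{0xFF, 0xF1, 0x50, 0x80, 0x1B, 0x7F, 0xFC}))
}
```

The same length check is what a fuzz target like the one above would stop tripping over: empty and truncated inputs come back as ErrShortInput rather than as a panic.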
I'll take a look in the next couple of days!
Got it reproduced.
I have not forgotten about this.
What I noticed while goofing with the fuzzer is that this library was written like the spec and like a C library. This pattern is repeated everywhere... While I acknowledge it is not bit safe it should still be fairly robust. Comcast has tens of thousands of streams with AAC streams and we have taken care of the bugs we have found from our production. I don't really currently have the time to rewrite this to make it have fewer assumptions of this nature.
Hello.
I found a slice bounds out of range bug in gaad.
Please confirm.
Thanks.
Reproduction code:
Crash Log: