Open Google-Autofuzz opened 7 years ago
Why don't you stop spamming and provide decent and meaningful results?
@gaming-hacker As far as I know, Autofuzz is a bot.
@gaming-hacker
Hi,
At Google we have several fuzzing efforts, including Autofuzz, OSS-Fuzz and others. If you have a specific suggestion that would make our reports to maintainers clearer or more meaningful, please let us know. Our goal is to report high-quality bugs that are easily reproducible, so that triage and reproduction are fast and maintainers can focus on building and patching their software. Suggestions are welcome.
Cheers,
Matt (not a bot, but this might all be a simulation) :) Autofuzz Team
Matt and team, thanks for these reports. Though the FLIF maintainers are not active right now, we hope to eventually resolve these issues. (Hopefully before the bots get smart enough to auto-fix these)
Hello flif team,
As part of our fuzzing efforts at Google, we have identified an issue affecting flif (tested with revision cfd25e57578ccd047dd2177aea2924f5a3fa1e5f on branch master). To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
TL;DR instructions:

```
mkdir project
cp Dockerfile /path/to/project
docker build --no-cache /path/to/project
docker run -it image_id_from_docker_build
```

From another terminal, outside the container:

```
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
```

(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:

```
/fuzzing/repro.sh /fuzzing/reproducer
```
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:
```
==10== ERROR: libFuzzer: out-of-memory (used: 2342Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=

Live Heap Allocations: 4031595572 bytes from 38 allocations; showing top 50%
4026531840 byte(s) (99%) in 2 allocation(s)
    #0 0x505280 in operator new(unsigned long) (/fuzzing/FLIF/src/fuzzer+0x505280)

SUMMARY: libFuzzer: out-of-memory
```
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and we encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team 68953028
Attachments: Dockerfile.flif.zip, poc-8e7d8ffabdd958682fe9235bb167317bd13df6a6f4d024c0dc69c62180651ef0.zip
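The sanitizer output quoted in the report is the whole signal a maintainer gets for an out-of-memory finding, and the first triage question is whether the heap went to a couple of huge allocations or to many small ones. The following Python helper is an added example, not code from the issue, from Google Autofuzz or from FLIF: it parses the libFuzzer OOM report into structured fields and applies a heuristic (the 90% / 4-allocation thresholds and the frame regex are my assumptions, and the sample text is the issue's own output re-typed inline).

```python
import re
from dataclasses import dataclass

# Sample input: the libFuzzer OOM report quoted in the issue, re-typed inline
# with the line breaks as they appear in the issue text.
SAMPLE_REPORT = """\
==10== ERROR: libFuzzer: out-of-memory (used: 2342Mb; limit: 2048Mb) To change the out-of-memory limit use -rss_limit_mb=
Live Heap Allocations: 4031595572 bytes from 38 allocations; showing top 50% 4026531840 byte(s) (99%) in 2 allocation(s)
0 0x505280 in operator new(unsigned long) (/fuzzing/FLIF/src/fuzzer+0x505280)
SUMMARY: libFuzzer: out-of-memory
"""

OOM_RE = re.compile(r"libFuzzer: out-of-memory \(used: (\d+)Mb; limit: (\d+)Mb\)")
LIVE_RE = re.compile(r"Live Heap Allocations: (\d+) bytes from (\d+) allocations")
BUCKET_RE = re.compile(r"(\d+) byte\(s\) \((\d+)%\) in (\d+) allocation\(s\)")
FRAME_RE = re.compile(r"#?0 0x[0-9a-fA-F]+ in (.+?) \(")  # "#" is lost in the issue text


@dataclass
class OomTriage:
    used_mb: int
    limit_mb: int
    live_bytes: int
    live_allocs: int
    top_bytes: int
    top_pct: int
    top_allocs: int
    top_frame: str

    @property
    def kind(self) -> str:
        # Assumed heuristic: a couple of allocations holding nearly the whole heap
        # suggests a size taken from the input without a bound; bytes spread over
        # many allocations point at a leak or an unbounded loop instead.
        if self.top_pct >= 90 and self.top_allocs <= 4:
            return "few-huge-allocations"
        return "many-small-allocations"


def parse_libfuzzer_oom(text):
    """Return an OomTriage for a libFuzzer OOM report, or None for any other report."""
    oom, live, bucket = OOM_RE.search(text), LIVE_RE.search(text), BUCKET_RE.search(text)
    if not (oom and live and bucket):
        return None  # a crash/timeout report, or an OOM report cut short
    frame = FRAME_RE.search(text)
    return OomTriage(int(oom[1]), int(oom[2]), int(live[1]), int(live[2]),
                     int(bucket[1]), int(bucket[2]), int(bucket[3]),
                     frame[1] if frame else "<no frame>")
```

For the quoted report this yields two allocations holding 99% of roughly 4 GB, so the place to start is the size computation feeding that `operator new` call rather than a slow leak.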