search

FLIF-hub / FLIF

Free Lossless Image Format
Other
3.72k stars 229 forks source link

Out Of Memory (71518751) #482

Open Google-Autofuzz opened 6 years ago

Google-Autofuzz commented 6 years ago

Hello flif team,

As part of our fuzzing efforts at Google, we have identified an issue affecting flif (tested with revision * master cfd25e57578ccd047dd2177aea2924f5a3fa1e5f).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

TL;DR instructions: artifacts_71518751.zip

From another terminal, outside the container: docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer (reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container: /fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:

INFO: Seed: 2536420363
./fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
Invalid number encountered!
==11== ERROR: libFuzzer: out-of-memory (used: 2271Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 2399332688 bytes from 57 allocations; showing top 50%
710191112 byte(s) (29%) in 2 allocation(s)
    #0 0x505280 in operator new(unsigned long) (/fuzzing/FLIF/src/fuzzer+0x505280)
    #1 0x7f2d16ae1b87 in std::vector<unsigned int, std::allocator<unsigned int> >::_M_fill_insert(__gnu_cxx::__normal_iterator<unsigned int*, std::vector<unsigned int, std::allocator<unsigned int> > >, unsigned long, unsigned int const&) (/fuzzing/FLIF/src/libflif.so.0+0xcbb87)
    #2 0x7f2d16adfc78 in Image::semi_init(unsigned int, unsigned int, int, int, int) (/fuzzing/FLIF/src/libflif.so.0+0xc9c78)
    #3 0x7f2d16c0ef66 in bool flif_decode<BlobReader>(BlobReader&, std::vector<Image, std::allocator<Image> >&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, int, std::vector<Image, std::allocator<Image> >&, flif_options&, metadata_options&, FLIF_INFO*) (/fuzzing/FLIF/src/libflif.so.0+0x1f8f66)
    #4 0x7f2d16eb7987 in FLIF_DECODER::decode_memory(void const*, unsigned long) (/fuzzing/FLIF/src/libflif.so.0+0x4a1987)
    #5 0x7f2d16eb8a48 in flif_decoder_decode_memory (/fuzzing/FLIF/src/libflif.so.0+0x4a2a48)
    #6 0x5085f5 in LLVMFuzzerTestOneInput /fuzzing/FLIF/src/flif_dec_fuzzer.cc:8:3
    #7 0x50f17c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/FLIF/src/fuzzer+0x50f17c)
    #8 0x50864c in main (/fuzzing/FLIF/src/fuzzer+0x50864c)

710191112 byte(s) (29%) in 2 allocation(s)
    #0 0x505280 in operator new(unsigned long) (/fuzzing/FLIF/src/fuzzer+0x505280)
    #1 0x7f2d16ae1b87 in std::vector<unsigned int, std::allocator<unsigned int> >::_M_fill_insert(__gnu_cxx::__normal_iterator<unsigned int*, std::vector<unsigned int, std::allocator<unsigned int> > >, unsigned long, unsigned int const&) (/fuzzing/FLIF/src/libflif.so.0+0xcbb87)
    #2 0x7f2d16adfd1a in Image::semi_init(unsigned int, unsigned int, int, int, int) (/fuzzing/FLIF/src/libflif.so.0+0xc9d1a)
    #3 0x7f2d16c0ef66 in bool flif_decode<BlobReader>(BlobReader&, std::vector<Image, std::allocator<Image> >&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, int, std::vector<Image, std::allocator<Image> >&, flif_options&, metadata_options&, FLIF_INFO*) (/fuzzing/FLIF/src/libflif.so.0+0x1f8f66)
    #4 0x7f2d16eb7987 in FLIF_DECODER::decode_memory(void const*, unsigned long) (/fuzzing/FLIF/src/libflif.so.0+0x4a1987)
    #5 0x7f2d16eb8a48 in flif_decoder_decode_memory (/fuzzing/FLIF/src/libflif.so.0+0x4a2a48)
    #6 0x5085f5 in LLVMFuzzerTestOneInput /fuzzing/FLIF/src/flif_dec_fuzzer.cc:8:3
    #7 0x50f17c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/FLIF/src/fuzzer+0x50f17c)
    #8 0x50864c in main (/fuzzing/FLIF/src/fuzzer+0x50864c)

SUMMARY: libFuzzer: out-of-memory

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

saschanaz commented 6 years ago

Also reproduced on my flif-wasm:

> flif-wasm poc-8c7f61717e96f6fef73c9a2ceedc72f37dfc12165796e7813b4fdec6cd114c23_min -o flif.flif
Warning: expected file name extension ".flif" for input file, trying anyway...
Invalid number encountered!
Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 2066874368, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which allows increasing the size at runtime, or (3) if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0
Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 2066874368, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which allows increasing the size at runtime, or (3) if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0
exception thrown: abort("Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 2066874368, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which allows increasing the size at runtime, or (3) if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0 ") at Error
    at jsStackTrace (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:16305)
    at stackTrace (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:16476)
    at abort (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:129113)
    at abortOnCannotGrowMemory (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:17573)
    at wasm-function[1157]:42
    at wasm-function[1002]:3372
    at wasm-function[1119]:19
    at wasm-function[57]:113
    at wasm-function[51]:248
    at wasm-function[487]:8607
If this abort() is unexpected, build with -s ASSERTIONS=1 which can give more information.
(node:17756) UnhandledPromiseRejectionWarning: abort("Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 2066874368, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which allows increasing the size at runtime, or (3) if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0 ") at Error
    at jsStackTrace (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:16305)
    at stackTrace (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:16476)
    at abort (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:129113)
    at abortOnCannotGrowMemory (C:\Users\sasch\AppData\Roaming\npm\node_modules\flif-wasm\lib\flif.js:5:17573)
    at wasm-function[1157]:42
    at wasm-function[1002]:3372
    at wasm-function[1119]:19
    at wasm-function[57]:113
    at wasm-function[51]:248
    at wasm-function[487]:8607
If this abort() is unexpected, build with -s ASSERTIONS=1 which can give more information.
(node:17756) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:17756) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
saschanaz commented 6 years ago

read_big_endian_varint can report error but cannot abort. No callers check its error.

https://github.com/FLIF-hub/FLIF/blob/9d63d5d21e6824419ad03f56ce19842d51744ab4/src/flif-dec.cpp#L923-L937

saschanaz commented 6 years ago

It seems the source doesn't really want to use exceptions, but I think it should work on this type of error.