FLIF-hub / FLIF

Free Lossless Image Format

Abort (71787616) #483

Open Google-Autofuzz opened 6 years ago

Google-Autofuzz commented 6 years ago

Hello flif team,

As part of our fuzzing efforts at Google, we have identified an issue affecting flif (tested with revision master cfd25e57578ccd047dd2177aea2924f5a3fa1e5f).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

TL;DR instructions: artifacts_71787616.zip

From another terminal, outside the container: docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer (reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container: /fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:

fuzzer: flif-dec.cpp:429: void flif_decode_plane_zoomlevel_horizontal(plane_t &, Coder &, Images &, const ranges_t *, const alpha_t &, const alpha_t &, Properties &, const int, const int, const uint32_t, const bool, const bool, const int, const int) [Coder = FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, plane_t = Plane<short>, alpha_t = Plane<unsigned char>, p = 2, ranges_t = ColorRanges]: Assertion `curr >= ranges->min(p) && curr <= ranges->max(p)' failed.
==10== ERROR: libFuzzer: deadly signal
    #0 0x4da933 in __sanitizer_print_stack_trace (/fuzzing/FLIF/src/fuzzer+0x4da933)
    #1 0x50d8ca in fuzzer::Fuzzer::CrashCallback() (/fuzzing/FLIF/src/fuzzer+0x50d8ca)
    #2 0x50d89a in fuzzer::Fuzzer::StaticCrashSignalCallback() (/fuzzing/FLIF/src/fuzzer+0x50d89a)
    #3 0x7f6dde7a90bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x110bf)
    #4 0x7f6ddde08fce in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x32fce)
    #5 0x7f6ddde0a3f9 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x343f9)
    #6 0x7f6ddde01e36  (/lib/x86_64-linux-gnu/libc.so.6+0x2be36)
    #7 0x7f6ddde01ee1 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x2bee1)
    #8 0x7f6ddf3b6f11 in void flif_decode_plane_zoomlevel_horizontal<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, Plane<short>, Plane<unsigned char>, 2, ColorRanges>(Plane<short>&, FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>&, std::vector<Image, std::allocator<Image> >&, ColorRanges const*, Plane<unsigned char> const&, Plane<unsigned char> const&, std::vector<int, std::allocator<int> >&, int, int, unsigned int, bool, bool, int, int) (/fuzzing/FLIF/src/libflif.so.0+0x37bf11)
    #9 0x7f6ddf3a73f0 in horizontal_plane_decoder<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, Plane<unsigned char>, ColorRanges>::visit(Plane<short>&) (/fuzzing/FLIF/src/libflif.so.0+0x36c3f0)
    #10 0x7f6ddf3a341b in bool flif_decode_FLIF2_inner_horizontal<BlobReader, RacInput24<BlobReader>, FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, Plane<unsigned char>, ColorRanges>(int, BlobReader&, RacInput24<BlobReader>&, std::vector<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, std::allocator<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10> > >&, std::vector<Image, std::allocator<Image> >&, ColorRanges const*, int, int, int, int, int, int, int, std::vector<int, std::allocator<int> >&, std::vector<Transform<BlobReader>*, std::allocator<Transform<BlobReader>*> >&, int) (/fuzzing/FLIF/src/libflif.so.0+0x36841b)
    #11 0x7f6ddf3a0ea2 in bool flif_decode_FLIF2_inner<BlobReader, RacInput24<BlobReader>, FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, ColorRanges>(BlobReader&, RacInput24<BlobReader>&, std::vector<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10>, std::allocator<FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10> > >&, std::vector<Image, std::allocator<Image> >&, ColorRanges const*, int, int, flif_options&, std::vector<Transform<BlobReader>*, std::allocator<Transform<BlobReader>*> >&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, std::vector<Image, std::allocator<Image> >&) (/fuzzing/FLIF/src/libflif.so.0+0x365ea2)
    #12 0x7f6ddf39cbb0 in bool flif_decode_FLIF2_pass<BlobReader, RacInput24<BlobReader>, FinalPropertySymbolCoder<SimpleBitChance, RacInput24<BlobReader>, 10> >(BlobReader&, RacInput24<BlobReader>&, std::vector<Image, std::allocator<Image> >&, ColorRanges const*, std::vector<Tree, std::allocator<Tree> >&, int, int, flif_options&, std::vector<Transform<BlobReader>*, std::allocator<Transform<BlobReader>*> >&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, std::vector<Image, std::allocator<Image> >&) (/fuzzing/FLIF/src/libflif.so.0+0x361bb0)
    #13 0x7f6ddf23a904 in bool flif_decode_main<10, BlobReader>(RacInput24<BlobReader>&, BlobReader&, std::vector<Image, std::allocator<Image> >&, ColorRanges const*, std::vector<Transform<BlobReader>*, std::allocator<Transform<BlobReader>*> >&, flif_options&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, std::vector<Image, std::allocator<Image> >&) (/fuzzing/FLIF/src/libflif.so.0+0x1ff904)
    #14 0x7f6ddf236fd9 in bool flif_decode<BlobReader>(BlobReader&, std::vector<Image, std::allocator<Image> >&, unsigned int (*)(unsigned int, long, unsigned char, void*, void*), void*, int, std::vector<Image, std::allocator<Image> >&, flif_options&, metadata_options&, FLIF_INFO*) (/fuzzing/FLIF/src/libflif.so.0+0x1fbfd9)
    #15 0x7f6ddf4dc987 in FLIF_DECODER::decode_memory(void const*, unsigned long) (/fuzzing/FLIF/src/libflif.so.0+0x4a1987)
    #16 0x7f6ddf4dda48 in flif_decoder_decode_memory (/fuzzing/FLIF/src/libflif.so.0+0x4a2a48)
    #17 0x5085f5 in LLVMFuzzerTestOneInput /fuzzing/FLIF/src/fuzzer.cc:6:3
    #18 0x50f17c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/FLIF/src/fuzzer+0x50f17c)
    #19 0x50e93e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/FLIF/src/fuzzer+0x50e93e)
    #20 0x50879d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/FLIF/src/fuzzer+0x50879d)
    #21 0x509c6f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/FLIF/src/fuzzer+0x509c6f)
    #22 0x50864c in main (/fuzzing/FLIF/src/fuzzer+0x50864c)
    #23 0x7f6ddddf62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #24 0x41dd09 in _start (/fuzzing/FLIF/src/fuzzer+0x41dd09)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
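The failing condition in the trace, `curr >= ranges->min(p) && curr <= ranges->max(p)`, is an `assert`, which is compiled out under `-DNDEBUG`, so in a release build of libflif the same input would not abort but would let the out-of-range sample flow on into later decoding stages. The following added example (not FLIF's code; `PlaneRanges` is a hypothetical stand-in for `ColorRanges`, and the int16 little-endian stream format is constructed for illustration) contrasts that debug-only check with a validation that holds in every build and fails the decode cleanly:

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for FLIF's ColorRanges: one [min, max] interval per plane.
struct PlaneRanges {
    std::vector<int> mins, maxs;
    int numPlanes() const { return static_cast<int>(mins.size()); }
    int min(int p) const { return mins[p]; }
    int max(int p) const { return maxs[p]; }
};

// The exact predicate the reported assertion evaluates, as a plain function.
inline bool in_range(int curr, const PlaneRanges& ranges, int p) {
    return curr >= ranges.min(p) && curr <= ranges.max(p);
}

// Debug-only variant, equivalent to the assert in the trace. Built with -DNDEBUG
// this is a no-op: an out-of-range value passes through without any signal.
inline void debug_only_check(int curr, const PlaneRanges& ranges, int p) {
    assert(in_range(curr, ranges, p));
}

// Hardened variant: decodes plane p from a constructed little-endian int16 stream
// and validates every sample regardless of build mode. Returns false (and leaves
// `out` in an unspecified state) instead of aborting when the input is malformed.
bool decode_plane_checked(const std::vector<uint8_t>& stream, const PlaneRanges& ranges,
                          int p, std::vector<int16_t>& out) {
    if (p < 0 || p >= ranges.numPlanes()) return false;   // reject a bogus plane index
    if (stream.size() % 2 != 0) return false;             // reject a truncated sample
    out.clear();
    out.reserve(stream.size() / 2);
    for (size_t i = 0; i + 1 < stream.size(); i += 2) {
        int16_t curr = static_cast<int16_t>(stream[i] | (stream[i + 1] << 8));
        if (!in_range(curr, ranges, p)) return false;     // the guard a release build keeps
        out.push_back(curr);
    }
    return true;
}
```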