InteractiveAdvertisingBureau / GDPR-Transparency-and-Consent-Framework

Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018.

Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

Closed ntframeplay closed 6 months ago

ntframeplay commented 7 months ago

Using the fuzz test string below (or similar)

```
go test fuzz v1
string("C0000000000000000000000000000000000AAdA000000000000")
```

the following crash & stack trace occurs:

[image: screenshot of the crash and stack trace]

Fuzz test func:

```go
import "testing"

func FuzzTCF(f *testing.F) {
    // Only one function to be tested
    f.Fuzz(func(t *testing.T, tcfStr string) {
        _, _ = tcf(tcfStr)
    })
}
```

and tcf func

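```go
import "github.com/prebid/go-gdpr/vendorconsent"

// tcfData and TCFFramePlayVendorID are defined elsewhere in the caller's package (not shown).
func tcf(tcf_str string) (tcfData, error) {
    if len(tcf_str) == 0 {
        return tcfData{}, nil
    }
    consent, err := vendorconsent.ParseString(tcf_str) // string is base64 encoded
    if err != nil {
        return tcfData{}, err
    }

    // ParseString succeeded; the accessor calls below are where the reported panic surfaces.
    return tcfData{
        tcf_str,
        consent.VendorListVersion(),
        consent.VendorConsent(uint16(TCFFramePlayVendorID)),
        consent.PurposeAllowed(3),
    }, nil
}
```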

index out of range occurs in return value of /go-gdpr/vendorconsent/tcf2.isSet(...)
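The failure class reported above, as an added example that is not part of the issue thread and not the go-gdpr code: a bit lookup that trusts its offset panics on a short buffer, while a bounds-checked lookup or a `recover` guard around the call returns an error instead. The names `uncheckedIsSet`, `checkedIsSet`, `guard` and `ErrShort` are hypothetical, and the two-byte input is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrShort reports a bit offset that lies beyond the decoded consent bytes.
var ErrShort = errors.New("bit offset beyond end of consent data")

// uncheckedIsSet is a simplified stand-in for the failure class in the report:
// it trusts the offset, so a short or malformed buffer causes a runtime panic.
func uncheckedIsSet(data []byte, bit uint) bool {
	return data[bit/8]&(byte(0x80)>>(bit%8)) != 0
}

// checkedIsSet validates the offset first and returns an error instead.
func checkedIsSet(data []byte, bit uint) (bool, error) {
	if bit/8 >= uint(len(data)) {
		return false, ErrShort
	}
	return data[bit/8]&(byte(0x80)>>(bit%8)) != 0, nil
}

// guard is a caller-side stopgap: it runs a parser call on untrusted input and
// turns any panic into an error, so one bad string cannot take the process down.
func guard(fn func() bool) (set bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			set, err = false, fmt.Errorf("consent parser panicked: %v", r)
		}
	}()
	return fn(), nil
}

func main() {
	data := []byte{0x80, 0x01} // constructed sample: 16 bits, bits 0 and 15 set

	_, err := checkedIsSet(data, 16) // first bit past the buffer
	fmt.Println("checked:", err)

	_, err = guard(func() bool { return uncheckedIsSet(data, 16) })
	fmt.Println("guarded:", err)
}
```

`recover` only catches a panic raised on the goroutine that called `guard`, so the guard has to wrap the parse and accessor calls directly.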

HeinzBaumann commented 7 months ago

@ntframeplay IAB doesn't support a GO library. Please raise this issue against the respective GO library that you are using. Thanks

ntframeplay commented 7 months ago

thanks, moved to proper lib https://github.com/prebid/go-gdpr/issues/40#issue-2073351278

HeinzBaumann commented 6 months ago

Closed. Issue is tracked here: https://github.com/prebid/go-gdpr/issues/40#issue-2073351278