LeastAuthority / go-ipld-prime

MIT License

[fuzzing] dagjson Decode/Encode panic on encode #5

Open bryanchriswhite opened 3 years ago

bryanchriswhite commented 3 years ago

Context

The fuzz function attempts to decode the input and then re-encode it multiple times, then compares the results. In this case, it has discovered an input which can be decoded but then crashes when re-encoding. It looks like this particular case is of a number that gets parsed as a float, which isn't supported by refmt's encoder.

Mitigation

I see two options:

  1. Expect the possibility of a panic from refmt and recover appropriately.
  2. Fork and/or patch refmt.

Crasher

000036f68ed70e91bd3deb021ba4e07a8539e4ab

Quoted Input

        "60000001090190000000"

Output

panic: TODO finish more jsonEncoder primitives support: unhandled token <f:6.000000109019e+19>              
goroutine 6 [running]:
runtime/debug.Stack(0xc0001917c0, 0x6e0200, 0xc00007a490)
        /usr/local/go/src/runtime/debug/stack.go:24 +0x9f
github.com/leastauthority/fleece/fuzzing.(*Crasher).Recover(0xc00007c000, 0xc000191d90)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/fleece@v0.0.1-alpha/fuzzing/crasher.go:23 +0x57
panic(0x6e0200, 0xc00007a490)
        /usr/local/go/src/runtime/panic.go:969 +0x175
github.com/polydawn/refmt/json.(*Encoder).flushValue(0xc0000c22c0, 0xc0001b6000)
        /home/bwhite/go/pkg/mod/github.com/polydawn/refmt@v0.0.0-20190807091052-3d65705ee9f1/json/jsonEncoder.go:211 +0x226
github.com/polydawn/refmt/json.(*Encoder).Step(0xc0000c22c0, 0xc0001b6000, 0x0, 0x0, 0xc017f80000)
        /home/bwhite/go/pkg/mod/github.com/polydawn/refmt@v0.0.0-20190807091052-3d65705ee9f1/json/jsonEncoder.go:69 +0x50b
github.com/ipld/go-ipld-prime/codec/dagjson.Marshal(0x78ff00, 0xc0001160a0, 0x789260, 0xc0000c22c0, 0xc0000aaf30, 0x7f05ecdc18e0)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagjson/marshal.go:102 +0x7f4
github.com/ipld/go-ipld-prime/codec/dagjson.Encoder(0x78ff00, 0xc0001160a0, 0x7890a0, 0xc0000aaf30, 0x0, 0x0)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagjson/multicodec.go:59 +0x1b3
github.com/ipld/go-ipld-prime/codec/dagjson.FuzzJSONDecodeEncode(0xc028d7a000, 0x14, 0x214, 0x0)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagjson/multicodec_fuzz.go:23 +0x17d
github.com/leastauthority/fleece/fuzzing.(*Crasher).Test(0xc00007c000, 0xc000085d90)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/fleece@v0.0.1-alpha/fuzzing/crasher.go:31 +0x7b
github.com/leastauthority/fleece/fuzzing.CrasherIterator.TestFailingLimit(0xc00007b140, 0x1, 0x0, 0xc00000e7c0, 0x3, 0x4, 0xc007780000, 0x14f9e5, 0x14f9e5, 0x746188, ...)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/fleece@v0.0.1-alpha/fuzzing/iterator.go:109 +0xf0
github.com/ipld/go-ipld-prime/codec/dagjson.TestFuzzJSONDecodeEncode(0xc000001b00)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagjson/multicodec_fuzz_test.go:52 +0xf1
testing.tRunner(0xc000001b00, 0x746190)
        /usr/local/go/src/testing/testing.go:1108 +0xef
created by testing.(*T).Run 
        /usr/local/go/src/testing/testing.go:1159 +0x386
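An added Go example (not code from go-ipld-prime, refmt or fleece) showing the failure mode behind this crasher and mitigation option 1: a decoder that keeps the oversized integer exact with json.Number and math/big instead of letting it degrade to float64, and an encoder call wrapped so a panic surfaces as an error. encodeToken is a hypothetical stand-in for the refmt encoder in the trace, and crasherInput is a constructed copy of the quoted input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/big"
)

// Constructed copy of the crasher input: an integer above math.MaxInt64.
const crasherInput = "60000001090190000000"

// encodeToken is a hypothetical stand-in for the refmt encoder in the trace:
// integer tokens are written out, any other token kind panics.
func encodeToken(v interface{}) string {
	if b, ok := v.(*big.Int); ok {
		return b.String()
	}
	panic(fmt.Sprintf("unhandled token %T(%v)", v, v))
}

// safeEncode is mitigation option 1: an encoder panic becomes a normal error,
// so one malformed document cannot crash the process that re-encodes it.
func safeEncode(v interface{}) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("encoder panic: %v", r)
		}
	}()
	return encodeToken(v), nil
}

// decodeNumber keeps the digits verbatim via json.Number and returns an exact
// *big.Int for integers; a plain interface{} decode would give float64 here
// (6.000000109019e+19), which is the token the encoder choked on.
func decodeNumber(input string) (interface{}, error) {
	var n json.Number
	if err := json.Unmarshal([]byte(input), &n); err != nil {
		return nil, err
	}
	if b, ok := new(big.Int).SetString(n.String(), 10); ok {
		return b, nil
	}
	return n.Float64() // fractional or exponent forms only
}

func main() {
	exact, _ := decodeNumber(crasherInput)
	fmt.Println(safeEncode(exact))              // 60000001090190000000 <nil>
	fmt.Println(safeEncode(6.000000109019e+19)) // (empty) encoder panic: unhandled token float64(...)
}
```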
warpfork commented 3 years ago

(This is embarrassing, and I should make that json codec implementation less crap -- but in context and priority right now, I don't think filecoin actually exposes any paths where a user could trigger this to my knowledge, so this might not be a huge priority to address.)

warpfork commented 3 years ago

Addressed in https://github.com/polydawn/refmt/pull/53.