Serial-ATA / lofty-rs

Audio metadata library
Apache License 2.0

Some panics found by fuzzing #295

Closed WIZeaz closed 6 months ago

WIZeaz commented 10 months ago

Reproducer

This case panicked at 'internal error: entered unreachable code'

    // Reproducer 1 (lofty 0.17.1): parse an ExtendedTextFrame from a 4-byte
    // buffer, using the version reported by a freshly created Id3v2Tag.
    fn main() {
        let data = [1, 0, 0, 0];
        let tag = lofty::id3::v2::Id3v2Tag::new();
        let version = tag.original_version();
        let mut reader = &data[..];
        let _: lofty::error::Result<Option<lofty::id3::v2::ExtendedTextFrame>> =
            lofty::id3::v2::ExtendedTextFrame::parse(&mut reader, version);
    }

Panic information:

thread 'main' panicked at 'internal error: entered unreachable code', /home/jjf/Fuzzing-Target-Generator/experiments/lofty-rs/src/id3/v2/items/extended_text_frame.rs:94:22
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: lofty::id3::v2::items::extended_text_frame::ExtendedTextFrame::parse
             at ./src/id3/v2/items/extended_text_frame.rs:94:10
   4: replay_lofty16::test_function16
             at ./fuzz_target/build/replay_lofty16/src/main.rs:16:95
   5: replay_lofty16::main
             at ./fuzz_target/build/replay_lofty16/src/main.rs:48:5
   6: core::ops::function::FnOnce::call_once
             at /home/jjf/Fuzzing-Target-Generator/library/core/src/ops/function.rs:251:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

This case panicked at 'attempt to add with overflow'

    // Reproducer 2 (lofty 0.17.1): parse a RelativeVolumeAdjustmentFrame from the fuzzer-found bytes with the default ParsingMode.
    fn main() {
        let data = [57, 25, 25, 0, 4, 1, 54, 0, 51, 6, 6, 6, 25, 25, 25, 129, 6, 151, 28, 25, 25, 0, 51, 51, 50, 5, 5, 5, 26, 5, 5, 25, 6, 6, 25, 26, 246, 25, 25, 129, 6, 151, 3, 252, 56, 0, 53, 56, 55, 52];
        let mode = lofty::ParsingMode::default();
        let mut reader = &data[..];
        let _: lofty::error::Result<Option<lofty::id3::v2::RelativeVolumeAdjustmentFrame>> =
            lofty::id3::v2::RelativeVolumeAdjustmentFrame::parse(&mut reader, mode);
    }

Panic information:

thread 'main' panicked at 'attempt to add with overflow', /home/jjf/Fuzzing-Target-Generator/experiments/lofty-rs/src/id3/v2/items/relative_volume_adjustment_frame.rs:130:47
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: lofty::id3::v2::items::relative_volume_adjustment_frame::RelativeVolumeAdjustmentFrame::parse
             at ./src/id3/v2/items/relative_volume_adjustment_frame.rs:130:35
   4: replay_lofty11::test_function11
             at ./fuzz_target/build/replay_lofty11/src/main.rs:14:107
   5: replay_lofty11::main
             at ./fuzz_target/build/replay_lofty11/src/main.rs:46:5
   6: core::ops::function::FnOnce::call_once
             at /home/jjf/Fuzzing-Target-Generator/library/core/src/ops/function.rs:251:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Summary

Hi, I am fuzzing this library with afl.rs, and I have found some panics. The version I test is 0.17.1. I hope you can check whether these cases are bugs.

Expected behavior

The first case should not reach unreachable code. Instead it should be reasonable to return a Result::Error. The second case should not panic at 'attempt to add with overflow'.


Serial-ATA commented 10 months ago

Awesome, thanks for doing this! I don't have many opportunities to do fuzzing myself. :smile:

WIZeaz commented 10 months ago

Thanks for the response, do you think these panics are really bugs? I think unreachable and overflow panics should not appear in any situation.

Serial-ATA commented 10 months ago

Yes, they are bugs. I had not accounted for these situations, so there are instances of unchecked math and broken assumptions from time to time.
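As an added illustration (not lofty's code, and not the actual locations of either reported panic, which the thread does not show), the two kinds of fix the last reply points at, written for the ID3v2.4 layouts these frames use: an encoding byte that maps unknown values to an error instead of `unreachable!()`, and an RVA2 channel parser whose peak-length arithmetic is widened before adding. The names `FrameError`, `TextEncoding`, `Channel` and `parse_channel` are hypothetical.

```rust
// Added illustration, not lofty's own code: hardened parsing in the shape of ID3v2.4 frames.
/// Returned instead of panicking when frame bytes are malformed.
#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    BadEncoding(u8),
}

/// Text encodings ID3v2.4 defines for the leading encoding byte of text frames.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum TextEncoding { Latin1, Utf16, Utf16Be, Utf8 }

impl TextEncoding {
    /// The encoding byte comes from the file, so an unknown value is a parse
    /// error to report, not an `unreachable!()` branch to hit.
    pub fn from_u8(b: u8) -> Result<Self, FrameError> {
        match b {
            0 => Ok(Self::Latin1),
            1 => Ok(Self::Utf16),
            2 => Ok(Self::Utf16Be),
            3 => Ok(Self::Utf8),
            other => Err(FrameError::BadEncoding(other)),
        }
    }
}

/// One RVA2 channel entry: type, adjustment in 1/512 dB, peak bit count, peak bytes.
#[derive(Debug, PartialEq)]
pub struct Channel { pub channel_type: u8, pub adjustment: i16, pub peak_bits: u8, pub peak: Vec<u8> }

/// Parses one channel entry and returns it with the unconsumed remainder.
/// The peak field holds (peak_bits + 7) / 8 bytes. Doing that sum in `u8`
/// overflows for peak_bits >= 249 and panics in a debug build with
/// "attempt to add with overflow"; widening to usize first and bounds-checking
/// the slice means every input either parses or returns Err.
pub fn parse_channel(data: &[u8]) -> Result<(Channel, &[u8]), FrameError> {
    if data.len() < 4 {
        return Err(FrameError::Truncated);
    }
    let channel_type = data[0];
    let adjustment = i16::from_be_bytes([data[1], data[2]]);
    let peak_bits = data[3];
    let peak_len = (peak_bits as usize + 7) / 8; // cannot overflow in usize
    let rest = &data[4..];
    if rest.len() < peak_len {
        return Err(FrameError::Truncated);
    }
    let (peak, remainder) = rest.split_at(peak_len);
    Ok((Channel { channel_type, adjustment, peak_bits, peak: peak.to_vec() }, remainder))
}
```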