beanit / asn1bean

ASN1bean (formerly known as jASN1) is a Java ASN.1 BER and DER encoding/decoding library
https://www.beanit.com/asn1/
Apache License 2.0

NegativeArraySizeException and IndexOutOfBoundsException in certificate decoding #11

Open mmeinander opened 6 years ago

mmeinander commented 6 years ago

Hi,

While running fuzz testing (with afl and Kelinci) on the jasn1-generated Java classes for PKIX1Explicit88.asn (ftp://ftp3.itu.int/t/fl/ietf/rfc/rfc3280/PKIX1Explicit88.html), crashes were discovered in five different locations during certificate decoding.

This was the Driver class used for the fuzzing:

```java
import pkix1explicit88.Certificate;

import java.io.*;

public class Driver {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("driver: usage: driver file");
            System.exit(1);
        }
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(args[0]);
        } catch (FileNotFoundException e) {
            System.err.println("FileNotFound: " + args[0]);
            System.exit(1);
        }
        try {
            // Decode the (fuzzed) input file as an X.509 Certificate.
            Certificate c = new Certificate();
            c.decode(fis);
        } catch (IOException e) {
            // Malformed input is expected to surface here as an IOException.
            System.err.println(e);
        }
        try {
            fis.close();
        } catch (IOException e) {
        }
    }
}
```

Crashes (the inputs to be decoded, i.e. the DER-encoded certificates, are given in hex):

  1. Input: 3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6 96365bca300d06092a864886f70d01010b05803039310b30090603550406 13025553310f300d060355040a1306416d617a6f6e311930170603550403 1310416d617a6f6e20526f6f742043412031301e170d3135303532363030 303030305a170d3338303131373030303030305a3039310b300906035504 0613025553310f300d060355040a1306416d617a6f6e3119301706035504 031310416d617a6f6e20526f6f74204341203130820122300d06092a8648 86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3 71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0 437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8 4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c 9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8 bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9 48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843 fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb 2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426 8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530 030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604 148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7 0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628 bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3 9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41 8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7 dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475 6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262 a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797 7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:

```
Exception occurred: java.lang.IndexOutOfBoundsException (uncaught)"thread=main", java.io.FileInputStream.readBytes(), line=-1 bci=-1
main[1] where
  [1] java.io.FileInputStream.readBytes (native method)
  [2] java.io.FileInputStream.read (FileInputStream.java:255)
  [3] org.openmuc.jasn1.ber.internal.Util.readFully (Util.java:18)
  [4] org.openmuc.jasn1.ber.types.BerAny.decode (BerAny.java:61)
  [5] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:121)
  [6] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
  [7] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [8] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [9] Driver.main (Driver.java:19)
```

  2. Input: 3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6 96365bca300d06092a864886f70d01010b05003039310b30090603550406 13025553310f300d060355040a1306416d617a6f6e311930170603550403 1310416d617a6f6e20526f6f742043412031301e170d3135303532363030 303030305a170d3338303131373030303030305a3039310b300906035504 0613025553310f300d060355040a1306416d617a6f6e3119301706035504 031310416d617a6f6e20526f6f74204341203130820122300d06092a8648 86f70d01010105000380010f003082010a0282010100b2788071ca78d5e3 71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0 437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8 4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c 9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8 bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9 48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843 fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb 2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426 8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530 030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604 148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7 0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628 bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3 9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41 8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7 dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475 6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262 a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797 7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerBitString.decode(), line=126 bci=42
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerBitString.decode (BerBitString.java:126)
  [2] pkix1explicit88.SubjectPublicKeyInfo.decode (SubjectPublicKeyInfo.java:117)
  [3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:264)
  [4] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [6] Driver.main (Driver.java:19)
```

  3. Input: 3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6 96365bca300d06802a864886f70d01010b05003039310b30090603550406 13025553310f300d060355040a1306416d617a6f6e311930170603550403 1310416d617a6f6e20526f6f742043412031301e170d3135303532363030 303030305a170d3338303131373030303030305a3039310b300906035504 0613025553310f300d060355040a1306416d617a6f6e3119301706035504 031310416d617a6f6e20526f6f74204341203130820122300d06092a8648 86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3 71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0 437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8 4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c 9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8 bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9 48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843 fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb 2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426 8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530 030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604 148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7 0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628 bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3 9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41 8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7 dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475 6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262 a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797 7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode(), line=123 bci=56
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode (BerObjectIdentifier.java:123)
  [2] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:110)
  [3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
  [4] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [6] Driver.main (Driver.java:19)
```

  4. Input: 3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6 96365bca300d06092a864886f70d01010b05003039310b30090603550406 13025553310f300d060355040a1306416d617a6f6e311930170603550403 1310416d617a6f6e20526f6f742043412031301e17803135303532363030 303030305a170d3338303131373030303030305a3039310b300906035504 0613025553310f300d060355040a1306416d617a6f6e3119301706035504 031310416d617a6f6e20526f6f74204341203130820122300d06092a8648 86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3 71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0 437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8 4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c 9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8 bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9 48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843 fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb 2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426 8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530 030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604 148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7 0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628 bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3 9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41 8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7 dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475 6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262 a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797 7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.string.BerVisibleString.decode(), line=67 bci=40
main[1] where
  [1] org.openmuc.jasn1.ber.types.string.BerVisibleString.decode (BerVisibleString.java:67)
  [2] org.openmuc.jasn1.ber.types.BerUtcTime.decode (BerUtcTime.java:57)
  [3] pkix1explicit88.Time.decode (Time.java:92)
  [4] pkix1explicit88.Validity.decode (Validity.java:107)
  [5] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:251)
  [6] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [7] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [8] Driver.main (Driver.java:19)
```

  5. Input: 3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6 96365bca300d06092a864886f70d01010b05003039310b30090603550406 13025553310f300d060355040a1306416d617a6f6e311930170603550403 1310416d617a6f6e20526f6f742043412031301e170d3135303532363030 303030305a170d3338303131373030303030305a3039310b300906035504 0613025553310f300d060355040a1306416d617a6f6e3119301706035504 031310416d617a6f6e20526f6f74204341203130820122300d06092a8648 86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3 71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0 437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8 4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c 9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8 bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9 48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843 fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb 2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426 8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff048030 030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604 148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7 0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628 bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3 9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41 8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7 dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475 6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262 a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797 7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:

```
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerOctetString.decode(), line=64 bci=40
main[1] where
  [1] org.openmuc.jasn1.ber.types.BerOctetString.decode (BerOctetString.java:64)
  [2] pkix1explicit88.Extension.decode (Extension.java:136)
  [3] pkix1explicit88.Extensions.decode (Extensions.java:92)
  [4] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:295)
  [5] pkix1explicit88.Certificate.decode (Certificate.java:119)
  [6] pkix1explicit88.Certificate.decode (Certificate.java:98)
  [7] Driver.main (Driver.java:19)
```
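Comparing the five inputs above with each other, each differs from the others in a single length octet that has been set to 0x80: in the NULL parameter of the signature AlgorithmIdentifier, the SubjectPublicKeyInfo BIT STRING, the algorithm OBJECT IDENTIFIER, the Validity UTCTime and the extension OCTET STRING, matching the decoders named in the five stack traces. In BER, 0x80 is the indefinite-length marker, which DER forbids and which a primitive value can never legitimately carry; the NegativeArraySizeException and the IndexOutOfBoundsException in FileInputStream.read are consistent with a length decoder that turns this octet into a negative value and lets it reach a `new byte[n]` or a `read(buf, 0, n)` call unchecked. As an added example, not code from asn1bean/jASN1 or from the reporter, the class below shows how a length decoder can reject that form, as well as reserved, oversized and truncated lengths, before any allocation happens. The MAX_PRIMITIVE_LENGTH cap, the single-octet-tag restriction and the sample encodings are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;

/*
 * Added example, not asn1bean/jASN1 code: a BER length decoder for primitive
 * values that fails with IOException instead of letting an attacker-controlled
 * length reach new byte[n] or InputStream.read(buf, 0, n).
 */
public class SafeBerLength {

    // Upper bound for one primitive value. The figure is an assumption for this
    // example; choose it per application (certificate fields are small).
    static final int MAX_PRIMITIVE_LENGTH = 64 * 1024;

    /** Reads the length octets after a primitive tag; never returns a negative or oversized value. */
    static int readDefiniteLength(ByteArrayInputStream in) throws IOException {
        int first = in.read();
        if (first < 0) {
            throw new IOException("EOF while reading length");
        }
        if (first < 0x80) {
            return checkLength(first, in.available());   // short form, 0..127
        }
        int numOctets = first & 0x7f;
        if (numOctets == 0) {
            // 0x80 is the indefinite-length form: forbidden by DER and never valid
            // for a primitive. Mapping it to -1 is what lets a caller end up in
            // new byte[-1] or read(buf, 0, -1).
            throw new IOException("indefinite length not allowed for a primitive value");
        }
        if (numOctets == 0x7f) {
            throw new IOException("reserved length octet 0xFF");
        }
        if (numOctets > 4) {
            throw new IOException("length field of " + numOctets + " octets is too wide");
        }
        long length = 0;
        for (int i = 0; i < numOctets; i++) {
            int b = in.read();
            if (b < 0) {
                throw new IOException("EOF inside length field");
            }
            length = (length << 8) | b;
        }
        if (length > Integer.MAX_VALUE) {
            throw new IOException("length " + length + " does not fit in an int");
        }
        return checkLength((int) length, in.available());
    }

    private static int checkLength(int length, int remaining) throws IOException {
        if (length > remaining) {
            throw new IOException("length " + length + " exceeds the " + remaining + " bytes remaining");
        }
        if (length > MAX_PRIMITIVE_LENGTH) {
            throw new IOException("length " + length + " exceeds MAX_PRIMITIVE_LENGTH");
        }
        return length;
    }

    /** Decodes one primitive TLV with a single-octet tag and returns its value bytes. */
    static byte[] readPrimitiveValue(byte[] encoded) throws IOException {
        ByteArrayInputStream in = new ByteArrayInputStream(encoded);
        int tag = in.read();
        if (tag < 0) {
            throw new IOException("empty input");
        }
        if ((tag & 0x20) != 0) {
            throw new IOException("constructed tag 0x" + Integer.toHexString(tag) + " where a primitive was expected");
        }
        if ((tag & 0x1f) == 0x1f) {
            throw new IOException("multi-octet tags are outside this example");
        }
        int length = readDefiniteLength(in);
        byte[] value = new byte[length];          // length is now known to be safe
        int total = 0;
        while (total < length) {
            int n = in.read(value, total, length - total);
            if (n < 0) {
                throw new IOException("truncated value");
            }
            total += n;
        }
        return value;
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples: well-formed encodings next to the same encodings
        // carrying the 0x80 length octet found in the reported inputs.
        String[] samples = {
            "0500",           // NULL, length 0: accepted
            "0580",           // NULL with indefinite length: rejected
            "04030101ff",     // OCTET STRING of 3 bytes: accepted
            "04800101ff",     // OCTET STRING with indefinite length: rejected
            "0405ff",         // OCTET STRING claiming 5 bytes, 1 present: rejected
            "0484ffffffff00", // 4-octet length 0xffffffff: rejected
        };
        for (String s : samples) {
            try {
                byte[] v = readPrimitiveValue(hex(s));
                System.out.println(s + " -> ok, " + v.length + " value byte(s)");
            } catch (IOException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check against `in.available()` is exact only for a ByteArrayInputStream; a decoder reading from a FileInputStream or socket, as the Driver above does, cannot know the remaining size and has to rely on the explicit cap plus a read loop that treats a short read as an error rather than trusting the declared length.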

sfeuerhahn commented 6 years ago

What makes you sure that the given bytes you used are correct?

mmeinander commented 6 years ago

The thinking behind the fuzz testing was to verify that the library would cleanly handle all error scenarios, also when the given input bytes are tampered with. The tampering might be accidental or malicious.