Closed odeke-em closed 4 years ago
Thanks @odeke-em. Are you able to work on a fix? If not I'll make sure our team gets to it.
@odeke-em would you be able to provide the original unmarshalled struct?
Sorry for the late replies. I've debugged this and it looks like another case where my fuzz pass generated a struct, mutated it, proto-marshalled it and also mutated that output before writing it to file. The reason is that the crash happens when unmarshalling field 4, which is a slice of []*testutil/testdata.TestVersion1 https://github.com/cosmos/cosmos-sdk/blob/97df8b605ce2839e496cf97ab783f89c72874289/testutil/testdata/proto.pb.go#L1461, but with a claimed length of >= 3949355340974291851, which is >= 1.8 billion times larger than sizeof(int), which is what length can store. That's impossible to handle in memory, and also judging by the number of bytes left before that EOF.
My apologies again, but I'll refine the fuzzer in the next rounds. Stargate lives on!
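A defensive pre-check for the condition described in the comment above, added here as an example and not code from cosmos-sdk: it walks the protobuf wire format field by field and rejects a length-delimited field whose claimed length exceeds the bytes that remain, so the decoder never allocates for a length the input cannot back. The sample message is constructed (tag for field 4, wire type 2, followed by the claimed length quoted in the issue and three payload bytes).

```go
package main

import "fmt"
// readUvarint decodes a base-128 varint; n == 0 signals a truncated or over-long (>64-bit) value.
func readUvarint(b []byte) (x uint64, n int) {
	for i, c := range b {
		if i == 9 && c > 1 { // a 10th byte above 1 (or with continuation bit) overflows uint64
			return 0, 0
		}
		x |= uint64(c&0x7f) << (7 * uint(i))
		if c < 0x80 {
			return x, i + 1
		}
	}
	return 0, 0
}

// CheckLengths walks a message's top-level fields and rejects the first length-delimited one whose claimed length exceeds the bytes left.
func CheckLengths(msg []byte) error {
	for off := 0; off < len(msg); {
		tag, n := readUvarint(msg[off:])
		field, wire := tag>>3, tag&7
		if n == 0 || wire == 3 || wire == 4 || wire > 5 {
			return fmt.Errorf("offset %d: bad tag or unsupported wire type %d", off, wire)
		}
		off += n
		switch wire {
		case 0: // varint payload: skip it
			_, n = readUvarint(msg[off:])
		case 1: // fixed64
			n = 8
		case 5: // fixed32
			n = 4
		case 2: // length-delimited: the claimed length must fit in what is left
			l, m := readUvarint(msg[off:])
			if rest := uint64(len(msg) - off - m); m > 0 && l > rest {
				return fmt.Errorf("field %d: claimed length %d exceeds %d remaining bytes", field, l, rest)
			}
			n = m + int(l)
		}
		if n == 0 || off+n > len(msg) {
			return fmt.Errorf("field %d: truncated", field)
		}
		off += n
	}
	return nil
}

// HostileSample is constructed: tag 0x22 (field 4, wire type 2), the issue's claimed length 3949355340974291851 as a 9-byte varint, then only three payload bytes.
var HostileSample = []byte{0x22, 0x8b, 0xf7, 0xc1, 0xf4, 0xa0, 0xb8, 0xbb, 0xe7, 0x36, 1, 2, 3}
```

Running CheckLengths over HostileSample returns the "claimed length ... exceeds 3 remaining bytes" error for field 4, while a well-formed message returns nil.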
Summary of Bug
Coming here from fuzzing ProtoCodec, I generated a serialized version of a struct that was successfully produced by ProtoCodec.MarshalBinaryLengthPrefixed. Given this program
where proto definitions in testutil/testdata/proto.proto are
Running this program produces
and this input
Version
Steps to Reproduce