Closed stevenjohnstone closed 6 years ago
Hi,
Didn't know about go-fuzz. It's a great tool. A fix will be issued today for the crashers found. Thanks a lot!
Fixed crashers found. Ran go-fuzz, it ran more than 42000000 times and didn't find any crasher. Merging the branch and closing the issue. Thank you!
Ran go-fuzz with the following fuzzer (based on an example in the README):
This is meant to reflect a deployment where the input JSON comes from an untrusted source.
After a few minutes, the fuzzer found issues like the following: this
causes
The problem here seems to be Decoder's Int() method isn't robust against this input? I'd expect the method to fail with a error indicating that the input isn't a well-formed string representation of an integer.