hjson / hjson-rust

Hjson for Rust
https://hjson.github.io/
MIT License
102 stars 33 forks source link

serde_hjson::from_slice panics on subtract with overflow #20

Closed alexanderkjall closed 2 months ago

alexanderkjall commented 4 years ago

testing the from_slice function with valid utf8 gave me this error:

thread '' panicked at 'attempt to subtract with overflow', /home/capitol/project/hjson-rust/hjson/src/de.rs:294:22

complete stacktrace:

    #0 0x55a627176731 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x55a627837660 in fuzzer::PrintStackTrace() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x996660)
    #2 0x55a62785399a in fuzzer::Fuzzer::CrashCallback() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9b299a)
    #3 0x7fb82afe03bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7fb82ae0418a in __libc_signal_restore_set /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #5 0x7fb82ae0418a in raise /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #6 0x7fb82ade3858 in abort /build/glibc-YYA7BZ/glibc-2.31/stdlib/abort.c:79:7
    #7 0x55a6278afb36 in std::sys::unix::abort_internal::h5c8b2a90c624abaf /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/sys/unix/mod.rs:167:14
    #8 0x55a627898bc5 in std::process::abort::hb13208ae9f5b7133 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/process.rs:1623:5
    #9 0x55a6278211b6 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h2ef829035805c4e9 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9801b6)
    #10 0x55a62789fed7 in std::panicking::rust_panic_with_hook::h2f4c96dfd8ba524a /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:581:17
    #11 0x55a62789fa88 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h7740abbe2875cb4d /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:484:9
    #12 0x55a62789aebb in std::sys_common::backtrace::__rust_end_short_backtrace::hcad001df0a36db28 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/sys_common/backtrace.rs:153:18
    #13 0x55a62789fa48 in rust_begin_unwind /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:483:5
    #14 0x55a627905460 in core::panicking::panic_fmt::hb15d6f55e8472f62 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/core/src/panicking.rs:85:14
    #15 0x55a6279053ac in core::panicking::panic::h5d1c61fed2502a5f /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/core/src/panicking.rs:50:5
    #16 0x55a6271c0f46 in serde_hjson::de::Deserializer$LT$Iter$GT$::parse_ml_string::h6d7ce8a9cfd6f9b5 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x31ff46)
    #17 0x55a6271a0d95 in serde_hjson::de::Deserializer$LT$Iter$GT$::parse_tfnns::h150292d6fccc2cd0 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2ffd95)
    #18 0x55a6271b2891 in serde_hjson::de::Deserializer$LT$Iter$GT$::parse_value::hefb12d656723d8ef (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x311891)
    #19 0x55a6271cef2d in serde_hjson::de::from_iter::hc227fa3539b40986 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x32df2d)
    #20 0x55a627218118 in rust_fuzzer_test_input (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x377118)
    #21 0x55a6278211e0 in __rust_try (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9801e0)
    #22 0x55a627820e3f in LLVMFuzzerTestOneInput (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x97fe3f)
    #23 0x55a627853edc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9b2edc)
    #24 0x55a62785bec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9baec0)
    #25 0x55a62785c87c in fuzzer::Fuzzer::MutateAndTestOne() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9bb87c)
    #26 0x55a62785ec7f in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9bdc7f)
    #27 0x55a62782f239 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x98e239)
    #28 0x55a6270f32e6 in main (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2522e6)
    #29 0x7fb82ade50b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #30 0x55a6270f348d in _start (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25248d)

Can be reproduced with the following unit test:

#[cfg(test)]
mod test {
    use crate::{Map,Value};
    use crate::error::Result;

    #[test]
    pub fn subtract_overflow() {
        let data: Vec<u8> = vec![39, 39, 39];

        let mut sample: Result<Map<String, Value>> = crate::from_slice(&data);
    }
}