search

hjson / hjson-rust

Hjson for Rust
https://hjson.github.io/
MIT License
102 stars 33 forks source link

serde_hjson::from_slice panics at 'removal index (is 0) should be < len (is 0)' #21

Closed alexanderkjall closed 2 months ago

alexanderkjall commented 4 years ago

more testing of the from_slice function with valid utf8 gave me this error:

thread '' panicked at 'removal index (is 0) should be < len (is 0)', library/alloc/src/vec.rs:1057:13

complete stacktrace is:

==1202250== ERROR: libFuzzer: deadly signal
    #0 0x55c30665a731 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x55c306d1b660 in fuzzer::PrintStackTrace() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x996660)
    #2 0x55c306d3799a in fuzzer::Fuzzer::CrashCallback() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9b299a)
    #3 0x7f714cb733bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7f714c99718a in __libc_signal_restore_set /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #5 0x7f714c99718a in raise /build/glibc-YYA7BZ/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #6 0x7f714c976858 in abort /build/glibc-YYA7BZ/glibc-2.31/stdlib/abort.c:79:7
    #7 0x55c306d93b36 in std::sys::unix::abort_internal::h5c8b2a90c624abaf /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/sys/unix/mod.rs:167:14
    #8 0x55c306d7cbc5 in std::process::abort::hb13208ae9f5b7133 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/process.rs:1623:5
    #9 0x55c306d051b6 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h2ef829035805c4e9 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9801b6)
    #10 0x55c306d83ed7 in std::panicking::rust_panic_with_hook::h2f4c96dfd8ba524a /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:581:17
    #11 0x55c306d83a88 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h7740abbe2875cb4d /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:484:9
    #12 0x55c306d7eebb in std::sys_common::backtrace::__rust_end_short_backtrace::hcad001df0a36db28 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/sys_common/backtrace.rs:153:18
    #13 0x55c306d83a48 in rust_begin_unwind /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/std/src/panicking.rs:483:5
    #14 0x55c306de9460 in core::panicking::panic_fmt::hb15d6f55e8472f62 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/core/src/panicking.rs:85:14
    #15 0x55c306de12a5 in alloc::vec::Vec$LT$T$GT$::remove::assert_failed::h2c0d56e327999482 /rustc/d006f5734f49625c34d6fc33bf6b9967243abca8/library/alloc/src/vec.rs:1057:13
    #16 0x55c3066c55fd in serde_hjson::util::StringReader$LT$Iter$GT$::parse_whitespace::hf7084d7b3ccb8e69 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x3405fd)
    #17 0x55c306693981 in serde_hjson::de::Deserializer$LT$Iter$GT$::parse_value::h9b2c32860cf298a3 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x30e981)
    #18 0x55c3066b28ba in serde_hjson::de::from_iter::hc227fa3539b40986 (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x32d8ba)
    #19 0x55c3066fc118 in rust_fuzzer_test_input (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x377118)
    #20 0x55c306d051e0 in __rust_try (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9801e0)
    #21 0x55c306d04e3f in LLVMFuzzerTestOneInput (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x97fe3f)
    #22 0x55c306d37edc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9b2edc)
    #23 0x55c306d3fec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9baec0)
    #24 0x55c306d4087c in fuzzer::Fuzzer::MutateAndTestOne() (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9bb87c)
    #25 0x55c306d42c7f in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x9bdc7f)
    #26 0x55c306d13239 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x98e239)
    #27 0x55c3065d72e6 in main (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2522e6)
    #28 0x7f714c9780b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #29 0x55c3065d748d in _start (/home/capitol/project/hjson-rust/hjson/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25248d)

Can be reproduced with this unit test

#[cfg(test)]
mod test {
    use crate::{Map,Value};
    use crate::error::Result;

    #[test]
    pub fn removal_index() {
        let data: Vec<u8> = vec![47, 42, 44, 45];

        let mut sample: Result<Map<String, Value>> = crate::from_slice(&data);
    }
}