iximeow / yaxpeax-x86

x86 decoders for the yaxpeax project
BSD Zero Clause License

Panic when parsing fuzzed instruction (multiply with overflow) #12

Closed 5225225 closed 2 years ago

5225225 commented 2 years ago

The following code panics when run on yaxpeax-x86 1.1.1

```rust
fn main() {
    let decoder = yaxpeax_x86::amd64::InstDecoder::default();
    // 10 fuzzer-generated bytes; decoding them reaches the EVEX displacement-scaling path and panics
    drop(decoder.decode_slice(&[98, 98, 101, 164, 0, 89, 167, 98, 101, 10]));
}
```

The panic:

```text
thread 'main' panicked at 'attempt to multiply with overflow', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/evex.rs:14:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/8f117a77d0880ed59afcc1a19c72ec5c1e44b97c/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/8f117a77d0880ed59afcc1a19c72ec5c1e44b97c/library/core/src/panicking.rs:107:14
   2: core::panicking::panic
             at /rustc/8f117a77d0880ed59afcc1a19c72ec5c1e44b97c/library/core/src/panicking.rs:48:5
   3: yaxpeax_x86::long_mode::evex::apply_disp_scale
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/evex.rs:14:5
   4: yaxpeax_x86::long_mode::evex::read_evex
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/../shared/evex.in:243:11
   5: yaxpeax_x86::long_mode::read_with_annotations
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/mod.rs:7623:21
   6: <yaxpeax_x86::long_mode::InstDecoder as yaxpeax_arch::Decoder<yaxpeax_x86::long_mode::Arch>>::decode
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/mod.rs:4155:9
   7: yaxpeax_x86::long_mode::InstDecoder::decode_slice
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/yaxpeax-x86-1.1.1/src/long_mode/mod.rs:2830:9
   8: scratchhXLguhiJy::main
             at ./main.rs:3:10
   9: core::ops::function::FnOnce::call_once
             at /rustc/8f117a77d0880ed59afcc1a19c72ec5c1e44b97c/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
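The backtrace points at the EVEX `disp8*N` displacement-scaling step, where a multiplication on values derived from the input bytes overflowed. The block below is an added illustration of the defensive pattern for that class of bug, not yaxpeax-x86's own code and not the fix that landed in the project: every arithmetic step on decoder-controlled values uses checked operations and every slice access uses `get`, so a malformed or fuzzed instruction yields a `DecodeError` instead of a debug-build panic (a crash for any tool decoding untrusted bytes) or a silent release-build wrap. The names `DecodeError`, `apply_disp_scale` and `read_scaled_disp8` are hypothetical; the legal N values follow the EVEX rule (powers of two up to 64), but the scale function is written to be total for any `u32`.

```rust
/// Errors a hardened decoder reports instead of panicking.
/// (Hypothetical type for this example; not yaxpeax-x86's error enum.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DecodeError {
    /// The input ended before the displacement byte.
    ExhaustedInput,
    /// The scaled displacement does not fit the operand's i32 field.
    InvalidOperand,
}

/// Scale a displacement by the EVEX disp8*N compression factor using
/// checked arithmetic. `n` is 1..=64 for well-formed instructions; the
/// function accepts any u32 so that garbage input can never panic here.
pub fn apply_disp_scale(disp: i32, n: u32) -> Result<i32, DecodeError> {
    // A factor that does not fit in i32 cannot yield a valid i32 product.
    let n = i32::try_from(n).map_err(|_| DecodeError::InvalidOperand)?;
    // checked_mul returns None on overflow rather than panicking or wrapping.
    disp.checked_mul(n).ok_or(DecodeError::InvalidOperand)
}

/// Read one disp8 byte at `offset`, sign-extend it, and apply disp8*N.
/// `get` turns a truncated buffer into an error instead of an index panic.
pub fn read_scaled_disp8(bytes: &[u8], offset: usize, n: u32) -> Result<i32, DecodeError> {
    let raw = *bytes.get(offset).ok_or(DecodeError::ExhaustedInput)?;
    let disp = raw as i8 as i32; // sign-extend the 8-bit displacement
    apply_disp_scale(disp, n)
}

/// Exhaustive smoke check over every disp8 value and every legal N.
/// Returns the number of successful decodes; the real point is that the
/// loop completes for all 256 * 7 inputs without any panic path existing.
pub fn exhaustive_disp8_smoke() -> usize {
    const LEGAL_N: [u32; 7] = [1, 2, 4, 8, 16, 32, 64];
    let mut ok = 0;
    for raw in 0u8..=255 {
        for &n in &LEGAL_N {
            if read_scaled_disp8(&[raw], 0, n).is_ok() {
                ok += 1;
            }
        }
    }
    ok
}

fn main() {
    // Constructed inputs: a normal case, an overflow case, and a short buffer.
    println!("disp8 0x80 * 64  -> {:?}", read_scaled_disp8(&[0x80], 0, 64));
    println!("i32::MIN * 2     -> {:?}", apply_disp_scale(i32::MIN, 2));
    println!("empty input      -> {:?}", read_scaled_disp8(&[], 0, 8));
    println!("exhaustive ok    -> {}", exhaustive_disp8_smoke());
}
```

The same discipline (checked or explicitly wrapping arithmetic, `get` instead of indexing) is what a fuzz target such as the reporter's should exercise in a debug profile, since `cargo fuzz` and `cargo test` keep overflow checks on by default and therefore surface exactly the panic seen above.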
iximeow commented 2 years ago

thanks for the report! this one's pretty awkward: in release builds it does the right thing and i missed this in my own fuzzing. i've fixed this in f063f74.

(edit: and published as 1.1.2)