jbeder / yaml-cpp

A YAML parser and emitter in C++
MIT License
5.05k stars 1.81k forks

Added yaml-cpp to OSS-Fuzz project #599

Open zamazan4ik opened 6 years ago

zamazan4ik commented 6 years ago

Hello.

Do you want to add your project to the oss-fuzz test system? https://github.com/google/oss-fuzz

It can help with searching for possible bugs in the project.

I tried to add LibFuzzer to your project, but got some errors:

#include <cstddef>
#include <cstdint>
#include <string>

#include "yaml-cpp/yaml.h"

// Parse every document in the input. Any exception the parser throws is
// swallowed, so only crashes, hangs and sanitizer reports are flagged.
void parse(const std::string& str) 
{
    try 
    {
        auto nodes = YAML::LoadAll(str);
    }
    catch(...)
    {
    }
}

// libFuzzer entry point: copy the raw bytes (embedded NULs included) into a
// std::string and hand them to the parser.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    std::string str((const char*)data, size);
    parse(str);
    return 0;
}

I got an error:

INFO: Loaded 1 modules   (45 inline 8-bit counters): 45 [0x7d50a0, 0x7d50cd), 
INFO: Loaded 1 PC tables (45 PCs): 45 [0x5a9420,0x5a96f0), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 18 ft: 19 corp: 1/1b exec/s: 0 rss: 37Mb
        NEW_FUNC[0/12]: 0x559640  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x559640)
        NEW_FUNC[1/12]: 0x559700  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x559700)
#5      NEW    cov: 36 ft: 38 corp: 2/3b exec/s: 0 rss: 38Mb L: 2/2 MS: 2 CopyPart-ChangeBinInt-
#11     NEW    cov: 37 ft: 40 corp: 3/4099b exec/s: 0 rss: 39Mb L: 4096/4096 MS: 1 CrossOver-
#36     REDUCE cov: 37 ft: 40 corp: 3/2656b exec/s: 0 rss: 40Mb L: 2653/2653 MS: 4 CrossOver-ShuffleBytes-ChangeByte-CrossOver-
#38     REDUCE cov: 37 ft: 40 corp: 3/2018b exec/s: 0 rss: 41Mb L: 2015/2015 MS: 2 CopyPart-EraseBytes-
#40     REDUCE cov: 37 ft: 40 corp: 3/1639b exec/s: 0 rss: 41Mb L: 1636/1636 MS: 2 ChangeBinInt-EraseBytes-
#53     REDUCE cov: 37 ft: 40 corp: 3/1638b exec/s: 0 rss: 41Mb L: 1/1636 MS: 3 ShuffleBytes-EraseBytes-ChangeBit-
#54     REDUCE cov: 37 ft: 40 corp: 3/1118b exec/s: 0 rss: 41Mb L: 1116/1116 MS: 1 EraseBytes-
#55     REDUCE cov: 37 ft: 40 corp: 3/985b exec/s: 0 rss: 41Mb L: 983/983 MS: 1 EraseBytes-
a.out: /home/zamazan4ik/OpenSource/yaml-cpp/src/scanner.cpp:32: YAML::Token& YAML::Scanner::peek(): Assertion `!m_tokens.empty()' failed.
==607== ERROR: libFuzzer: deadly signal
    #0 0x52d9ad  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x52d9ad)
    #1 0x43872a  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x43872a)
    #2 0x438783  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x438783)
    #3 0x7f2ddbe33fbf  (/lib64/libpthread.so.0+0x11fbf)
    #4 0x7f2ddb475f2a  (/lib64/libc.so.6+0x36f2a)
    #5 0x7f2ddb460560  (/lib64/libc.so.6+0x21560)
    #6 0x7f2ddb460430  (/lib64/libc.so.6+0x21430)
    #7 0x7f2ddb46e691  (/lib64/libc.so.6+0x2f691)
    #8 0x564113  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x564113)
    #9 0x57375b  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x57375b)
    #10 0x573d73  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x573d73)
    #11 0x55c949  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x55c949)
    #12 0x55adc0  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x55adc0)
    #13 0x55b050  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x55b050)
    #14 0x55927a  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x55927a)
    #15 0x5594d6  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x5594d6)
    #16 0x438b9a  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x438b9a)
    #17 0x439b70  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x439b70)
    #18 0x43b2b7  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x43b2b7)
    #19 0x43e497  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x43e497)
    #20 0x42ce3f  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x42ce3f)
    #21 0x4220a6  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x4220a6)
    #22 0x7f2ddb46218a  (/lib64/libc.so.6+0x2318a)
    #23 0x422dc9  (/home/zamazan4ik/OpenSource/yaml-cpp/fuzzer/a.out+0x422dc9)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 CopyPart-ChangeBinInt-ChangeByte-InsertByte-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x21,0x0,0x27,
!\x00'
artifact_prefix='./'; Test unit written to ./crash-857840673390192387fa8c9f58305cb81ba120b0
Base64: IQAn

How can I fix it?
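
The crashing input is already in the report above: libFuzzer prints the unit as a comma-separated hex dump and again as Base64, and writes it to the crash-<hash> file named on the artifact line. The script below, an added example for this thread and not code from the issue author or the yaml-cpp project, decodes those two lines, checks that they agree, recomputes the artifact name from the bytes (libFuzzer uses the SHA-1 of the unit), and renders the bytes as a std::string literal that keeps the embedded NUL so the case can be turned into a unit test. The three log lines are copied from the report; the helper names and the ./a.out reproducer path are assumptions of this example.

```python
"""Recover the crashing input from the libFuzzer report quoted above.

Added example for this thread, not code from the yaml-cpp project or the
issue author. The three log lines are copied from the report; the function
names and the ./a.out reproducer path are assumptions of this example.
"""
import base64
import hashlib
import re

# Copied from the libFuzzer report above: the unit is printed twice, once as
# a comma-separated hex dump and once as Base64, and written to a file named
# after its hash.
HEX_LINE = "0x21,0x0,0x27,"
BASE64_LINE = "Base64: IQAn"
ARTIFACT_LINE = ("artifact_prefix='./'; Test unit written to "
                 "./crash-857840673390192387fa8c9f58305cb81ba120b0")


def bytes_from_hex_line(line: str) -> bytes:
    """Parse the '0x21,0x0,0x27,' style dump into raw bytes."""
    tokens = [tok for tok in line.strip().split(",") if tok]
    return bytes(int(tok, 16) for tok in tokens)


def bytes_from_base64_line(line: str) -> bytes:
    """Parse the 'Base64: IQAn' line; it encodes the same unit."""
    prefix = "Base64:"
    if not line.startswith(prefix):
        raise ValueError("not a libFuzzer Base64 line")
    return base64.b64decode(line[len(prefix):].strip(), validate=True)


def artifact_from_log(line: str) -> str:
    """Pull the artifact path out of the 'Test unit written to ...' line."""
    m = re.search(r"Test unit written to (\S+)", line)
    if m is None:
        raise ValueError("no artifact path in line")
    return m.group(1)


def artifact_name(unit: bytes, prefix: str = "./") -> str:
    """libFuzzer names a crash artifact '<prefix>crash-<sha1 of the unit>'."""
    return f"{prefix}crash-{hashlib.sha1(unit).hexdigest()}"


def cpp_literal(unit: bytes) -> str:
    """Render the unit as a std::string constructor call that keeps NULs.

    Octal escapes are used because a '\\x' escape would swallow any hex
    digit that follows it; the explicit length keeps the embedded 0x00 byte.
    """
    parts = []
    for b in unit:
        if b in (0x22, 0x5C):            # '"' and '\\' must be escaped
            parts.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:03o}")
    body = "".join(parts)
    return f'std::string("{body}", {len(unit)})'


def recover_unit(hex_line: str, base64_line: str) -> bytes:
    """Decode both encodings and insist they agree before trusting either."""
    unit = bytes_from_hex_line(hex_line)
    if unit != bytes_from_base64_line(base64_line):
        raise ValueError("hex dump and Base64 line disagree")
    return unit


def reproducer(unit: bytes, binary: str = "./a.out", prefix: str = "./") -> dict:
    """Collect what is needed to replay the crash outside the fuzzing loop.

    The artifact name is recomputed from the bytes so it can be compared with
    the name in the log; libFuzzer replays a file passed as its argument.
    """
    name = artifact_name(unit, prefix)
    return {
        "bytes": unit,
        "artifact": name,
        "command": f"{binary} {name}",
        "literal": cpp_literal(unit),
    }


if __name__ == "__main__":
    unit = recover_unit(HEX_LINE, BASE64_LINE)
    info = reproducer(unit)
    print("crashing input:", info["bytes"])
    print("matches log artifact:", info["artifact"] == artifact_from_log(ARTIFACT_LINE))
    print("replay:", info["command"])
    print("as C++:", info["literal"])
```

Two things worth noting when reading the report this way. The harness's catch(...) cannot help with this particular failure: assert() aborts the process with a signal rather than throwing, which is why libFuzzer reports "deadly signal" instead of moving on to the next input. And, as the report's own NOTE says, building the harness with AddressSanitizer gives a symbolized stack instead of the bare addresses shown above.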

jbeder commented 6 years ago

What was the input?

zamazan4ik commented 6 years ago

&('(