Closed d33tah closed 2 years ago
Hi! I have fuzzed the program myself, but I wasn't able to stumble upon this issue. I'll look at it shortly and I think I know what causes it.
To clarify, "extensively tested" means that I had tested whether a round trip (hash => compress => decompress => hash) on the data works - the final corpus I put together was well over 100 GiB. Fuzzing was a part of a later process which I had admittedly neglected a little.
moved to #14.
Hi! Congratulations on making it to the main page of Hacker News! :) I read the comments and saw some people complain about crashes, so I tried your project out with afl-fuzz.
I basically only gave it one seed, which is a "hello" message compressed as bzip3. Within minutes, I got dozens of unique code paths that crash. Among the crash causes is SIGSEGV, which is a strong hint that there might be a security problem. Here's a look with a debugger:
And the base16-encoded input case:
Sometimes such errors can lead to arbitrary code execution, meaning that decompressing an untrusted archive leads to compromising the user's system. I cannot share all of the crashes with you, but I can assist you with setting up afl-fuzz and investigating the crashes. Anyway, please fuzz the project - otherwise claiming that it has been "extensively tested" is a bit of a dangerous thing to say.
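The workflow described in the report above (one seed, afl-fuzz against the decompressor, then triage of the crashes by signal, backtrace and base16-encoded input), as an added shell example that is not part of the original issue or of bzip3 itself. It assumes AFL++ is installed (afl-clang-fast, afl-fuzz), that the bzip3 checkout in $BZIP3_SRC builds with ./configure && make, and that the resulting bzip3 binary accepts -e (compress), -d (decompress) and -c (write to stdout); the directory names and the $WORK layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bzip3 project or from the issue reporter.
# Assumptions: AFL++ in PATH, bzip3 source in $BZIP3_SRC building with
# ./configure && make, and a bzip3 CLI that takes -e / -d / -c.
set -eu

BZIP3_SRC="${BZIP3_SRC:-./bzip3}"     # assumption: where the checkout lives
WORK="${WORK:-./fuzz-bzip3}"          # assumption: scratch directory for this run

# Build an instrumented binary so afl-fuzz gets coverage feedback.
build_instrumented() {
    mkdir -p "$WORK"
    (cd "$BZIP3_SRC" && CC=afl-clang-fast ./configure >/dev/null \
        && make -j"$(nproc 2>/dev/null || echo 2)" >/dev/null)
    cp "$BZIP3_SRC/bzip3" "$WORK/bzip3-afl"
}

# One seed is enough to start: a short message compressed with bzip3 itself,
# which is exactly what the report used.
make_seed() {
    mkdir -p "$WORK/in"
    printf 'hello\n' | "$WORK/bzip3-afl" -e -c > "$WORK/in/hello.bz3"
}

# Fuzz the decompressor. @@ is replaced by the path of each generated input;
# -m none lifts AFL's memory limit so large block buffers are not mistaken for
# out-of-memory crashes (harmless where the limit is already unlimited).
run_fuzzer() {
    afl-fuzz -i "$WORK/in" -o "$WORK/out" -m none -- "$WORK/bzip3-afl" -d -c @@
}

# AFL++ names each crash "id:NNNNNN,sig:SS,...". Pull out the signal number so
# SIGSEGV (11) cases, the ones most likely to be memory-safety bugs, can be
# looked at before SIGABRT (6) cases such as failed assertions.
crash_signal() {
    basename "$1" | sed -n 's/^id:[0-9]*,sig:\([0-9]*\),.*/\1/p'
}

# Base16 (hex) encoding of an input file, so a reproducer can be pasted into a
# bug report the way the issue above does. od -An -v -tx1 is POSIX.
hex_encode() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Re-run every crash under gdb and print signal, backtrace and the hex input.
triage_crashes() {
    for f in "$WORK"/out/default/crashes/id:*; do
        [ -e "$f" ] || continue
        echo "== $(basename "$f") (signal $(crash_signal "$f"))"
        gdb --batch -q -ex run -ex bt --args "$WORK/bzip3-afl" -d -c "$f" 2>&1 \
            | sed -n '/^Program received/,$p'
        echo "input (base16): $(hex_encode "$f")"
    done
}

# Usage:  sh fuzz-bzip3.sh fuzz     (build, seed, start afl-fuzz; Ctrl-C later)
#         sh fuzz-bzip3.sh triage   (walk the crashes directory)
case "${1:-}" in
    fuzz)   build_instrumented; make_seed; run_fuzzer ;;
    triage) triage_crashes ;;
esac
```

The crash files are sorted by signal only as a first cut: a SIGSEGV at a read is already worth reporting, but it is the write-side faults and the backtraces that land inside the decoder's buffer handling that should be reduced to a minimal input and looked at first.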