search

mindeng / nom-exif

Exif/metadata parsing library written in pure Rust, both image (jpeg/heif/heic/jpg/tiff etc.) and video/audio (mov/mp4/3gp/webm/mkv/mka, etc.) files are supported.
https://crates.io/crates/nom-exif
MIT License
43 stars 6 forks source link

Six various fuzzer-detected crashes #6

Closed sigaloid closed 2 months ago

sigaloid commented 2 months ago

Hi, tossed this crate's fuzzer onto my home server and let it run for a while, and it found a few more crashes. Not sure which of these are duplicates (looks like all have unique error messages except 1 and 2), but these inputs all panic and crash:

crashes.zip

Here's what they look like:

mattop@mattop ~/n/afl-fuzz (main)> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000000*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
memory allocation of 10071698309156 bytes failed
mattop@mattop ~/n/afl-fuzz (main) [1]> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000001*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
box size of box 'AoEx' is too big: 4292411361
box size of box 'AoEx' is too big: 4292411361
thread 'main' panicked at /home/mattop/nom-exif/src/exif/ifd.rs:163:55:
range end index 2 out of range for slice of length 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mattop@mattop ~/n/afl-fuzz (main) [1]> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000002*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
box size of box 'AoEx' is too big: 4292411361
box size of box 'AoEx' is too big: 4292411361
thread 'main' panicked at /home/mattop/nom-exif/src/exif/ifd.rs:163:55:
range end index 2 out of range for slice of length 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mattop@mattop ~/n/afl-fuzz (main) [1]> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000003*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
thread 'main' panicked at /home/mattop/nom-exif/src/bbox/mvhd.rs:39:9:
attempt to multiply with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mattop@mattop ~/n/afl-fuzz (main) [1]> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000004*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
box size of box 'EiEx' is too big: 4292411361
box size of box 'EiEx' is too big: 4292411361
thread 'main' panicked at /home/mattop/nom-exif/src/exif/ifd.rs:163:55:
range end index 2 out of range for slice of length 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
mattop@mattop ~/n/afl-fuzz (main)> cargo afl run ./target/release/afl-fuzz < out/default/crashes/id:000005*
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/afl-fuzz ./target/release/afl-fuzz`
memory allocation of 10071698309124 bytes failed
mindeng commented 2 months ago

Thank you very much for your help testing and reporting these crash issues!

I also found these problems in the test. They are all slice-related out-of-bounds problems. They have been fixed. Please refer to this commit.

I have tested all the crash reports in the attachment you uploaded and they have all been fixed.

If you encounter any other problems, or have other suggestions, please feel free to give feedback, thanks again!

sigaloid commented 2 months ago

Awesome, thanks for the quick fix!