pcercuei / libini

Library to read INI configuration files
GNU Lesser General Public License v2.1

Segmentation fault while testing with AFL fuzzer #3

Open tysonite opened 3 years ago

tysonite commented 3 years ago

I was just interested in playing with the AFL fuzzer on some library. I instrumented and ran libini's example under AFL; there were a few crashes for the inputs below.

Inputs:

The core dump can be reproduced by running example/test <input>.txt.

The backtrace looks like this:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  ini_next_section (ini=0x55d0bc8264c0, name=0x7fffd0e2af10, name_len=0x7fffd0e2af18)
    at /home/tysonite/libini/libini.c:163
163         if (ini->curr == ini->end || *ini->curr == '\n')
(gdb) bt
#0  ini_next_section (ini=0x55d0bc8264c0, name=0x7fffd0e2af10, name_len=0x7fffd0e2af18)
    at /home/tysonite/libini/libini.c:163
#1  0x000055d0ba74ac8f in main (argc=<optimized out>, argv=<optimized out>) at test.c:27

pcercuei commented 3 years ago

The library kind of expects the input to be at least a little bit correct :)

mthuurne commented 3 years ago

Still, it should just return -EIO instead of segfaulting...

I think the problem might be that on line 160 the ini->curr pointer is increased, and on line 162 it is increased again, so if the last character in the string is [, it will read past the end of the input.

If that is indeed the problem, a possible fix would be to replace ++ini->curr by ini->curr + 1 on line 160.
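The failure mode discussed in this thread (a header reader that steps its pointer past the end of the input and then dereferences it) is easiest to see next to a reader that cannot do that. The following is an added example and not libini's code: its struct ini_cursor, next_section, skip_body and scan_sections are hypothetical names, and the inputs are constructed, including the lone "[" that mthuurne's hypothesis describes. It keeps an offset that is compared against the length before every read, so truncated headers yield -EIO, as mthuurne suggests, rather than an out-of-bounds read.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parser state (not libini's struct INI): an offset into a
 * bounded buffer instead of a bare pointer, so every advance is compared
 * against len before the byte at that position is read. */
struct ini_cursor {
    const char *buf;
    size_t len;
    size_t pos;
};

/* Skip blank lines, whitespace and ';'/'#' comment lines. */
static void skip_blank_and_comments(struct ini_cursor *c)
{
    while (c->pos < c->len) {
        char ch = c->buf[c->pos];
        if (ch == '\n' || ch == '\r' || ch == ' ' || ch == '\t') {
            c->pos++;
        } else if (ch == ';' || ch == '#') {
            while (c->pos < c->len && c->buf[c->pos] != '\n')
                c->pos++;
        } else {
            break;
        }
    }
}

/* Read the next "[name]" header.
 * Returns 1 and sets *name/*name_len on success, 0 at end of input,
 * -EIO on malformed or truncated input. The cursor is re-checked after
 * stepping over '[', which is exactly where a bare pointer that is
 * incremented twice would end up one past the end of the buffer. */
int next_section(struct ini_cursor *c, const char **name, size_t *name_len)
{
    const char *close;

    skip_blank_and_comments(c);
    if (c->pos == c->len)
        return 0;
    if (c->buf[c->pos] != '[')
        return -EIO;
    c->pos++;                 /* step over '[' ... */
    if (c->pos == c->len)     /* ... and check again before reading: "[" alone */
        return -EIO;

    close = memchr(c->buf + c->pos, ']', c->len - c->pos);
    if (close == NULL)        /* "[abc" with no closing bracket */
        return -EIO;
    *name = c->buf + c->pos;
    *name_len = (size_t)(close - *name);
    if (*name_len == 0)       /* "[]" */
        return -EIO;
    if (memchr(*name, '\n', *name_len) != NULL)  /* ']' only on a later line */
        return -EIO;
    c->pos = (size_t)(close - c->buf) + 1;       /* step over ']' */
    return 1;
}

/* Skip the rest of the header line and the key=value lines that follow,
 * stopping at end of input or at a line that starts a new section. */
static void skip_body(struct ini_cursor *c)
{
    for (;;) {
        const char *nl = memchr(c->buf + c->pos, '\n', c->len - c->pos);
        if (nl == NULL) {
            c->pos = c->len;
            return;
        }
        c->pos = (size_t)(nl - c->buf) + 1;
        if (c->pos == c->len || c->buf[c->pos] == '[')
            return;
    }
}

/* Walk every section in buf. Returns 0 on a clean end of input or -EIO
 * on the first malformed header; *count receives the headers read. */
int scan_sections(const char *buf, size_t len, int *count)
{
    struct ini_cursor c = { buf, len, 0 };
    const char *name;
    size_t name_len;
    int ret;

    *count = 0;
    while ((ret = next_section(&c, &name, &name_len)) == 1) {
        (*count)++;
        skip_body(&c);
    }
    return ret;
}

/* String wrappers so one fuzz-style case can be checked in a single call. */
int scan_status(const char *s) { int n; return scan_sections(s, strlen(s), &n); }
int scan_count(const char *s)  { int n; scan_sections(s, strlen(s), &n); return n; }

int main(void)
{
    /* constructed inputs; "[" is the shape of input mthuurne's comment describes */
    const char *cases[] = { "[", "[abc", "[]", "[a\n]", "key=v\n",
                            "", "; comment\n[alpha]\nk=v\n\n[beta]\nx=1\n" };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("case %zu -> status %d, sections %d\n",
               i, scan_status(cases[i]), scan_count(cases[i]));
    return 0;
}
```

The point of the offset-plus-length shape is that the end-of-input test and the dereference are always adjacent: after any increment the code asks "pos == len?" before it reads buf[pos], so the equality check cannot be skipped over by a second increment the way a pointer compared only with == end can be.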