Describe the bug
We found several undefined behaviors after testing one of the harnesses provided on the OSS-Fuzz repository (ia-fuzz).
During our tests, we found:
1. left shift cannot be represented by destination type in function r_sleb128() (uleb128.c:165)
2. signed integer overflow in function PE_(r_bin_pe_get_sections)(RBinPEObj* pe) (pe.c:4331)
3. left shift cannot be represented by destination type in function r_bin_te_get_main_paddr() (te.c:71)
4. signed integer overflow in function reloc_convert() (bin_elf.inc.c:540)
5. shift exponent is too large in function r_uleb128_decode() (uleb128.c:78)
6. signed integer overflow in function reloc_convert() (bin_elf.inc.c:542)
7. left shift cannot be represented by destination type in function r_buf_sleb128() (buf.c:758)
8. left shift cannot be represented by destination type in function PE_(r_bin_pe_get_entrypoint)(RBinPEObj* pe) (pe.c:3483)
9. left shift of negative value in function PE_(r_bin_pe_get_entrypoint)(RBinPEObj* pe) (pe.c:3483)
To Reproduce
In the attached archive you will find a directory bugs containing the several inputs that triggered the aforementioned bugs and their respective UBSan log, enumerated as the list above.
Unfortunately, we could not share the binary we used for testing in the zip archive as its size is greater than the maximum size allowed for attachments on this report. We ran our tests on the fuzzing harness you made available for OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag --sanitizer=undefined.
To reproduce the errors, simply run the given binary on the provided testcase files with a command like ./ia_fuzz /path_to_testcases/input
The commit hash used to perform the tests is 2e2f7aa.
Environment
OS: Linux
Version/Distribution: Ubuntu 20.04
Architecture: x86_64
We are aware that reporting many bugs at once may be inconvenient, and we remain available to assist you in the bug fixing process.
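Several of the findings above (items 1, 5 and 7) are in LEB128 decoding, so the following added example (written for this report, not radare2's code and not taken from the attached archive) shows ULEB128 and SLEB128 decoders structured to avoid those UB classes: the shift amount is bounds-checked before every use, and the signed variant accumulates in an unsigned integer so no negative value is ever left-shifted. Function names and the sample byte sequences are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Unsigned LEB128 decoder. Returns bytes consumed, or 0 when the input is
 * truncated or the value does not fit in 64 bits. The shift is checked before
 * it is used, so "shift exponent is too large" (shift >= 64) cannot happen. */
size_t uleb128_decode(const uint8_t *buf, size_t len, uint64_t *out) {
    uint64_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        uint64_t low7 = buf[i] & 0x7f;
        if (shift >= 64 || (shift > 57 && (low7 >> (64 - shift)) != 0)) {
            return 0;                         /* bits would be shifted out: overflow */
        }
        value |= low7 << shift;
        if (!(buf[i] & 0x80)) { *out = value; return i + 1; }
        shift += 7;
    }
    return 0;                                 /* continuation bit set on the last byte */
}

/* Signed LEB128 decoder. Accumulates in an unsigned type so no negative value
 * is ever left-shifted ("left shift of negative value" is UB on signed types).
 * Returns bytes consumed, or 0 on truncation or int64 overflow. */
size_t sleb128_decode(const uint8_t *buf, size_t len, int64_t *out) {
    uint64_t value = 0;
    unsigned shift = 0;
    size_t i = 0;
    uint8_t byte;
    do {
        if (i >= len || shift >= 64) return 0;  /* truncated, or 11th byte */
        byte = buf[i++];
        value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift > 64) {
        /* 10th byte: only bit 63 fits, so the whole group must be sign bits */
        if ((byte & 0x7f) != ((byte & 0x40) ? 0x7f : 0x00)) return 0;
    } else if (byte & 0x40) {
        value |= ~(uint64_t)0 << shift;       /* sign-extend inside the unsigned accumulator */
    }
    *out = (int64_t)value;                    /* conversion, not a shift: no UB */
    return i;
}
```

Rejecting over-long or out-of-range encodings with a return value, instead of silently shifting, is what turns each of the listed UBSan reports into an ordinary parse error.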