servo / rust-url

URL parser for Rust
https://docs.rs/url/
Apache License 2.0

The input URLs generated by the fuzzer can be problematic as they cause very long parse times #918

Open goldds96 opened 3 months ago

goldds96 commented 3 months ago

Describe the bug

I performed fuzzing for rust-url using afl.rs in the following way.

cargo new --bin url-fuzz-target
cd url-fuzz-target
cargo afl build

While performing fuzzing, I discovered a bug where the input generated by the fuzzer caused very long parse times, preventing the program from terminating.

poc.zip

I reproduced this process as follows.

(1) unzip the attached poc.zip

(2) run

cargo afl run url-fuzz-target < ./id:000000,src:002523,time:11346358,execs:197688102,op:havoc,rep:1

Then the program will not terminate as follows.

[Screenshot from 2024-04-01 11-25-43]
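The hang reported above is a parse-time denial of service in a library that is routinely fed untrusted input. As an added example (not rust-url's code and not the reporter's harness), here is a std-only Rust wrapper a caller can put around such a parse so that a pathological URL is rejected or times out instead of stalling the thread. `parse_bounded`, `MAX_URL_LEN` (8 KiB, an assumed limit) and `demo_parse` are all constructed for this example; `demo_parse` stands in for `url::Url::parse` and sleeps when the input starts with `slow:` to imitate an input that drives the parser into very long work.

```rust
// Added example (not rust-url's own code): bound the work an untrusted
// URL parse may do, so a pathological input fails fast instead of hanging.
use std::sync::mpsc::{self, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Result of running a parse under a length and time budget.
#[derive(Debug, PartialEq)]
pub enum Bounded<T> {
    Done(T),
    /// Rejected before parsing: input longer than `MAX_URL_LEN`.
    TooLong { len: usize, max: usize },
    /// The parser did not finish within the budget.
    TimedOut,
    /// The parser thread panicked before producing a value.
    Failed,
}

/// Upper bound on the input handed to any parser (assumed value for this example).
pub const MAX_URL_LEN: usize = 8 * 1024;

/// Run `parse` on a worker thread and wait at most `budget` for it.
/// On timeout the worker is detached (it keeps running until the process
/// exits) and the caller gets `TimedOut` at once instead of blocking.
pub fn parse_bounded<T, F>(input: &str, budget: Duration, parse: F) -> Bounded<T>
where
    T: Send + 'static,
    F: FnOnce(String) -> T + Send + 'static,
{
    // Cheap pre-check: refuse oversized input before any parsing happens.
    if input.len() > MAX_URL_LEN {
        return Bounded::TooLong { len: input.len(), max: MAX_URL_LEN };
    }
    let (tx, rx) = mpsc::channel();
    let owned = input.to_string();
    thread::spawn(move || {
        // A send error only means the caller already gave up; ignore it.
        let _ = tx.send(parse(owned));
    });
    match rx.recv_timeout(budget) {
        Ok(value) => Bounded::Done(value),
        Err(RecvTimeoutError::Timeout) => Bounded::TimedOut,
        // The sender is dropped without a value only if the worker panicked.
        Err(RecvTimeoutError::Disconnected) => Bounded::Failed,
    }
}

/// Constructed stand-in for a real parser such as `url::Url::parse`.
/// It returns the input length when a scheme separator is present, and
/// sleeps to imitate an input that drives the parser into very long work.
pub fn demo_parse(s: String) -> Option<usize> {
    if s.starts_with("slow:") {
        thread::sleep(Duration::from_secs(2));
    }
    if s.contains("://") { Some(s.len()) } else { None }
}

fn main() {
    let budget = Duration::from_millis(100);
    println!("{:?}", parse_bounded("https://example.com/", budget, demo_parse));
    println!("{:?}", parse_bounded("slow://example.com/", budget, demo_parse));
    println!("{:?}", parse_bounded(&"a".repeat(MAX_URL_LEN + 1), budget, demo_parse));
}
```

The length cap is the cheap first line of defence: most complexity problems in parsers grow with input size, so a service that never accepts multi-megabyte URLs removes much of the exposure. The timeout is the backstop for inputs under the cap. Note that a timed-out worker is only detached, not killed, so a server under attack should treat repeated `TimedOut` results as a signal to reject the client or rate-limit, not as a condition that can be retried indefinitely.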