Closed pauldreik closed 3 years ago
It seems that the following returns an error condition...
#include "simdjson.h"
// decode_base64() and print_hex() are the reporter's own helpers (not shown here).
simdjson::dom::parser parser;
simdjson::padded_string input = decode_base64("CQA5OAo5CgoKCiIiXyIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiJiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiXyIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiJiIiIiIiIiIiIiIiIiIiIiLb29vb29vb29vb29vb29vz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz8/Pz29vb29vb29vbIiIiIiIiIiIiIiIiIiIiIiIiIiIiJiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiYiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI=");
print_hex(input);
simdjson::dom::document_stream stream;
// parse_many() reports the error here; the stream must not be iterated when error is set.
auto error = parser.parse_many(input).get(stream);
In hexadecimal, the base64 translates to
09 00 39 38 0A 39 0A 0A 0A 0A 22 22 5F 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 26 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 5F 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 26 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 DB DB DB DB DB DB DB DB DB DB DB DB DB DB DB F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 F3 DB DB DB DB DB DB DB DB DB 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 26 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 26 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 00
See https://cryptii.com/pipes/base64-to-hex to verify. This is clearly invalid.
The stack error fails at simdjson::dom::document_stream::iterator::operator++(), but it should never make it to the iterator since parse_many reveals an error.
Running the tests with sanitizers does not appear to reveal an issue...
$ git checkout dlemire/document_stream_fuzz_issues
$ cmake -DSIMDJSON_SANITIZE=ON -Bstream_issues
$ cmake --build stream_issues --target document_stream_tests
$ ./stream_issues/tests/document_stream_tests
Reference: https://github.com/simdjson/simdjson/pull/1318/files
Accidentally, one could set the batch size to an unreasonable value (e.g., 0): let us guard against it: https://github.com/simdjson/simdjson/pull/1319
@pauldreik
It seems that we may have had a thread safety issue in the sense that the buffer could be deleted before the thread was stopped.
Closing (assumed fixed).
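The closing comment above attributes the crash to the input buffer being freed before the worker thread had stopped, and the earlier comment to a missing guard on the batch size. The following is an added illustration of both fix shapes in a hypothetical stand-in class; it is not simdjson's code, and BatchStream, valid_batch_size and kMaxBatch are invented names used only for this example.

```cpp
#include <atomic>
#include <cstddef>
#include <string>
#include <thread>
#include <utility>

// Hypothetical stand-in for a streaming parser that scans the input in batches
// on a worker thread. Example only; it is not simdjson's document_stream.
class BatchStream {
public:
  static constexpr std::size_t kMaxBatch = 1u << 20;  // assumed upper bound

  // Guard in the spirit of the batch-size check mentioned above: a batch size
  // of 0 can never make progress, so it is rejected before any thread starts.
  static bool valid_batch_size(std::size_t batch_size) {
    return batch_size > 0 && batch_size <= kMaxBatch;
  }

  BatchStream(std::string input, std::size_t batch_size)
      : buf_(std::move(input)), batch_size_(batch_size) {
    if (!valid_batch_size(batch_size_)) {
      error_ = true;  // caller must check error() before touching the stream
      return;
    }
    // The worker only reads memory owned by this object (buf_), so the
    // object must outlive the thread; see the destructor.
    worker_ = std::thread([this] { scan(); });
  }

  // The fix shape for the use-after-free described in the thread: stop and
  // join the worker in the destructor body, which runs *before* buf_ is
  // destroyed, so the thread can never observe a freed buffer.
  ~BatchStream() {
    stop_.store(true);
    if (worker_.joinable()) worker_.join();
  }

  bool error() const { return error_; }

  // Number of batches the worker visited; joining first makes the read
  // race-free (join establishes a happens-before edge).
  std::size_t batches() {
    if (worker_.joinable()) worker_.join();
    return batches_;
  }

private:
  void scan() {
    for (std::size_t off = 0; off < buf_.size() && !stop_.load(); off += batch_size_) {
      ++batches_;  // a real parser would process buf_[off, off + batch_size_) here
    }
  }

  std::string buf_;
  std::size_t batch_size_;
  std::atomic<bool> stop_{false};
  std::thread worker_;
  std::size_t batches_ = 0;
  bool error_ = false;
};
```

A constructed 10-byte input with a batch size of 4 yields three batches, and a batch size of 0 sets the error flag without ever starting a thread.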
Use the fuzzer in https://github.com/simdjson/simdjson/pull/1304
To reproduce, check out that branch and then:
It should crash easily, within seconds.
Threads=On
base64 of non-minimized crashing input: