stcorp / harp

Data harmonization toolset for scientific earth observation data
http://stcorp.github.io/harp/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

Fuzzer found use-of-uninitialized-value in harp-geometry-sphere-line.c:110 #280

Closed schwehr closed 1 year ago

schwehr commented 1 year ago

This is just a sign that something isn't being error checked that should be. The fuzzer-derived junk input is:

area_covers_area((0180,0,0),(3,3,3e844))

Stack trace:

stcorp_harp-fuzz-corpus-program_from_string-7-7853ccaa0c6be2a8f240ab1cdcaa8aa1744c4781 (40 bytes)
==10019==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5615c159d55e in spherical_line_equal libharp/harp-geometry-sphere-line.c:110:9
    #1 0x5615c159c5f2 in harp_spherical_line_spherical_line_relationship libharp/harp-geometry-sphere-line.c:168:9
    #2 0x5615c15984d7 in harp_spherical_polygon_check libharp/harp-geometry-sphere-polygon.c:236:28
    #3 0x5615c159be1f in harp_spherical_polygon_from_latitude_longitude_bounds libharp/harp-geometry-sphere-polygon.c:1145:13
    #4 0x5615c158d895 in add_latitude_longitude_bounds_to_area_mask libharp/harp-operation.c:114:13
    #5 0x5615c158d59b in harp_operation_area_covers_area_filter_new libharp/harp-operation.c:1464:13
    #6 0x5615c1579d33 in harp_operation_parser_parse libharp/harp-operation-parser.y:612:17
    #7 0x5615c157f631 in harp_program_from_string libharp/harp-operation-parser.y:1702:9
    #8 0x5615c15756aa in LLVMFuzzerTestOneInput fuzz/harp_program_from_string_fuzzer.cc:19:7

svniemeijer commented 1 year ago

I have an idea where this could come from, but could you clarify how you are able to provide 3e844 as input? This is not a value that can be represented by a double. (or is it a typo and did you mean 3e84?)

svniemeijer commented 1 year ago

Never mind. This is of course the parsing from text to number by HARP itself. I will look into it.
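
An input-validation check of the kind this text-to-number bug calls for, as an added example (not HARP's own code; the helper names and the token list are constructed here): strtod() alone accepts "3e844" by returning HUGE_VAL with errno set to ERANGE, so the caller has to check that before using the value.

```c
#include <errno.h>
#include <math.h>
#include <stddef.h>
#include <stdlib.h>

/* Outcome of the strict parse (hypothetical helper, not HARP's own API). */
enum parse_status { PARSE_OK = 0, PARSE_SYNTAX, PARSE_RANGE, PARSE_NONFINITE };

/* Parse one complete token as a finite double. strtod() alone is not enough:
 * "3e844" overflows, so strtod() returns HUGE_VAL and sets errno to ERANGE, and a
 * caller that ignores that carries an infinity into the geometry code. Trailing
 * characters, empty input and literal "inf"/"nan" spellings are rejected too. */
static enum parse_status parse_finite_double(const char *text, double *out)
{
    char *end = NULL;
    double value;

    if (text == NULL || *text == '\0')
        return PARSE_SYNTAX;
    errno = 0;
    value = strtod(text, &end);
    if (end == text || *end != '\0')
        return PARSE_SYNTAX;      /* nothing consumed, or junk after the number */
    if (errno == ERANGE)
        return PARSE_RANGE;       /* overflow to HUGE_VAL, or underflow */
    if (!isfinite(value))
        return PARSE_NONFINITE;   /* "inf" and "nan" parse cleanly without ERANGE */
    *out = value;
    return PARSE_OK;
}

/* Wrappers so each result is a plain return value that a caller can check. */
static int status_of(const char *text) { double v; return parse_finite_double(text, &v); }
static double value_of(const char *text) { double v = NAN; parse_finite_double(text, &v); return v; }

/* Index of the first token that does not parse, or -1 if every token is acceptable. */
static int first_bad_token(const char *const *tokens, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (status_of(tokens[i]) != PARSE_OK)
            return (int)i;
    return -1;
}

/* The number literals from the fuzzer input on this issue, constructed as a token list. */
static const char *const FUZZ_TOKENS[] = { "0180", "0", "0", "3", "3", "3e844" };
#define FUZZ_TOKEN_COUNT (sizeof FUZZ_TOKENS / sizeof FUZZ_TOKENS[0])
```

With these checks the parser rejects the last token of the fuzzer input instead of handing an infinity to the polygon code, which is where the sanitizer later reported uninitialized reads.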

svniemeijer commented 1 year ago

This should be fixed with 2fc80f33612850eb01117e7d1df86563f0ca5018. Let me know if this is the case.

schwehr commented 1 year ago

Thanks! That particular issue is resolved. And then it trips up on something else.

==9594==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x563bc839f35f in vector3d_apply_euler_transformation libharp/harp-geometry-sphere-euler.c:233:13
    #1 0x563bc839f35f in harp_spherical_point_apply_euler_transformation libharp/harp-geometry-sphere-euler.c:292:5
    #2 0x563bc839d413 in harp_spherical_line_begin libharp/harp-geometry-sphere-line.c:142:5
    #3 0x563bc839d413 in harp_spherical_line_spherical_line_relationship libharp/harp-geometry-sphere-line.c:202:5
    #4 0x563bc8398917 in harp_spherical_polygon_check libharp/harp-geometry-sphere-polygon.c:236:28
    #5 0x563bc839c5df in harp_spherical_polygon_from_latitude_longitude_bounds libharp/harp-geometry-sphere-polygon.c:1186:13
    #6 0x563bc838dcd5 in add_latitude_longitude_bounds_to_area_mask libharp/harp-operation.c:114:13
    #7 0x563bc838d9db in harp_operation_area_covers_area_filter_new libharp/harp-operation.c:1464:13
    #8 0x563bc837a293 in harp_operation_parser_parse libharp/harp-operation-parser.y:612:17
    #9 0x563bc837fb91 in harp_program_from_string libharp/harp-operation-parser.y:1702:9

The fuzzer code is super basic.

#include <cstddef>
#include <cstdint>
#include <string>

#include "absl/cleanup/cleanup.h"
#include "harp.h"

// Hands every fuzzer-generated byte string to the HARP operation parser.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Copy into a std::string so the input is NUL-terminated for c_str().
  const std::string operations(reinterpret_cast<const char *>(data), size);

  harp_init();
  // Run harp_done() on every exit path, including the early return below.
  auto done = absl::MakeCleanup([] { harp_done(); });

  harp_program *program = nullptr;
  if (harp_program_from_string(operations.c_str(), &program) != 0) {
    return 0;  // Parse errors are expected; only sanitizer findings matter.
  }

  harp_program_delete(program);

  return 0;
}

svniemeijer commented 1 year ago

Should be fixed in e9936e24a5f4760cbd7cc5c4b3586677383c37c5

schwehr commented 1 year ago

That's all of them. Much appreciated