tokio-rs / bytes

Utilities for working with bytes
MIT License

out-of-memory due to `bytes::BytesMut::with_capacity` #589

Closed bhao-Soo closed 1 year ago

bhao-Soo commented 1 year ago

Version of bytes

1.2.1

Bug description

Out-of-memory found by AddressSanitizer in a fuzz test because too many bytes are being allocated.

=================================================================
==983926==ERROR: AddressSanitizer: out of memory: allocator is trying to allocate 0xffffffeaff bytes

==983926==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/data1/wubohao/test_crate/bytes_crashes/out-of-memory/memory/target/debug/memory+0x8855e) (BuildId: fd444857df608c05a1b4a0c628bf9d2e42787454)
==983926==ABORTING

Steps to reproduce the behavior

Using the auto-generated fuzz target can reproduce the behavior. It was uploaded to the issue platform: out-of-memory.zip

When compiling the file with cargo, follow these instructions:

export RUSTFLAGS=-Zsanitizer=address RUSTDOCFLAGS=-Zsanitizer=address
cargo +nightly build

Run the executable with the crash input file to reproduce the behavior.

Darksonn commented 1 year ago

The BytesMut::with_capacity function will allocate the number of bytes you asked for. If this makes you run out of memory, then it is expected that your program will crash.
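Added example, not code from the bytes crate or from this issue: the practical consequence of the reply above is to validate a length taken from untrusted input before passing it to `BytesMut::with_capacity`. It uses `Vec::<u8>::with_capacity`, which takes the same `usize` argument, so it compiles without the crate; `MAX_FRAME_LEN`, `reserve_for_frame` and the 4-byte length-prefixed frame format are assumptions for the example.

```rust
// Added example (not from the bytes crate or this issue): bound an
// untrusted length before reserving it. `BytesMut::with_capacity` takes
// the same `usize` as `Vec::<u8>::with_capacity`, which stands in here so
// the example builds without the crate.

/// Upper bound on what one frame may ask us to reserve (constructed value
/// for the example; a real protocol picks its own limit).
pub const MAX_FRAME_LEN: usize = 1 << 20; // 1 MiB

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Fewer than 4 bytes available: no length prefix to read yet.
    Incomplete,
    /// The prefix advertises more than MAX_FRAME_LEN bytes.
    TooLarge(u64),
}

/// Read a big-endian u32 length prefix and return a buffer sized for the
/// payload, refusing to allocate when the advertised length is out of policy.
/// The prefix is widened to u64 so the comparison never wraps on 32-bit targets.
pub fn reserve_for_frame(input: &[u8]) -> Result<Vec<u8>, FrameError> {
    if input.len() < 4 {
        return Err(FrameError::Incomplete);
    }
    let advertised = u64::from(u32::from_be_bytes([input[0], input[1], input[2], input[3]]));
    if advertised > MAX_FRAME_LEN as u64 {
        // Reject before touching the allocator: an unchecked request is the
        // path that produced the 0xffffffeaff-byte allocation in the report.
        return Err(FrameError::TooLarge(advertised));
    }
    // Safe to reserve: the cap, not the peer, bounds this allocation.
    Ok(Vec::with_capacity(advertised as usize))
}

fn main() {
    // Constructed inputs: a sane header announcing 16 bytes, and a hostile one.
    let sane = [0x00, 0x00, 0x00, 0x10, b'h', b'i'];
    let hostile = [0xff, 0xff, 0xff, 0xff];
    println!("{:?}", reserve_for_frame(&sane).map(|b| b.capacity()));
    println!("{:?}", reserve_for_frame(&hostile));
}
```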