Open ulikunitz opened 9 years ago
Just to make clear: the panic indicates a bug in the encoder that needs to be fixed.
The issue is not with the encoder but with the decoder. The input generated by go-fuzz is certainly malformed, but I believe decoding libraries should not panic upon invalid inputs when possible (an exception might be when allocating buffers, but even that can be mitigated). The panic can be reproduced manually by running:
cd lzma
go run lzmareader/lzmareader.go corpus/bad_dist_out_of_range.lzma
using this as input:
https://github.com/pmezard/xz/blob/fuzz/lzma/corpus/bad_dist_out_of_range.lzma
in the fuzzing branch I pushed here:
https://github.com/pmezard/xz/tree/fuzz
The trivial reader code is here:
https://github.com/pmezard/xz/blob/fuzz/lzma/lzmareader/lzmareader.go
and go-fuzz function:
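The point above, that a decoder should reject a malformed back-reference with an error rather than an index-out-of-range panic, shown as an added example that is not code from the xz project or from either participant. The op format is a constructed toy (tag byte, then a literal byte or a one-byte distance and length), not LZMA; `Fuzz` uses the `func Fuzz([]byte) int` entry-point signature that go-fuzz expects, and `SafeDecode` is a hypothetical caller-side wrapper.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors so callers (and a fuzz harness) can classify rejections.
var (
	ErrTruncated          = errors.New("lz: truncated input")
	ErrDistanceOutOfRange = errors.New("lz: match distance out of range")
)

// Constructed toy stream: 0x00 <byte> is a literal, 0x01 <dist> <len> is a
// match copying <len> bytes from <dist> bytes back in the output.
const (
	tagLiteral = 0
	tagMatch   = 1
)

// Decode expands the toy stream. Every match distance is checked against
// the bytes already produced, so a "bad dist" stream yields an error
// instead of a panic on out[start+j].
func Decode(in []byte) ([]byte, error) {
	out := make([]byte, 0, len(in))
	for pos := 0; pos < len(in); {
		switch in[pos] {
		case tagLiteral:
			if pos+1 >= len(in) {
				return nil, ErrTruncated
			}
			out = append(out, in[pos+1])
			pos += 2
		case tagMatch:
			if pos+2 >= len(in) {
				return nil, ErrTruncated
			}
			dist, length := int(in[pos+1]), int(in[pos+2])
			if dist == 0 || length == 0 {
				return nil, fmt.Errorf("lz: offset %d: zero dist or len", pos)
			}
			if dist > len(out) {
				return nil, fmt.Errorf("lz: offset %d: dist %d exceeds %d bytes of history: %w",
					pos, dist, len(out), ErrDistanceOutOfRange)
			}
			// Byte-by-byte copy: an overlapping match (len > dist) is legal
			// and repeats the pattern, which a single copy() would not do.
			start := len(out) - dist
			for j := 0; j < length; j++ {
				out = append(out, out[start+j])
			}
			pos += 3
		default:
			return nil, fmt.Errorf("lz: offset %d: unknown tag %#x", pos, in[pos])
		}
	}
	return out, nil
}

// Fuzz is a go-fuzz style entry point: 1 marks an input worth keeping in the
// corpus, 0 an uninteresting one. Any panic escaping Decode is reported by
// the fuzzer as a crasher, which is exactly the class of bug in this issue.
func Fuzz(data []byte) int {
	if _, err := Decode(data); err != nil {
		return 0
	}
	return 1
}

// SafeDecode turns any residual panic into an error at the API boundary.
// It is a last line of defence for callers, not a substitute for the
// explicit checks in Decode.
func SafeDecode(in []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("lz: decoder panic: %v", r)
		}
	}()
	return Decode(in)
}

func main() {
	// Constructed samples: "ab" then copy 4 bytes from 2 back -> "ababab";
	// then a match with distance 5 when only 1 byte of history exists.
	good := []byte{0, 'a', 0, 'b', 1, 2, 4}
	bad := []byte{0, 'a', 1, 5, 3}
	for _, in := range [][]byte{good, bad} {
		out, err := Decode(in)
		fmt.Printf("%v -> %q err=%v\n", in, out, err)
	}
}
```

The check that matters is `dist > len(out)`: it is evaluated before any index into `out`, so the malformed stream is reported as `ErrDistanceOutOfRange` and the fuzz harness never sees a crasher for this input class.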
Hi, many thanks for the comprehensive information. I will have to work on it, but can't start before Sunday.
The code has been rewritten and tested against multiple corpora. I'm planning fuzzing tests for v0.7.
I labeled the issue as enhancement, because the open action is fuzzing; the bug is fixed.
@pmezard reported a panic in the master tree that he has found using go-fuzz. Many thanks for that. I have asked for the go-fuzz code and the crasher sequence to check what caused the bug and to fix it in the dev tree.