A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:
- Help the community see what issues are common in Rust codebases (useful when e.g. designing APIs)
- Increase visibility of effective fuzz testing targets so people can reuse testing strategies
- Provide insight into the kinds of issues people can expect to find when they use a given fuzzer

These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's partly because Rust is memory-safe by default, but also because not many people have tried fuzzing Rust code yet! Over time we will update this section with the most interesting bugs, whether they're logic errors or memory-safety problems arising from unsafe code. Pull requests are welcome!

Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not counted as a security issue here, even though a reachable panic on untrusted input can still take down a service that depends on the crate.
| Crate | Information | Fuzzer | Category | Security? |
|---|---|---|---|---|
| bmfont | panic on unwrapping | libfuzzer | panic | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| bson | #116 | libfuzzer | oom | |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| claxon | c036944 | libfuzzer | logic | |
| claxon | 875c3b2 | libfuzzer | logic | |
| claxon | 21b1db4 | libfuzzer | oor | |
| claxon | 0fd8815 | libfuzzer | unwrap | |
| claxon | Massive slowdown on malformed input | libfuzzer | other | |
| claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ❗️ |
| comrak | #65 | libfuzzer | oor | |
| cpp_demangle | Multiple panics | afl | unwrap, arith | |
| cranelift | #418 | libfuzzer | logic | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| dhcp4r | #6 | libfuzzer | oor | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| httparse | #9 | afl | arith | |
| httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
| httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
| hyper | arithmetic overflow | libfuzzer | arith | |
| image | #414 | afl | logic | |
| image | #473 | afl | arith | |
| image | #474 | afl | unwrap | |
| image | #477 | afl | oor | |
| image | #622 | libfuzzer | oom | |
| image | #623 | libfuzzer | oom | |
| image | #624 | libfuzzer | oom | |
| image | #625 | libfuzzer | oor | |
| image | Failed to break on an EOF | afl | oor | |
| image | #876 | afl | oor | |
| image | #877 | afl | arith | |
| image | #878 | afl | oor | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | unwrap | |
| jpeg-decoder | #50 | afl | oom | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| json-rust | arithmetic overflow | afl | arith | |
| just | #363 | libfuzzer | logic | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
| lewton | index out of bounds | honggfuzz | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | memory exhaustion | afl | oom | |
| lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
| lewton | enormous CPU and memory consumption on crafted input | afl | other | |
| libflate | 258cf44 | honggfuzz | oor | |
| libflate | 6157daa | honggfuzz | panic | |
| libflate | dc77163 | honggfuzz | unwrap | |
| libflate | Out-of-bounds read in unsafe code | afl | oor | |
| libpnet | arithmetic overflow | libfuzzer | arith | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| minidump | #7 | libfuzzer | panic | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mongo_driver | #55 | libfuzzer | unwrap | |
| mp3-metadata | Multiple panics | afl | oor | |
| mp4parse-rust | #2 | afl | panic | |
| mp4parse-rust | #4 | afl | panic | |
| mp4parse-rust | #5 | afl | panic | |
| mp4parse-rust | #6 | afl | panic | |
| msgpack-rust | #151 | afl | oom | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
| pcapng | arithmetic overflow | libfuzzer | arith | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| png | crash on malformed input | afl | oom | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| regex | #84 | afl | unwrap | |
| regex | regex parsing panics with blog post | libfuzzer | unwrap | |
| regex | #417 | afl | utf-8 | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | Unexpected match branch | honggfuzz | logic | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| roughenough | reject messages with zero tags | afl | logic, oor | |
| roughenough | reject short single tag messages | afl | logic, oor | |
| roughenough | return Error instead of panicking | afl | panic | |
| roughenough | validate tag offset not past end of message | afl | logic | |
| roughenough | validate value offset not past end of message | afl | logic | |
| roughenough | handle truncated message | afl | oor | |
| roughenough | incorrect range check fix | libfuzzer | logic | |
| rust-asn1 | #32 | afl | oom | |
| rust-url | #108 | afl | oor | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| rust-snappy | #12 | libfuzzer | oor | |
| semver | logic error | libfuzzer | logic | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| sxd-document | use after free | libfuzzer | uaf | ❗️ |
| tar-rs | #23 | afl | arith | |
| tiff | index out of bounds | afl | oor | |
| tiff | memory exhaustion on malformed input | afl | oom | |
| tiff | infinite loop on malformed input | afl | loop | |
| tiff | panic on attempt to divide by zero | afl | arith | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
| unicode-segmentation | word boundary correctness | libfuzzer | logic | |
| uuid | index out of bounds | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xml-rs | #93 | afl | utf-8 | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
Category key:

- `arith`: Arithmetic error, e.g. overflow
- `logic`: Logic bug
- `loop`: Infinite loop
- `oom`: Out of memory
- `oor`: Out of range access
- `segfault`: Program segfaulted
- `so`: Stack overflow
- `uaf`: Use after free
- `uninit`: Program discloses contents of uninitialized memory
- `unwrap`: Call to `unwrap` on `None` or `Err(_)`
- `utf-8`: Problem with UTF-8 string handling, e.g. getting a char not at a char boundary
- `panic`: A panic not covered by any of the above
- `other`: Anything that does not fit in another category, or where it is unclear what the problem is
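The `arith`, `oor`, `unwrap` and `utf-8` rows above almost all come from the same shape of code: a parser that trusts length and offset fields it read from the input. The following is an added example written for this page, not code from any crate in the table. It defines a constructed toy record format (version byte, little-endian `u32` length and offset, payload) and parses it twice: `parse_naive` has the panics a fuzzer would trip, `parse_checked` returns a `ParseError` for the same inputs. `fuzz_compare` is a tiny deterministic mutator standing in for afl or cargo-fuzz, so the comparison runs offline without a fuzzing crate; the xorshift PRNG, the mutation strategy and the `Record`/`ParseError` names are all assumptions of this example.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Toy record format (constructed for this example, not any crate's real format):
///   byte 0     : version
///   bytes 1..5 : value length, u32 little-endian
///   bytes 5..9 : value offset into the payload, u32 little-endian
///   bytes 9..  : payload; the value is payload[off .. off + len] and must be UTF-8
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub version: u8,
    pub text: &'a str,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    Overflow,
    OutOfRange,
    BadUtf8,
}

/// How many trophies look before the fix: direct indexing (oor), an unchecked
/// `off + len` (arith) and `.unwrap()` on the UTF-8 check (unwrap / utf-8).
pub fn parse_naive(data: &[u8]) -> Record<'_> {
    let version = data[0];
    let len = u32::from_le_bytes([data[1], data[2], data[3], data[4]]);
    let off = u32::from_le_bytes([data[5], data[6], data[7], data[8]]);
    let payload = &data[9..];
    // With overflow checks on (debug builds) this panics with "attempt to add with
    // overflow"; with wrapping arithmetic the wrapped `end` makes the slice below panic.
    let end = off + len;
    let text = std::str::from_utf8(&payload[off as usize..end as usize]).unwrap();
    Record { version, text }
}

fn read_u32(data: &[u8], at: usize) -> Result<u32, ParseError> {
    let b = data.get(at..at + 4).ok_or(ParseError::Truncated)?;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Hardened version: every failure mode becomes a `ParseError` instead of a panic.
pub fn parse_checked(data: &[u8]) -> Result<Record<'_>, ParseError> {
    let version = *data.first().ok_or(ParseError::Truncated)?;
    let len = read_u32(data, 1)?;
    let off = read_u32(data, 5)?;
    let payload = data.get(9..).ok_or(ParseError::Truncated)?;
    let end = off.checked_add(len).ok_or(ParseError::Overflow)?;
    let value = payload.get(off as usize..end as usize).ok_or(ParseError::OutOfRange)?;
    let text = std::str::from_utf8(value).map_err(|_| ParseError::BadUtf8)?;
    Ok(Record { version, text })
}

/// Build a well-formed record (constructed sample input for the fuzz loop below).
pub fn encode(version: u8, text: &str) -> Vec<u8> {
    let mut out = vec![version];
    out.extend_from_slice(&(text.len() as u32).to_le_bytes());
    out.extend_from_slice(&0u32.to_le_bytes());
    out.extend_from_slice(text.as_bytes());
    out
}

/// A tiny deterministic in-process mutator (xorshift PRNG, nonzero seed) standing in
/// for afl or cargo-fuzz: mutates `seed` and counts panics in each parser.
/// Returns (naive_panics, checked_panics).
pub fn fuzz_compare(seed: &[u8], iterations: u32, mut rng: u64) -> (u32, u32) {
    let mut next = move || { rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17; rng };
    // Silence panic messages while fuzzing; a real harness lets the fuzzer record
    // the crash and the input that triggered it instead.
    let prev_hook = std::panic::take_hook();
    std::panic::set_hook(Box::new(|_| {}));
    let (mut naive_panics, mut checked_panics) = (0, 0);
    for _ in 0..iterations {
        let mut input = seed.to_vec();
        // Overwrite one to three random bytes, then sometimes truncate the input.
        for _ in 0..(next() % 3 + 1) {
            let i = (next() as usize) % input.len();
            input[i] = next() as u8;
        }
        if next() % 4 == 0 {
            input.truncate((next() as usize) % (seed.len() + 1));
        }
        if catch_unwind(AssertUnwindSafe(|| { parse_naive(&input); })).is_err() {
            naive_panics += 1;
        }
        if catch_unwind(AssertUnwindSafe(|| { let _ = parse_checked(&input); })).is_err() {
            checked_panics += 1;
        }
    }
    std::panic::set_hook(prev_hook);
    (naive_panics, checked_panics)
}

fn main() {
    let seed = encode(1, "hello, fuzzer");
    let (naive, checked) = fuzz_compare(&seed, 2000, 0x9E37_79B9_7F4A_7C15);
    println!("naive parser panicked {naive} times, checked parser {checked} times");
}
```

Run it with `rustc` or `cargo run`; every panic the mutator finds in `parse_naive` corresponds to a row category in the table, while `parse_checked` reports the same inputs as `Err`. Note that the overflow case only panics as `arith` when overflow checks are enabled (the default for `cargo fuzz` and debug builds); in a release build it wraps silently and surfaces as `oor` instead, which is why fuzzing with overflow checks on finds more of the `arith` rows above.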