protobom/protobom

Crashes found by fuzzing

Closed this issue · 2 comments

Nifury commented

Hello, I'd like to report three issues found by fuzzing. They are all triggered by malformed JSON or protobuf files.

Issue 1
A malformed licenses field causes the lc.License field to be nil, and thus crashes the program.

      "licenses": [
        {
          "lecinse": {
            "id": "Apache-2.0"
          }
        }
      ],

protobom/pkg/native/unserializers/unserializer_cdx.go

Lines 249 to 251 in 8ee8b9f

if lc.Expression == "" && lc.License.ID == "" {
continue
}

protobom/pkg/native/unserializers/unserializer_cdx.go

Lines 278 to 280 in 8ee8b9f

if lc.Expression == "" && lc.License.ID == "" {
continue
}

Issue 2
When the document metadata is nil (unmarshaled from an empty .proto file for example), CDX serialization will crash. SPDX serializer checks if bom or bom.Metadata is nil so it is not affected.

protobom/pkg/native/serializers/serializer_cdx.go

Line 47 in 8ee8b9f

doc.SerialNumber = bom.Metadata.Id

Issue 3
(*comps)[i].Components points to itself, leading to infinite recursion and eventually stack overflow.
I wasn't able to locate the root cause of this issue. I've attached the code and the file that triggers this issue.

func main() {
	w := writer.New()
	r := reader.New()
	bom, err := r.ParseFile("crash.json")
	if err != nil {
		fmt.Println("fail!")
	}
	w.WriteFileWithOptions(bom, "dummy.json", &writer.Options{Format: formats.CDX15JSON})
}

crash.json

protobom/pkg/native/serializers/serializer_cdx.go

Lines 189 to 191 in 8ee8b9f

if (*comps)[i].Components != nil && len(*(*comps)[i].Components) != 0 {
clearAutoRefs((*comps)[i].Components)
}

BTW we should use os.Create here 😄

protobom/pkg/writer/writer.go

Lines 129 to 133 in 8ee8b9f

func (w *Writer) WriteFileWithOptions(bom *sbom.Document, path string, o *Options) error {
f, err := os.Open(path)
if err != nil {
return err
}

github-actions commented

Stale issue message

github-actions commented

Stale issue message