Crashes found by fuzzing
Closed this issue · 2 comments
Hello, I'd like to report three issues found by fuzzing. They are all triggered by malformed JSON or protobuf files.
Issue 1
A malformed `licenses` field causes the `lc.License` field to be nil, and thus crashes the program.
```json
"licenses": [
  {
    "lecinse": {
      "id": "Apache-2.0"
    }
  }
],
```
protobom/pkg/native/unserializers/unserializer_cdx.go, lines 249 to 251 in 8ee8b9f
protobom/pkg/native/unserializers/unserializer_cdx.go, lines 278 to 280 in 8ee8b9f
Issue 2
When the document metadata is nil (for example, when unmarshaled from an empty .proto file), CDX serialization will crash. The SPDX serializer checks whether bom or bom.Metadata is nil, so it is not affected.
Issue 3
`(*comps)[i].Components` points to itself, leading to infinite recursion and eventually stack overflow.
I wasn't able to locate the root cause of this issue. I've attached the code and the file that triggers this issue.
```go
package main

import (
	"fmt"
	"github.com/protobom/protobom/pkg/formats" // module path assumed
	"github.com/protobom/protobom/pkg/reader"
	"github.com/protobom/protobom/pkg/writer"
)

func main() {
	w := writer.New()
	r := reader.New()
	bom, err := r.ParseFile("crash.json") // the attached fuzzer-generated input
	if err != nil {
		fmt.Println("fail!")
		return
	}
	// Serializing to CycloneDX 1.5 JSON recurses until the stack overflows
	w.WriteFileWithOptions(bom, "dummy.json", &writer.Options{Format: formats.CDX15JSON})
}
```
protobom/pkg/native/serializers/serializer_cdx.go, lines 189 to 191 in 8ee8b9f
BTW we should use os.Create here 😄
Lines 129 to 133 in 8ee8b9f
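As an added example (not code from this issue or from protobom), the following shows the defensive pattern for two of the failure modes reported above: a nil-safe walk over license choices for Issue 1, and a component traversal that detects a self-referencing `Components` slice for Issue 3 and returns an error instead of recursing until the stack overflows. The `License`, `LicenseChoice` and `Component` types are simplified hypothetical mirrors of the CycloneDX shapes, not protobom's own types, and the sample trees are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified mirrors of the CycloneDX shapes discussed in the
// issue. These are not protobom's own types.
type License struct{ ID string }

// License is nil when the input uses a wrong key (e.g. "lecinse" instead of "license").
type LicenseChoice struct{ License *License }

type Component struct {
	Name       string
	Licenses   []LicenseChoice
	Components *[]Component // nested components; malformed input can make this point back at its own slice
}

var ErrCycle = errors.New("component tree contains a cycle")

// licenseIDs collects license ids, skipping choices whose License is nil
// instead of dereferencing them (Issue 1).
func licenseIDs(c Component) []string {
	ids := []string{}
	for _, lc := range c.Licenses {
		if lc.License == nil {
			continue
		}
		ids = append(ids, lc.License.ID)
	}
	return ids
}

// walk counts components depth-first. onPath holds the addresses of the
// slices on the current recursion path, so a slice that (directly or
// indirectly) contains itself is reported as ErrCycle (Issue 3). Shared
// subtrees that are not on the current path are still allowed.
func walk(comps *[]Component, onPath map[*[]Component]bool) (int, error) {
	if comps == nil {
		return 0, nil
	}
	if onPath[comps] {
		return 0, ErrCycle
	}
	onPath[comps] = true
	defer delete(onPath, comps)
	n := 0
	for i := range *comps {
		n++
		sub, err := walk((*comps)[i].Components, onPath)
		if err != nil {
			return 0, err
		}
		n += sub
	}
	return n, nil
}

// countComponents is the entry point callers use; it owns the path set.
func countComponents(comps *[]Component) (int, error) {
	return walk(comps, map[*[]Component]bool{})
}

// sampleTree is a constructed well-formed tree: root -> leaf, where leaf has
// one valid license and one choice whose License is nil.
func sampleTree() *[]Component {
	leaf := []Component{{
		Name: "leaf",
		Licenses: []LicenseChoice{
			{License: &License{ID: "Apache-2.0"}},
			{License: nil},
		},
	}}
	return &[]Component{{Name: "root", Components: &leaf}}
}

// selfReferential is a constructed tree reproducing the shape from Issue 3:
// the only component's Components field points at the slice containing it.
func selfReferential() *[]Component {
	comps := &[]Component{{Name: "a"}}
	(*comps)[0].Components = comps
	return comps
}

func main() {
	n, err := countComponents(sampleTree())
	fmt.Println("well-formed tree:", n, err) // 2 <nil>
	_, err = countComponents(selfReferential())
	fmt.Println("self-referential tree:", err) // component tree contains a cycle
	fmt.Println(licenseIDs((*(*sampleTree())[0].Components)[0])) // [Apache-2.0]
}
```

The path set is marked on entry and cleared on return, so the guard distinguishes a real cycle (a back edge to a slice still being visited) from a legitimately shared subtree; a `visited` set that is never cleared would also flag the latter.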
Stale issue message