rusticata/der-parser

Panic on overflow in subtraction

daniellockyer opened this issue · 0 comments

Found using cargo-fuzz. The following program reproduces the panic:

extern crate der_parser;

/// Minimal reproducer for the fuzzer-found crash: handing this input to
/// `der_parser::parse_der` panics with "attempt to subtract with overflow"
/// (the backtrace below places it in `der_read_element_content_as`, src/der.rs).
/// Because the panic is reachable from parser input, a malformed DER document
/// can abort any process that parses it with this crate; the parser should
/// report an error for such input instead of panicking.
fn main() {
    // Crash input exactly as written by libFuzzer (also given below as hex and Base64).
    let crash_input = b"\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff";
    // The parse result is not inspected; the point is that the call must not panic.
    let _parsed = der_parser::parse_der(crash_input);
}
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/neo/dev/work/der-parser/src/der.rs:496
stack backtrace:
   0:     0x55a334805553 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x55a334801ea4 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55a334806527 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55a3348060ab - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55a33480698b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55a334806864 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55a334806799 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55a334806727 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55a3348f8e3d - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55a3348f8d74 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x55a3347d963e - der_parser::der::der_read_element_content_as::hec8b190837fd2b88
                               at /home/neo/dev/work/der-parser/src/der.rs:494
  11:     0x55a3347db053 - der_parser::der::der_read_element_content::h4613f91403cc33be
                               at /home/neo/dev/work/der-parser/src/der.rs:612
  12:     0x55a3347f7a99 - der_parser::der::parse_der::h012b5d2e9c9f1cdb
                               at /home/neo/dev/work/der-parser/src/der.rs:834
  13:     0x55a334766b01 - rust_fuzzer_test_input
                               at /home/neo/dev/work/der-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
  14:     0x55a33476a71a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  15:     0x55a3347687df - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  16:     0x55a33480c67b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==5893== ERROR: libFuzzer: deadly signal
    #0 0x55a3348d80d9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55a33477bb11 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55a33477ba5b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55a33479924d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fa3147ecfdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fa31424ea0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fa314250139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55a33480c688 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55a33480c688 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 5 CrossOver-PersAutoDict-ChangeBinInt-InsertByte-PersAutoDict- DE: "\x01\x00\x00\x00"-"\x00\x00"-; base unit: 2bdab388248e0d022b7b852c59983788a3ee86e4
0x3,0x0,0x0,0x6b,0x6b,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2e,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3b,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1,0x0,0x0,0x0,0xff,0xa,0xff,
\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-99d752339e4c2516982a7eba4ddbe586ee4972dc
Base64: AwAAa2sAAAAAAAAALgD///////////////////////87////////////AQAAAP8K/w==