Panic on overflow in subtraction
daniellockyer opened this issue · 0 comments
daniellockyer commented
Found using cargo-fuzz
.
extern crate der_parser;
fn main() {
let data = b"\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff";
let _ = der_parser::parse_der(data);
}
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/neo/dev/work/der-parser/src/der.rs:496
stack backtrace:
0: 0x55a334805553 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
1: 0x55a334801ea4 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
at /checkout/src/libstd/sys_common/backtrace.rs:71
2: 0x55a334806527 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
at /checkout/src/libstd/sys_common/backtrace.rs:60
at /checkout/src/libstd/panicking.rs:355
3: 0x55a3348060ab - std::panicking::default_hook::h9bc4f6dfee57d6bd
at /checkout/src/libstd/panicking.rs:371
4: 0x55a33480698b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
at /checkout/src/libstd/panicking.rs:549
5: 0x55a334806864 - std::panicking::begin_panic::hf84f4975d9f9b642
at /checkout/src/libstd/panicking.rs:511
6: 0x55a334806799 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
at /checkout/src/libstd/panicking.rs:495
7: 0x55a334806727 - rust_begin_unwind
at /checkout/src/libstd/panicking.rs:471
8: 0x55a3348f8e3d - core::panicking::panic_fmt::h795d9a9608ddc2bb
at /checkout/src/libcore/panicking.rs:69
9: 0x55a3348f8d74 - core::panicking::panic::hcab3e0dfa81beee9
at /checkout/src/libcore/panicking.rs:49
10: 0x55a3347d963e - der_parser::der::der_read_element_content_as::hec8b190837fd2b88
at /home/neo/dev/work/der-parser/src/der.rs:494
11: 0x55a3347db053 - der_parser::der::der_read_element_content::h4613f91403cc33be
at /home/neo/dev/work/der-parser/src/der.rs:612
12: 0x55a3347f7a99 - der_parser::der::parse_der::h012b5d2e9c9f1cdb
at /home/neo/dev/work/der-parser/src/der.rs:834
13: 0x55a334766b01 - rust_fuzzer_test_input
at /home/neo/dev/work/der-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
14: 0x55a33476a71a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
15: 0x55a3347687df - std::panicking::try::do_call::hfeac5113da58e53b
at /checkout/src/libstd/panicking.rs:454
16: 0x55a33480c67b - <unknown>
at /checkout/src/libpanic_abort/lib.rs:40
==5893== ERROR: libFuzzer: deadly signal
#0 0x55a3348d80d9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
#1 0x55a33477bb11 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
#2 0x55a33477ba5b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
#3 0x55a33479924d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
#4 0x7fa3147ecfdf (/usr/lib/libpthread.so.0+0x11fdf)
#5 0x7fa31424ea0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
#6 0x7fa314250139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
#7 0x55a33480c688 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
#8 0x55a33480c688 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 5 CrossOver-PersAutoDict-ChangeBinInt-InsertByte-PersAutoDict- DE: "\x01\x00\x00\x00"-"\x00\x00"-; base unit: 2bdab388248e0d022b7b852c59983788a3ee86e4
0x3,0x0,0x0,0x6b,0x6b,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2e,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3b,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1,0x0,0x0,0x0,0xff,0xa,0xff,
\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-99d752339e4c2516982a7eba4ddbe586ee4972dc
Base64: AwAAa2sAAAAAAAAALgD///////////////////////87////////////AQAAAP8K/w==