
Hang when parsing malformed URL

5225225 opened this issue · 3 comments

Reproducing program:

/// Minimal reproducer for the reported hang: parsing this `ftp:` URL never returns.
///
/// The fuzzer's timeout backtrace places the stall inside
/// `<idna::punycode::Decode as Iterator>::next`, reached from `Host::parse` via
/// `idna::domain_to_ascii`, so the `xn--` (punycode) label is presumably what
/// triggers it. Because `Url::parse` is routinely given untrusted input, a parse
/// that never returns is a denial-of-service concern for callers, not only a
/// correctness bug. The parse result is deliberately discarded; only the hang matters.
fn main() {
    // Punycode host label whose decoding does not terminate (see the issue's backtrace).
    let malformed = "ftp:xn--f\u{34a}-PTP";
    let _ = url::Url::parse(malformed);
}

I've tested this against 2.2.1 from crates.io, as well as by adding it as a test and running it in a clone of this repo (commit 89876ff).

Fuzzing timeout backtrace:

==3432763== ERROR: libFuzzer: timeout after 1 seconds
    #0 0x557162429571 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x55716261bd78 in fuzzer::PrintStackTrace() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x39dd78)
    #2 0x5571625f508c in fuzzer::Fuzzer::AlarmCallback() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x37708c)
    #3 0x7fd4fdaf095f  (/usr/lib/libpthread.so.0+0x1395f)
    #4 0x557162541060 in _$LT$idna..punycode..Decode$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h707ba2686f4c0413 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2c3060)
    #5 0x55716253aaa0 in _$LT$alloc..string..String$u20$as$u20$core..iter..traits..collect..Extend$LT$char$GT$$GT$::extend::h923761dbd3e4f86e (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2bcaa0)
    #6 0x5571625490ee in idna::uts46::processing::hf0541b4f9c7dabca (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cb0ee)
    #7 0x55716254a8db in idna::uts46::Idna::to_ascii::h6545fa8cbb62b9bb (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cc8db)
    #8 0x55716254cfeb in idna::uts46::Config::to_ascii::h5bd26c12b4570947 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cefeb)
    #9 0x55716254e991 in idna::domain_to_ascii::h7fd957715a8f1950 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2d0991)
    #10 0x55716249420b in url::host::Host::parse::h3b5d357909f06891 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x21620b)
    #11 0x5571624b6ccb in url::parser::Parser::parse_host::he9cb313349af39d9 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x238ccb)
    #12 0x5571624b4485 in url::parser::Parser::parse_host_and_port::hdaeea756732a80b3 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x236485)
    #13 0x5571624b1640 in url::parser::Parser::after_double_slash::h6d4eddedd7e92ea8 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x233640)
    #14 0x5571624a52eb in url::parser::Parser::parse_with_scheme::hc4d4e7f763875ffb (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2272eb)
    #15 0x5571624a2e7d in url::parser::Parser::parse_url::h0675246c0377db61 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x224e7d)
    #16 0x5571624d063c in url::ParseOptions::parse::hcc9fa3d84e062250 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x25263c)
    #17 0x55716245b5f7 in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x1dd5f7)
    #18 0x5571625feed0 in __rust_try (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x380ed0)
    #19 0x5571625feb2f in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x380b2f)
    #20 0x5571625f5384 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x377384)
    #21 0x5571625e989a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x36b89a)
    #22 0x5571625ed836 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x36f836)
    #23 0x5571623a5022 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x127022)
    #24 0x7fd4fd7e9b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #25 0x5571623a51cd in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x1271cd)

Thanks for the report! I'm surprised this is the first time this came up 😄

djc commented

Oops, I regressed this in 5bc0e60.

djc commented

Should be fixed in #694.