-
Notifications
You must be signed in to change notification settings - Fork 290
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Various crashes from fuzzing #396
Comments
Thanks, should be easy to fix! |
I'm finding more issues. Would you like an issue for each or should I start one parent issue for all my fuzzing finds? |
You can probably convert this issue to be about all fuzzing errors and I will go through them |
Sounds good. I'll check upstream with the fuzzing trophy case on how best to track that since I already committed this issue on there. I'll do that when I get into the office. For now I also have:
which generates:
|
which generates
|
This one looks like another easy fix, changing: |
causes
|
I uploaded a patch. It is incomplete, as you can even see in the diff. There are some places where I would fix a problem just to leave another example of the same style of unwrap alone. I was just fixing each individual issue to get the fuzzer to move along the find the next one. I wanted to make the patch available to you, but don't expect it to be merged in due to how incomplete it is so I didn't even bother making a PR. IIRC I fixed all the issues in this thread except {{22220222222022222220}}. Once I saw that code it looked like it would need more than just a simple one liner so I stepped away. If that gets fixed up and you'd like me to continue fuzzing just @ me and I'd be happy to pop back in or I can provide the code I'm using and some instructions. |
I pushed tests + fixes for all the one mentioned in the thread, can you share the code used to fuzz? |
I added the code here: stusmall@30e211b To run it use this project: https://github.com/rust-fuzz/cargo-fuzz and kick it off with cargo fuzz run fuzz_template |
Thanks, it's running now! |
Found a couple more issues thanks to |
Did you end up chasing those errors coming from outside tera? If not I'd like to take a look. |
I didn't look further, please do! |
What was the input that caused the heap-buffer-overflow on address issue? |
No clue sorry, it did look like a crash of the fuzzer itself rather than Tera. I changed laptop since then so can't re-run it right now. |
No problem. Thanks! Since these issues got fixed I'm going to close this out. If I find anything else I'll just reopen this issue. |
"{_{{W~1+11}}k{" causes a panic |
"{{n~n<n.11}}}" |
Just to be sure, are you running it on the |
Yes. Commit hash 470badb |
Both are fixed at the grammar level in the v1 branch. I love those issues, it really highlights some poor decisions in the grammar :p |
That's good to hear! I was afraid I was bringing a bunch of small, pedantic issues. I'll rebase and fire up the fuzzer again. Also I found the heap buffer overflow issue, thanks for calling that one out. I've got a bug with the project and will work with them on the fix. Hopefully should get something in soonish, but until them I've got a crummy work around so I can keep moving. |
Not at all! They were all kind of huge issues in the parser. |
I have seen your post on the v-htmlescape about the overflow since I ran into it as well. |
Someone else in another thread called out that it might be a false positive from asan/rust interaction. I plan on getting to the root of that one this weekend. I wouldn't want to get them remove as a dependency prematurely over a false positive. I'll have a confirmation on it soon. |
I followed up on the v_htmlescape issue. It isn't a false positive. |
On commit 8c694a8 I found two more:
|
Thanks, I fixed the first one but the second one doesn't panic for me? |
Weird. Me either. Sorry about that. |
Beta 5 released with the latest changes. How do you work around the v-htmlescape bug? Just commenting out the code? |
I'd found a switch that looked like it would turn off the SIMD optimizations. I thought that would turn it off but it's still hitting a buffer overflow on that avx instruction. Either the switch isn't respected or I misunderstood what it did. That was a dead end, sorry about that. |
No worries, I'm going to have a look at alternatives for the escaping. I've noticed that pulldown-cmark wrote their own version of escape_html/escape_href as well for example. |
Found |
It doesn't like I can trigger another panic, except from the v-htmlescape |
I'll go ahead and close this out then! Thank you so much. If a fuzzer finds a new issue we can reopen this issue. |
This is an issue I found while fuzzing this morning. Here is a simplified test case:
The text was updated successfully, but these errors were encountered: