Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

null dereference when formatting chrono duration #1132

Closed
pauldreik opened this issue Apr 28, 2019 · 2 comments
Closed

null dereference when formatting chrono duration #1132

pauldreik opened this issue Apr 28, 2019 · 2 comments

Comments

@pauldreik
Copy link
Contributor

pauldreik commented Apr 28, 2019
edited
Loading

Hi,
I added a fuzzer for chrono durations. It found a segfault. I inserted the fuzzers into my fork of fmt and would be happy to merge my fuzzers into fmt, if you are interested.
Here is how to reproduce the segfault: https://github.com/pauldreik/fmt/blob/fuzz/fuzzing/README.md#reproduce

paul@torsken:~/code/privat/fmt/fuzzing/build-fuzzers-reproduce$ gdb bin/fuzzer_chrono_duration 
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bin/fuzzer_chrono_duration...done.
(gdb) run ../crashes/chrono_duration/minimized-from-
minimized-from-7e98543e5070cb98869b6d73a090dea26042c503  minimized-from-8166484b39aaef77757ec2c94b6f7a94039cdafd
(gdb) run ../crashes/chrono_duration/minimized-from-7e98543e5070cb98869b6d73a090dea26042c503 
Starting program: /home/paul/code/privat/fmt/fuzzing/build-fuzzers-reproduce/bin/fuzzer_chrono_duration ../crashes/chrono_duration/minimized-from-7e98543e5070cb98869b6d73a090dea26042c503

Program received signal SIGSEGV, Segmentation fault.
0x00005555555580eb in std::char_traits<char>::length (__s=0x0) at /usr/include/c++/8/bits/char_traits.h:322
322		return __builtin_strlen(__s);
(gdb) bt
#0  0x00005555555580eb in std::char_traits<char>::length (__s=0x0) at /usr/include/c++/8/bits/char_traits.h:322
#1  0x00005555555630eb in fmt::v5::basic_string_view<char>::basic_string_view (this=0x7fffffffd2f0, s=0x0) at ../../include/fmt/core.h:410
#2  0x000055555555fd29 in fmt::v5::to_string_view<char> (s=0x0) at ../../include/fmt/core.h:505
#3  0x000055555558c2b4 in fmt::v5::internal::string_view_metadata::to_view<char const*&, 0> (this=0x7fffffffd408, str=@0x7fffffffd368: 0x0)
    at ../../include/fmt/format.h:1821
#4  0x000055555558c397 in fmt::v5::internal::handle_dynamic_spec<fmt::v5::internal::width_checker, unsigned int, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (value=@0x7fffffffd710: 0, ref=..., ctx=..., format_str=0x0) at ../../include/fmt/format.h:2289
#5  0x000055555556f3b0 in fmt::v5::formatter<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, char, void>::format<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (this=0x7fffffffd710, d=..., ctx=...) at ../../include/fmt/chrono.h:621
#6  0x000055555556b8ac in fmt::v5::internal::value<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::format_custom_arg<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, fmt::v5::formatter<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, char, void> > (
    arg=0x7fffffffddaf, parse_ctx=..., ctx=...) at ../../include/fmt/core.h:755
#7  0x000055555558cd0c in fmt::v5::basic_format_arg<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::handle::format (
    this=0x7fffffffd7a0, parse_ctx=..., ctx=...) at ../../include/fmt/core.h:936
#8  0x000055555556f857 in fmt::v5::internal::custom_formatter<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::operator() (this=0x7fffffffd890, h=...) at ../../include/fmt/format.h:1588
#9  0x000055555556bc96 in fmt::v5::visit_format_arg<fmt::v5::internal::custom_formatter<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >&, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (vis=..., arg=...) at ../../include/fmt/core.h:998
#10 0x0000555555569ad7 in fmt::v5::format_handler<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::on_format_specs (this=0x7fffffffd9b0, begin=0x5555557590d2 "{o}", end=0x5555557590d5 "")
    at ../../include/fmt/format.h:3271
#11 0x0000555555566b7b in fmt::v5::internal::parse_format_string<false, char, fmt::v5::format_handler<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >&> (format_str=..., handler=...)
    at ../../include/fmt/format.h:2177
#12 0x0000555555564ea6 in fmt::v5::vformat_to<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (out=..., format_str=..., args=..., loc=...) at ../../include/fmt/format.h:3298
#13 0x00005555555632c1 in fmt::v5::internal::vformat_to<char> (buf=warning: RTTI symbol not found for class 'fmt::v5::basic_memory_buffer<char, 500ul, std::allocator<char> >'
..., format_str=..., args=...) at ../../include/fmt/format.h:3401
#14 0x000055555555fe4a in fmt::v5::internal::vformat<char> (format_str=..., args=...) at ../../include/fmt/format.h:3575
#15 0x000055555555c8e9 in fmt::v5::format<char const*, std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, 0> (
    format_str=@0x7fffffffdd78: 0x5555557590d0 "{:{o}", args#0=...) at ../../include/fmt/core.h:1469
--Type <RET> for more, q to quit, c to continue without paging--
#16 0x0000555555559dd5 in doit_impl<char, std::ratio<1l, 1000000000000000000l> > (formatstring=0x5555557590d0 "{:{o}", item=0 '\000') at ../chrono_duration.cpp:15
#17 0x00005555555589fb in doit<char> (Data=0x5555557590b2 "{:{o}", Size=5) at ../chrono_duration.cpp:35
#18 0x00005555555575ec in LLVMFuzzerTestOneInput (Data=0x5555557590b1 "", Size=6) at ../chrono_duration.cpp:66
#19 0x000055555555784d in main (argc=2, argv=0x7fffffffe1a8) at ../chrono_duration.cpp:109
(gdb)
vitaut added a commit that referenced this issue Apr 28, 2019
@vitaut
Fix chrono formatting with invalid argument id (#1132)
4c721e3
@vitaut
Copy link
Contributor

vitaut commented Apr 28, 2019

Fixed in 4c721e3, thanks!

@vitaut vitaut closed this as completed Apr 28, 2019
@vitaut
Copy link
Contributor

vitaut commented Apr 28, 2019

I inserted the fuzzers into my fork of fmt and would be happy to merge my fuzzers into fmt, if you are interested.

That would be awesome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vitaut @pauldreik