null dereference when formatting chrono duration #1132

Closed
@pauldreik

Description

Hi,
I added a fuzzer for chrono durations. It found a segfault. I inserted the fuzzers into my fork of fmt and would be happy to merge my fuzzers into fmt, if you are interested.
Here is how to reproduce the segfault: https://github.com/pauldreik/fmt/blob/fuzz/fuzzing/README.md#reproduce

paul@torsken:~/code/privat/fmt/fuzzing/build-fuzzers-reproduce$ gdb bin/fuzzer_chrono_duration 
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bin/fuzzer_chrono_duration...done.
(gdb) run ../crashes/chrono_duration/minimized-from-
minimized-from-7e98543e5070cb98869b6d73a090dea26042c503  minimized-from-8166484b39aaef77757ec2c94b6f7a94039cdafd
(gdb) run ../crashes/chrono_duration/minimized-from-7e98543e5070cb98869b6d73a090dea26042c503 
Starting program: /home/paul/code/privat/fmt/fuzzing/build-fuzzers-reproduce/bin/fuzzer_chrono_duration ../crashes/chrono_duration/minimized-from-7e98543e5070cb98869b6d73a090dea26042c503

Program received signal SIGSEGV, Segmentation fault.
0x00005555555580eb in std::char_traits<char>::length (__s=0x0) at /usr/include/c++/8/bits/char_traits.h:322
322		return __builtin_strlen(__s);
(gdb) bt
#0  0x00005555555580eb in std::char_traits<char>::length (__s=0x0) at /usr/include/c++/8/bits/char_traits.h:322
#1  0x00005555555630eb in fmt::v5::basic_string_view<char>::basic_string_view (this=0x7fffffffd2f0, s=0x0) at ../../include/fmt/core.h:410
#2  0x000055555555fd29 in fmt::v5::to_string_view<char> (s=0x0) at ../../include/fmt/core.h:505
#3  0x000055555558c2b4 in fmt::v5::internal::string_view_metadata::to_view<char const*&, 0> (this=0x7fffffffd408, str=@0x7fffffffd368: 0x0)
    at ../../include/fmt/format.h:1821
#4  0x000055555558c397 in fmt::v5::internal::handle_dynamic_spec<fmt::v5::internal::width_checker, unsigned int, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (value=@0x7fffffffd710: 0, ref=..., ctx=..., format_str=0x0) at ../../include/fmt/format.h:2289
#5  0x000055555556f3b0 in fmt::v5::formatter<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, char, void>::format<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (this=0x7fffffffd710, d=..., ctx=...) at ../../include/fmt/chrono.h:621
#6  0x000055555556b8ac in fmt::v5::internal::value<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::format_custom_arg<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, fmt::v5::formatter<std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, char, void> > (
    arg=0x7fffffffddaf, parse_ctx=..., ctx=...) at ../../include/fmt/core.h:755
#7  0x000055555558cd0c in fmt::v5::basic_format_arg<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::handle::format (
    this=0x7fffffffd7a0, parse_ctx=..., ctx=...) at ../../include/fmt/core.h:936
#8  0x000055555556f857 in fmt::v5::internal::custom_formatter<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::operator() (this=0x7fffffffd890, h=...) at ../../include/fmt/format.h:1588
#9  0x000055555556bc96 in fmt::v5::visit_format_arg<fmt::v5::internal::custom_formatter<fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >&, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (vis=..., arg=...) at ../../include/fmt/core.h:998
#10 0x0000555555569ad7 in fmt::v5::format_handler<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >::on_format_specs (this=0x7fffffffd9b0, begin=0x5555557590d2 "{o}", end=0x5555557590d5 "")
    at ../../include/fmt/format.h:3271
#11 0x0000555555566b7b in fmt::v5::internal::parse_format_string<false, char, fmt::v5::format_handler<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> >&> (format_str=..., handler=...)
    at ../../include/fmt/format.h:2177
#12 0x0000555555564ea6 in fmt::v5::vformat_to<fmt::v5::arg_formatter<fmt::v5::back_insert_range<fmt::v5::internal::buffer<char> > >, char, fmt::v5::basic_format_context<std::back_insert_iterator<fmt::v5::internal::buffer<char> >, char> > (out=..., format_str=..., args=..., loc=...) at ../../include/fmt/format.h:3298
#13 0x00005555555632c1 in fmt::v5::internal::vformat_to<char> (buf=warning: RTTI symbol not found for class 'fmt::v5::basic_memory_buffer<char, 500ul, std::allocator<char> >'
..., format_str=..., args=...) at ../../include/fmt/format.h:3401
#14 0x000055555555fe4a in fmt::v5::internal::vformat<char> (format_str=..., args=...) at ../../include/fmt/format.h:3575
#15 0x000055555555c8e9 in fmt::v5::format<char const*, std::chrono::duration<char, std::ratio<1l, 1000000000000000000l> >, 0> (
    format_str=@0x7fffffffdd78: 0x5555557590d0 "{:{o}", args#0=...) at ../../include/fmt/core.h:1469
#16 0x0000555555559dd5 in doit_impl<char, std::ratio<1l, 1000000000000000000l> > (formatstring=0x5555557590d0 "{:{o}", item=0 '\000') at ../chrono_duration.cpp:15
#17 0x00005555555589fb in doit<char> (Data=0x5555557590b2 "{:{o}", Size=5) at ../chrono_duration.cpp:35
#18 0x00005555555575ec in LLVMFuzzerTestOneInput (Data=0x5555557590b1 "", Size=6) at ../chrono_duration.cpp:66
#19 0x000055555555784d in main (argc=2, argv=0x7fffffffe1a8) at ../chrono_duration.cpp:109
(gdb) 
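The backtrace shows the shape of the failure: the chrono formatter's `format()` calls `handle_dynamic_spec` with `format_str=0x0`, the stored `string_view_metadata` for the nested width field `{o}` is rebased onto that null pointer via `to_string_view(const char*)`, and `basic_string_view`'s constructor measures it with `strlen`, which is where the SIGSEGV lands. The following is an added example, not fmt's code and not part of the original report: it models that pattern with hypothetical names (`ref_metadata`, `parse_width_ref`, `resolve_unchecked`, `resolve_checked`, `width_ref_formatter`) and shows the unchecked resolution path beside a checked one. The input string is the `"{:{o}"` case from the backtrace; everything else is constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <optional>
#include <string_view>

// Hypothetical stand-in for fmt v5's string_view_metadata: a substring of the
// format string kept as (offset, size) relative to the format string's start,
// not as a pointer, so it is only usable if the base pointer is supplied later.
struct ref_metadata {
    std::size_t offset = 0;
    std::size_t size = 0;
};

// Parse a nested replacement field "{name}" starting at `spec` inside the
// format string that begins at `base`. Returns the name's position relative to
// `base`, or nullopt if the field is empty, malformed or unterminated.
std::optional<ref_metadata> parse_width_ref(const char* base, const char* spec) {
    if (!base || !spec || *spec != '{') return std::nullopt;
    const char* name_begin = spec + 1;
    const char* p = name_begin;
    while (*p && *p != '}') ++p;
    if (*p != '}' || p == name_begin) return std::nullopt;
    return ref_metadata{static_cast<std::size_t>(name_begin - base),
                        static_cast<std::size_t>(p - name_begin)};
}

// Mirrors the crashing path: `base` is turned into a view by measuring it with
// strlen (what to_string_view(const char*) does in the backtrace) and the stored
// offsets are applied on top. With base == nullptr this is strlen(nullptr):
// undefined behaviour, a SIGSEGV in practice. Never call it with a null base.
std::string_view resolve_unchecked(ref_metadata m, const char* base) {
    std::string_view whole(base, std::strlen(base));
    return whole.substr(m.offset, m.size);
}

// Hardened form: reject a null base and an out-of-range (offset, size) pair
// instead of trusting the caller, and report failure rather than crash.
std::optional<std::string_view> resolve_checked(ref_metadata m, const char* base) {
    if (!base) return std::nullopt;
    std::string_view whole(base, std::strlen(base));
    if (m.offset > whole.size() || m.size > whole.size() - m.offset) return std::nullopt;
    return whole.substr(m.offset, m.size);
}

// Models the caller in the backtrace (the formatter's format() step). The
// metadata is recorded during parse(); resolving it later needs the same base
// pointer. With keep_base == false the base is not retained and a null pointer
// is what reaches the resolver, which is the situation the gdb session shows.
struct width_ref_formatter {
    const char* saved_base = nullptr;
    std::optional<ref_metadata> width;

    bool parse(const char* base, const char* spec, bool keep_base) {
        width = parse_width_ref(base, spec);
        if (keep_base) saved_base = base;
        return width.has_value();
    }

    // Name of the argument supplying the width, or nullopt where the unchecked
    // path would have dereferenced null or read out of bounds.
    std::optional<std::string_view> width_name() const {
        if (!width) return std::nullopt;
        return resolve_checked(*width, saved_base);
    }
};

// Constructed input: the minimised crash case from the backtrace. The spec
// handed to the formatter there is the inner "{o}" (begin="{o}", end="").
static const char kCrashInput[] = "{:{o}";

// Run the formatter model over the crash input. With the base retained the
// width name resolves to "o"; without it the checked resolver reports failure.
std::optional<std::string_view> demo(bool keep_base) {
    width_ref_formatter f;
    const char* spec = kCrashInput + 2;  // points at the nested "{o}"
    if (!f.parse(kCrashInput, spec, keep_base)) return std::nullopt;
    return f.width_name();
}

int main() {
    auto ok = demo(true);
    auto bad = demo(false);
    return (ok && *ok == "o" && !bad) ? 0 : 1;
}
```

The point of the split between `resolve_unchecked` and `resolve_checked` is that an offset-based reference is only as safe as the base it is rebased onto; a formatter that records such a reference in `parse()` has to carry the format string (or a copy of the referenced name) into `format()`, and the resolver should treat a null or too-short base as an error rather than assume the caller got it right.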
