Fix bugs uncovered by AFL

.gitignore

@@ -2,3 +2,4 @@ target
 Cargo.lock
 *.rs.bk
 out
+tests/afl_seeds.rs

Cargo.toml

@@ -1,5 +1,6 @@
 [package]
 authors = ["Nick Fitzgerald <fitzgen@gmail.com>", "Jim Blandy <jimb@red-bean.com>"]
+build = "build.rs"
 categories = ["development-tools::debugging", "development-tools::ffi"]
 description = "A crate for demangling C++ symbols"
 documentation = "https://docs.rs/cpp_demangle"

build.rs

@@ -0,0 +1,66 @@
+use std::env;
+use std::fs;
+use std::io::{self, Write};
+use std::path;
+
+// Generate tests that ensure that we don't panic when parsing and demangling
+// the seed test cases that we pass to AFL.rs assert (including the failing test
+// cases historically found by AFL.rs).
+fn generate_sanity_tests_from_afl_seeds() -> io::Result<()> {
+    println!("cargo:rerun-if-changed=in/*");
+    println!("cargo:rerun-if-changed=tests/afl_seeds.rs");
+
+    let crate_dir = try!(env::var("CARGO_MANIFEST_DIR")
+        .map_err(|_| io::Error::new(io::ErrorKind::Other, "no CARGO_MANIFEST_DIR")));
+
+    let mut test_path = path::PathBuf::from(&crate_dir);
+    test_path.push("tests");
+    let _ = fs::create_dir(&test_path);
+    test_path.push("afl_seeds.rs");
+    let mut test_file = try!(fs::File::create(test_path));
+
+    try!(writeln!(&mut test_file, "
+extern crate cpp_demangle;
+use std::fs;
+use std::io::Read;
+"));
+
+    let mut in_dir = path::PathBuf::from(crate_dir);
+    in_dir.push("in");
+    assert!(in_dir.is_dir());
+
+    let entries = try!(fs::read_dir(in_dir));
+
+    for entry in entries {
+        let entry = try!(entry);
+
+        let path = entry.path();
+        let file_name = try!(path
+            .file_name()
+            .ok_or(io::Error::new(io::ErrorKind::Other,
+                                  "no file name for AFL.rs seed test case")));
+
+        try!(writeln!(&mut test_file,
+                     r#"
+#[test]
+fn test_afl_seed_{}() {{
+    let mut file = fs::File::open("{}").unwrap();
+    let mut contents = Vec::new();
+    file.read_to_end(&mut contents).unwrap();
+    let _ = cpp_demangle::Symbol::new(contents);
+    assert!(true, "did not panic when parsing");
+}}
+"#,
+                      file_name.to_string_lossy(),
+                      path.to_string_lossy()));
+    }
+
+    Ok(())
+}
+
+fn main() {
+    println!("cargo:rerun-if-changed=build.rs");
+
+    generate_sanity_tests_from_afl_seeds()
+        .expect("should generate sanity tests from AFL.rs seed test cases");
+}

in/afl_crash_0

@@ -0,0 +1 @@
+__Z13Jh_SetEle2Cont99999999999999999999999999999bjJSStringEE

in/afl_crash_1

@@ -0,0 +1 @@
+__Z144444444444444444444SContextN2JS6HandleIP8JSObjectEEjNS2_IP8JSStringEE

in/afl_crash_10

@@ -0,0 +1 @@
+__Z1_zZ1SetEsemZ1SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS_z1_zZ1SetEsemZ1_zZ1SetEseElentx9Z1SetEleS

in/afl_crash_11

@@ -0,0 +1 @@
+__Z13Cal1ClllOPKDpKDpClll5555455555555555555555555555555OPKDpKDptEE

in/afl_crash_12

@@ -0,0 +1 @@
+__Z11CallObjFuncPFTentSCRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRbES

in/afl_crash_13

@@ -0,0 +1 @@
+__Z11CallObjFuncPFTsntSCRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRbES

in/afl_crash_14

@@ -0,0 +1 @@
+__Z11CallObjFuncPFbOOjSCRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRbES

in/afl_crash_16

@@ -0,0 +1 @@
+__Z19JS_neUCFun2_IctionP9JSContextN2JS6HandleIJEESOGGGGGGGGGGGGGGGGGGGGGbjectEEPKDsmPFbA0_jPNS1_5ValueEEjj

in/afl_crash_18

@@ -0,0 +1 @@
+__Z10IsIteratorM2JS6HandlrM2JrM2JS6CCCCCCCCS6CCCCCCCCQCCCCCCCtMS_$

in/afl_crash_19

@@ -0,0 +1 @@
+__Z10IsIteatorN2JS6IandleIJA_5ValueErorN2JS6IandleIJA_5ValueEratorN2JS6IAndle777777777777777770777777777A_5ValueEEE

in/afl_crash_2

@@ -0,0 +1 @@
+__Z13JS_SetElementP9JSContextN2JS6HandlKI3333333333333333333333333333EE

in/afl_crash_20

@@ -0,0 +1 @@
+__Z1_zZ1RAT__eRAleT__9_zZ1letEl99999999999999999999999999999999999999999eRAT__9JSContextN2JS6JdCont

in/afl_crash_21

@@ -0,0 +1 @@
+__Z1_zZ1RAT__iRAteT__9_zZ1SetEleRA66666666666666666666666666666666666T__9JSContextN2JS6JdCont

in/afl_crash_22

@@ -0,0 +1 @@
+__Z1_zZ1RAT__eRAleT_T__9_zZ1SetEl44444444444444444444444444444444444�eRA

in/afl_crash_23

@@ -0,0 +1 @@
+__Z1_zZ1RAT__eRAtiT__9_zZ1SetEleRAT__9JSContexMN2JS68888888888888888888888888JdCont

in/afl_crash_25

@@ -0,0 +1 @@
+__Z10IsIteratorU2JIterFtorU2J5555555555555555555555555555555P55555555S6HanS6HaxdleIN

in/afl_crash_26

@@ -0,0 +1 @@
+__Z1IT_IteratorU277777777777777777777777777777772_IP17777JIterFtorU2JS6HanS6HaPPT_IN

in/afl_crash_27

@@ -0,0 +1 @@
+__Z1IT_IJEEFtorU2JS6Han999999999999999999999999S6HatorU2JIterFtT_IJEEJI

in/afl_crash_29

@@ -0,0 +1 @@
+__Z9IT_IterFlorU2JIterFtU2JIterFtorU2JS6HanS6Ya1ITeSt1ratorU2JIterFtorU2JS6HanS6HaPPT_2222222222222222222222222222222222222222222222222222IN

in/afl_crash_3

@@ -0,0 +1 @@
+__Z1_zZ1SetEleTunt7777777777777777777777f9JSConextN2JS6Haject

in/afl_crash_30

@@ -0,0 +1 @@
+__Z1IT_IterFterFtU2JIItElterFtorF2JSVVVVVVVVViVVVVVVVVV66HllllllllloroaU2lllllllloroaU2JIterFt4IterFterFtU2JIItElterFtorF2JSVVVVVVVVVRVVVVVVVVV66HlwllllllloroaU2lllllllloroaU2JIterFt4_IrU2JIItElterFtorF2J_IrU2JI_IrU2JIItElterFtorF2J_IrU2JIItElte

in/afl_crash_31

@@ -0,0 +1 @@
+__Z1RA8_RAT__eRAteT__222222222222222222222222_222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222229_9JSContZ1RAT__eRAteT__9_zZ1SegEleRAT__9JS�extN2JS2222222222222222222222222222222222222222PU122222222222222222222222222222222222229_9JSContZ1RAT__eRAteT__9_zZ1SegEleRAT__9JS�extN2JStEleRAT__9JSCex|N2J2JStEleRAT__9JSCextN2JJ6J

in/afl_crash_32

@@ -0,0 +1,17 @@
+Command line used to find this crash:
+
+afl-fuzz -i in -o out target/debug/afl_runner
+
+If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
+memory limit. The limit used for this fuzzing session was 50.0 MB.
+
+Need a tool to minimize test cases before investigating the crashes or sending
+them to a vendor? Check out the afl-tmin that comes with the fuzzer!
+
+Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
+me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
+add your finds to the gallery at:
+
+  http://lcamtuf.coredump.cx/afl/
+
+Thanks :-)

in/afl_crash_4

@@ -0,0 +1 @@
+__Z1_zZ1SesxtK2SSSSSSSSSSSSSSSSSSSSJS6Haject

in/afl_crash_5

@@ -0,0 +1 @@
+__Z12NoteWeakEdgeIN2js3jSSSSSSSSSSSSSSSSSSSSSS__ZTVttC~deEEvPNS0_8GCMerEPPT_

in/afl_crash_6

@@ -0,0 +1 @@
+__Z19JS_CopyPropertyFromP9JSContextN2JS6HandleI4jsidEENS2_I19JS_CopyPropertyFromP9JSContextN2JS6HandleI4jsidEENS2CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCyCopyBehavior

in/afl_crash_7

@@ -0,0 +1 @@
+__Z11CallObjFuncIjET_PFSCCCCCCCCCCCCCCCCt6HandleIP8JSObjectEEES2

in/afl_crash_8

@@ -0,0 +1 @@
+__Z15JS_CallFunctionP9JSContextN2JS6HandleIP8JSObjectEENS2_IP10JSFunctionEERKNS1_16HandleValueArrayENSCCCCCCCCCCCCCCCCtINS1_5ValueEEE

in/afl_crash_9

@@ -0,0 +1 @@
+__Z19JS_DefineUCFunctionP9JSContextF2JS6HandleIP8JSObjectEEPKDsmPFbSCCCCCCCCCCCCCCCCtj

in/afl_hang_0

@@ -0,0 +1 @@
+__Z10IsIteratorN2JS6HandleINS_5ValueEE��

in/afl_hang_1

@@ -0,0 +1 @@
+__Z17JS_SetArrayLengt(P9JSContextN2JS6HandleIP8JSObjectEEj

in/afl_hang_10

@@ -0,0 +1 @@
+__Z1_zZ1SetEsemZ1_z1_fZ1SZ1_zZ1SetEseEleZ1SetEseElenetEsemZ1_z1_zZ1GetEsemZ1_zZ1SetEseElentx9Z1XetE9etE9

in/afl_hang_11

@@ -0,0 +1 @@
+__Z10IsIteatorN2JS6IandleIJA_5ValueErorN2JS6IandlehJA_5ValueEratorN2JS6IAndleIJA_5ValueatorN2JS6IAndleIJA_5ValueEEE

in/afl_hang_12

@@ -0,0 +1 @@
+__Z1_zZ1RAT__eRAtwT__9_1RAT__eR��__9_zK1SetEleJdCo

in/afl_hang_13

@@ -0,0 +1 @@
+__Z19JS_DeZ1_zUCPropertyP9JSContextN2JS6HandleIP8JSObjectEEPKDsmijPFjPNS1_5ValueEESB

in/afl_hang_14

@@ -0,0 +1 @@
+__Z24JS_GetObject2_IPt16ArrayP8JSSOGGGGGGGGGb�ectPjPbPP

in/afl_hang_15

@@ -0,0 +1 @@
+__Z19JS_DefineUCFunctionRAtwT__textN2JS6HandleIP8JSObjectEEPKFsmPFbA0_jPNS1_5ValueEEjj

in/afl_hang_16

@@ -0,0 +1 @@
+__Z10IsIteratorM2JS10IsIteralrM2JS6HandleIMS_5V��EMS_d6HmndlrM2JS6HandleIMS_5ValueEMSgd

in/afl_hang_17

@@ -0,0 +1 @@
+__Z10IsIteratorU2JIterFtorU2JS6HanS6HWxdleIN

in/afl_hang_18

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtT_IrU2JIterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtorU2JS���S6HaPPT_IN

in/afl_hang_19

@@ -0,0 +1 @@
+__Z1IT_IterFtorU6Ha12JIterFtterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtorU2JS6HanS6HTent_�N

in/afl_hang_20

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6HanS6Ha1IT_IteratorU2JIteVFtT_IrU2JIterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtorU2JS6HanS6HaPNT_IN

in/afl_hang_21

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6HanS6Ha1torm2JIterFtT_IJEEJI

in/afl_hang_22

@@ -0,0 +1 @@
+__Z1IT_IterFtorU6Ha12__Z14JIterFtT_IrU2JIterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtorRAleT_T__U2JS6HanSMHaPPT_IN

in/afl_hang_23

@@ -0,0 +1 @@
+__Z1IT_IterF14JIterFtT_IrU2JIterFtorU2JS6HBnS6Ha1IT_IteratorU2JIterFrFtT_IrU2JIterFtorU2JS6HBnS6Ha1IT_IteratorU2JIterFRAleT_2__T__U2JS6HanSRAleT_2__T__U2JS6HanS6HaPPT_IN

in/afl_hang_24

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFtT_IrU2JIterFTsnt22JS6HanS6Ha1IT_IteratorU2JIterFtT_IrU2JIterFTsnt2JS6HanS6Ha1IT_IteratorU2JIterFtorU2JS6HanS6HaPPT_INJS6HanS6Ha1IT_IteratorU2JIter(torU2JS6HanS6HaPPT_IN

in/afl_hang_25

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6teratorU2JIterFtT_IrU2JIteRAleT_Ty_6HanS6Ha1IT_ItorU

in/afl_hang_26

@@ -0,0 +1 @@
+__Z1IT_IterFtorU2JS6teratorU2JIterFtT_IrU2JIterFtorU2JS6HanS6Ha1tRAleT__erFtorU2BS6HanS6HaPPT_IN

in/afl_hang_27

@@ -0,0 +1 @@
+__Z1IT_IterF14JIterFtT_IrU2JIterFtor6HanS6Ha1IT_TuntOtorterFRAleT_2__T__6HanS6HaPPT_2JIterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFRAleT_2__T__U2JS6HanS6HaPP

in/afl_hang_28

@@ -0,0 +1 @@
+__Z1IT_IterFterFtT_IrU2JIterFtorU2JS6HanS6Ha1IT_IteratorU2JIterFC4JIterFtT_IrU2JIterFtorU2JPKDpnFRAleT_2__T_

in/afl_hang_29

@@ -0,0 +1 @@
+__Z1IT_IterF2JS6HanS6Ha1teratorU2JIterFtT_IrU2JIterFtorU2JS6rarU2JIterFtT_IrU2JIItElterFtorVVVVVVVVVRVVVVVVVVVN2JS6HanS6H

in/afl_hang_30

@@ -0,0 +1 @@
+__Z26AppendUnboxedDenseElementsIL11JSValueType0EEN2js18DenseElementResultEPNS1_18UnboxedArrayObjectEjN2JS1PMutableHandleINS5_8GCVectorINS5_5ValueELm0ENS1_15TempAllocPolicyEEEEE

in/afl_hang_31

@@ -0,0 +1 @@
+__Z26AppendUnboxedDenseElementsIL11JSValueType0EEN2js18DenseElementResultEPNS1_18UnboxedArrayObjectEjEleS13MutableHandleINS5_8GCVectorINS5_5ValueELm0ENS1_15TempAllocPolicyEEEEE

in/afl_hang_4

@@ -0,0 +1 @@
+__Z26JS_MRAT__olveStandardClassRK11JSAtomState4jsidP8JSObject

in/afl_hang_5

@@ -0,0 +1 @@
+__Z11CallObjFuncIbET_PFS0_P9JSContextO�JS6HandleIP8JSObjectEEES2

in/afl_hang_6

@@ -0,0 +1 @@
+__Z13ConvertToBaseIPN2js17EnvironmentObjectEEPN13PtrBiseGCTypeIT_E4typeEPS4_

in/afl_hang_7

@@ -0,0 +1 @@
+__Z16JS_ConcatStringRAT__ContextN2JS6HandleIP8JSStringEES5_

in/afl_hang_8

@@ -0,0 +1 @@
+__Z21ArrayShiftDenseKernelIL11JSValueType4EEN2js18DenseElem�tResultEP9JSContextN2JS6HandleIP8JSObjectEENS5_13MutableHandleINS5_5ValueEEE

src/ast.rs

@@ -4308,8 +4308,7 @@ fn parse_number(base: u32,
         ::std::str::from_utf8_unchecked(head)
     };
 
-    let mut number = isize::from_str_radix(head, base)
-        .expect("We should only have numeric characters");
+    let mut number = try!(isize::from_str_radix(head, base).map_err(|_| Error::Overflow));
     if num_is_negative {
         number = -number;
     }

src/error.rs

@@ -15,6 +15,10 @@ pub enum Error {
     /// Found a back reference that is out-of-bounds of the substitution
     /// table.
     BadBackReference,
+
+    /// An overflow or underflow would occur when parsing an integer in a
+    /// mangled symbol.
+    Overflow,
 }
 
 impl fmt::Display for Error {
@@ -26,6 +30,10 @@ impl fmt::Display for Error {
                 write!(f,
                        "back reference that is out-of-bounds of the substitution table")
             }
+            Error::Overflow => {
+                write!(f,
+                       "an overflow or underflow would occur when parsing an integer in a mangled symbol")
+            }
         }
     }
 }
@@ -36,6 +44,7 @@ impl error::Error for Error {
             Error::UnexpectedEnd => "mangled symbol ends abruptly",
             Error::UnexpectedText => "mangled symbol is not well-formed",
             Error::BadBackReference => "back reference that is out-of-bounds of the substitution table",
+            Error::Overflow => "an overflow or underflow would occur when parsing an integer in a mangled symbol",
         }
     }
 }