-
-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash in decompression, strlen(NULL) #47
Comments
Hi, I agree the decompress code should check for NULL, but is the input valid? Was it obtained from |
The input is invalid. In my case, it may come from untrusted parties. |
ok, I will fix the code to check NULL. Even if it might fix this and not crash, I am not sure if there will be other cases where it might crash for invalid input. I will check those too, but validating the input using a checksum mechanism may be the safest option. |
The input is unknown so a malicious attacker can generate any checksum they like along with a malicious input. |
:-o |
Also crashes with input 310a (two bytes with those hex values) in a different place. |
If the former, you can build unishox2 with -fsanitize=address, and buikd this test program:
Then run:
This will leave all crashing inputs in the fuzz-data directory for you to look at. |
You need to install ASAN (for -fsanitize=address) and American fuzzy lop (for afl-fuzz). |
This is very nice! 🥇 I will run this and fix the issues. Thanks! |
Hi, I have fixed the issues that showed up on AFL but it is still running and does not look like it will finish anytime soon. But I have gone through the code and think there aren't any more issues. I have made a release with the fixes 1.0.3. |
That was fast, thanks! AFL will run for a loooong time. It may find more crashes as it finds data that exercises different code paths. It's an exploration with a very short view range. I notice it only executes 6 times a second. That is very slow, the test program executes more than 100 times a second for me, on a not too recent laptop. This makes finding new crashes |
Hm.. I am running it on Macbook Air 2017. I tried compiling it with -O3 and on a Ramdisk but not much improvement. looks like I will have to find a better machine to run it on. If there are more crashes I will update here again. Thanks !! |
Possibly runtime linking ? Loading/linking at every process start is quite heavy. |
Unishox does not depend on other libraries. I ran the equivalent of ldd and got this: % otool -L a.out
a.out:
@rpath/libclang_rt.asan_osx_dynamic.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1311.0.0) and I could not find a way of statically linking them. Also it seems it won't make much difference even if I did so. So looks like the only choice to find a faster machine :) |
Fair enough. Running on my laptop atm, I'm at 9.6 million execs and zero crashes so far, so it looks like you did a very good job :) |
Forgot to mention it when I stopped, but I ran the test till about 116 million runs IIRC, no further issues. It did slow down a lot from the starting 1k/second unfortunately, as afl started generating large test cases (like 80kB). |
@moneromooo-monero Thats great news! Thanks for letting me know!! This exercise was a good one also because I am working on other such projects, especially Unishox3, which is expected to surpass GZip for compression ratio and hopefully reach closer to its speed (I am no Jean-loup Gailly :)), but it would have some demands on RAM/Flash proportionate to desired compression ratio. |
will be great if u have some benchmarks on performance of unishox in time and memory used other than just the obvious storage savings like this just compare with lz4 and snappy will do i guess coz the rest we can reference here: but please do make unishox 3 available first coz seems exciting to have it as production ready |
The following program dies dereferencing USX_TEMPLATES[4], which is NULL.
The text was updated successfully, but these errors were encountered: