thread '<unnamed>' panicked at 'attempt to subtract with overflow'

[sigaloid]

thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/util.rs:28:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==47284== ERROR: libFuzzer: deadly signal
    #0 0x563fd05f28f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x563fd07294f8 in fuzzer::PrintStackTrace() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2684f8)
    #2 0x563fd0718db5 in fuzzer::Fuzzer::CrashCallback() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x257db5)
    #3 0x7fed80c8b86f  (/usr/lib/libpthread.so.0+0x1386f)
    #4 0x7fed8099bd21 in raise (/usr/lib/libc.so.6+0x3cd21)
    #5 0x7fed80985861 in abort (/usr/lib/libc.so.6+0x26861)
    #6 0x563fd07a58d6 in std::sys::unix::abort_internal::h106ba9527f7605ac /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys/unix/mod.rs:259:14
    #7 0x563fd056c575 in std::process::abort::h3948a505910fa8be /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/process.rs:1975:5
    #8 0x563fd0712a55 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::hd349c15f96591b5f (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251a55)
    #9 0x563fd0799f88 in std::panicking::rust_panic_with_hook::h01febc308b2b313b /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:606:17
    #10 0x563fd0799a11 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h24a6d13f5560b71f /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:497:13
    #11 0x563fd07969c3 in std::sys_common::backtrace::__rust_end_short_backtrace::h3e2917f0da9fbc5c /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys_common/backtrace.rs:139:18
    #12 0x563fd07999a8 in rust_begin_unwind /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:495:5
    #13 0x563fd056d6d0 in core::panicking::panic_fmt::h7b8580d81fcbbacd /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:107:14
    #14 0x563fd056d61c in core::panicking::panic::h50b51d19800453c0 /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:50:5
    #15 0x563fd0704d79 in vial::util::percent_decode::h28ff2598049a60af (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x243d79)
    #16 0x563fd070379f in vial::util::decode_form_value::h527d24bbbe8dbae9 (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x24279f)
    #17 0x563fd06da70c in vial::request::Request::parse_form::hc487b974266e14cd (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x21970c)
    #18 0x563fd06271a3 in vial::request::Request::from_reader::h7ae1110a744bd9ce (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1661a3)
    #19 0x563fd062f144 in rust_fuzzer_test_input (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x16e144)
    #20 0x563fd0712ba8 in __rust_try (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251ba8)
    #21 0x563fd0712078 in LLVMFuzzerTestOneInput (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251078)
    #22 0x563fd07192f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2582f1)
    #23 0x563fd071eb7f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25db7f)
    #24 0x563fd071fa78 in fuzzer::Fuzzer::MutateAndTestOne() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25ea78)
    #25 0x563fd0721e77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x260e77)
    #26 0x563fd0741790 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x280790)
    #27 0x563fd056dea2 in main (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xacea2)
    #28 0x7fed80986b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #29 0x563fd056e04d in _start (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xad04d)

The issue is https://github.com/sigaloid/vial/blob/5e94552375/src/util.rs#L28 trying to subtract 2 from a number less than zero.

From https://github.com/nic-hartley/httpserv/blob/585c020/src/http.rs#L40

[sigaloid]

Its possible that fix should be { inp.len() } not { 0 } I'll investigate 😦. Though #7 fixes it regardless (limits the loop to 512) it would be better to fix it at the root cause of the issue.

[sigaloid]

For clarification I believe that the percent check should not return 0 as that causes it to infinitely loop. This was caused by my fix of the other header issue, technically capping it at 512 fixes it but I need to refactor that fix