Skip to content

Panic on decoding a crafted input #7

New issue
New issue
Closed
Closed
Panic on decoding a crafted input#7
@Shnatsel

Description

@Shnatsel
Shnatsel
opened on May 7, 2020

With #6 out of the way, decoding fuzzing has discovered another issue in less than 5 minutes - a panic with message 'end drain index (is 7) should be <= len (is 0)'

Sample input triggering the bug, gzipped so that github would accept the upload: lz4-fear-panic.lz4.gz

Code to reproduce is in #5

Backtrace:

thread '<unnamed>' panicked at 'end drain index (is 7) should be <= len (is 0)', src/liballoc/vec.rs:1331:13
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/libunwind.rs:86
   1: backtrace::backtrace::trace_unsynchronized
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/mod.rs:66
   2: std::sys_common::backtrace::_print_fmt
             at src/libstd/sys_common/backtrace.rs:78
   3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
             at src/libstd/sys_common/backtrace.rs:59
   4: core::fmt::write
             at src/libcore/fmt/mod.rs:1069
   5: std::io::Write::write_fmt
             at src/libstd/io/mod.rs:1504
   6: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:62
   7: std::sys_common::backtrace::print
             at src/libstd/sys_common/backtrace.rs:49
   8: std::panicking::default_hook::{{closure}}
             at src/libstd/panicking.rs:198
   9: std::panicking::default_hook
             at src/libstd/panicking.rs:218
  10: libfuzzer_sys::initialize::{{closure}}
  11: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:515
  12: rust_begin_unwind
             at src/libstd/panicking.rs:419
  13: core::panicking::panic_fmt
             at src/libcore/panicking.rs:111
  14: alloc::vec::Vec<T>::drain::end_assert_failed
             at src/liballoc/vec.rs:1331
  15: lz_fear::framed::decompress::LZ4FrameReader<R>::decode_block
  16: <lz_fear::framed::decompress::LZ4FrameIoReader<R> as std::io::Read>::read
  17: rust_fuzzer_test_input
  18: LLVMFuzzerTestOneInput
  19: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
  20: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
  21: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
  22: main
  23: __libc_start_main
  24: _start

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions