Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Panic in parser found by fuzzing #1098

Closed
Cravtos opened this issue Sep 25, 2024 · 1 comment
Closed

Panic in parser found by fuzzing #1098

Cravtos opened this issue Sep 25, 2024 · 1 comment

Comments

@Cravtos
Copy link

Cravtos commented Sep 25, 2024

Version: 3.9.0

Fuzzing test:

func FuzzParser(f *testing.F) {
	f.Fuzz(func(t *testing.T, script []byte) {
		_, _ = syntax.NewParser().Parse(bytes.NewReader(script), "")
	})
}

Input:
input.txt

Stacktrace:

panic: runtime error: slice bounds out of range [:-1] [recovered]
	panic: runtime error: slice bounds out of range [:-1]

goroutine 5 [running]:
testing.tRunner.func1.2({0x101378660, 0x14000572168})
	/Users/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.5.darwin-arm64/src/testing/testing.go:1631 +0x1c4
testing.tRunner.func1()
	/Users/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.5.darwin-arm64/src/testing/testing.go:1634 +0x33c
panic({0x101378660?, 0x14000572168?})
	/Users/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.5.darwin-arm64/src/runtime/panic.go:770 +0x124
mvdan.cc/sh/v3/syntax.(*Parser).endLit(...)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/lexer.go:827
mvdan.cc/sh/v3/syntax.(*Parser).advanceNameCont(0x140001f8a88, 0x5c)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/lexer.go:862 +0x178
mvdan.cc/sh/v3/syntax.(*Parser).wordPart(0x140001f8a88)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1064 +0x1c4
mvdan.cc/sh/v3/syntax.(*Parser).wordParts(0x140001f8a88, {0x140002da4b8?, 0x0?, 0x8?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:961 +0x40
mvdan.cc/sh/v3/syntax.(*Parser).wordAnyNumber(0x0?)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:475 +0xd8
mvdan.cc/sh/v3/syntax.(*Parser).getWord(...)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:943
mvdan.cc/sh/v3/syntax.(*Parser).doHeredocs(0x140001f8a88)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:613 +0x248
mvdan.cc/sh/v3/syntax.(*Parser).next(0x140001f8a88)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/lexer.go:248 +0x3e8
mvdan.cc/sh/v3/syntax.(*Parser).getLit(0x140001f8a88)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:953 +0x4c
mvdan.cc/sh/v3/syntax.(*Parser).declClause(0x140001f8a88, 0x1400068e240)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:2266 +0x26c
mvdan.cc/sh/v3/syntax.(*Parser).gotStmtPipe(0x140001f8a88, 0x1400068e240, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1753 +0x848
mvdan.cc/sh/v3/syntax.(*Parser).getStmt(0x140001f8a88, 0x1, 0x0, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1646 +0x154
mvdan.cc/sh/v3/syntax.(*Parser).stmts(0x140001f8a88, 0x1400004cc38, {0x1400004cc98, 0x1, 0x14000576240?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:883 +0x1d8
mvdan.cc/sh/v3/syntax.(*Parser).stmtList(0x140001f8a88, {0x14000110c98?, 0x14000110d48?, 0x1010f4a44?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:903 +0x54
mvdan.cc/sh/v3/syntax.(*Parser).block(0x140001f8a88, 0x14000570ea0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1879 +0x6c
mvdan.cc/sh/v3/syntax.(*Parser).gotStmtPipe(0x140001f8a88, 0x14000570ea0, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1703 +0x174
mvdan.cc/sh/v3/syntax.(*Parser).getStmt(0x140001f8a88, 0x0, 0x1, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1646 +0x154
mvdan.cc/sh/v3/syntax.(*Parser).getStmt(0x140001f8a88, 0x1, 0x0, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1663 +0x22c
mvdan.cc/sh/v3/syntax.(*Parser).stmts(0x140001f8a88, 0x1400004cfd8, {0x0, 0x0, 0x1400042e0f0?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:883 +0x1d8
mvdan.cc/sh/v3/syntax.(*Parser).stmtList(0x140001f8a88, {0x0?, 0x14000584a00?, 0x14e7?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:903 +0x54
mvdan.cc/sh/v3/syntax.(*Parser).wordPart(0x140001f8a88)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1135 +0x3d0
mvdan.cc/sh/v3/syntax.(*Parser).wordParts(0x140001f8a88, {0x140002d96e8?, 0x50?, 0x10131a7c0?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:961 +0x40
mvdan.cc/sh/v3/syntax.(*Parser).wordAnyNumber(0x14e7?)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:475 +0xd8
mvdan.cc/sh/v3/syntax.(*Parser).callExpr(0x140001f8a88, 0x14000570360, 0x140002d96a8, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:2408 +0x280
mvdan.cc/sh/v3/syntax.(*Parser).gotStmtPipe(0x140001f8a88, 0x14000570360, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1787 +0x9e4
mvdan.cc/sh/v3/syntax.(*Parser).getStmt(0x140001f8a88, 0x1, 0x0, 0x0)
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:1646 +0x154
mvdan.cc/sh/v3/syntax.(*Parser).stmts(0x140001f8a88, 0x1400004d5b8, {0x0, 0x0, 0x140005761c0?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:883 +0x1d8
mvdan.cc/sh/v3/syntax.(*Parser).stmtList(0x140001f8a88, {0x0?, 0x1?, 0x10138cf40?})
	/Users/.../vendor/mvdan.cc/sh/v3/syntax/parser.go:903 +0x54
mvdan.cc/sh/v3/syntax.(*Parser).Parse(0x140001f8a88, {0x1013bc338, 0x140005ce3f0}, {0x0, 0x0})
@mvdan
Copy link
Owner

mvdan commented Sep 26, 2024

Thank you - we already have a fuzzer on master and it found this crash very quickly. I guess I just haven't been fuzzing as often as I should lately.

@mvdan mvdan closed this as completed in 0068634 Sep 28, 2024
@github-actions github-actions bot mentioned this issue Nov 3, 2024
Merged
This was referenced Nov 16, 2024
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Nov 16, 2024
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mvdan @Cravtos