Closed
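Found with cargo-fuzz by @frewsxcv. The program below is a minimal reproducer: in a debug build, `Reader::read_event` panics on this input with "attempt to subtract with overflow" (backtrace follows).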
extern crate quick_xml;
use quick_xml::reader::Reader;
use std::io::Cursor;
/// Reproducer for the fuzz-found panic in this report: feeds one fixed byte
/// string to `Reader::read_event` until end of input or the first error.
///
/// According to the report's backtrace, a debug build panics with
/// "attempt to subtract with overflow" in `Reader::read_start`
/// (src/reader.rs:368), reached via `read_until_close` from `read_event`.
///
/// NOTE(review): the trace comes from a debug build, where integer overflow
/// checks are enabled. With overflow checks disabled the subtraction wraps
/// instead of panicking; what the reader then does with the wrapped value is
/// not visible here and should be confirmed when validating the fix.
fn main() {
    // Fuzzer-produced input. Keep it byte-for-byte: any change may stop it
    // from reaching the failing subtraction.
    let input: &[u8] = b"\xe9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n(\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00<>\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00<<\x00\x00\x00";
    let mut xml = Reader::from_reader(Cursor::new(input));
    let mut scratch = Vec::new();

    loop {
        // End of input and a reported parse error are both acceptable ways to
        // stop on malformed data; only a panic counts as a finding.
        let finished = match xml.read_event(&mut scratch) {
            Ok(quick_xml::events::Event::Eof) | Err(..) => true,
            _ => false,
        };
        if finished {
            break;
        }
        // Drop the previous event's bytes before the next read.
        scratch.clear();
    }
}
🐇 RUST_BACKTRACE=1 ../target/debug/read_xml
thread 'main' panicked at 'attempt to subtract with overflow', /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:368
stack backtrace:
1: 0x560c727f24b9 - std::sys::imp::backtrace::tracing::imp::write::hbb14611794d3841b
at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:42
2: 0x560c727f44ce - std::panicking::default_hook::{{closure}}::h6ed906c7818ac88c
at /checkout/src/libstd/panicking.rs:351
3: 0x560c727f40d4 - std::panicking::default_hook::h23eeafbf7c1c05c3
at /checkout/src/libstd/panicking.rs:367
4: 0x560c727f48cb - std::panicking::rust_panic_with_hook::hd0067971b6d1240e
at /checkout/src/libstd/panicking.rs:545
5: 0x560c727f4754 - std::panicking::begin_panic::h1fd1f10a3de8f902
at /checkout/src/libstd/panicking.rs:507
6: 0x560c727f46c9 - std::panicking::begin_panic_fmt::haa043917b5d6f21b
at /checkout/src/libstd/panicking.rs:491
7: 0x560c727f4657 - rust_begin_unwind
at /checkout/src/libstd/panicking.rs:467
8: 0x560c72819c5d - core::panicking::panic_fmt::he9c7f335d160b59d
at /checkout/src/libcore/panicking.rs:69
9: 0x560c72819b94 - core::panicking::panic::hb790668694ff6b20
at /checkout/src/libcore/panicking.rs:49
10: 0x560c727c56d1 - <quick_xml::reader::Reader<B>>::read_start::h4ca5c41cb76479cf
at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:368
11: 0x560c727c6635 - <quick_xml::reader::Reader<B>>::read_until_close::hfbfc33da61c25d63
at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:209
12: 0x560c727c4fe7 - <quick_xml::reader::Reader<B>>::read_event::h44d5632c6f14e52c
at /home/manishearth/.cargo/git/checkouts/quick-xml-df13d551d3762172/0fd7fbb/src/reader.rs:393
13: 0x560c727d1729 - read_xml::main::h4120cc96af0987c8
at /home/manishearth/mozilla/fuzz/targets/quick-xml/read_xml.rs:12
14: 0x560c727fb1fa - __rust_maybe_catch_panic
at /checkout/src/libpanic_unwind/lib.rs:98
15: 0x560c727f4e16 - std::rt::lang_start::hb7fc7ec87b663023
at /checkout/src/libstd/panicking.rs:429
at /checkout/src/libstd/panic.rs:361
at /checkout/src/libstd/rt.rs:57
16: 0x560c727d1852 - main
17: 0x7fbb9807082f - __libc_start_main
18: 0x560c727c2a58 - _start
19: 0x0 - <unknown>
cc @pnkfelix