Added fuzzy testing

[newpavlov]

It is quite important for decoder to be robust in face of malicious input and fuzzy tests is a good helper for improving our chances.

Short fuzzer runs exposed two serious problems which can be exploited for performing DoS attack:

• In metadata.rs there is no checks on requested chunk_size which can lead to requesting a huge memory chunk. I've fixed it and limited chunk_size by 1 MB. (probably this value should be configurable in future)
• There is an input which leads to a growing memory usage, probably by creating huge maniac tree. See fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439, if you'll uncomment line in tests/fuzz.rs it will run fuzzing artifacts.

[ZoeyR]

Did you check if the official FLIF library has a similar limit?

[newpavlov]

No, at first glance I couldn't find such checks, but I am not exactly proficient with C++.

[newpavlov]

In general I think it will be a good idea to limit value which read_varint can produce, e.g. with 56 bits (8*7), or at least perform overflow checks.

[ZoeyR]

read_varint is already performing a checked add, so it should be immune to overflow. Is this not the case?

[newpavlov]

Ah, yes, you are right.

[newpavlov]

I'll revert this change, and instead will create configurable limits in the next PR.

[ZoeyR]

Nit: revert this formatting change.

It clutters the PR

[ZoeyR]

So the artifact in this test both tests the crash in #15 and triggers growing memory usage?

[newpavlov]

This artifact only triggers growing memory usage in non_interlaced_pixels, IIUC fuzzer kills it long before OOM. I will remove it from this PR and will create a separate bug.

[ZoeyR]

I'm not too familiar with the cargo fuzzing library. But I assume this is not meant to be added to the workspace?

[newpavlov]

fuzz/Cargo.toml was created automatically and it creates its own workspace with the following comment: "Prevent this from interfering with workspaces", so yes.

[ZoeyR]

I'm trying to run this locally with cargo +nightly fuzz run fuzz_target_1 but it fails with:

error: could not decode the manifest file at "C:\\Users\\dagriffe\\Documents\\flif.rs\\Cargo.toml" caused by: redefinition of table `workspace` for key `workspace` at line 24

Any idea whats going on?

[newpavlov]

Command is cargo fuzz run fuzz_flif, but looks like your problem is not related to it. (I am using Linux, so currently can't test this on Windows)

Hm, strange... Google can't find similar errors. UPD: Closest one is rust-lang/cargo#4760.

[ZoeyR]

I think my issue was running it from the fuzz directory, which seems to be wrong. I use windows machines myself which seems like it will cause issues since cargo-fuzz only supports linux/macOS.

[ZoeyR]

Now that the limits are in this branch should we run the fuzzer again? I don't have access to a linux machine currently so I can't do it.

[newpavlov]

Short fuzzing revealed use of unimplemented!() macro in permute_planes.rs. (probably it's worth to temporarily disable this transform if implementations is not complete) I think this PR can be merged as is. I will try to fuzz this crate from time to time and will report any found issues.

UPD: This is the input which triggers it, if you are interested:

b"FLIF11\x00\x00\x00@FLIreeip\xb6\x00\x00\x04\x08\x00\x00\x00\x00"