Hang when parsing malformed URL #692

Closed
5225225 opened this issue Mar 23, 2021 · 3 comments

5225225 commented Mar 23, 2021

Reproducing program:

fn main() {
    let url = "ftp:xn--f\u{34a}-PTP";
    let _ = url::Url::parse(url);
}

I've tested this against 2.2.1 on crates.io as well as adding it as a test and running it from a clone of this repo (commit 89876ff).

Fuzzing timeout backtrace:

==3432763== ERROR: libFuzzer: timeout after 1 seconds
    #0 0x557162429571 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x55716261bd78 in fuzzer::PrintStackTrace() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x39dd78)
    #2 0x5571625f508c in fuzzer::Fuzzer::AlarmCallback() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x37708c)
    #3 0x7fd4fdaf095f  (/usr/lib/libpthread.so.0+0x1395f)
    #4 0x557162541060 in _$LT$idna..punycode..Decode$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h707ba2686f4c0413 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2c3060)
    #5 0x55716253aaa0 in _$LT$alloc..string..String$u20$as$u20$core..iter..traits..collect..Extend$LT$char$GT$$GT$::extend::h923761dbd3e4f86e (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2bcaa0)
    #6 0x5571625490ee in idna::uts46::processing::hf0541b4f9c7dabca (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cb0ee)
    #7 0x55716254a8db in idna::uts46::Idna::to_ascii::h6545fa8cbb62b9bb (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cc8db)
    #8 0x55716254cfeb in idna::uts46::Config::to_ascii::h5bd26c12b4570947 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2cefeb)
    #9 0x55716254e991 in idna::domain_to_ascii::h7fd957715a8f1950 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2d0991)
    #10 0x55716249420b in url::host::Host::parse::h3b5d357909f06891 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x21620b)
    #11 0x5571624b6ccb in url::parser::Parser::parse_host::he9cb313349af39d9 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x238ccb)
    #12 0x5571624b4485 in url::parser::Parser::parse_host_and_port::hdaeea756732a80b3 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x236485)
    #13 0x5571624b1640 in url::parser::Parser::after_double_slash::h6d4eddedd7e92ea8 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x233640)
    #14 0x5571624a52eb in url::parser::Parser::parse_with_scheme::hc4d4e7f763875ffb (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x2272eb)
    #15 0x5571624a2e7d in url::parser::Parser::parse_url::h0675246c0377db61 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x224e7d)
    #16 0x5571624d063c in url::ParseOptions::parse::hcc9fa3d84e062250 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x25263c)
    #17 0x55716245b5f7 in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x1dd5f7)
    #18 0x5571625feed0 in __rust_try (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x380ed0)
    #19 0x5571625feb2f in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x380b2f)
    #20 0x5571625f5384 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x377384)
    #21 0x5571625e989a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x36b89a)
    #22 0x5571625ed836 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x36f836)
    #23 0x5571623a5022 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x127022)
    #24 0x7fd4fd7e9b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #25 0x5571623a51cd in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/parse+0x1271cd)
valenting self-assigned this Mar 26, 2021
@valenting
Collaborator

Thanks for the report! I'm surprised this is the first time this came up 😄

Contributor

djc commented Apr 6, 2021

Oops, I regressed this in 5bc0e60.

djc added a commit to djc/rust-url that referenced this issue Apr 6, 2021
Contributor

djc commented Apr 6, 2021

Should be fixed in #694.

valenting added a commit that referenced this issue Apr 7, 2021
idna: fix hang with unicode character before delimiter (fixes #692)
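
The host label in the reproducer, `f\u{34a}-PTP` once the `xn--` prefix is removed, carries a non-ASCII code point (U+034A) before the last `-` delimiter, and RFC 3492 section 6.2 says a decoder must fail on any non-basic code point in that position. The following is an added example, not the idna crate's code and not the fix from #694: a from-scratch RFC 3492 decoder (the name `decode_label` is an assumption of this example) that makes that check up front, uses checked arithmetic, and consumes input on every pass so it cannot spin on malformed labels.

```rust
// Added example: a small RFC 3492 (Punycode) label decoder, not the idna crate's code.
const BASE: u32 = 36;
const T_MIN: u32 = 1;
const T_MAX: u32 = 26;
// Punycode digit values: a-z and A-Z are 0..=25, 0-9 are 26..=35.
fn digit(c: char) -> Option<u32> {
    c.to_digit(36).map(|v| if v < 10 { v + 26 } else { v - 10 })
}

fn adapt(mut delta: u32, num_points: u32, first: bool) -> u32 {
    delta /= if first { 700 } else { 2 }; // damp = 700
    delta += delta / num_points;
    let mut k = 0;
    while delta > ((BASE - T_MIN) * T_MAX) / 2 {
        delta /= BASE - T_MIN;
        k += BASE;
    }
    k + ((BASE - T_MIN + 1) * delta) / (delta + 38) // skew = 38
}

/// Decodes one label with the "xn--" prefix already removed; None on malformed input.
fn decode_label(input: &str) -> Option<String> {
    let (basic, ext) = input.rsplit_once('-').unwrap_or(("", input));
    // RFC 3492 section 6.2: fail on any non-basic code point before the delimiter.
    if !basic.is_ascii() { return None; }
    let mut out: Vec<char> = basic.chars().collect();
    let (mut n, mut i, mut bias) = (128u32, 0u32, 72u32);
    let mut rest = ext.chars();
    let mut next = rest.next();
    while next.is_some() {
        let (old_i, mut w, mut k) = (i, 1u32, BASE);
        loop {
            let d = digit(next?)?; // truncated or non-digit input fails
            next = rest.next(); // each pass consumes input, so decoding terminates
            i = i.checked_add(d.checked_mul(w)?)?;
            let t = if k <= bias { T_MIN } else if k >= bias + T_MAX { T_MAX } else { k - bias };
            if d < t { break; }
            w = w.checked_mul(BASE - t)?;
            k += BASE;
        }
        let len = out.len() as u32 + 1;
        bias = adapt(i - old_i, len, old_i == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        out.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(out.into_iter().collect())
}
fn main() { println!("{:?}", decode_label("f\u{34a}-PTP")); } // label from the reproducer
```

The output is built as a `Vec<char>`, so insertion positions are code-point indices rather than byte offsets.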