thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/util.rs:28:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==47284== ERROR: libFuzzer: deadly signal
#0 0x563fd05f28f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x563fd07294f8 in fuzzer::PrintStackTrace() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2684f8)
#2 0x563fd0718db5 in fuzzer::Fuzzer::CrashCallback() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x257db5)
#3 0x7fed80c8b86f (/usr/lib/libpthread.so.0+0x1386f)
#4 0x7fed8099bd21 in raise (/usr/lib/libc.so.6+0x3cd21)
#5 0x7fed80985861 in abort (/usr/lib/libc.so.6+0x26861)
#6 0x563fd07a58d6 in std::sys::unix::abort_internal::h106ba9527f7605ac /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys/unix/mod.rs:259:14
#7 0x563fd056c575 in std::process::abort::h3948a505910fa8be /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/process.rs:1975:5
#8 0x563fd0712a55 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::hd349c15f96591b5f (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251a55)
#9 0x563fd0799f88 in std::panicking::rust_panic_with_hook::h01febc308b2b313b /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:606:17
#10 0x563fd0799a11 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h24a6d13f5560b71f /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:497:13
#11 0x563fd07969c3 in std::sys_common::backtrace::__rust_end_short_backtrace::h3e2917f0da9fbc5c /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys_common/backtrace.rs:139:18
#12 0x563fd07999a8 in rust_begin_unwind /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:495:5
#13 0x563fd056d6d0 in core::panicking::panic_fmt::h7b8580d81fcbbacd /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:107:14
#14 0x563fd056d61c in core::panicking::panic::h50b51d19800453c0 /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:50:5
#15 0x563fd0704d79 in vial::util::percent_decode::h28ff2598049a60af (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x243d79)
#16 0x563fd070379f in vial::util::decode_form_value::h527d24bbbe8dbae9 (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x24279f)
#17 0x563fd06da70c in vial::request::Request::parse_form::hc487b974266e14cd (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x21970c)
#18 0x563fd06271a3 in vial::request::Request::from_reader::h7ae1110a744bd9ce (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1661a3)
#19 0x563fd062f144 in rust_fuzzer_test_input (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x16e144)
#20 0x563fd0712ba8 in __rust_try (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251ba8)
#21 0x563fd0712078 in LLVMFuzzerTestOneInput (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251078)
#22 0x563fd07192f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2582f1)
#23 0x563fd071eb7f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25db7f)
#24 0x563fd071fa78 in fuzzer::Fuzzer::MutateAndTestOne() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25ea78)
#25 0x563fd0721e77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x260e77)
#26 0x563fd0741790 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x280790)
#27 0x563fd056dea2 in main (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xacea2)
#28 0x7fed80986b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#29 0x563fd056e04d in _start (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xad04d)
It's possible that the fix should be { inp.len() } not { 0 }. I'll investigate 😦. Though #7 fixes it regardless (limits the loop to 512), it would be better to fix it at the root cause of the issue.
For clarification, I believe that the percent check should not return 0, as that causes it to infinitely loop. This was caused by my fix of the other header issue; technically, capping it at 512 fixes it, but I need to refactor that fix.
The issue is https://github.com/sigaloid/vial/blob/5e94552375/src/util.rs#L28 trying to subtract 2 from a number less than zero.
From https://github.com/nic-hartley/httpserv/blob/585c020/src/http.rs#L40
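The crash above is an unsigned subtraction on a length when fewer than two bytes follow a `%`, and the comments add that a percent check returning 0 made the decoder loop forever. The following is an added example, not vial's code, of a percent-decoder written to rule out both failure modes: it uses slice `get` instead of length arithmetic, so a truncated escape yields `None` rather than an underflow panic, and the index advances on every iteration, so the loop terminates without an iteration cap. The names `escape_at`, `hex_val` and `decode_form_value` and the sample inputs are this example's own.

```rust
// Added example (not vial's code): a percent-decoder hardened against the two
// failure modes in the issue, plus a form-value decoder layered on top of it.

/// Map one ASCII hex digit to its value; None for anything else.
fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// If a well-formed `%XX` escape starts at `inp[i]`, return its byte value.
/// `get` returns None when fewer than two bytes follow the '%', which is the
/// exact input a subtraction such as `inp.len() - 2` gets wrong on an unsigned
/// length (the "attempt to subtract with overflow" panic in the report above).
fn escape_at(inp: &[u8], i: usize) -> Option<u8> {
    if inp[i] != b'%' {
        return None;
    }
    match inp.get(i + 1..i + 3) {
        Some(&[h, l]) => match (hex_val(h), hex_val(l)) {
            (Some(hi), Some(lo)) => Some(hi << 4 | lo),
            _ => None,
        },
        _ => None,
    }
}

/// Decode percent escapes; malformed or truncated escapes are copied through
/// literally. The index advances by at least one byte on every iteration, so
/// the loop terminates for any input without a 512-iteration cap.
pub fn percent_decode(inp: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(inp.len());
    let mut i = 0;
    while i < inp.len() {
        match escape_at(inp, i) {
            Some(byte) => {
                out.push(byte);
                i += 3; // '%' plus two hex digits consumed
            }
            None => {
                out.push(inp[i]);
                i += 1;
            }
        }
    }
    out
}

/// application/x-www-form-urlencoded values additionally encode spaces as '+'.
pub fn decode_form_value(inp: &[u8]) -> Vec<u8> {
    // Map '+' before decoding so that an escaped "%2B" still yields a literal '+'.
    let spaced: Vec<u8> = inp.iter().map(|&b| if b == b'+' { b' ' } else { b }).collect();
    percent_decode(&spaced)
}

fn main() {
    // Constructed inputs of the shape a fuzzer produces: escapes truncated at
    // the very end of the buffer, which is where the original check underflowed.
    let inputs: [&[u8]; 5] = [b"%", b"%4", b"a%41b%", b"%%41", b"x+y%2Bz"];
    for &inp in inputs.iter() {
        println!(
            "{:?} -> {:?}",
            String::from_utf8_lossy(inp),
            String::from_utf8_lossy(&decode_form_value(inp))
        );
    }
}
```

The panic message in the report shows that this fuzz build has overflow checks enabled; in a build without them the same subtraction would wrap silently to a huge value and the bounds error would surface somewhere else, which is why the fix belongs in the length check itself rather than in a loop cap. A cargo-fuzz target that feeds arbitrary bytes to `decode_form_value`, like the `rust_fuzzer_test_input` frame above, is the natural regression test for this change.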