std.compress.xz: Integer overflows found via fuzzing #14500

Closed
squeek502 opened this issue Jan 31, 2023 · 2 comments

Labels: bug (Observed behavior contradicts documented or intended behavior), standard library (This issue involves writing Zig code for the standard library.)
Milestone: 0.11.0

squeek502 (Collaborator) commented Jan 31, 2023

Zig Version

0.11.0-dev.1502+d6b430b52

Steps to Reproduce and Observed Behavior

Meant to do some fuzz testing while this was still a PR (#14434) but didn't get around to it. So far I've only fuzz tested to find crashes, not verify correctness, and I've only found 3 unique integer overflow locations.

The minimized test cases as files can be found here (note: there are some test cases that trigger the same/similar crashes):

xz-fuzzed-crashes-20230202.zip

(if it makes it easier, it's possible to use zigescape to get Zig string literals from each file's contents)

The integer overflows can be reproduced by running the above inputs through the decompress function here:

const std = @import("std");
const xz = std.compress.xz;
const testing = std.testing;

// Runs one fuzz input through the decompressor; in a safety-checked build an
// integer overflow inside std.compress.xz shows up as a panic here.
fn decompress(data: []const u8) ![]u8 {
    var in_stream = std.io.fixedBufferStream(data);
    var xz_stream = try xz.decompress(testing.allocator, in_stream.reader());
    defer xz_stream.deinit();
    return xz_stream.reader().readAllAlloc(testing.allocator, std.math.maxInt(usize));
}

Fuzzer code can be found here:

https://github.com/squeek502/zig-std-lib-fuzzing/blob/master/fuzzers/xz.zig

cc @FnControlOption

Expected Behavior

The xz decompressor to avoid integer overflow on all inputs.
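As an added example, not code from this issue, from the linked fuzzer repository or from Zig's std.compress.xz: the Python below parses the xz stream header and the first block header with every read bounds-checked and every size addition routed through an explicit u64 overflow check (the hand-written analogue of the overflow panic a safety-checked Zig build raises), then runs a bit-flip fuzz loop over a real .xz stream produced by the standard library, treating any exception other than the parser's own XzFormatError (or liblzma's LZMAError) as a crash. Field layouts follow the public xz file-format specification; the function names, the XzFormatError type, checked_add and the constructed sample input are this example's own, not anything from the Zig implementation.

```python
import lzma
import random
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
U64_MAX = (1 << 64) - 1


class XzFormatError(ValueError):
    """The only exception a well-behaved decoder may raise on malformed input."""


def checked_add(a: int, b: int) -> int:
    """Model u64 addition: reject, instead of wrapping, what a native decoder would overflow."""
    if a + b > U64_MAX:
        raise XzFormatError("u64 overflow in size arithmetic")
    return a + b


def decode_vli(buf: bytes, pos: int) -> tuple:
    """xz multibyte integer: <= 9 bytes, 7 bits each, 0x80 = continue, 0x00 tail is non-minimal."""
    if pos >= len(buf):
        raise XzFormatError("truncated multibyte integer")
    value, i = buf[pos] & 0x7F, 0
    while buf[pos + i] & 0x80:
        i += 1
        if i >= 9 or pos + i >= len(buf) or buf[pos + i] == 0x00:
            raise XzFormatError("overlong, truncated or non-minimal integer")
        value |= (buf[pos + i] & 0x7F) << (i * 7)  # i <= 8, so the shift stays <= 56
    return value, pos + i + 1


def parse_stream_header(buf: bytes) -> int:
    """Validate the 12-byte stream header and return the 4-bit check type."""
    if len(buf) < 12 or buf[:6] != XZ_MAGIC:
        raise XzFormatError("bad magic or truncated stream header")
    flags = buf[6:8]
    if flags[0] != 0x00 or flags[1] & 0xF0:
        raise XzFormatError("reserved stream flag bits set")
    if zlib.crc32(flags) != struct.unpack("<I", buf[8:12])[0]:
        raise XzFormatError("stream header CRC32 mismatch")
    return flags[1] & 0x0F


def parse_block_header(buf: bytes, pos: int) -> dict:
    """Parse the block header at pos; every read is bounds-checked before it happens."""
    if pos >= len(buf):
        raise XzFormatError("truncated block header")
    if buf[pos] == 0x00:
        raise XzFormatError("index indicator where a block header was expected")
    end = checked_add(pos, (buf[pos] + 1) * 4)  # header is 8..1024 bytes, CRC32 included
    if end > len(buf):
        raise XzFormatError("block header runs past end of input")
    body = buf[pos:end - 4]
    if zlib.crc32(body) != struct.unpack("<I", buf[end - 4:end])[0]:
        raise XzFormatError("block header CRC32 mismatch")
    flags = body[1]
    if flags & 0x3C:
        raise XzFormatError("reserved block flag bits set")
    hdr = {"compressed_size": None, "uncompressed_size": None, "filters": [], "end": end}
    p = 2
    if flags & 0x40:
        hdr["compressed_size"], p = decode_vli(body, p)
    if flags & 0x80:
        hdr["uncompressed_size"], p = decode_vli(body, p)
    for _ in range((flags & 0x03) + 1):
        filter_id, p = decode_vli(body, p)
        props_len, p = decode_vli(body, p)
        if checked_add(p, props_len) > len(body):  # props_len is attacker-controlled, up to 2^63-1
            raise XzFormatError("filter properties run past the header")
        hdr["filters"].append((filter_id, body[p:p + props_len]))
        p += props_len
    if any(body[p:]):
        raise XzFormatError("non-zero block header padding")
    return hdr


def make_seed_stream() -> bytes:
    """Constructed sample input: a genuine single-block .xz stream from the standard library."""
    return lzma.compress(b"xz header fuzzing seed " * 16, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)


def fuzz(seed_stream: bytes, iterations: int = 500, seed: int = 7) -> dict:
    """Flip 1-4 random bits per iteration and run the result through this parser and liblzma.
    Only XzFormatError and LZMAError are acceptable; anything else (IndexError, struct.error,
    ...) propagates as a crash, the Python analogue of Zig's integer-overflow panic."""
    rng = random.Random(seed)
    counts = {"accepted": 0, "rejected": 0}
    for _ in range(iterations):
        data = bytearray(seed_stream)
        for _ in range(rng.randint(1, 4)):
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        data = bytes(data)
        try:
            parse_stream_header(data)
            parse_block_header(data, 12)
            lzma.decompress(data)
        except (XzFormatError, lzma.LZMAError):
            counts["rejected"] += 1
        else:
            counts["accepted"] += 1
    return counts
```

Calling fuzz(make_seed_stream()) returns the accepted/rejected counts; a bug in the parser surfaces as an uncaught traceback, which is exactly the crash signal the issue's fuzzer was looking for rather than a correctness check on the decompressed bytes. In Python the checked_add calls are only a model of fixed-width arithmetic; the point is that the two places where an attacker-controlled length is added to a position are the ones a native decoder must guard.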

squeek502 added the bug label Jan 31, 2023
squeek502 mentioned this issue Jan 31, 2023
andrewrk added the standard library label and the 0.11.0 milestone Jan 31, 2023
squeek502 (Collaborator, Author) commented:

I seem to have screwed up the test cases when I wrote this originally (got too fancy with deduplicating, somehow ended up with test cases that didn't actually crash). Updated the OP with proper test cases that actually trigger the integer overflows.

squeek502 (Collaborator, Author) commented:

Fixed in d57813e via #14518
