Stackoverflow via raw_deserialize fuzz target found by oss-fuzz

[manunio]

Versions/Environment

1. What version of Rust are you using?
   rustc 1.64.0 (a55dd71d5 2022-09-19)
   binary: rustc
   commit-hash: a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52
   commit-date: 2022-09-19
   host: x86_64-unknown-linux-gnu
   release: 1.64.0
   LLVM version: 14.0.6

2. What operating system are you using?
   Ubuntu 20.04.5 LTS

3. What versions of the driver and its dependencies are you using? (Run
   cargo pkgid mongodb & cargo pkgid bson)
   bson@2.4.0

Describe the bug

stack overflows were reported by oss-fuzz in following reports.

• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52817
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52650
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52626
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52577

Raised by following target:

bson-rust/fuzz/fuzz_targets/raw_deserialize.rs

Line 7 in 8952194

let _ = bson::from_slice::<Document>(buf);

To Reproduce

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52817

input: clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52817 
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==9391==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd9a290f78 (pc 0x55908a3ac70b bp 0x7ffd9a2917b0 sp 0x7ffd9a290f80 T0)
        #0 0x55908a3ac70b in __asan_memset /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
        #1 0x55908a706e17 in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h91993c27457f12ee /rustc/42325c525b9d3885847a3f803abe53c562d289da/library/alloc/src/vec/mod.rs:673:9
        #2 0x55908a706e17 in alloc::vec::Vec$LT$T$GT$::with_capacity::h55aef06b654d3f85 /rustc/42325c525b9d3885847a3f803abe53c562d289da/library/alloc/src/vec/mod.rs:483:9
        #3 0x55908a706e17 in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::h2be5f6965d500378 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:488:27
        #4 0x55908a48cc9f in bson::de::raw::Deserializer::deserialize_next::h6429396b2680e8c0 [bson-rust/src/de/raw.rs:265](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L265):25
        #5 0x55908a5097ce in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::hc7f52e77742ce4d0 [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L394):9
        #6 0x55908a5097ce in serde::de::Deserializer::__deserialize_content::hedb31bd9bda44235 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
        #7 0x55908a5097ce in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::ha8016b2aad96756f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/p
[clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt](https://github.com/mongodb/bson-rust/files/9995817/clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt)
rivate/de.rs:298:13
        #8 0x55908a5097ce in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h75ed4dfc8c1da04e /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
        #9 0x55908a5097ce in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::h3d046c2d6d55eecb [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L529):23
        #10 0x55908a5097ce in bson::de::raw::DocumentAccess::read::he264107c83f444be [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L514):19
        #11 0x55908a60159d in bson::de::raw::DocumentAccess::read_next_value::h39be94149dcc8755 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L529):9
        #12 0x55908a60159d in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$
[clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt](https://github.com/mongodb/bson-rust/files/10032173/clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt)
GT$::next_value_seed::h844c6386ae10548a [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L556):9
        #13 0x55908a60159d in serde::de::MapAccess::next_entry_seed::h47f17a50131aca24 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1837:34
        #14 0x55908a709240 in
[clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt](https://github.com/mongodb/bson-rust/files/10032183/clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt)
serde::de::MapAccess::next_entry::h5fd2be9f1d80e22e /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1885:9
        #15 0x55908a709240 in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::ha21372886463c904 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:489:39

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52650

input: clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52650;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==744==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc6a9fd400 (pc 0x55e2acb17624 bp 0x7ffc6a9ff310 sp 0x7ffc6a9fd400 T0)
	    #0 0x55e2acb17624 in bson::de::raw::Deserializer::deserialize_next::h882e280f53fb0a4a [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #1 0x55e2acb6c43e in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h7a4bd62580148f8b [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #2 0x55e2acb6c43e in serde::de::Deserializer::__deserialize_content::h9ecb32214c39783f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
	    #3 0x55e2acb6c43e in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::he42e0c66f86b4d1a /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:298:13
	    #4 0x55e2acb6c43e in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h5a644791fce37639 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
	    #5 0x55e2acb6c43e in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::hf27a7f2cb2fa8813 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):23
	    #6 0x55e2acb6c43e in bson::de::raw::DocumentAccess::read::h3843ebaba5b3dc28 [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L514):19
	    #7 0x55e2acc6db8d in bson::de::raw::DocumentAccess::read_next_value::ha711dac4185ef7b0 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):9
	    #8 0x55e2acc6db8d in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$GT$::next_value_seed::h37898bcf10c45a49 [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L556):9
	    #9 0x55e2acc6db8d in serde::de::MapAccess::next_entry_seed::h80c95a819ea1ace8 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1837:34
	    #10 0x55e2acd76a40 in serde::de::MapAccess::next_entry::h2011998cb3add332 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1885:9

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52626
input: clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52626;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt"; 
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==11728==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9918df98 (pc 0x5614035c87eb bp 0x7ffc9918e7d0 sp 0x7ffc9918dfa0 T0)
	SCARINESS: 10 (stack-overflow)
	    #0 0x5614035c87eb in __asan_memset /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
	    #1 0x5614039269fc in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h7954380e66d603c0 /rustc/a00f8ba7fcac1b27341679c51bf5a3271fa82df3/library/alloc/src/vec/mod.rs:673:9
	    #2 0x5614039269fc in alloc::vec::Vec$LT$T$GT$::with_capacity::h0fc2b517892301b1 /rustc/a00f8ba7fcac1b27341679c51bf5a3271fa82df3/library/alloc/src/vec/mod.rs:483:9
	    #3 0x5614039269fc in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::h8c91294fb3f4d9f6 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:488:27
	    #4 0x561403691bb7 in bson::de::raw::Deserializer::deserialize_document::_$u7b$$u7b$closure$u7d$$u7d$::hfeecf6c34d727547 [bson-rust/src/de/raw.rs:164](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L164):48
	    #5 0x561403691bb7 in bson::de::raw::Deserializer::access_document::hf5ba42f424e5de49 [bson-rust/src/de/raw.rs:179](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L179):19
	    #6 0x5614037090f2 in bson::de::raw::Deserializer::deserialize_document::h40074c69c1e27c9d [bson-rust/src/de/raw.rs:164](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L164):18
	    #7 0x5614036c8931 in bson::de::raw::Deserializer::deserialize_next::h882e280f53fb0a4a [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #8 0x56140371c43e in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h7a4bd62580148f8b [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #9 0x56140371c43e in serde::de::Deserializer::__deserialize_content::h9ecb32214c39783f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
	    #10 0x56140371c43e in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::he42e0c66f86b4d1a /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:298:13

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52577
input: clusterfuzz-testcase-minimized-raw_deserialize-6190399018631168.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52577;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-6190399018631168.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==3055==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0ee9be80 (pc 0x560d4b0684be bp 0x7ffe0ee9c270 sp 0x7ffe0ee9be80 T0)
	    #0 0x560d4b0684be in bson::de::raw::Deserializer::deserialize_document::h5b8f7843671e8310 [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #1 0x560d4b02d5d1 in bson::de::raw::Deserializer::deserialize_next::h9adad8288f7a9a43 [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #2 0x560d4b07b9ae in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h352f94485c5303cd [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #3 0x560d4b07b9ae in bson::de::serde::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$bson..bson..Bson$GT$::deserialize::hdbbe86a3a78f964e [bson-rust/src/de/serde.rs:125](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/serde.rs#L125):9
	    #4 0x560d4b07b9ae in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::hdad341661e035275 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
	    #5 0x560d4b07b9ae in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::h4e1f7e156f4e2faf [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):23
	    #6 0x560d4b07b9ae in bson::de::raw::DocumentAccess::read::h668384ae23654d4d [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L514):19
	    #7 0x560d4b1d4d73 in bson::de::raw::DocumentAccess::read_next_value::h7ea104877d7a2aec [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):9
	    #8 0x560d4b1d4d73 in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$GT$::next_value_seed::h57d0146be3e7ab2b [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L556):9
	    #9 0x560d4b1d4d73 in serde::de::MapAccess::next_value::h7f9ea60461f6e885 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1871:9
	    #10 0x560d4b1d4d73 in _$LT$bson..de..serde..BsonVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::hf4c99b1011a9ce33 [bson-rust/src/de/serde.rs:482](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/serde.rs#L482):29

[manunio]

As mentioned in issue #374, to access above mentioned reports a mail id(google account) is needed, and it should be present at oss-fuzz bson project's config file. for time being i'm using my mail id, but it would be great if a mail id from your ended is provided.

[abr-egn]

Hi! Thanks for reporting this. It looks like this is a crash rather than exploitable behavior, so while it's certainly something we want to fix, it's likely to be a little while before we get to it.

[isabelatkinson]

Using the SeededVisitor introduced in #433 to deserialize into non-raw documents may address this issue. See RUST-1773.

[manunio]

Hi, Following issues were fixed in rev range: 6b3ee6a...283ecb3

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52817
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52577

And these issues have not marked as fixed.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52650
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52626

You can get list of open issues by following this link(see #385 (comment) to get access)
https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=status&q=bson-rust&can=2