-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lexing a global variable will read beyond the end of the source given to the parser, causing an assertion failure #3345
Comments
I found #463 which looks related but @kddnewton said this was fixed on master in 2023. I am testing with 3c4851c. |
Doing a bit more debugging, this happens if the given memory is of the form:
The lexer then treats This occurs in the
This also explains why cargo-fuzz is not able to minimize the crasher for me (it says the crasher doesn't crash): this assertion failure depends on the contents of memory surrounding the data given to the parser. At least one my machine currently, this test repros: #[cfg(test)]
mod tests {
#[test]
fn test_prism_crasher_2() {
unsafe {
let mut buffer = std::mem::MaybeUninit::<pm_buffer_t>::uninit();
pm_buffer_init(buffer.as_mut_ptr());
let mut buffer = buffer.assume_init();
let mut data = *b"G((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((($-";
pm_serialize_parse(&mut buffer, data.as_mut_ptr(), data.len(), std::ptr::null());
pm_buffer_free(&mut buffer);
}
}
} |
Here is a reliable reproducer which does not rely on memory contents surrounding the Ruby source: #[cfg(test)]
mod tests {
#[test]
fn test_prism_crasher_3() {
unsafe {
let mut buffer = std::mem::MaybeUninit::<pm_buffer_t>::uninit();
pm_buffer_init(buffer.as_mut_ptr());
let mut buffer = buffer.assume_init();
let mut data = *b"$-abc";
pm_serialize_parse(&mut buffer, data.as_mut_ptr(), 2, std::ptr::null());
pm_buffer_free(&mut buffer);
}
}
} |
it appears that the do-while construction with the check for being at parser end after advancing the pointer at least once is the culprit |
Thanks @lopopolo — this pointed out a bunch of stuff I had making incorrect assumptions. I've got a PR attached that should fix this. If you wouldn't mind, after it's merged could you verify that it fixes what you're seeing? |
I've hooked up prism to a rudimentary libFuzzer harness using
cargo-fuzz
and got a crash:This is the harness:
I also got a similar crash with this input:
The text was updated successfully, but these errors were encountered: