Bug #5883
mime: debug assertion on fuzz input
Status: closed
Description
gdb --args ./src/fuzz_mimedecparseline ~/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./src/fuzz_mimedecparseline...
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /home/victor/sync/devel/suricata-afl/src/fuzz_mimedecparseline.
Use `info auto-load python-scripts [REGEXP]' to list them.
(gdb) r
Starting program: /home/victor/sync/devel/suricata-afl/src/fuzz_mimedecparseline /home/victor/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
fuzz_mimedecparseline: util-decode-mime.c:1389: int ProcessBase64BodyLine(const uint8_t *, uint32_t, MimeDecParseState *): Assertion `!((state->bvr_len != 0))' failed.

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737333445184, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff726b476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff72517f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff725171b in __assert_fail_base (fmt=0x7ffff7406150 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555576c3980 <str> "!((state->bvr_len != 0))", file=0x5555576c17e0 <str> "util-decode-mime.c", line=1389, function=<optimized out>) at ./assert/assert.c:92
#6  0x00007ffff7262e96 in __GI___assert_fail (assertion=0x5555576c3980 <str> "!((state->bvr_len != 0))", file=0x5555576c17e0 <str> "util-decode-mime.c", line=1389, function=0x5555576c3800 <__PRETTY_FUNCTION__.ProcessBase64BodyLine> "int ProcessBase64BodyLine(const uint8_t *, uint32_t, MimeDecParseState *)") at ./assert/assert.c:101
#7  0x0000555555ec52f0 in ProcessBase64BodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1389
#8  0x0000555555ec3c22 in ProcessBodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1567
#9  0x0000555555ec19b5 in ProcessMimeBody (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:2309
#10 0x0000555555eb919c in ProcessMimeEntity (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:2370
#11 0x0000555555eb8b41 in MimeDecParseLine (line=0x612000000064 ' ' <repeats 200 times>..., len=256, delim_len=0 '\000', state=0x61f000000080) at util-decode-mime.c:2562
#12 0x0000555555e6c25b in LLVMFuzzerTestOneInput (data=0x612000000040 "Content-Transfer-Encoding:base64\n\n\377\n", ' ' <repeats 164 times>..., size=256) at tests/fuzz/fuzz_mimedecparseline.c:48
#13 0x0000555555e6c7d3 in runOneFile (fname=0x7fffffffe2a8 "/home/victor/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144") at tests/fuzz/onefile.c:39
#14 0x0000555555e6c526 in main (argc=2, argv=0x7fffffffdef8) at tests/fuzz/onefile.c:61
(gdb) l
39      in ./nptl/pthread_kill.c
(gdb) f 7
#7  0x0000555555ec52f0 in ProcessBase64BodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1389
1389        DEBUG_VALIDATE_BUG_ON(state->bvr_len != 0);
(gdb)
OSS-Fuzz reference link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54085
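In the trace above, the assertion at util-decode-mime.c:1389 finds state->bvr_len nonzero while ProcessBase64BodyLine is handling the line of spaces (frame #7) that follows the lone 0xFF byte in the input, i.e. state carried over from the previous body line has not been cleared. The code below is an added illustration by the editor and is not Suricata's util-decode-mime.c or its fix: a standalone, line-oriented base64 decoder that carries a partial quad between lines (quad_len plays the role of a "remaining bytes" counter) and states explicitly what happens to that carry when a line contains a byte outside the alphabet. All type and function names are the example's own. The input built in demo_fuzz_like() is constructed after the trace (a 32-byte header line, an empty line, a single 0xFF byte, then spaces up to 256 bytes) and is not the minimized testcase, whose tail the trace truncates.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define B64_OUT_MAX 256

/* Decoder state carried across body lines (illustrative, not Suricata's
 * MimeDecParseState). quad_len must be in 0..3 whenever a new line is
 * handed to b64_process_line(); that is the invariant this model polices. */
typedef struct {
    uint8_t  quad[4];          /* symbol values (0..63) gathered so far */
    uint32_t quad_len;         /* symbols in quad[], carried between lines */
    uint8_t  out[B64_OUT_MAX]; /* decoded bytes */
    size_t   out_len;
    uint32_t bad_lines;        /* lines holding a byte outside the alphabet */
} B64LineState;

static int b64_value(uint8_t c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode nsyms (2..4) gathered symbols into nsyms-1 bytes and clear the carry. */
static void b64_emit(B64LineState *s, uint32_t nsyms)
{
    uint32_t v = 0;
    for (uint32_t i = 0; i < 4; i++)
        v = (v << 6) | (i < nsyms ? s->quad[i] : 0);
    const uint8_t bytes[3] = { (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    for (uint32_t i = 0; i + 1 < nsyms && s->out_len < B64_OUT_MAX; i++)
        s->out[s->out_len++] = bytes[i];
    s->quad_len = 0;
}

/* Handle one body line. Whitespace is skipped, '=' terminates the data, and
 * any other non-alphabet byte stops decoding for this line and discards the
 * partial quad, so the carry cannot leak into the next line. Returns 0, or -1
 * if the line was rejected. */
int b64_process_line(B64LineState *s, const uint8_t *buf, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n')
            continue;
        if (c == '=') {
            if (s->quad_len >= 2)
                b64_emit(s, s->quad_len);
            s->quad_len = 0;
            return 0;
        }
        int v = b64_value(c);
        if (v < 0) {
            s->quad_len = 0;          /* explicit policy for the carry */
            s->bad_lines++;
            return -1;
        }
        s->quad[s->quad_len++] = (uint8_t)v;
        if (s->quad_len == 4)
            b64_emit(s, 4);
    }
    return 0;
}

/* Split msg into lines, skip the header block up to the first empty line and
 * feed each body line to b64_process_line(). Returns the number of body lines. */
int b64_decode_body(B64LineState *s, const uint8_t *msg, size_t n)
{
    memset(s, 0, sizeof(*s));
    int in_body = 0, lines = 0;
    size_t start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && msg[i] != '\n')
            continue;
        if (i == n && start == n)
            break;                    /* input ended with a newline */
        size_t len = i - start;
        if (!in_body) {
            if (len == 0 || (len == 1 && msg[start] == '\r'))
                in_body = 1;
        } else {
            lines++;
            b64_process_line(s, msg + start, (uint32_t)len);
        }
        start = i + 1;
    }
    return lines;
}

/* Constructed after the trace (not the real testcase): header line, empty
 * line, a lone 0xFF, then spaces up to 256 bytes. Returns 1 when the 0xFF line
 * is rejected and the carry is clean when the line of spaces is processed. */
int demo_fuzz_like(B64LineState *s)
{
    static uint8_t msg[256];
    const char hdr[] = "Content-Transfer-Encoding:base64\n\n\377\n";
    memset(msg, ' ', sizeof(msg));
    memcpy(msg, hdr, sizeof(hdr) - 1);
    int lines = b64_decode_body(s, msg, sizeof(msg));
    return lines == 2 && s->bad_lines == 1 && s->out_len == 0 && s->quad_len == 0;
}

int main(void)
{
    B64LineState s;
    const char straddle[] = "MIME-Version: 1.0\n\nZm9\nvYmFy\n"; /* quad split across lines */
    int lines = b64_decode_body(&s, (const uint8_t *)straddle, sizeof(straddle) - 1);
    printf("%d body lines, decoded \"%.*s\", carry %u\n",
           lines, (int)s.out_len, (const char *)s.out, s.quad_len);
    printf("fuzz-like input handled cleanly: %d\n", demo_fuzz_like(&s));
    return 0;
}
```

The straddling case shows why a carry between lines is needed at all (a quad may legitimately end on the next line), and the fuzz-like case shows the decision the carry forces: in this model a non-alphabet byte discards the partial quad, so the counter is zero both on return from the bad line and on entry to the line of spaces. Which policy Suricata adopted for bvr_len is not stated on this page.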