Description
While fuzzing utf8proc with AFL++, we discovered that passing invalid option flags to utf8proc_normalize_utf32 may trigger a segmentation fault.
```c
#include <utf8proc.h>

// copy: UTF-32 buffer of num_codepoints codepoints built by the harness from the fuzz input

// Valid option test - works correctly
utf8proc_option_t valid_options =
    UTF8PROC_STRIPCC |
    UTF8PROC_NLF2LS |
    UTF8PROC_NLF2PS;
utf8proc_normalize_utf32(copy, num_codepoints, valid_options);

// Invalid option test - triggers crash
utf8proc_option_t invalid_options = 0xFFFF;
utf8proc_normalize_utf32(copy, num_codepoints, invalid_options);
```
Environment
- OS: Ubuntu 22.04
- Compiler: Clang 16.0.6
- AFL++ Version: afl-fuzz++4.22a
Reproduction
```sh
afl-clang-fast -o fuzzer_afl fuzzer_afl.c \
    -I/path/to/utf8proc/include \
    -L/path/to/utf8proc/lib \
    -lutf8proc \
    -fsanitize=address
./fuzzer_afl
```
ASAN Log
```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3853974==ERROR: AddressSanitizer: SEGV on unknown address 0x558dccc4294c (pc 0x558dcbbee9c7 bp 0x00007f000617 sp 0x7ffc0d45aeb0 T0)
==3853974==The signal is caused by a READ memory access.
    #0 0x558dcbbee9c7 in unsafe_get_property /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:237:7
    #1 0x558dcbbee9c7 in utf8proc_normalize_utf32 /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:655:53
    #2 0x558dcbbea291 in main /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl.c:79:13
    #3 0x7fb067499249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fb067499304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x558dcbb2a3e0 in _start (/srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl+0x223e0) (BuildId: e62e3f9342618db53c46bbabc796a818d12e19b0)
```
Fuzz file and input
The utf8proc_reencode function may have similar crash behavior with invalid options.
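The following is an added example, not part of the report above and not utf8proc code. It shows the two input checks a harness or application can place in front of utf8proc_normalize_utf32 (or utf8proc_reencode) so that a bad mask or a bad UTF-32 buffer is rejected before the library sees it: unknown option bits are masked out and reported, and every element of the buffer is checked to be a Unicode scalar value. The EX_* values are assumed to match the UTF8PROC_* flags in utf8proc.h; they are copied into the block only so it builds without the library. Under those values the report's 0xFFFF sets all fifteen defined flags plus bit 15, which no flag defines. The codepoint check is general hygiene for any UTF-32 API; the report does not establish which of the two conditions triggers the crash, and this example does not claim to.

```c
/* Added example (not from the report or from utf8proc). The EX_* values are
 * assumed to match UTF8PROC_* in utf8proc.h and are reproduced here only so
 * that the block compiles stand-alone. */
#include <stdint.h>
#include <stdio.h>

enum {
    EX_NULLTERM  = 1 << 0,  EX_STABLE    = 1 << 1,  EX_COMPAT    = 1 << 2,
    EX_COMPOSE   = 1 << 3,  EX_DECOMPOSE = 1 << 4,  EX_IGNORE    = 1 << 5,
    EX_REJECTNA  = 1 << 6,  EX_NLF2LS    = 1 << 7,  EX_NLF2PS    = 1 << 8,
    EX_STRIPCC   = 1 << 9,  EX_CASEFOLD  = 1 << 10, EX_CHARBOUND = 1 << 11,
    EX_LUMP      = 1 << 12, EX_STRIPMARK = 1 << 13, EX_STRIPNA   = 1 << 14,
};

/* Union of every defined flag: the only bits the wrapper will forward. */
#define EX_KNOWN_OPTIONS \
    (EX_NULLTERM | EX_STABLE | EX_COMPAT | EX_COMPOSE | EX_DECOMPOSE | \
     EX_IGNORE | EX_REJECTNA | EX_NLF2LS | EX_NLF2PS | EX_STRIPCC | \
     EX_CASEFOLD | EX_CHARBOUND | EX_LUMP | EX_STRIPMARK | EX_STRIPNA)

/* Returns the bits of `options` that are not defined flags; 0 means clean.
 * For the report's 0xFFFF only bit 15 (0x8000) is left over. */
uint32_t unknown_option_bits(uint32_t options)
{
    return options & ~(uint32_t)EX_KNOWN_OPTIONS;
}

/* A UTF-32 buffer is acceptable only if every element is a Unicode scalar
 * value: 0 <= cp <= 0x10FFFF and not a surrogate (0xD800..0xDFFF).
 * Returns the index of the first offending element, or -1 if all are valid. */
long first_invalid_codepoint(const int32_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        int32_t cp = buf[i];
        if (cp < 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return (long)i;
    }
    return -1;
}

/* Gate to run before the library call. Returns 1 when the mask and buffer
 * pass both checks, 0 when the input was rejected (reason goes to stderr). */
int normalize_utf32_precheck(const int32_t *buf, size_t len, uint32_t options)
{
    uint32_t bad_bits = unknown_option_bits(options);
    if (bad_bits != 0) {
        fprintf(stderr, "rejecting options 0x%x: unknown bits 0x%x\n",
                (unsigned)options, (unsigned)bad_bits);
        return 0;
    }
    long bad_idx = first_invalid_codepoint(buf, len);
    if (bad_idx >= 0) {
        fprintf(stderr, "rejecting buffer: element %ld is not a scalar value\n",
                bad_idx);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: "a\r\nb", and "a" followed by an
     * out-of-range value that no scalar-value check should let through. */
    int32_t good[] = { 'a', '\r', '\n', 'b' };
    int32_t bad[]  = { 'a', 0x110000 };
    uint32_t valid_options = EX_STRIPCC | EX_NLF2LS | EX_NLF2PS;

    printf("valid mask, valid buffer: %d\n",
           normalize_utf32_precheck(good, 4, valid_options));
    printf("0xFFFF mask:              %d\n",
           normalize_utf32_precheck(good, 4, 0xFFFF));
    printf("valid mask, bad buffer:   %d\n",
           normalize_utf32_precheck(bad, 2, valid_options));
    return 0;
}
```

In a fuzz harness the gate separates "the library was handed input outside its contract" from "the library crashed on input it should accept"; only the second class is a library bug worth reporting, and the rejection message tells you which check fired. Keep the EX_* list in sync with the header you actually link against, since a stale whitelist would reject flags added in a newer release.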