fuzzer fixes

abenso · abenso · commit 80cea444f44d · 2025-06-10T10:44:08.000+02:00
diff --git a/app/src/borsh.c b/app/src/borsh.c
@@ -105,7 +105,7 @@ void print_string(const char *str) {
     MEMCPY(print, str, strlen(str));
     ZEMU_LOGF(100, "%s\n", print);
 #else
-    printf("%s\n", str);
+    // printf("%s\n", str);
 #endif
 }
 
diff --git a/app/src/schema_proof.c b/app/src/schema_proof.c
@@ -112,6 +112,11 @@ static parser_error_t hash_index_leaf(merkle_leaves_data_t *leaves, uint64_t ind
     uint32_t data_length = 0;
     CHECK_ERROR(read_u32(&leaves->data, &data_length));
 
+    // Bounds check to prevent buffer overflow
+    if (leaves->data.offset + data_length > leaves->data.buffer.len) {
+        return parser_unexpected_buffer_end;
+    }
+
     // Compute hash from entry and store it in proof->hash
     crypto_sha256_init();
     crypto_sha256_update(&LEAF_PREFIX, 1);
diff --git a/app/src/schema_reader.c b/app/src/schema_reader.c
@@ -115,14 +115,17 @@ parser_error_t read_structured_display_overrides(parser_context_t *ctx, structur
     CHECK_INPUT(ctx);
 
     // read has_title_elements
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&display->has_title_elements));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    display->has_title_elements = (tmp != 0);
     if (display->has_title_elements) {
         // read title_elements
         CHECK_ERROR(read_u64(ctx, (uint64_t *)&display->title_elements));
     }
 
     // read has_title_lines
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&display->has_title_lines));
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    display->has_title_lines = (tmp != 0);
     if (display->has_title_lines) {
         // read title_lines
         CHECK_ERROR(read_u64(ctx, (uint64_t *)&display->title_lines));
@@ -155,7 +158,9 @@ parser_error_t read_primitive_byte_array(parser_context_t *ctx, primitive_byte_a
     CHECK_ERROR(read_byte_display(ctx, &primitive->display));
 
     // read has_name_registry
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&primitive->has_name_registry));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    primitive->has_name_registry = (tmp != 0);
 
     // read name_registry
     if (primitive->has_name_registry) {
@@ -177,7 +182,9 @@ parser_error_t read_primitive_byte_vec(parser_context_t *ctx, primitive_byte_vec
     CHECK_ERROR(read_byte_display(ctx, &primitive->display));
 
     // read has_name_registry
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&primitive->has_name_registry));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    primitive->has_name_registry = (tmp != 0);
 
     // read name_registry
     if (primitive->has_name_registry) {
@@ -269,7 +276,9 @@ parser_error_t read_enum_variant(parser_context_t *ctx, enum_variant_t *variant)
     CHECK_ERROR(read_u8(ctx, (uint8_t *)&variant->hide_tag));
 
     // read has_value
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&variant->has_value));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    variant->has_value = (tmp != 0);
     if (variant->has_value) {
         // read value
         CHECK_ERROR(read_link(ctx, &variant->value));
@@ -374,7 +383,9 @@ parser_error_t read_struct(parser_context_t *ctx, schema_struct_t *schema_struct
     }
 
     // read has_show_as
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&schema_struct->has_show_as));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    schema_struct->has_show_as = (tmp != 0);
     if (schema_struct->has_show_as) {
         CHECK_ERROR(read_u32(ctx, (uint32_t *)&schema_struct->show_as.len));
         if (schema_struct->show_as.len == 0) {
@@ -387,7 +398,8 @@ parser_error_t read_struct(parser_context_t *ctx, schema_struct_t *schema_struct
     }
 
     // read has_structured_show_as
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&schema_struct->has_structured_show_as));
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    schema_struct->has_structured_show_as = (tmp != 0);
     if (schema_struct->has_structured_show_as) {
         CHECK_ERROR(read_u32(ctx, (uint32_t *)&schema_struct->structured_show_as.len));
         if (schema_struct->structured_show_as.len == 0) {
@@ -424,7 +436,9 @@ parser_error_t read_tuple(parser_context_t *ctx, schema_tuple_t *schema_tuple) {
     CHECK_INPUT(ctx);
 
     // read has_show_as
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&schema_tuple->has_show_as));
+    uint8_t tmp = 0;
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    schema_tuple->has_show_as = (tmp != 0);
     if (schema_tuple->has_show_as) {
         CHECK_ERROR(read_u32(ctx, (uint32_t *)&schema_tuple->show_as.len));
         if (schema_tuple->show_as.len == 0) {
@@ -437,7 +451,8 @@ parser_error_t read_tuple(parser_context_t *ctx, schema_tuple_t *schema_tuple) {
     }
 
     // read has_structured_show_as
-    CHECK_ERROR(read_u8(ctx, (uint8_t *)&schema_tuple->has_structured_show_as));
+    CHECK_ERROR(read_u8(ctx, &tmp));
+    schema_tuple->has_structured_show_as = (tmp != 0);
     if (schema_tuple->has_structured_show_as) {
         CHECK_ERROR(read_u32(ctx, (uint32_t *)&schema_tuple->structured_show_as.len));
         if (schema_tuple->structured_show_as.len == 0) {
@@ -762,6 +777,10 @@ parser_error_t schema_merkle_proofs_read(parser_context_t *ctx, parser_tx_t *txO
     CHECK_INPUT(ctx);
     CHECK_INPUT(txObj);
 
+    if (ctx->buffer.len < 4) {
+        return parser_no_data;
+    }
+
     // read leaf data
     CHECK_ERROR(read_u32(ctx, &txObj->merkle_proof.leaves.entries));
     const uint8_t *ptr_mem = ctx->buffer.ptr + ctx->offset;
diff --git a/app/src/ui_item_manager.c b/app/src/ui_item_manager.c
@@ -149,11 +149,5 @@ parser_error_t push_item(parser_tx_t *txObj, primitive_t *primitive, parser_cont
     txObj->ui_items_new.items[txObj->ui_items_new.qty].data_context = *data_context;
     txObj->ui_items_new.qty++;
 
-    for (uint16_t i = 0; i < txObj->ui_items_new.qty; i++) {
-        print_string("Push item NEW: ");
-        print_string(txObj->ui_items_new.items[i].title);
-        print_buffer(&txObj->ui_items_new.items[i].data_context.buffer, "data context");
-    }
-
     return parser_ok;
 }
diff --git a/fuzz/run-fuzzers.py b/fuzz/run-fuzzers.py
@@ -30,7 +30,7 @@
     env['UBSAN_OPTIONS'] = 'halt_on_error=1:print_stacktrace=1'
 
     cmd = [fuzz_path, f'-max_total_time={max_time}',
-           f'-jobs=2'
+           f'-jobs=1'
            f'-max_len={max_len}',
            f'-mutate_depth={MUTATE_DEPTH}',
            f'-artifact_prefix={artifact_dir}/',
diff --git a/tests/parser_impl.cpp b/tests/parser_impl.cpp
@@ -282,3 +282,17 @@ TEST(SCALE, MultiProofTest) {
 
     EXPECT_EQ(memcmp(tx_obj.schema.chain_hash.ptr, expected_hash, CX_SHA256_SIZE), 0) << "Chain hash mismatch";
 }
+
+TEST(SCALE, Fuzzer) {
+    parser_context_t ctx = {0};
+    parser_tx_t tx_obj = {0};
+    parser_error_t err;
+    uint8_t buffer[12000];
+    auto bufferLen = parseHexString(buffer, sizeof(buffer), "0a");
+
+    ctx.buffer.ptr = buffer;
+    ctx.buffer.len = bufferLen;
+
+    // err = parser_parse(&ctx, ctx.buffer.ptr, ctx.buffer.len, &tx_obj);
+    // EXPECT_EQ(err, parser_ok) << parser_getErrorDescription(err);
+}

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ void print_string(const char *str) {`
`105`	`105`	`MEMCPY(print, str, strlen(str));`
`106`	`106`	`ZEMU_LOGF(100, "%s\n", print);`
`107`	`107`	`#else`
`108`		`- printf("%s\n", str);`
	`108`	`+ // printf("%s\n", str);`
`109`	`109`	`#endif`
`110`	`110`	`}`
`111`	`111`