fuzzer fixes

Author: abenso

CMakeLists.txt

@@ -113,6 +113,13 @@ if(ENABLE_SANITIZERS)
 
     string(APPEND CMAKE_C_FLAGS " -fstack-protector-strong")
     string(APPEND CMAKE_CXX_FLAGS " -fstack-protector-strong")
+
+    # Disable sanitizers for crypto_helper.c as it uses picohash, which triggers many sanitizer warnings.
+    # This is a workaround to allow using sanitizers for the rest of the codebase during fuzzing.
+    set_property(SOURCE ${CMAKE_CURRENT_SOURCE_DIR}/app/src/crypto_helper.c
+        APPEND PROPERTY
+        COMPILE_FLAGS "-fno-sanitize=address,undefined,integer,bounds"
+    )
 endif()
 
 set (RETRIEVE_MAJOR_CMD

app/src/common/parser.h

@@ -25,6 +25,9 @@ extern "C" {
 const char *parser_getErrorDescription(parser_error_t err);
 const char *parser_getMsgPackTypeDescription(uint8_t type);
 
+//// initializes the parser context
+parser_error_t parser_init_context(parser_context_t *ctx, const uint8_t *buffer, uint16_t bufferSize);
+
 //// parses a tx buffer
 parser_error_t parser_parse(parser_context_t *ctx, const uint8_t *data, size_t dataLen, parser_tx_t *tx_obj);
 

app/src/schema_proof.c

@@ -278,6 +278,10 @@ parser_error_t get_root_hash(const merkle_proof_t *metadata, uint8_t *hash) {
     CHECK_INPUT(metadata);
     CHECK_INPUT(hash);
 
+    if (metadata->lemmas.entries == 0) {
+        return parser_unexpected_buffer_end;
+    }
+
     proof_t proof = {0};
     proof.leaves = metadata->leaves;
     proof.lemmas = metadata->lemmas;
@@ -294,6 +298,12 @@ parser_error_t get_root_hash(const merkle_proof_t *metadata, uint8_t *hash) {
     return parser_ok;
 }
 
+/**
+ * @brief Verify the merkle proofs.
+ *
+ * @param metadata Pointer to the merkle_proof_t structure containing the necessary data.
+ * @return parser_error_t Error code indicating the result of the operation.
+ */
 parser_error_t verify_merkle_proofs(const merkle_proof_t *metadata) {
     CHECK_INPUT(metadata);
     CHECK_INPUT(metadata->root_hash.ptr);

app/src/schema_reader.c

@@ -16,6 +16,7 @@
 
 #include "schema_reader.h"
 
+#include <stdint.h>
 #include "borsh.h"
 #include "crypto_helper.h"
 #include "schema_helper.h"
@@ -812,6 +813,11 @@ parser_error_t schema_merkle_proofs_read(parser_context_t *ctx, parser_tx_t *txO
 
     // read lemmas
     CHECK_ERROR(read_u32(ctx, &txObj->merkle_proof.lemmas.entries));
+
+    if (txObj->merkle_proof.lemmas.entries > UINT16_MAX / 32) {
+        return parser_value_out_of_range;
+    }
+
     txObj->merkle_proof.lemmas.data.buffer.ptr = ctx->buffer.ptr + ctx->offset;
     txObj->merkle_proof.lemmas.data.buffer.len = txObj->merkle_proof.lemmas.entries * 32;
     CTX_CHECK_AND_ADVANCE(ctx, txObj->merkle_proof.lemmas.data.buffer.len);

app/src/schema_txn_parser.c

@@ -482,7 +482,11 @@ parser_error_t schema_parser_transaction(parser_context_t *ctx, parser_tx_t *txO
     uint64_t root_index = 0;
     CHECK_ERROR(schema_get_unsigned_transaction_index(txObj, &root_index));
 
-    CHECK_ERROR(schema_display_generic_by_index(ctx, txObj, root_index));
+    if (root_index > UINT32_MAX) {
+        return parser_value_out_of_range;
+    }
+
+    CHECK_ERROR(schema_display_generic_by_index(ctx, txObj, (uint32_t)root_index));
 
     txObj->unsigned_transaction_raw.buffer.len = ctx->offset - offset_mem_txn;
 

fuzz/run-fuzz-crashes.py

@@ -58,12 +58,36 @@ def analyze_crash(fuzzer, crash_file, fuzz_path):
     print(f"Command: {' '.join(shlex.quote(c) for c in cmd)}")
 
     try:
+        # Read crash file data
+        with open(crash_file, 'rb') as f:
+            crash_data = f.read()
+        
         # Run with timeout and capture output
         with open(log_file, 'w') as log:
             log.write(f"Crash analysis for: {crash_file}\n")
             log.write(f"Command: {' '.join(cmd)}\n")
             log.write(f"Timestamp: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
             log.write("=" * 50 + "\n\n")
+            
+            # Log the crash data blob
+            log.write("CRASH DATA BLOB:\n")
+            log.write(f"Size: {len(crash_data)} bytes\n")
+            
+            # Hex string format
+            hex_string = ''.join(f'{b:02x}' for b in crash_data)
+            log.write(f'\nBlob: "{hex_string}"\n')
+            
+            log.write("\nHex dump:\n")
+            # Write hex dump with ASCII representation
+            for i in range(0, len(crash_data), 16):
+                hex_part = ' '.join(f'{b:02x}' for b in crash_data[i:i+16])
+                ascii_part = ''.join(chr(b) if 32 <= b <= 126 else '.' for b in crash_data[i:i+16])
+                log.write(f"{i:08x}: {hex_part:<48} |{ascii_part}|\n")
+            
+            log.write("\nRaw bytes (Python repr):\n")
+            log.write(repr(crash_data))
+            log.write("\n")
+            log.write("=" * 50 + "\n\n")
             log.flush()
 
             result = subprocess.run(

tests/parser_impl.cpp

@@ -281,16 +281,16 @@ TEST(SCALE, MultiProofTest) {
     EXPECT_EQ(memcmp(tx_obj.schema.chain_hash.ptr, expected_hash, CX_SHA256_SIZE), 0) << "Chain hash mismatch";
 }
 
-TEST(SCALE, Fuzzer) {
-    parser_context_t ctx = {0};
-    parser_tx_t tx_obj = {0};
-    parser_error_t err;
-    uint8_t buffer[12000];
-    auto bufferLen = parseHexString(buffer, sizeof(buffer), "0a");
+// TEST(SCALE, test_parser_impl) {
+//     parser_context_t ctx = {0};
+//     parser_tx_t tx_obj = {0};
+//     parser_error_t err;
+//     uint8_t buffer[12000];
+//     auto bufferLen = parseHexString(buffer, sizeof(buffer), "000000000000000002000000000000000000000000008181818181818181818581818181818181818181818183818181818a8181816c5f02007060000081818181e70000ff00818181818181818100000000000000000093939393939393939393939393939393939393939393939393939393939393939393939393939393939393139393939393939393939393939300000d8181");
 
-    ctx.buffer.ptr = buffer;
-    ctx.buffer.len = bufferLen;
+//     ctx.buffer.ptr = buffer;
+//     ctx.buffer.len = bufferLen;
 
-    // err = parser_parse(&ctx, ctx.buffer.ptr, ctx.buffer.len, &tx_obj);
-    // EXPECT_EQ(err, parser_ok) << parser_getErrorDescription(err);
-}
+//     err = parser_parse(&ctx, buffer, bufferLen, &tx_obj);
+//     EXPECT_EQ(err, parser_ok) << parser_getErrorDescription(err);
+// }