
[BUG] A SEGV at Net/src/MultipartReader.cpp:164:1 #4915

Open
@JJLeo

Description


  • Version: Latest commit 530c2ef
  • Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8

Steps to reproduce

export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0"
export CXXFLAGS="-fsanitize=address -g -O0 -stdlib=libc++"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
mkdir -p cmake-build
cd cmake-build
cmake -DBUILD_SHARED_LIBS=OFF -DENABLE_TESTS=OFF -DENABLE_FUZZING=ON \
      -DENABLE_ACTIVERECORD=OFF -DENABLE_PAGECOMPILER=OFF \
      -DENABLE_PAGECOMPILER_FILE2PAGE=OFF -DENABLE_DATA_SQLITE=OFF \
      -DENABLE_REDIS=OFF -DENABLE_MONGODB=OFF -DENABLE_PROMETHEUS=OFF \
      -DENABLE_ACTIVERECORD_COMPILER=OFF \
      ..
make -j$(nproc)
./bin/Net-http-parser-fuzzer $POC

Sanitizer output

root@cc40ae2b4ad2:/src/poco/cmake-build# ./bin/Net-http-parser-fuzzer /root/poco_crash.txt
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2743659395
./bin/Net-http-parser-fuzzer: Running 1 inputs 1 time(s) each.
Running: /root/poco_crash.txt
AddressSanitizer:DEADLYSIGNAL
=================================================================
==105185==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x5cff3f9a70f8 bp 0x7ffface1c2d0 sp 0x7ffface1c220 T0)
==105185==The signal is caused by a READ memory access.
==105185==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x5cff3f9a70f8 in std::__1::ios_base::~ios_base() (/src/poco/cmake-build/bin/Net-http-parser-fuzzer+0x4100f8)
    #1 0x5cff3f7da332 in Poco::Net::MultipartInputStream::MultipartInputStream(std::__1::basic_istream<char, std::__1::char_traits<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) /src/poco/Net/src/MultipartReader.cpp:164:1
    #2 0x5cff3f7da332 in Poco::Net::MultipartReader::nextPart(Poco::Net::MessageHeader&) /src/poco/Net/src/MultipartReader.cpp:213:14
    #3 0x5cff3f79129d in Poco::Net::HTMLForm::readMultipart(std::__1::basic_istream<char, std::__1::char_traits<char>>&, Poco::Net::PartHandler&) /src/poco/Net/src/HTMLForm.cpp:353:10
    #4 0x5cff3f78f8e1 in Poco::Net::HTMLForm::load(Poco::Net::HTTPRequest const&, std::__1::basic_istream<char, std::__1::char_traits<char>>&, Poco::Net::PartHandler&) /src/poco/Net/src/HTMLForm.cpp:159:4
    #5 0x5cff3f78fc9a in Poco::Net::HTMLForm::load(Poco::Net::HTTPRequest const&, std::__1::basic_istream<char, std::__1::char_traits<char>>&) /src/poco/Net/src/HTMLForm.cpp:172:2
    #6 0x5cff3f78fc9a in Poco::Net::HTMLForm::HTMLForm(Poco::Net::HTTPRequest const&, std::__1::basic_istream<char, std::__1::char_traits<char>>&) /src/poco/Net/src/HTMLForm.cpp:100:2
    #7 0x5cff3f786f11 in LLVMFuzzerTestOneInput::$_2::operator()() const /src/poco/Net/fuzzing/HTTPParse.cpp:72:13
    #8 0x5cff3f786f11 in void catchExceptions<LLVMFuzzerTestOneInput::$_2>(LLVMFuzzerTestOneInput::$_2 const&) /src/poco/Net/fuzzing/HTTPParse.cpp:20:3
    #9 0x5cff3f786f11 in LLVMFuzzerTestOneInput /src/poco/Net/fuzzing/HTTPParse.cpp:64:2
    #10 0x5cff3f63b200 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x5cff3f626475 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x5cff3f62bf0f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x5cff3f6571b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x747e8f002082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)
    #15 0x5cff3f61e65d in _start (/src/poco/cmake-build/bin/Net-http-parser-fuzzer+0x8765d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/poco/cmake-build/bin/Net-http-parser-fuzzer+0x4100f8) in std::__1::ios_base::~ios_base()
==105185==ABORTING

POC

poco_crash.txt

Credit

Reported by Yifan Zhang, PLL
