ASSERT: false
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6442098504237056
Fuzzer: libFuzzer_zlib_deflate_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State: false _start
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=514044:514045
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6442098504237056

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Nov 12 2017
Max, how do I use this test case to repro locally? I am going to randomly guess it is because the input has 0 length (??). But I would like to run the test case locally and confirm the problem / solution.
Nov 13 2017
One way is to use the reproduce tool (suggested on the CF page https://clusterfuzz.com/v2/testcase-detail/6442098504237056?noredirect=1):

  You can reproduce this crash painlessly with our reproduce tool. For Googlers, install the required libraries and run prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6442098504237056. For non-Googlers, see the installation section. Report any issues at clusterfuzz-dev@chromium.org.

Another way is to build and run the fuzzer manually; build instructions are described at https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md (referenced in the issue description). Then you simply run the fuzzer:

  ./out/asan_debug/zlib_deflate_fuzzer ./crashy_input
Nov 13 2017
The patch for this is here: https://chromium-review.googlesource.com/#/c/chromium/src/+/766474
Nov 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0df464cb0780e6cd6ee6e6ad8a1718b5747efc19

commit 0df464cb0780e6cd6ee6e6ad8a1718b5747efc19
Author: Chris Blume <cblume@google.com>
Date: Mon Nov 13 21:14:36 2017

Handle zero-length inputs in zlib_deflate_fuzzer

zlib's deflate requires non-zero length inputs. As a result, the deflate fuzzer was asserting on the error value indicating an invalid input when the fuzzer provided a zero-length input.

This change will exit early when the input is zero-length so it matches the precondition required for deflate.

BUG= 784148
Change-Id: I12558bb47c4bc5e5147d07707fe01a0e8feb314b
Reviewed-on: https://chromium-review.googlesource.com/766474
Commit-Queue: Chris Blume <cblume@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516048}

[modify] https://crrev.com/0df464cb0780e6cd6ee6e6ad8a1718b5747efc19/third_party/zlib/contrib/tests/fuzzers/deflate_fuzzer.cc
Nov 13 2017
Nov 14 2017
ClusterFuzz has detected this issue as fixed in range 516022:516067.

Detailed report: https://clusterfuzz.com/testcase?key=6442098504237056
Fuzzer: libFuzzer_zlib_deflate_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State: false _start
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=514044:514045
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=516022:516067
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6442098504237056

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 14 2017
It appears that there is another variant of that crash and it's not fixed yet: https://clusterfuzz.com/v2/testcase-detail/6027945947955200
Nov 14 2017
That looks like it should go into a separate bug. But I didn't get any notification about a new bug? I can manually create a bug but I'm being told clusterfuzz will do this for me and it isn't recommended to do it manually. That new issue has a single byte input, 'J'. deflate_set_dictionary()'s documentation is a bit vague about how the input should be formatted. I'll create a patch that doesn't assert (since the input will be mutated) and also make a seed once I figure out what a good format looks like.
Nov 14 2017
+cavalcantii@ if he is more familiar with zlib and can help fill my gaps
Nov 14 2017
Oh, I found my mistake. I needed to call deflateInit() before deflateSetDictionary(). Is there a separate bug for this?
Nov 14 2017
ClusterFuzz testcase 6442098504237056 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e69e4be87ec5639196a20ed99b2b3335f0fdc21e

commit e69e4be87ec5639196a20ed99b2b3335f0fdc21e
Author: Chris Blume <cblume@google.com>
Date: Wed Nov 15 22:43:10 2017

Initialize zlib fuzzer dictionary

A call to deflateSetDictionary() must happen immediately after a call to deflateInit(). The zlib_deflate_set_dictionary_fuzzer is currently not calling deflateInit() and thus the stream it wants to use is uninitialized.

This patch fixes this by initializing the stream.

Bug: 784148
Change-Id: I0bd726201bdf495fbf66bee9e763ca1baaf57ac6
Reviewed-on: https://chromium-review.googlesource.com/769155
Reviewed-by: Adenilson Cavalcanti <cavalcantii@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516870}

[modify] https://crrev.com/e69e4be87ec5639196a20ed99b2b3335f0fdc21e/third_party/zlib/contrib/tests/fuzzers/deflate_set_dictionary_fuzzer.cc
Comment 1 by ClusterFuzz, Nov 12 2017
Owner: cblume@google.com
Status: Assigned (was: Untriaged)