Stack-overflow in fuzz_compression_sas_rle.c

[Google-Autofuzz]

Hello readstat team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
readstat (tested with revision * master 03a4be4).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:

• unzip artifacts_154266358.zip
• docker build --build-arg SANITIZER=address --tag=autofuzz-readstat-154266358 autofuzz_154266358
• docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_154266358/2395a2f6-1dfd-4d1f-acfc-9f8cb81877ee:/tmp/poc autofuzz-readstat-154266358 "fuzz_compression_sas_rle" /tmp/poc
• docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_154266358/2395a2f6-1dfd-4d1f-acfc-9f8cb81877ee:/tmp/poc -it autofuzz-readstat-154266358

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

running /fuzzing/ReadStat/fuzz_compression_sas_rle /tmp/2395a2f6-1dfd-4d1f-acfc-9f8cb81877ee ...
INFO: Seed: 2898462640
/fuzzing/ReadStat/fuzz_compression_sas_rle: Running 1 inputs 1 time(s) each.
Running: /tmp/2395a2f6-1dfd-4d1f-acfc-9f8cb81877ee
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8==ERROR: AddressSanitizer: stack-overflow on address 0x7fff4046e118 (pc 0x0000004fa99c bp 0x7fff40d35d30 sp 0x7fff4046e120 T0)
    #0 0x4fa99b in LLVMFuzzerTestOneInput /fuzzing/ReadStat/src/fuzz/fuzz_compression_sas_rle.c:13:5
    #1 0x508773 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/ReadStat/fuzz_compression_sas_rle+0x508773)
    #2 0x4fad93 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/ReadStat/fuzz_compression_sas_rle+0x4fad93)
    #3 0x4ff272 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/ReadStat/fuzz_compression_sas_rle+0x4ff272)
    #4 0x4faaab in main (/fuzzing/ReadStat/fuzz_compression_sas_rle+0x4faaab)
    #5 0x7f1c096a809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x420939 in _start (/fuzzing/ReadStat/fuzz_compression_sas_rle+0x420939)
SUMMARY: AddressSanitizer: stack-overflow /fuzzing/ReadStat/src/fuzz/fuzz_compression_sas_rle.c:13:5 in LLVMFuzzerTestOneInput
==8==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

From a quick glance, it seems that the fuzzer should restrict the Size of the input.

Don't hesitate to let us know if you have any questions!

Julien, for the
Google AutoFuzz Team

artifacts_154266358.zip
report_154266358.txt

[evanmiller]

Fixed in dev, will close the issue when it reaches master.