Unexpected program panics detected by fuzzing

[llooFlashooll]

Hi, when I used afl.rs to test the package, the fuzzer detected unexpected program panics, which I consider to be a bug.

Here is the example code:

extern crate swf_parser;
fn _to_u64(data:&[u8], index:usize)->u64 {
    let data0 = _to_u32(data, index) as u64;
    let data1 = _to_u32(data, index+4) as u64;
    data0 << 32 | data1
}

fn _to_usize(data:&[u8], index:usize)->usize {
    _to_u64(data, index) as usize
}

fn _to_u32(data:&[u8], index:usize)->u32 {
    let data0 = _to_u16(data, index) as u32;
    let data1 = _to_u16(data, index+2) as u32;
    data0 << 16 | data1
}

fn _to_u8(data:&[u8], index:usize)->u8 {
    data[index]
}

fn _to_slice<T>(data:&[u8], start_index: usize, end_index: usize)->&[T] {
    let data_slice = &data[start_index..end_index];
    let (_, shorts, _) = unsafe {data_slice.align_to::<T>()};
    shorts
}

fn _to_u16(data:&[u8], index:usize)->u16 {
    let data0 = _to_u8(data, index) as u16;
    let data1 = _to_u8(data, index+1) as u16;
    data0 << 8 | data1
}


fn test_function0(_param0: &[u8] ,_param1: &[u8] ,_param2: &[u8] ,_param3: u8 ,_param4: (&[u8] ,usize)) {
    let _local0 = swf_parser::streaming::parser::HeaderParser::new();
    swf_parser::streaming::parser::HeaderParser::header(_local0 ,_param0);
    swf_parser::complete::parse_swf(_param1);
    swf_parser::complete::parse_tag(_param2 ,_param3);
    swf_parser::streaming::basic_data_types::parse_bool_bits(_param4);
}

fn _read_data()-> Vec<u8> {
    use std::env;
    use std::process::exit;
    let args:Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("No crash filename provided");
        exit(-1);
    }
    use std::path::PathBuf;
    let crash_file_name = &args[1];
    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }
    use std::fs;
    let data =  fs::read(crash_path).unwrap();
    data
}

fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());
    //actual body emit
    if data.len() < 13 {return;}
    let dynamic_length = (data.len() - 9) / 4;
    let _param0 = _to_slice::<u8>(data, 9 + 0 * dynamic_length, 9 + 1 * dynamic_length);
    let _param1 = _to_slice::<u8>(data, 9 + 1 * dynamic_length, 9 + 2 * dynamic_length);
    let _param2 = _to_slice::<u8>(data, 9 + 2 * dynamic_length, 9 + 3 * dynamic_length);
    let _param3 = _to_u8(data, 0);
    let _param4 = (_to_slice::<u8>(data, 9 + 3 * dynamic_length, data.len()), _to_usize(data, 1));
    test_function0(_param0 ,_param1 ,_param2 ,_param3 ,_param4);

}

The crash file is:

8888888888888888

We can reproduce the crash by running the program with the crash file as the argument.

Here is the corresponding stack trace and panic message:

../swf-parser/rs/fuzz_target/swf_parser_wubfs_generic_fuzz/multipleTargets/target/debug/replay_swf_parser0 ../swf-parser/rs/fuzz_target/swf_parser_wubfs_generic_fuzz/multipleTargets/out/test_swf_parser0/default/crashes/id:000915,sig:06,src:000323,time:1171121,execs:1291044,op:havoc,rep:16
data = [48, 0, 0, 24, 0, 1, 0, 0, 0, 48, 1, 0, 0, 0, 0, 0, 0, 25, 0, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 255, 249, 0, 0, 0, 23, 239, 47, 0, 10, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 223, 255, 255, 255, 255, 255, 15, 243, 246, 139, 12, 12, 12, 12, 12, 12, 12, 12, 11, 235, 12, 1, 15, 243, 246, 139, 155, 139, 139, 139, 139, 139, 139, 0, 16, 139, 139, 0, 0, 0, 0, 0, 1, 139, 139, 0, 0, 255, 226, 0, 1, 21, 21, 21, 21, 21, 21, 21, 0, 0, 0, 23, 0, 0, 0, 255, 255, 0, 255, 255, 67, 67, 67, 67, 12, 12, 12, 12, 12, 12, 12, 12, 12, 1, 15, 243, 246, 139, 155, 139, 139, 139, 139, 139, 139, 0, 16, 139, 139, 0, 0, 0, 0, 0, 1, 139, 139, 0, 0, 0, 0, 0, 1, 21, 21, 21, 21, 21, 21, 21, 0, 0, 0, 23, 0, 0, 0, 255, 255, 0, 255, 255, 67, 67, 67, 67, 67, 67, 67, 43, 67, 66, 67, 67, 67, 67, 67, 67, 67, 67, 45, 67, 67, 67, 67, 67, 255, 255, 255, 15, 243, 232, 2, 254, 0, 139, 139, 139, 139, 139, 105]
data len = 238

thread 'main' panicked at ../swf-parser/rs/src/streaming/basic_data_types.rs:16:44:
attempt to subtract with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The rustc version is 1.76.0, the afl.rs version is 0.15.9, the package version is the latest.

Please check if these are real bugs that need to be fixed. Thanks!

[demurgos]

Hello 👋
I confirm that all panics are considered bugs. I'm no longer actively maintaining the library, but I'm planning to eventually return to actively maintain it and switch to a zero-allocation parsing style. In the meantime I did not plan to do many changes, but I'll try to find a moment to fix the panic.

[demurgos]

The issue can be reduced to:

  #[test]
  fn test_issue_160() {
    const data: &'static [u8] = &[
      21, 21, 21, 21, 21, 21, 21, 0, 0, 0, 23, 0, 0, 0, 255, 255, 0, 255, 255, 67, 67, 67, 67, 67, 67, 67, 43, 67, 66,
      67, 67, 67, 67, 67, 67, 67, 67, 45, 67, 67, 67, 67, 67, 255, 255, 255, 15, 243, 232, 2, 254, 0, 139, 139, 139,
      139, 139, 105,
    ];
    let bit_pos = 26388295843840;
    swf_parser::streaming::basic_data_types::parse_bool_bits((data, bit_pos));
  }

The problems stems from the fact that bit parsers expect the bit index to be in 0 <= index < 8. There should probably be some guard to prevent it. parse_bool_bits is semi-internal, it won't ever crashes when called through byte-level parsers so in practice it won't ever crash.
I'll think about how to prevent such invalid bit offsets, but it's probably not super-high priority. I was initially worried that there was a panic when parsing a whole movie or tag.

[llooFlashooll]

I see. Thank you very much for your timely reply!