-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unknown fields fuzzed #179
Comments
It looks like as an input from a different fuzzer. Maybe something in OSS-Fuzz tries to mix them? |
Yes!! You're right. OSS-Fuzz does cross pollination of corpora. Hmmm. I see. So this is not an issue of LPM generating unknown fields, but because unknown fields were passed in to the fuzzer. |
LPM does not generate unknown fields |
Hi, I saw this issue pop up in OSS Fuzz and also google3 (example: b/160321599). Root cause is that protobuf text format does not have proper stack overflow protection. This was initially noticed in #172. I added this code to fix it: https://github.com/protocolbuffers/protobuf/blob/6935eae45c99926a000ecbef0be20dfd3d159e71/src/google/protobuf/text_format.cc#L675 But it looks like there is one edge case where the text format library can recurse on unknown fields without hitting the recursion protection: https://github.com/protocolbuffers/protobuf/blob/6935eae45c99926a000ecbef0be20dfd3d159e71/src/google/protobuf/text_format.cc#L844 Which is triggered by the input @asraa posted above, deeply nested arrays. I will make a PR to protobuf to fix this edge case... |
Ah!! I see where it is. Thanks Teju, let me know if you need help. |
Hi,
I found an interesting crash on OSS-Fuzz after bumping libprotobuf-mutator to the latest commit:
https://github.com/envoyproxy/envoy/blob/011945dcf92b8a461ab4ba309fa2bebeffc15895/bazel/repository_locations.bzl#L166
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23823
Opening the testcase, we have
Which is not a valid protobuf for the message https://github.com/envoyproxy/envoy/blob/master/test/common/http/header_map_impl_fuzz.proto
The stack trace looks something like:
I can reproduce the testcase locally, but what I'm curious about is why the testcase was generated in the first place.
The text was updated successfully, but these errors were encountered: