
[Crash/Fuzzing] TypeError in ssz library during BeaconBlock deserialize #22

Closed
pventuzelo opened this issue May 18, 2020 · 1 comment · Fixed by #37
@pventuzelo pventuzelo commented May 18, 2020

Describe the bug

During fuzzing with beaconfuzz, I found this TypeError crash inside the ssz library when trying to deserialize a BeaconBlock.

Expected behavior

Should throw a custom Error.

Steps to Reproduce

crash_TypeError_block_lodestar.js:

// Load the mainnet SSZ type definitions shipped with lodestar-types.
var mainnet_1 = require("@chainsafe/lodestar-types/lib/ssz/presets/mainnet");

// Fuzzer-generated input; the hex payload is elided from this copy of the report.
const buf = Buffer.from('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', 'hex');

// Deserializing the malformed bytes throws a TypeError from ssz instead of a custom error.
mainnet_1.types.BeaconBlock.deserialize(buf);

Run:

$ npm i @chainsafe/lodestar-types

$ node crash_TypeError_block_lodestar.js
XXX/lodestar/node_modules/@chainsafe/ssz/lib/types/basic/uint.js:176
      output += BigInt(data[offset + i]) << BigInt(8 * i);
                ^

TypeError: Cannot convert undefined to a BigInt
    at BigInt (<anonymous>)
    at BigIntUintType.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/types/basic/uint.js:176:17)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:133:40
    at Array.forEach (<anonymous>)
    at ContainerStructuralHandler.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:112:39)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:135:51
    at Array.forEach (<anonymous>)
    at ContainerStructuralHandler.fromBytes (XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:112:39)
    at XXX/lodestar/node_modules/@chainsafe/ssz/lib/backings/structural/array.js:209:54
    at Function.from (<anonymous>)

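For readers following the trace: the TypeError comes from the byte-reading loop at uint.js:176, where indexing past the end of the buffer yields undefined and BigInt(undefined) throws. The following is an added example, not code from the ssz or lodestar projects; the function names, the SszDeserializeError class and the truncated input buffer are constructed for illustration. It reproduces the unchecked read, then shows the bounds check that turns the same input into the custom error the report asks for, and the analogous offset-versus-scope check that zcli reports for variable-size containers.

```javascript
// Custom error type so callers can distinguish malformed SSZ input from
// programming errors such as a TypeError.
class SszDeserializeError extends Error {
  constructor(message) {
    super(message);
    this.name = "SszDeserializeError";
  }
}

// Mirrors the loop in the stack trace: little-endian accumulation with no
// length check. Reading past data.length yields undefined, and
// BigInt(undefined) throws a TypeError (the crash in this issue).
function uintFromBytesUnchecked(data, offset, byteLength) {
  let output = BigInt(0);
  for (let i = 0; i < byteLength; i++) {
    output += BigInt(data[offset + i]) << BigInt(8 * i);
  }
  return output;
}

// Hardened version: validate the [offset, offset + byteLength) range before
// touching the bytes, and report a descriptive SszDeserializeError instead.
function uintFromBytes(data, offset, byteLength) {
  if (!Number.isInteger(offset) || offset < 0 || offset + byteLength > data.length) {
    throw new SszDeserializeError(
      `uint${byteLength * 8} at offset ${offset} needs ${byteLength} bytes, ` +
      `but only ${Math.max(0, data.length - offset)} remain`
    );
  }
  return uintFromBytesUnchecked(data, offset, byteLength);
}

// Variable-size SSZ containers store 4-byte little-endian offsets to their
// variable-length fields. An offset larger than the enclosing scope is the
// condition zcli reports as "scope of N bytes is bigger than parent scope".
function readVariableOffset(data, offset, scopeLength) {
  const value = Number(uintFromBytes(data, offset, 4));
  if (value > scopeLength) {
    throw new SszDeserializeError(
      `field offset ${value} points past the ${scopeLength}-byte scope`
    );
  }
  return value;
}

// Constructed inputs (not the fuzzer's payload): a 6-byte buffer that is far
// too short for a uint64 at offset 4, and a 4-byte offset near 2^32.
const TRUNCATED = Buffer.from("0000000000ff", "hex");
const HUGE_OFFSET = Buffer.from("f0ffffff", "hex");

// Runs fn and returns the name of the error it throws, for comparing the
// unchecked and hardened readers on the same input.
function classifyFailure(fn) {
  try {
    fn();
    return "no error";
  } catch (e) {
    return e.name;
  }
}
```

Run with node; the unchecked reader fails with TypeError on TRUNCATED while the hardened reader fails with SszDeserializeError, and the offset check rejects HUGE_OFFSET against any realistic scope. Checking the range before the loop is what distinguishes "malformed input" from "bug in the decoder", which matters when a fuzzer (or a peer on the network) is the one supplying the bytes.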

@mpetrunic mpetrunic transferred this issue from ChainSafe/lodestar May 18, 2020
@mpetrunic mpetrunic reopened this May 18, 2020
@pventuzelo pventuzelo commented May 19, 2020

Extra information (zcli output):

$ zcli pretty block crash.bin
cannot load input
cannot decode ssz: cannot create scoped decoding reader, scope of 4292673536 bytes is bigger than parent scope has available space 0

@tuyennhv tuyennhv self-assigned this Jun 24, 2020
wemeetagain added a commit that referenced this issue Aug 26, 2021
wemeetagain added a commit that referenced this issue Sep 7, 2021
Add publish.yml to publish via github pages using github actions rather than travis