[Crash/Fuzzing] RangeError in ssz library when parsing empty BeaconBlock #23

pventuzelo opened this issue May 19, 2020 · 0 comments

Describe the bug

During fuzzing with beaconfuzz, I found this RangeError crash inside the ssz library when providing an empty BeaconBlock.

Expected behavior

Should detect and throw an Error.

Steps to Reproduce

crash_RangeError_block_lodestar.js:

// Repro script: deserialize a zero-length buffer as a mainnet BeaconBlock.
var mainnet_1 = require("@chainsafe/lodestar-types/lib/ssz/presets/mainnet");

// Empty input; the fixed section of the container is entirely missing.
const buf = Buffer.from('', 'hex');

// Throws RangeError from DataView.getUint32 instead of a clean decode error.
mainnet_1.types.BeaconBlock.deserialize(buf);

Run:

$ npm i @chainsafe/lodestar-types

$ node crash_RangeError_block_lodestar.js
/home/scop/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:99
        offsets.push(start + fixedSection.getUint32(index, true));
                                          ^

RangeError: Offset is outside the bounds of the DataView
    at DataView.getUint32 (<anonymous>)
    at /home/scop/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:99:43
    at Array.reduce (<anonymous>)
    at ContainerStructuralHandler.fromBytes (/home/scop/node_modules/@chainsafe/ssz/lib/backings/structural/container.js:97:33)
    at ContainerStructuralHandler.deserialize (/home/scop/node_modules/@chainsafe/ssz/lib/backings/structural/abstract.js:55:17)
    at ContainerType.deserialize (/home/scop/node_modules/@chainsafe/ssz/lib/types/composite/abstract.js:112:28)
    at Object.<anonymous> (XXX/crash_RangeError_block_lodestar.js:6:29)
    at Module._compile (internal/modules/cjs/loader.js:936:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:947:10)
    at Module.load (internal/modules/cjs/loader.js:790:32)


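The trace shows container.js reading variable-field offsets with fixedSection.getUint32 before confirming the buffer actually contains the fixed section, which is why an empty input surfaces as a RangeError from DataView rather than a decode error. The following is an added example (not code from lodestar or @chainsafe/ssz) of a minimal SSZ-style container decoder that performs the two checks a practitioner would want here: the buffer must be at least as long as the fixed section before any offset is read, and every offset must start at the end of the fixed section, be non-decreasing, and stay inside the buffer. The field kinds, BLOCK_SCHEMA, encodeSample and safeDeserialize are hypothetical simplifications for illustration, not the real BeaconBlock layout or the library's API.

```javascript
'use strict';
// Added example, not lodestar or @chainsafe/ssz code. Minimal SSZ-style
// container decoder that validates length and offsets before touching the
// DataView, so truncated or empty input fails with a typed Error instead of
// the RangeError in the stack trace above. Field kinds are a hypothetical
// subset of SSZ: fixed-size unsigned ints and variable-length byte lists.

const OFFSET_SIZE = 4; // SSZ offsets are little-endian uint32

class SszDecodeError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SszDecodeError';
  }
}

// Bytes a field occupies in the fixed section: the value itself for
// fixed-size fields, a 4-byte offset for variable-size fields.
function fixedSize(field) {
  return field.kind === 'uint' ? field.size : OFFSET_SIZE;
}

function fixedSectionSize(schema) {
  return schema.reduce((n, f) => n + fixedSize(f), 0);
}

function deserializeContainer(schema, buf) {
  const fixedLen = fixedSectionSize(schema);
  // Check 1: the whole fixed section must be present before any offset is
  // read. This is the check the empty-buffer input above falls through.
  if (buf.length < fixedLen) {
    throw new SszDecodeError(`fixed section needs ${fixedLen} bytes, got ${buf.length}`);
  }
  const view = new DataView(buf.buffer, buf.byteOffset, buf.length);
  const out = {};
  const offsets = [];
  let pos = 0;
  for (const field of schema) {
    if (field.kind === 'uint') {
      if (field.size === 8) out[field.name] = view.getBigUint64(pos, true);
      else if (field.size === 4) out[field.name] = view.getUint32(pos, true);
      else throw new SszDecodeError(`unsupported uint size ${field.size}`);
      pos += field.size;
    } else {
      offsets.push({ name: field.name, offset: view.getUint32(pos, true) });
      pos += OFFSET_SIZE;
    }
  }
  // Check 2: offsets must start exactly at the end of the fixed section, be
  // non-decreasing, and never point past the end of the buffer.
  for (let i = 0; i < offsets.length; i++) {
    const { name, offset } = offsets[i];
    const end = i + 1 < offsets.length ? offsets[i + 1].offset : buf.length;
    if (i === 0 && offset !== fixedLen) {
      throw new SszDecodeError(`first offset ${offset} != fixed section size ${fixedLen}`);
    }
    if (offset > end || end > buf.length) {
      throw new SszDecodeError(`range ${offset}..${end} for ${name} exceeds ${buf.length}-byte buffer`);
    }
    out[name] = buf.subarray(offset, end);
  }
  return out;
}

// Wrapper that reports the error class, so a caller or fuzz harness can tell
// a clean decode failure (SszDecodeError) from an escaped RangeError.
function safeDeserialize(schema, buf) {
  try {
    return { ok: true, value: deserializeContainer(schema, buf) };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

// Hypothetical block-like container: two uint64 fields and a variable body.
const BLOCK_SCHEMA = [
  { name: 'slot', kind: 'uint', size: 8 },
  { name: 'proposerIndex', kind: 'uint', size: 8 },
  { name: 'body', kind: 'bytes' },
];

// Constructed sample encoder (fixed section is 8 + 8 + 4 = 20 bytes); the
// body offset is a parameter so malformed offsets can be produced on purpose.
function encodeSample(slot, proposerIndex, bodyOffset, body) {
  const fixed = Buffer.alloc(20);
  fixed.writeBigUInt64LE(BigInt(slot), 0);
  fixed.writeBigUInt64LE(BigInt(proposerIndex), 8);
  fixed.writeUInt32LE(bodyOffset, 16);
  return Buffer.concat([fixed, Buffer.from(body)]);
}
const VALID_BLOCK = encodeSample(5, 7, 20, 'abc');

console.log(safeDeserialize(BLOCK_SCHEMA, Buffer.from('', 'hex'))); // typed error, no RangeError
console.log(safeDeserialize(BLOCK_SCHEMA, VALID_BLOCK));            // ok: slot 5n, body "abc"
console.log(safeDeserialize(BLOCK_SCHEMA, encodeSample(5, 7, 200, 'abc'))); // offset past end
```

Run it with node; the empty and out-of-range inputs are rejected by the decoder's own checks, while the valid encoding decodes. The same two checks generalize to containers with several variable-size fields, since the loop compares each offset against the next one rather than only against the buffer end.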