Initial fuzzing with libFuzzer - memory leak, UB and buffer write overflow #345

pauldreik opened this issue Oct 24, 2019 · 8 comments
@pauldreik pauldreik commented Oct 24, 2019

I added a very basic fuzzing attempt, more or less from the README on the front page. It found a memory leak instantly. This is why I proceeded with running the normal tool in valgrind (see #340).

The fuzzer is available at https://github.com/pauldreik/simdjson/tree/paul/initialfuzz/fuzz
Here is what I did:

git clone https://github.com/pauldreik/simdjson
cd simdjson
git checkout paul/initialfuzz
export CXXFLAGS=-fsanitize=fuzzer-no-link,address,undefined
export LDFLAGS=-fsanitize=address,undefined
export CXX=clang++
export CC=clang
mkdir build-fuzzer
cd build-fuzzer
cmake .. -GNinja -DCMAKE_BUILD_TYPE=Debug -DENABLE_FUZZING=On
ninja
fuzz/fuzzer

and this is the first result (memory leak)

paul@torsken:~/code/delaktig/simdjson/build-fuzzer$ fuzz/fuzzer 
INFO: Seed: 3998568228
INFO: Loaded 2 modules   (12214 inline 8-bit counters): 12020 [0x7fa65710f1e0, 0x7fa6571120d4), 194 [0x56dbc8, 0x56dc8a), 
INFO: Loaded 2 PC tables (12214 PCs): 12020 [0x7fa6571120d8,0x7fa657141018), 194 [0x56dc90,0x56e8b0), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2	INITED cov: 381 ft: 382 corp: 1/1b lim: 4 exec/s: 0 rss: 29Mb
	NEW_FUNC[1/7]: 0x7fa656fdf2c0 in simdjson::haswell::push_last_byte_of_a_to_b(long long vector[4], long long vector[4]) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/haswell/simdutf8check.h:34
	NEW_FUNC[2/7]: 0x7fa656fdff30 in simdjson::haswell::push_last_2bytes_of_a_to_b(long long vector[4], long long vector[4]) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/haswell/simdutf8check.h:38

=================================================================
==17675==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 34 byte(s) in 1 object(s) allocated from:
    #0 0x4f4f79 in posix_memalign (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4f4f79)
    #1 0x7fa656f72643 in simdjson::aligned_malloc(unsigned long, unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/portability.h:175:7
    #2 0x7fa656f71cdc in simdjson::aligned_malloc_char(unsigned long, unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/portability.h:183:18
    #3 0x7fa656f71c5f in simdjson::allocate_padded_buffer(unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonioutil.cpp:11:25
    #4 0x7fa656f7663e in int simdjson::json_parse_implementation<(simdjson::Architecture)1>(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:27:24
    #5 0x7fa656f73c6e in simdjson::json_parse(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:23:10
    #6 0x7fa656f74d74 in simdjson::build_parsed_json(unsigned char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:86:5
    #7 0x526f01 in simdjson::build_parsed_json(char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:176:10
    #8 0x526ca8 in simdjson::build_parsed_json(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:199:10
    #9 0x5266ed in LLVMFuzzerTestOneInput /home/paul/code/delaktig/simdjson/build-fuzzer/../fuzz/fuzz.cpp:17:29
    #10 0x430f1a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x430f1a)
    #11 0x4304b5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4304b5)
    #12 0x4321fe in fuzzer::Fuzzer::MutateAndTestOne() (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4321fe)
    #13 0x432ed5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x432ed5)
    #14 0x428f00 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x428f00)
    #15 0x44c512 in main (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x44c512)
    #16 0x7fa656b8109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Direct leak of 33 byte(s) in 1 object(s) allocated from:
    #0 0x4f4f79 in posix_memalign (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4f4f79)
    #1 0x7fa656f72643 in simdjson::aligned_malloc(unsigned long, unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/portability.h:175:7
    #2 0x7fa656f71cdc in simdjson::aligned_malloc_char(unsigned long, unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/portability.h:183:18
    #3 0x7fa656f71c5f in simdjson::allocate_padded_buffer(unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonioutil.cpp:11:25
    #4 0x7fa656f7663e in int simdjson::json_parse_implementation<(simdjson::Architecture)1>(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:27:24
    #5 0x7fa656f74a41 in simdjson::json_parse_dispatch(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:75:10
    #6 0x7fa656f73c6e in simdjson::json_parse(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:23:10
    #7 0x7fa656f74d74 in simdjson::build_parsed_json(unsigned char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:86:5
    #8 0x526f01 in simdjson::build_parsed_json(char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:176:10
    #9 0x526ca8 in simdjson::build_parsed_json(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:199:10
    #10 0x5266ed in LLVMFuzzerTestOneInput /home/paul/code/delaktig/simdjson/build-fuzzer/../fuzz/fuzz.cpp:17:29
    #11 0x430f1a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x430f1a)
    #12 0x4304b5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4304b5)
    #13 0x4327dd in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4327dd)
    #14 0x432cf5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x432cf5)
    #15 0x428f00 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x428f00)
    #16 0x44c512 in main (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x44c512)
    #17 0x7fa656b8109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: 67 byte(s) leaked in 2 allocation(s).
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

MS: 1 InsertByte-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xb6,0xa,
\xb6\x0a
artifact_prefix='./'; Test unit written to ./leak-b08056e3474d9276a30ab9ce3604f56bbf152c24
Base64: tgo=

It also finds UB, if one suppresses the memory leak detection and lets it proceed anyway

fuzz/fuzzer -detect_leaks=0

../src/numberparsing.h:318:14: runtime error: 1e+351 is outside the range of representable values of type 'double'

And here is the buffer overflow

=================================================================
==17698==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000961400 at pc 0x7f9e68edaf0b bp 0x7fff9046b8d0 sp 0x7fff9046b8c8
WRITE of size 8 at 0x615000961400 thread T0
    #0 0x7f9e68edaf0a in simdjson::ParsedJson::write_tape_s64(long) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/parsedjson.h:79:25
    #1 0x7f9e68edaf0a in simdjson::parse_number(unsigned char const*, simdjson::ParsedJson&, unsigned int, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/numberparsing.h:597
    #2 0x7f9e68edaf0a in simdjson::haswell::unified_machine(unsigned char const*, unsigned long, simdjson::ParsedJson&) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/generic/stage2_build_tape.h:396
    #3 0x7f9e68ee78ed in int simdjson::unified_machine<(simdjson::Architecture)1>(unsigned char const*, unsigned long, simdjson::ParsedJson&) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/haswell/stage2_build_tape.h:25:10
    #4 0x7f9e68e1dadc in int simdjson::json_parse_implementation<(simdjson::Architecture)1>(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:38:13
    #5 0x7f9e68e1ac6e in simdjson::json_parse(unsigned char const*, unsigned long, simdjson::ParsedJson&, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:23:10
    #6 0x7f9e68e1bd74 in simdjson::build_parsed_json(unsigned char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:86:5
    #7 0x526f01 in simdjson::build_parsed_json(char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:176:10
    #8 0x526ca8 in simdjson::build_parsed_json(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:199:10
    #9 0x5266ed in LLVMFuzzerTestOneInput /home/paul/code/delaktig/simdjson/build-fuzzer/../fuzz/fuzz.cpp:17:29
    #10 0x430f1a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x430f1a)
    #11 0x4304b5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4304b5)
    #12 0x4321fe in fuzzer::Fuzzer::MutateAndTestOne() (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4321fe)
    #13 0x432ed5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x432ed5)
    #14 0x428f00 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x428f00)
    #15 0x44c512 in main (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x44c512)
    #16 0x7f9e68a2809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #17 0x422a19 in _start (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x422a19)

0x615000961400 is located 0 bytes to the right of 512-byte region [0x615000961200,0x615000961400)
allocated by thread T0 here:
    #0 0x523972 in operator new[](unsigned long, std::nothrow_t const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x523972)
    #1 0x7f9e68f3b814 in simdjson::ParsedJson::allocate_capacity(unsigned long, unsigned long) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/parsedjson.cpp:55:10
    #2 0x7f9e68e1bbd9 in simdjson::build_parsed_json(unsigned char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../src/jsonparser.cpp:84:16
    #3 0x526f01 in simdjson::build_parsed_json(char const*, unsigned long, bool) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:176:10
    #4 0x526ca8 in simdjson::build_parsed_json(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/jsonparser.h:199:10
    #5 0x5266ed in LLVMFuzzerTestOneInput /home/paul/code/delaktig/simdjson/build-fuzzer/../fuzz/fuzz.cpp:17:29
    #6 0x430f1a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x430f1a)
    #7 0x4304b5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4304b5)
    #8 0x4321fe in fuzzer::Fuzzer::MutateAndTestOne() (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x4321fe)
    #9 0x432ed5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x432ed5)
    #10 0x428f00 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x428f00)
    #11 0x44c512 in main (/home/paul/code/delaktig/simdjson/build-fuzzer/fuzz/fuzzer+0x44c512)
    #12 0x7f9e68a2809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/paul/code/delaktig/simdjson/build-fuzzer/../include/simdjson/parsedjson.h:79:25 in simdjson::ParsedJson::write_tape_s64(long)
Shadow bytes around the buggy address:
  0x0c2a80124230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80124240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80124250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80124260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a80124270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a80124280:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80124290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a801242a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a801242b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a801242c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a801242d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17698==ABORTING
MS: 1 CopyPart-; base unit: 80151ab5ed726cf12ff141ba559db6d50be69032
0x5b,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x5b,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x37,0x2c,0x37,0x2c,0x36,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x37,0x2c,0x36,
[7,7,7,7,6,7,7,7,6,7,7,6,[7,7,7,7,6,7,7,7,6,7,7,6,7,7,7,7,7,7,6
artifact_prefix='./'; Test unit written to ./crash-1034d1117ff8e103a19c5830342087618f4f49e6
Base64: WzcsNyw3LDcsNiw3LDcsNyw2LDcsNyw2LFs3LDcsNyw3LDYsNyw3LDcsNiw3LDcsNiw3LDcsNyw3LDcsNyw2

The buffer overflow test case is base64-encoded below (I did not minimize it since it is short anyway):

WzcsNyw3LDcsNiw3LDcsNyw2LDcsNyw2LFs3LDcsNyw3LDYsNyw3LDcsNiw3LDcsNiw3LDcsNyw3LDcsNyw2
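
As an added example (my stand-in code, not simdjson's and not the fix the maintainers landed), here is a fixed-capacity tape writer that reproduces the bug class in the heap-buffer-overflow report above and shows the two checks a practitioner wants: a capacity check on every tape write, and an overflow check on double conversion for the UBSan finding. Assumptions that are mine, not the project's: the tape is sized to len + 1 words from the input length, every number costs two words (a tag word plus a 64-bit payload), and "stage 2" is a plain byte walk with no structural validation. Under those assumptions the 63-byte crash input needs 65 words against 64 reserved, which is consistent with the report's 8-byte write exactly at the end of a 512-byte region. The LLVMFuzzerTestOneInput entry point has the same shape as the fuzz.cpp harness in the report, so the file doubles as a libFuzzer target.

```cpp
// Added example, not simdjson code. Tape sizing and tag values are assumptions.
#include <cerrno>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

enum class tape_error { success, capacity, number };

// Fixed-capacity tape. write() refuses to go past the reserved region; the
// report above shows what happens without this check.
struct tape {
  std::vector<uint64_t> words;
  size_t pos = 0;
  explicit tape(size_t capacity_words) : words(capacity_words) {}
  bool write(uint64_t w) {
    if (pos >= words.size()) return false;  // would overflow: refuse
    words[pos++] = w;
    return true;
  }
};

// Tag words; the values are arbitrary, only the per-token word cost matters.
constexpr uint64_t TAG_ROOT = 'r', TAG_ARRAY = '[', TAG_INT = 'l', TAG_DBL = 'd';

static bool is_num_char(unsigned char c) {
  return c != 0 && std::strchr("0123456789.eE+-", c) != nullptr;
}

// Writes one number as tag word + 64-bit payload. Tokens with '.', 'e' or 'E'
// go through strtod and are rejected on overflow, the check missing behind the
// UBSan finding ("1e+351 is outside the range of representable values").
static tape_error write_number(tape &t, const std::string &tok) {
  errno = 0;
  uint64_t tag, payload;
  if (tok.find_first_of(".eE") != std::string::npos) {
    double d = std::strtod(tok.c_str(), nullptr);
    if (errno == ERANGE || !std::isfinite(d)) return tape_error::number;
    tag = TAG_DBL;
    std::memcpy(&payload, &d, sizeof payload);
  } else {
    long long v = std::strtoll(tok.c_str(), nullptr, 10);
    if (errno == ERANGE) return tape_error::number;
    tag = TAG_INT;
    payload = static_cast<uint64_t>(v);
  }
  if (!t.write(tag) || !t.write(payload)) return tape_error::capacity;
  return tape_error::success;
}

// Stage-2-like pass: walks the bytes and appends to the tape (no validation).
static tape_error fill_tape(tape &t, const std::string &in) {
  if (!t.write(TAG_ROOT)) return tape_error::capacity;
  for (size_t i = 0; i < in.size(); ++i) {
    unsigned char c = in[i];
    if (c == '[') {
      if (!t.write(TAG_ARRAY)) return tape_error::capacity;
    } else if (c == '-' || (c >= '0' && c <= '9')) {
      size_t start = i;
      while (i + 1 < in.size() && is_num_char(in[i + 1])) ++i;
      tape_error e = write_number(t, in.substr(start, i - start + 1));
      if (e != tape_error::success) return e;
    }
  }
  return tape_error::success;
}

// Assumed buggy sizing rule: len + 1 words. Two words per number means this is
// not a bound on the output; the checked write turns the overflow into an error.
tape_error build_tape_len_plus_one(const std::string &in) {
  tape t(in.size() + 1);
  return fill_tape(t, in);
}

// Safe sizing rule: each input byte yields at most two words, plus the root
// tag, so 2*len + 2 words can never be exceeded by fill_tape.
tape_error build_tape_bounded(const std::string &in) {
  tape t(2 * in.size() + 2);
  return fill_tape(t, in);
}

// Words the input actually consumes (built under the safe bound, so it cannot fail).
size_t words_needed(const std::string &in) {
  tape t(2 * in.size() + 2);
  fill_tape(t, in);
  return t.pos;
}

// libFuzzer entry point, same shape as the fuzz.cpp harness in the report.
// Build: clang++ -g -O1 -fsanitize=fuzzer,address,undefined -DLIBFUZZER tape_fuzz.cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  std::string in(reinterpret_cast<const char *>(data), size);
  build_tape_len_plus_one(in);
  build_tape_bounded(in);
  return 0;
}

#ifndef LIBFUZZER
// Stand-alone driver: replays the crash input from the report (decoded from its Base64).
int main() {
  const std::string crash = "[7,7,7,7,6,7,7,7,6,7,7,6,[7,7,7,7,6,7,7,7,6,7,7,6,7,7,7,7,7,7,6";
  std::printf("bytes=%zu words_needed=%zu reserved=%zu -> %s\n", crash.size(),
              words_needed(crash), crash.size() + 1,
              build_tape_len_plus_one(crash) == tape_error::capacity ? "capacity error" : "ok");
  return 0;
}
#endif
```

The arithmetic `words_needed` makes explicit for the crash input is 31 numbers × 2 words + 2 array tags + 1 root tag = 65 words against the 64 that len + 1 reserves. Whichever sizing rule a parser uses, the write path still needs the bounds check: a reserved capacity is only safe when it is a provable upper bound on what the input can produce, and fuzzers are good at finding inputs that break an informal one.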
@lemire lemire commented Oct 24, 2019

Let us investigate.

@lemire lemire added the help wanted label Oct 24, 2019
lemire added a commit that referenced this issue Oct 24, 2019
@lemire lemire commented Oct 24, 2019

Your test revealed a potential memory leak when parsing an input that fails stage 1, fixed in the following commit:

a065805

(The fix is trivial and so is the issue, once it is spotted.)
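
The failure path described in that comment, as an added example that is not simdjson's code and not the commit referenced above: a padded copy of the input is allocated before stage 1 and never released when stage 1 rejects the input, which is the shape of the LeakSanitizer stack in the report (allocate_padded_buffer called from json_parse_implementation, 33 and 34 bytes lost). Everything is a stand-in: "stage 1" here is only a UTF-8 well-formedness check, which is what the leak input `\xb6\x0a` fails (0xb6 is a stray continuation byte), the padding size is assumed, and allocations go through a small registry so the leaked buffers can be counted and reclaimed without the process actually losing them.

```cpp
// Added example, not simdjson code. Stage 1 and the padding size are stand-ins.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

constexpr size_t PADDING = 32;  // assumed padding for the "padded buffer"

// Allocation registry: every buffer stays reachable from g_live, so a leaky
// path shows up as a count rather than as lost memory (LeakSanitizer only
// reports blocks that nothing references any more).
static std::vector<void *> g_live;

static char *padded_alloc(size_t len) {
  void *p = std::malloc(len + PADDING);
  if (p != nullptr) g_live.push_back(p);
  return static_cast<char *>(p);
}
static void padded_free(char *p) {
  for (size_t i = 0; i < g_live.size(); ++i)
    if (g_live[i] == p) { g_live.erase(g_live.begin() + i); break; }
  std::free(p);
}
size_t live_buffers() { return g_live.size(); }
void reclaim_all() {
  while (!g_live.empty()) padded_free(static_cast<char *>(g_live.back()));
}

// Stand-in for stage 1: accept only structurally well-formed UTF-8 (lead byte
// followed by the right number of continuation bytes; overlong and surrogate
// encodings are not checked, that is not what the example is about).
static bool stage1_utf8_ok(const char *s, size_t n) {
  for (size_t i = 0; i < n;) {
    unsigned char c = s[i];
    size_t extra;
    if (c < 0x80) extra = 0;
    else if ((c & 0xE0) == 0xC0) extra = 1;
    else if ((c & 0xF0) == 0xE0) extra = 2;
    else if ((c & 0xF8) == 0xF0) extra = 3;
    else return false;  // 0x80..0xBF (like 0xb6) or 0xF8+ cannot start a sequence
    if (i + extra >= n) return false;  // truncated sequence
    for (size_t k = 1; k <= extra; ++k)
      if ((static_cast<unsigned char>(s[i + k]) & 0xC0) != 0x80) return false;
    i += extra + 1;
  }
  return true;
}

enum class parse_error { success, alloc, utf8 };

// Leaky shape: allocate, copy, run stage 1, return on failure without freeing.
parse_error parse_leaky(const std::string &in) {
  char *buf = padded_alloc(in.size());
  if (buf == nullptr) return parse_error::alloc;
  std::memcpy(buf, in.data(), in.size());
  std::memset(buf + in.size(), 0, PADDING);
  if (!stage1_utf8_ok(buf, in.size())) return parse_error::utf8;  // buf is lost here
  padded_free(buf);
  return parse_error::success;
}

// Fixed shape: the buffer's lifetime is owned by a unique_ptr, so every
// return path, including the stage-1 rejection, releases it.
parse_error parse_fixed(const std::string &in) {
  std::unique_ptr<char, void (*)(char *)> buf(padded_alloc(in.size()), padded_free);
  if (!buf) return parse_error::alloc;
  std::memcpy(buf.get(), in.data(), in.size());
  std::memset(buf.get() + in.size(), 0, PADDING);
  if (!stage1_utf8_ok(buf.get(), in.size())) return parse_error::utf8;
  return parse_error::success;
}

int main() {
  const std::string leak_input("\xb6\n", 2);  // the leak-* artifact from the report
  parse_leaky(leak_input);
  size_t after_leaky = live_buffers();
  reclaim_all();
  parse_fixed(leak_input);
  std::printf("live after leaky=%zu, live after fixed=%zu\n", after_leaky, live_buffers());
  return 0;
}
```

Tying the buffer to an owning object is the whole fix; the same input that exercised the leaky early return leaves nothing behind once the release no longer depends on reaching the end of the function. The registry is only there to make the count observable in a test; with a sanitizer build, running the leaky variant on the same input reproduces the "Direct leak" report instead.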

@lemire lemire closed this Oct 24, 2019
@lemire lemire commented Oct 24, 2019

I'll open a distinct issue for the buf overflow.

lemire added a commit that referenced this issue Oct 24, 2019
lemire added a commit that referenced this issue Oct 24, 2019
@lemire lemire commented Oct 24, 2019

Buf overflow fixed. See related PR.

lemire added a commit that referenced this issue Oct 24, 2019
@lemire lemire commented Oct 24, 2019

UB fixed via da1c35d

@lemire lemire commented Oct 24, 2019

It might be worth it to submit as a PR your fuzzer to the project. You caught three bugs that had escaped us thus far. Well done.

@pauldreik pauldreik commented Oct 24, 2019

Thanks!
I just ran the fuzzer on the updated master, and the problems are gone. Great that you could fix it so fast!
I will happily contribute my fuzzer to the project.

I added the fuzzer cmake boilerplate in a way such that it is possible to have it built by oss-fuzz. That change may not be what you want, but I am not sure the existing cmake is well behaved. The reason is that (if I got this right) you are supposed to be able to pass compiler flags and the build should respect them. As it is now on master, CXXFLAGS are replaced. oss-fuzz passes flags via CXXFLAGS and the fuzzer via a linker flag. I solved the latter for fmt like this: https://github.com/fmtlib/fmt/blob/b7a157401e54895b491d0189045f27ca5cf100f6/test/fuzzing/CMakeLists.txt#L31 which works fine.
For me it would be perfect if I could reuse what I did for fmt, because it works fine and is already running on oss-fuzz. All is hidden behind an ENABLE_FUZZING flag to cmake which is default off, so it should not disturb other users.

@lemire lemire commented Oct 24, 2019

Improvements to our CMake setup are invited.

piotte13 added a commit that referenced this issue Nov 7, 2019
piotte13 added a commit that referenced this issue Nov 7, 2019
piotte13 added a commit that referenced this issue Nov 7, 2019
piotte13 added a commit that referenced this issue Nov 7, 2019
* rough prototype working.  Needs more test and fine tuning.

* prototype working on large files.

* prototype working on large files.

* Adding benchmarks

* jsonstream API adjustment

* type

* minor fixes and cleaning.

* minor fixes and cleaning.

* removing warnings

* removing some copies

* runtime dispatch error fix

* makefile linking src/jsonstream.cpp

* fixing arm stage 1 headers

* fixing stage 2 headers

* fixing stage 1 arm header

* making jsonstream portable

* cleaning imports

* including <algorithms> for windows compiler

* cleaning benchmark imports

* adding jsonstream to amalgamation

* merged main into branch

* bug fix where JsonStream would bug on rare cases.

* Adding a JsonStream Demo to Amalgamation

* Fix for #345

* Follow up test and fix for #345 (#347)

* Final (?) fix for #345

* Verbose basictest

* Being more forgiving of powers of ten.

* Let us zero the tail end.

* add basic fuzzers (#348)

* add basic fuzzing using libFuzzer

* let cmake respect cflags, otherwise the fuzzer flags go unnoticed

also, integrates badly with oss-fuzz

* add new fuzzer for minification, simplify the old one

* add fuzzer for the dump example

* clang format

* adding Paul Dreik

* rough prototype working.  Needs more test and fine tuning.

* prototype working on large files.

* prototype working on large files.

* Adding benchmarks

* jsonstream API adjustment

* type

* minor fixes and cleaning.

* Fixing issue 351 (#352)

* Fixing issues 351 and 353

* minor fixes and cleaning.

* removing warnings

* removing some copies

* Fix ARM compile errors on g++ 7.4 (#354)

* Fix ARM compilation errors

* Update singleheader

* runtime dispatch error fix

* makefile linking src/jsonstream.cpp

* fixing arm stage 1 headers

* fixing stage 2 headers

* fixing stage 1 arm header

* fix integer overflow in subnormal_power10 (#355)

detected by oss-fuzz

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18714

* Adding new test file, following #355

* making jsonstream portable

* cleaning imports

* including <algorithms> for windows compiler

* cleaning benchmark imports

* adding jsonstream to amalgamation

* merged main into branch

* bug fix where JsonStream would bug on rare cases.

* Adding a JsonStream Demo to Amalgamation

* merging main

* rough prototype working.  Needs more test and fine tuning.

* prototype working on large files.

* prototype working on large files.

* Adding benchmarks

* jsonstream API adjustment

* minor fixes and cleaning.

* minor fixes and cleaning.

* removing warnings

* removing some copies

* runtime dispatch error fix

* makefile linking src/jsonstream.cpp

* fixing arm stage 1 headers

* fixing stage 2 headers

* fixing stage 1 arm header

* making jsonstream portable

* cleaning imports

* including <algorithms> for windows compiler

* cleaning benchmark imports

* adding jsonstream to amalgamation

* bug fix where JsonStream would bug on rare cases.

* Adding a JsonStream Demo to Amalgamation

* rough prototype working.  Needs more test and fine tuning.

* minor fixes and cleaning.

* adding jsonstream to amalgamation

* merged main into branch

* Adding a JsonStream Demo to Amalgamation

* merging main

* merging main

* make file fix
piotte13 added a commit that referenced this issue Nov 8, 2019