This repository has been archived by the owner. It is now read-only.

libFuzzer outputs that crash libc++'s regex engine #24411

Closed
mclow opened this issue Aug 10, 2015 · 6 comments

@mclow mclow commented Aug 10, 2015

Bugzilla Link 24411
Resolution FIXED
Resolved on Feb 07, 2019 14:19
Version unspecified
OS All
Attachments Input to crash regex_match
CC @kcc,@mclow

Extended Description

This bug is to record the results of fuzzing libc++'s regex with clang's libfuzzer.

When a crash is found, it will be added here.

@mclow mclow commented Aug 10, 2015

assigned to @mclow


@mclow mclow commented Aug 10, 2015

First crash - in regex_match. Using this target function

#include <cstddef>
#include <cstdint>
#include <regex>
#include <string>

// libFuzzer entry point. The signature as originally posted returned void;
// current libFuzzer expects int and a return value of 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size > 0) {
    try {
      // Compile the fuzzer input as a grep-style pattern, then match it against itself.
      std::regex::flag_type flag = std::regex_constants::grep;
      std::string s((const char *)data, size);
      std::regex re(s, flag);
      std::regex_match(s, re);
    } catch (std::regex_error &ex) {
      // Malformed patterns are expected; only crashes and hangs are of interest.
    }
  }
  return 0;
}


@mclow mclow commented Aug 24, 2015

I reduced this test case down to "\8" and fixed it in 245849.

Leaving the bug open b/c I think the fuzzer will find more.


@mclow mclow commented Aug 26, 2015

Here's another one the fuzzer found (simplified).
This one doesn't fail, but it takes minutes to match against itself.

// Under the grep flag, \( and \) delimit a group; the backslashes must be escaped in the C++ literal.
const char *bad = "#\\(.\\)*###################.######.####### ";


@kcc kcc commented Feb 10, 2017

Is there still an interest in fuzzing libc++'s regex?
We now have https://github.com/google/oss-fuzz, a continuous
fuzzing service, where libc++ would be welcome.

Fuzzing regex now yields this:
projects/libcxx/include/regex:4058:21: runtime error: signed integer overflow: 403809844 * 10 cannot be represented in type 'int'

and then quickly gets stuck in timeouts.
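Added example (my own, not libc++ code) of the defensive fix for the kind of arithmetic UBSan flagged above: accumulating a decimal count from pattern digits with an overflow check before each step. The function name and the assumption that the reported overflow comes from parsing a repetition count are mine.

```cpp
// Added example, not libc++ code: overflow-checked accumulation of a decimal
// count such as the n in "{n}". Assumes the sanitizer report above stems from
// a digit-accumulation loop of the unchecked form.
#include <climits>
#include <cstddef>
#include <optional>
#include <string>

// Unchecked form: value * 10 + d is signed overflow (undefined behaviour)
// once value exceeds INT_MAX / 10. Shown for contrast; do not feed it
// more than nine digits.
int parse_count_unchecked(const std::string &digits) {
    int value = 0;
    for (char c : digits)
        value = value * 10 + (c - '0');
    return value;
}

// Hardened form: returns the parsed count, or nullopt if the input is empty,
// contains a non-digit, or the next step would exceed INT_MAX. The check is
// done before the multiply/add, so no overflowing expression is ever evaluated.
std::optional<int> parse_count(const std::string &digits) {
    if (digits.empty()) return std::nullopt;
    int value = 0;
    for (char c : digits) {
        if (c < '0' || c > '9') return std::nullopt;
        int d = c - '0';
        if (value > (INT_MAX - d) / 10) return std::nullopt; // would overflow
        value = value * 10 + d;
    }
    return value;
}
```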


@mclow mclow commented Feb 7, 2019

We have fixed all the regex crashes that OSS-Fuzz has reported.
What's left is stack overflows, large memory usage, and timeouts.

Closing this bug, because they're all being tracked over at OSS-Fuzz.


This issue was closed.