
Abrt in get_number (OSS-Fuzz 885) #519

Closed
nlohmann opened this issue Mar 17, 2017 · 1 comment
Closed


Comments

@nlohmann (Owner)

Detailed report: https://oss-fuzz.com/testcase?key=5393597081845760

Project: json
Fuzzer: afl_json_parse_afl_fuzzer
Fuzz target binary: parse_afl_fuzzer
Job Type: afl_asan_json
Platform Id: linux

Crash Type: Abrt on unknown address 0x000000000001
Crash Address: 
Crash State:
  demangling_terminate_handler
  std::__terminate
  __cxa_throw
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv97XDciMKr6_PypKy2kipdV1daNithj1enT67JgrprThT6JplCYIZtFZ_TCtBzO3zFNgwRZ8Xsg_Khn28ZYzwrJM5vUfpMLfjfnPjFvWGhUMH_ancyg7Inp7syPVn2pDxjmw4t3DTXkRZP1mxbG3arN7EiqS0C6zWNLGddHBz6ZFYmK7zG9c8Pm6jwsT-L6skXi5wgExIdnnf1DsXigBg9qu2rrS7PTgIfJtujTmJj8QxaHSvcdDpvId4OMhnPsip3AFZ4buiJMmxVFXvCH_HkalErQyMLzyMKRtGbYVnD8hQSy3e-uSfoilQDwT-VAbHZdrHIua195E9Sxo6htAZ49uLdIooFBrDOT0enP1Bltl60tx1dO-bobiGxbrPPE5vsqrb0eiG7ArC3_BlWWj0v3aOn-PfJwyOlzdWwbzrikZYSm5PT8?testcase_id=5393597081845760
Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
	SCARINESS: 10 (signal)
#0 0x7f73f22e2417 in gsignal
#1 0x7f73f22e4019 in abort
#2 0x583436 in abort_message
#3 0x584c65 in demangling_terminate_handler()
#4 0x5832d5 in std::__terminate(void (*)())
#5 0x5847d6 in __cxa_throw
#6 0x524dfd in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::get_number(nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>&, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::token_type) const /src/json/src/json.hpp:11871:21
#7 0x51b119 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse_internal(bool) /src/json/src/json.hpp:12146:29
#8 0x51be3a in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse_internal(bool) /src/json/src/json.hpp:12092:38
#9 0x51a67f in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse() /src/json/src/json.hpp:11953:33
#10 0x5132ec in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer> nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse<unsigned char const*, 0>(unsigned char const*, unsigned char const*, std::__1::function<bool (int, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse_event_t, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>&)>) /src/json/src/json.hpp:7244:40
#11 0x512a40 in LLVMFuzzerTestOneInput /src/json/test/src/fuzzer-parse_json.cpp:34:19
#12 0x512333 in main /src/libfuzzer/afl/afl_driver.cpp:287:7
#13 0x7f73f22cd82f in __libc_start_main
#14 0x41b5d8 in _start

clusterfuzz-testcase-5393597081845760.zip

@nlohmann (Owner, Author)

There seems to be a json::out_of_range exception thrown in lexer::get_number which is now caught in the fuzzer.

@nlohmann nlohmann added the label "solution: proposed fix" (a fix for the issue has been proposed and waits for confirmation) Mar 17, 2017
nlohmann added a commit that referenced this issue Mar 17, 2017
Added catch branch for out_of_range exception that can occur if input
file contains a number overflow.
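The failure mode in this report (a library exception type the fuzz harness did not catch, so `__cxa_throw` ran into `std::terminate` and ASAN reported an Abrt) and the catch branch the commit adds, as an added stand-alone example. This is not nlohmann/json's own code: the `toy` namespace mirrors only the shape of its `exception` / `parse_error` / `out_of_range` hierarchy, and `get_number`, `harness_fixed` and `escapes_narrow_catch` are hypothetical names chosen for illustration.

```cpp
#include <cerrno>
#include <cstdlib>
#include <stdexcept>
#include <string>

namespace toy {
// Illustrative stand-in for the json exception hierarchy:
// exception is the common base; parse_error and out_of_range are siblings.
struct exception : std::runtime_error { using std::runtime_error::runtime_error; };
struct parse_error : exception { using exception::exception; };
struct out_of_range : exception { using exception::exception; };

// Minimal integer lexing step. strtoll reports overflow via errno == ERANGE;
// like the real lexer's "number overflow" path, that becomes out_of_range,
// which is NOT a parse_error and so needs its own catch in any caller.
long long get_number(const std::string& tok) {
    if (tok.empty() || tok.find_first_not_of("-0123456789") != std::string::npos)
        throw parse_error("invalid number: " + tok);
    errno = 0;
    char* end = nullptr;
    long long v = std::strtoll(tok.c_str(), &end, 10);
    if (errno == ERANGE) throw out_of_range("number overflow parsing '" + tok + "'");
    if (*end != '\0') throw parse_error("trailing garbage in: " + tok);
    return v;
}
}  // namespace toy

enum class Outcome { ok, parse_error, out_of_range, other };

// Harness after the fix: every library exception is handled, and the
// outcome is returned so a test (or fuzzer log) can inspect it.
Outcome harness_fixed(const std::string& input) {
    try { toy::get_number(input); return Outcome::ok; }
    catch (const toy::parse_error&) { return Outcome::parse_error; }
    catch (const toy::out_of_range&) { return Outcome::out_of_range; }
    catch (const toy::exception&) { return Outcome::other; }  // any future subtype
}

// Harness before the fix, catching only parse_error. The outer catch(...)
// exists only so the test can observe that out_of_range escaped; in a real
// fuzz driver there is no outer handler and the process aborts.
bool escapes_narrow_catch(const std::string& input) {
    try {
        try { toy::get_number(input); return false; }
        catch (const toy::parse_error&) { return false; }
    } catch (...) { return true; }
}
```

The general lesson carried over from the report: catch the library's base exception type in a fuzz target, so a new error class (here overflow) is reported as a rejected input rather than a crash.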
@nlohmann nlohmann self-assigned this Mar 17, 2017
@nlohmann nlohmann modified the milestone: Release 3.0.0 Mar 17, 2017
@nlohmann nlohmann removed the label "solution: proposed fix" (a fix for the issue has been proposed and waits for confirmation) Apr 7, 2017