Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Panic when decompressing #2

Closed
frewsxcv opened this issue Oct 25, 2015 · 6 comments
Closed

Panic when decompressing #2

frewsxcv opened this issue Oct 25, 2015 · 6 comments
Assignees
@ende76
Labels
bug

Comments

@frewsxcv
Copy link
Contributor 

extern crate brotli;

use std::io::{self, Read};
use brotli::Decompressor;

fn main() {
    let mut input = vec![];
    let _ = Decompressor::new(&b"\x1b\x3f\xff\xff\xdb\x4f\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
}

Crash discovered using afl.rs
@ende76
Copy link
Owner

ende76 commented Oct 25, 2015

@frewsxcv Thanks! I will look at it right now.

@ende76
Copy link
Owner

ende76 commented Oct 25, 2015

@frewsxcv I have identified the issue, and must admit that I had already been aware of it, yet postponed solving it. The answer was actually in one of the last few remaining @todo annotations:

    // @TODO: probably need to use parameter alphabet_size here to be able to
    //        reject streams with excessive repeated trailing zeros, as per section
    //        3.5. of the RFC:
    //        "If the number of times to repeat the previous length
    //         or repeat a zero length would result in more lengths in
    //         total than the number of symbols in the alphabet, then the
    //         stream should be rejected as invalid."

Your stream managed to create a seemingly endless stream of zeros for the runlength encoding, which seemed to have created a very long or possibly even endless loop. I have pushed a fix, but will keep this issue open for a little longer, to analyze your stream manually, because I want to make sure that's what happened.

@frewsxcv
Copy link
Contributor Author

Should a regression test be added?

@ende76
Copy link
Owner

ende76 commented Oct 25, 2015

Yes, absolutely! At the moment, I'm still analyzing your input in detail.

@frewsxcv
Copy link
Contributor Author

Alright, let me know when you think this is solved and I can continue fuzzing

@ende76
Copy link
Owner

ende76 commented Oct 25, 2015

Sorry, this took much longer than I first anticipated. The symptom was fixed 2 hours ago, and that fix should have been in place anyway, as already mentioned.
However, the analysis of your stream has brought to my attention a somewhat more serious problem, where I was a bit too cavalier with possible IO errors when parsing runlength codes (the exact place where your stream sent me looping).
Getting that right required many small changes all over, but I thought it was worth it to get it really right.
So now the issue can be considered closed.

@ende76 ende76 closed this as completed Oct 25, 2015
@ende76 ende76 added the bug label Oct 25, 2015
@ende76 ende76 self-assigned this Oct 25, 2015
ende76 added a commit that referenced this issue Oct 25, 2015
@ende76
MOD: bumped version number to reflect the bugfix #2
976331f
@frewsxcv frewsxcv changed the title Crash when decompressing Panic when decompressing Oct 25, 2015
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@ende76 ende76

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@frewsxcv @ende76