Skip to content

Segmentation fault in utf8proc_normalize_utf32 with invalid options #288

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
shuangxiangkan opened this issue Feb 23, 2025 · 1 comment
Open

Segmentation fault in utf8proc_normalize_utf32 with invalid options #288

shuangxiangkan opened this issue Feb 23, 2025 · 1 comment

Comments

@shuangxiangkan
Copy link

Description

While fuzzing utf8proc with AFL++, we discovered that pass invalid option flags to utf8proc_normalize_utf32, the API may trigger a segmentation fault.

// Valid option test - works correctly
utf8proc_option_t valid_options = 
    UTF8PROC_STRIPCC | 
    UTF8PROC_NLF2LS | 
    UTF8PROC_NLF2PS;
utf8proc_normalize_utf32(copy, num_codepoints, valid_options);

// Invalid option test - triggers crash
utf8proc_option_t invalid_options = 0xFFFF;
utf8proc_normalize_utf32(copy, num_codepoints, invalid_options);

Environment

  • OS: Ubuntu 22.04
  • Compiler: Clang 16.0.6
  • AFL++ Version: afl-fuzz++4.22a

Reproduction

afl-clang-fast -o fuzzer_afl fuzzer_afl.c \
    -I/path/to/utf8proc/include \
    -L/path/to/utf8proc/lib \
    -lutf8proc \
    -fsanitize=address

./fuzzer_afl

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3853974==ERROR: AddressSanitizer: SEGV on unknown address 0x558dccc4294c (pc 0x558dcbbee9c7 bp 0x00007f000617 sp 0x7ffc0d45aeb0 T0)
==3853974==The signal is caused by a READ memory access.
    #0 0x558dcbbee9c7 in unsafe_get_property /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:237:7
    #1 0x558dcbbee9c7 in utf8proc_normalize_utf32 /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:655:53
    #2 0x558dcbbea291 in main /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl.c:79:13
    #3 0x7fb067499249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fb067499304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x558dcbb2a3e0 in _start (/srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl+0x223e0) (BuildId: e62e3f9342618db53c46bbabc796a818d12e19b0)

Fuzz file and input

fuzzer_afl.c.zip

crash_input.zip

The utf8proc_reencode function may have similar crash behavior with invalid options
@shuangxiangkan
Copy link
Author

utf8proc_map_custom also crashes due to an invalid option

ASAN Log

=================================================================
==661819==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56051d2da93e at pc 0x56051d266416 bp 0x7fffe70538b0 sp 0x7fffe70538a8
READ of size 2 at 0x56051d2da93e thread T0
    #0 0x56051d266415 in unsafe_get_property /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:237:7
    #1 0x56051d266415 in utf8proc_decompose_custom /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:599:19
    #2 0x56051d267cbd in utf8proc_map_custom /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:771:12
    #3 0x56051d2621cf in main /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/fuzzer_afl.c:59:5
    #4 0x7f11125d7249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f11125d7304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0x56051d1a23e0 in _start (/srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/fuzzer_afl+0x223e0) (BuildId: 151cd15ebea154e929ab33a21a7599b86672b579)

input

crash_input2.zip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@shuangxiangkan