Closed
Labels
aspect: binary formats (BSON, CBOR, MessagePack, UBJSON); confirmed; kind: bug; release item: 🐛 bug fix; solution: proposed fix (a fix for the issue has been proposed and waits for confirmation)
Description
The input 0x5b, 0x23, 0x49, 0x20, 0xff triggers an assertion in the fuzzer for BJData.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47305
- https://oss-fuzz.com/testcase-detail/5621157828624384
Reproduction steps
- Call the fuzzer on input 0x5b, 0x23, 0x49, 0x20, 0xff.
- Observe the assertion.
Expected vs. actual results
No assertion should be triggered. Either the fuzzer must be made more robust against such input, or there is a bug in the library that must be fixed.
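As an added illustration (not code from this issue or from the library), the five reported bytes decoded under BJData's container rules, assumed here as: '[' opens an array, '#' introduces a count, 'I' tags an int16, and BJData stores integers little-endian. The issue does not state the root cause of the assertion; the example only shows what the count field holds and the check a parser must make before trusting such a count.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical helper, not part of nlohmann/json: decodes the header of a
// BJData array that carries a '#' count annotation with an 'I' (int16) count.
// Under little-endian decoding, the bytes 0x20 0xff form 0xff20 = -224 as int16.
struct ArrayHeader {
    bool ok = false;         // header was recognised
    bool has_count = false;  // a '#' count annotation was present
    long count = 0;          // kept signed so a negative count stays visible
};

ArrayHeader decode_array_header(const std::vector<std::uint8_t>& in) {
    ArrayHeader h;
    if (in.empty() || in[0] != '[') {
        return h;  // not an array: ok stays false
    }
    h.ok = true;
    if (in.size() < 2 || in[1] != '#') {
        return h;  // array without count annotation
    }
    // Only the 'I' count type used by the reported input is implemented here.
    if (in.size() < 5 || in[2] != 'I') {
        h.ok = false;
        return h;
    }
    const std::uint16_t raw = static_cast<std::uint16_t>(in[3] | (in[4] << 8));
    h.has_count = true;
    h.count = static_cast<std::int16_t>(raw);
    return h;
}

// The check a parser needs before using the count as an element count:
// a negative count can never describe a valid container and must be rejected.
bool count_is_usable(const ArrayHeader& h) {
    return h.ok && (!h.has_count || h.count >= 0);
}

// The input reported in this issue.
const std::vector<std::uint8_t> kReportedInput = {0x5b, 0x23, 0x49, 0x20, 0xff};

int main() {
    const ArrayHeader h = decode_array_header(kReportedInput);
    return (h.ok && !count_is_usable(h)) ? 0 : 1;  // 0: the negative count was caught
}
```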
Minimal code example
Adapted fuzzer:
```cpp
#include <cassert>
#include <cstdint>
#include <vector>
#include <nlohmann/json.hpp>
using json = nlohmann::json;

int main() {
    // the crashing input
    std::vector<std::uint8_t> vec1 = {{0x5b, 0x23, 0x49, 0x20, 0xff}};
    json j1 = json::from_bjdata(vec1);
    try
    {
        // step 2.1: round trip without adding size annotations to container types
        std::vector<uint8_t> vec2 = json::to_bjdata(j1, false, false);
        // step 2.2: round trip with adding size annotations but without adding type annotations to container types
        std::vector<uint8_t> vec3 = json::to_bjdata(j1, true, false);
        // step 2.3: round trip with adding size as well as type annotations to container types
        std::vector<uint8_t> vec4 = json::to_bjdata(j1, true, true);
        // parse serialization
        json j2 = json::from_bjdata(vec2);
        json j3 = json::from_bjdata(vec3);
        json j4 = json::from_bjdata(vec4);
        // serializations must match
        assert(json::to_bjdata(j2, false, false) == vec2);
        assert(json::to_bjdata(j3, true, false) == vec3);
        assert(json::to_bjdata(j4, true, true) == vec4);
    }
    catch (const json::parse_error&)
    {
        // parsing a BJData serialization must not fail
        assert(false);
    }
}
```
Error messages
The assertion
```cpp
// parsing a BJData serialization must not fail
assert(false);
```
is triggered. In the original context, the following stack trace is produced:
```
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_json_26b1464c0c18fac23c49bf26ed996090f90e682a/revisions/parse_bjdata_fuzzer /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash
Time ran: 0.16492581367492676
parse_bjdata_fuzzer: src/fuzzer-parse_bjdata.cpp:66: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `false' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==765==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000002fd (pc 0x7f986288918b bp 0x7f98629fe588 sp 0x7fff5efdeb10 T0)
SCARINESS: 10 (signal)
#0 0x7f986288918b in raise /build/glibc-eX1tMB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7f9862868858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7
#2 0x7f9862868728 in __assert_fail_base /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:92:3
#3 0x7f9862879f35 in __assert_fail /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:101:3
#4 0x4d9414 in LLVMFuzzerTestOneInput json/tests/src/fuzzer-parse_bjdata.cpp:66:13
#5 0x4d729a in ExecuteFilesOnyByOne aflplusplus/utils/aflpp_driver/aflpp_driver.c:234:7
#6 0x4d706d in main aflplusplus/utils/aflpp_driver/aflpp_driver.c:318:12
#7 0x7f986286a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#8 0x41e5bd in _start
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4618b)
==765==ABORTING
```
Compiler and operating system
macOS 12.3.1, Apple clang version 13.1.6
Library version
develop
Validation
- The bug also occurs if the latest version from the develop branch is used.
- I can successfully compile and run the unit tests.