
Pathological input causes crash in toml::v2::impl::ex::parser::parse_value #100

Closed
geeknik opened this issue May 17, 2021 · 6 comments
Labels: bug (Something isn't working)

Comments

@geeknik

geeknik commented May 17, 2021

Whilst experimenting with the example toml_to_json_transcoder built from commit dca694, we discovered a file which triggers a segfault:

0x0000555555594f54 in toml::v2::impl::ex::parser::parse_value (this=0x7fffffffbdf0)
    at /root/tomlplusplus/include/toml++/toml_utf8.h:892
892                     return codepoint <= U'\u001F' || codepoint == U'\u007F';

crash.zip

@marzer
Owner

marzer commented May 17, 2021

Wow, that file is nothing if not pathological. The parser uses recursive descent; input like that will cause a stack overflow. How did you come to use this input? Was it real, or from something like a fuzzer?

@marzer
Owner

marzer commented May 17, 2021

Oh, never mind, I just did a quick scan of your profile; I'm going to guess it was from fuzzing :)

Welp, guess I better put some pathological case detection into the parser's descent logic... thanks for the report!

@marzer marzer added the bug Something isn't working label May 17, 2021
@marzer marzer self-assigned this May 17, 2021
@marzer marzer changed the title segfault in toml::v2::impl::ex::parser::parse_value Pathological input causes crash in toml::v2::impl::ex::parser::parse_value May 17, 2021
@geeknik
Author

geeknik commented May 17, 2021

You're welcome, the input was derived from an actual file, but after about 10 million iterations it's no longer recognizable. We found a few bugs in similar parsers, so we wanted to cover all of the more popular packages like yours too.

@marzer
Owner

marzer commented May 17, 2021

Awesome work!

Also, turns out this actually exposed two bugs:

  1. The stack overflow
  2. The garbage at the end causing the segfault you saw

What fun :D
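The two failure modes marzer names above (unbounded recursion in a recursive-descent parser, and a read past the end of the buffer when the input stops mid-value or is followed by garbage) are easy to reproduce in miniature. The following is an added example written for this page, not toml++ code: a tiny recursive-descent parser for TOML-style nested integer arrays with a depth guard and bounds-checked reads. `kMaxDepth`, `ParseStatus`, `parse_document`, `nesting_depth` and `nested_brackets` are names chosen for the illustration; the page does not say what limit toml++ settled on, so the value 64 is an assumption.

```cpp
// Added example, not toml++ code: a minimal recursive-descent parser for
// TOML-style nested integer arrays that guards against the two failure modes
// discussed in this issue: unbounded recursion on pathological nesting, and
// reading past the end of the buffer when the input is truncated or followed
// by garbage. kMaxDepth, ParseStatus and the function names are assumptions
// made for this illustration; they are not toml++ identifiers.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

enum class ParseStatus { ok, too_deep, truncated, bad_char };

// Hypothetical nesting limit; the page does not state what limit toml++ chose.
constexpr std::size_t kMaxDepth = 64;

struct Parser {
    std::string_view in;
    std::size_t max_depth;
    std::size_t pos = 0;
    std::size_t depth = 0;      // current recursion depth of parse_array
    std::size_t deepest = 0;    // deepest nesting reached, for reporting
    ParseStatus status = ParseStatus::ok;

    bool at_end() const { return pos >= in.size(); }
    // Every read goes through at_end()/peek(): truncated input yields '\0'
    // instead of an out-of-bounds access.
    char peek() const { return at_end() ? '\0' : in[pos]; }
    void skip_ws() {
        while (!at_end() && (in[pos] == ' ' || in[pos] == '\t' || in[pos] == '\n')) ++pos;
    }

    // value := array | integer
    bool parse_value() {
        skip_ws();
        if (at_end()) { status = ParseStatus::truncated; return false; }
        return peek() == '[' ? parse_array() : parse_integer();
    }

    bool parse_integer() {
        const std::size_t start = pos;
        while (!at_end() && in[pos] >= '0' && in[pos] <= '9') ++pos;
        if (pos == start) { status = ParseStatus::bad_char; return false; }
        return true;
    }

    // array := '[' ( value ( ',' value )* )? ']'
    // The depth check runs before recursing, so "[[[[[..." is rejected after
    // max_depth frames instead of exhausting the stack.
    bool parse_array() {
        if (++depth > max_depth) { status = ParseStatus::too_deep; return false; }
        deepest = std::max(deepest, depth);
        ++pos;                  // consume '['
        skip_ws();
        if (peek() == ']') { ++pos; --depth; return true; }
        for (;;) {
            if (!parse_value()) return false;
            skip_ws();
            if (at_end()) { status = ParseStatus::truncated; return false; }
            const char c = in[pos++];
            if (c == ']') break;
            if (c != ',') { status = ParseStatus::bad_char; return false; }
        }
        --depth;
        return true;
    }
};

// Parses one value and requires the input to be fully consumed: anything left
// over after the value (trailing garbage) is reported as bad_char, not ignored.
ParseStatus parse_document(std::string_view text, std::size_t max_depth = kMaxDepth,
                           std::size_t* deepest_out = nullptr) {
    Parser p{text, max_depth};
    if (p.parse_value()) {
        p.skip_ws();
        if (!p.at_end()) p.status = ParseStatus::bad_char;
    }
    if (deepest_out) *deepest_out = p.deepest;
    return p.status;
}

std::size_t nesting_depth(std::string_view text) {
    std::size_t d = 0;
    parse_document(text, kMaxDepth, &d);
    return d;
}

// Constructed pathological input: n opening brackets, one integer, n closing brackets.
std::string nested_brackets(std::size_t n) {
    return std::string(n, '[') + "1" + std::string(n, ']');
}

int main() {
    const ParseStatus s = parse_document(nested_brackets(1000000));
    std::printf("1,000,000-deep input: %s\n",
                s == ParseStatus::too_deep ? "rejected as too deep" : "unexpected result");
    return s == ParseStatus::too_deep ? 0 : 1;
}
```

Without the `++depth > max_depth` check, `main`'s million-deep input would recurse once per bracket and overflow the stack; with it, parsing stops after 64 frames and returns `too_deep`. The `at_end()` checks before every byte read are what turn the "garbage at the end" case into a clean `truncated` or `bad_char` result rather than a read past the buffer.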

@marzer marzer closed this as completed in a29ecda May 17, 2021
@marzer
Owner

marzer commented May 17, 2021

Fixed in master. Thanks again @geeknik!

@geeknik
Author

geeknik commented May 17, 2021

Fix confirmed. Will let you know if we encounter anything more serious. 👍🏻
