Comments (5)
Just to make clear, the panic indicates a bug in the encoder that needs to be fixed.
from xz.
The issue is not with the encoder but with the decoder. The input generated by go-fuzz is certainly malformed, but I believe decoding libraries should not panic upon invalid inputs when possible (an exception might be when allocating buffers, but even these can be mitigated). The panic can be reproduced manually by running:
cd lzma
go run lzmareader/lzmareader.go corpus/bad_dist_out_of_range.lzma
using this as input:
https://github.com/pmezard/xz/blob/fuzz/lzma/corpus/bad_dist_out_of_range.lzma
in the fuzzing branch I pushed here:
https://github.com/pmezard/xz/tree/fuzz
The trivial reader code is here:
https://github.com/pmezard/xz/blob/fuzz/lzma/lzmareader/lzmareader.go
and go-fuzz function:
https://github.com/pmezard/xz/blob/fuzz/lzma/fuzz.go
from xz.
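The kind of check the comment above is asking for, as an added example that is not the xz project's code: a toy LZ77-style token format (not the LZMA bitstream) with an unchecked decoder that panics when a match distance exceeds the bytes produced so far, its hardened counterpart that returns an error instead, a recover-based wrapper for callers who cannot fix the library they depend on, and a go-fuzz entry point in the `func Fuzz([]byte) int` shape. The format, the function names, the output limit and the two input streams are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy token stream used only for this example (not the LZMA format):
//   0x00 <byte>          emit one literal byte
//   0x01 <dist> <len>    copy <len> bytes starting <dist> bytes back in the output
// dist and len are single bytes; a well-formed dist is in 1..len(output so far).

var (
	ErrTruncated      = errors.New("toy-lz: truncated token")
	ErrBadOp          = errors.New("toy-lz: unknown opcode")
	ErrDistOutOfRange = errors.New("toy-lz: match distance out of range")
	ErrOutputTooLarge = errors.New("toy-lz: output exceeds limit")
)

// decodeUnchecked trusts the stream. When dist > len(out) the index
// len(out)-dist is negative and the Go runtime panics (index out of range),
// the same failure class a fuzzer reports as a crasher.
func decodeUnchecked(in []byte) []byte {
	var out []byte
	for i := 0; i < len(in); {
		if in[i] == 0x00 {
			out = append(out, in[i+1])
			i += 2
			continue
		}
		dist, n := int(in[i+1]), int(in[i+2])
		for j := 0; j < n; j++ {
			out = append(out, out[len(out)-dist]) // panics for dist == 0 or dist > len(out)
		}
		i += 3
	}
	return out
}

// Decode is the hardened decoder: every malformed input yields an error,
// and maxOut bounds the output so a hostile stream cannot exhaust memory.
func Decode(in []byte, maxOut int) ([]byte, error) {
	var out []byte
	for i := 0; i < len(in); {
		switch in[i] {
		case 0x00:
			if i+1 >= len(in) {
				return nil, ErrTruncated
			}
			if len(out) >= maxOut {
				return nil, ErrOutputTooLarge
			}
			out = append(out, in[i+1])
			i += 2
		case 0x01:
			if i+2 >= len(in) {
				return nil, ErrTruncated
			}
			dist, n := int(in[i+1]), int(in[i+2])
			if dist == 0 || dist > len(out) {
				return nil, fmt.Errorf("%w: dist=%d, produced=%d", ErrDistOutOfRange, dist, len(out))
			}
			if len(out)+n > maxOut {
				return nil, ErrOutputTooLarge
			}
			for j := 0; j < n; j++ {
				out = append(out, out[len(out)-dist]) // overlapping copy, as in LZ77
			}
			i += 3
		default:
			return nil, fmt.Errorf("%w: 0x%02x at offset %d", ErrBadOp, in[i], i)
		}
	}
	return out, nil
}

// DecodeNoPanic turns a decoder panic into an error for the caller. It is a
// stopgap for code that cannot fix the library; the real fix is validation
// as in Decode.
func DecodeNoPanic(fn func([]byte) []byte, in []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	return fn(in), nil
}

// Fuzz is a go-fuzz entry point (go-fuzz-build expects func Fuzz([]byte) int).
// A panic inside Decode would be recorded as a crasher; returning 1 marks the
// input as interesting because it decoded cleanly.
func Fuzz(data []byte) int {
	if _, err := Decode(data, 1<<20); err != nil {
		return 0
	}
	return 1
}

// Constructed inputs (not from the xz corpus): a valid stream, and one whose
// match distance (5) exceeds the two bytes produced before it.
var (
	goodStream    = []byte{0x00, 'a', 0x00, 'b', 0x01, 2, 4} // "ab" then copy 4 back 2 -> "ababab"
	badDistStream = []byte{0x00, 'a', 0x00, 'b', 0x01, 5, 1}
)

func main() {
	out, err := Decode(goodStream, 1<<20)
	fmt.Printf("good, hardened: %q err=%v\n", out, err)
	_, err = Decode(badDistStream, 1<<20)
	fmt.Println("bad, hardened:", err)
	_, err = DecodeNoPanic(decodeUnchecked, badDistStream)
	fmt.Println("bad, unchecked+recover:", err)
}
```

The distance check is the only line that separates the two decoders; the truncation, opcode and output-size checks are the other places a reader of untrusted compressed data usually has to add a guard before fuzzing stops finding crashers.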
Hi, many thanks for the comprehensive information. I will have to work on it, but can't start before Sunday.
from xz.
The code has been rewritten and tested against multiple corpora. I'm planning fuzzing tests for v0.7.
from xz.
I labeled the issue as enhancement, because the open action is fuzzing; the bug is fixed.
from xz.