Comments (2)
Thank you for your report. I was able to run your reproduction strategy and get the leak report.
We will look into fixing this bug.
You should note that there is a bug in your repro code. You reported the bug against commit d050fe3 but the reproduction uses 01f3a87 (HEAD).
Is there a public repository where we can report issues about the autofuzzing project? There are a few things I'd like to report.
from libyaml.
@Google-Autofuzz I appreciate your work, but I find your reproduction methodology to be unnecessarily complicated. I took the liberty of streamlining some things so that it is simple and exact to reproduce. Here is how I would have reported this strategy:
You can reproduce our findings by running the following commands in a terminal:
wget https://github.com/yaml/libyaml/files/1794405/autofuzz-libyaml-111.zip
unzip autofuzz-libyaml-111.zip
cd autofuzz-libyaml-111
docker build --tag=autofuzz-libyaml-111 .
docker run -t autofuzz-libyaml-111
To run this interactively, use:
docker run -it autofuzz-libyaml-111 bash
Then run this command in the container:
./repro.sh ./reproducer
Take a look at that zip file. The changes I made are:
- Put the files in a wrapper directory
- Added 4 commands to the end of your Dockerfile
- Added a symlink to your reproducer file
- Added a ReadMe file
Here is the benefit:
- The reproduction commands are exact. You can literally cut/paste all the commands into a terminal at once, and they will run exactly. Try it!
- It is common courtesy to zip or tar a single directory, rather than a bunch of files. But in addition, now the user doesn't need to do your mkdir step. They just unzip and the build directory is there.
- No reason to copy over the reproducer file in a separate step and in a separate terminal session. This makes people think your setup is going to be a pain in the butt, when it's really not. The file is copied over in the build step. All the user needs to do is a docker build ... and a docker run.
- I found this line to be a doozy:
  docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
  You give the user all these fake paths that are probably obvious to you, but totally confusing to the user. WTH is /path/to/attached/reproducer ?? I had to guess that it was poc-9b6dc82a78647c1c2c906f1d29f81ac93777df493f5f6dee87aa16b045bb37ed_min
Now the commands and paths are all exact and literal. No guessing as to what you are trying to say.
I hope this helps you come up with a better way to report your bugs. If you are interested, I have more ideas on how to polish this process. For now I just concentrated on a clean end-user experience.
from libyaml.