Skip to content

Assertion failure in unserialization triggered by fuzzed input

The assertions added in !52 (merged) unveiled a problem in unserialization:

usbredirparserfuzz: ../../src/spice-usbredir/usbredirparser/usbredirparser.c:128: void usbredirparser_assert_invariants(const struct usbredirparser_priv *): Assertion `(parser->data_len != 0) ^ (parser->data == NULL)' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==17==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000011 (pc 0x7feb0df8218b bp 0x7feb0e0f7588 sp 0x7ffe3110b0d0 T0)
SCARINESS: 10 (signal)
    #0 0x7feb0df8218b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618b)
    #1 0x7feb0df61858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #2 0x7feb0df61728  (/lib/x86_64-linux-gnu/libc.so.6+0x25728)
    #3 0x7feb0df72f35 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x36f35)
    #4 0x5667b3 in usbredirparser_assert_invariants /work/build/../../src/spice-usbredir/usbredirparser/usbredirparser.c:128:5
    #5 0x56ae6b in usbredirparser_unserialize /work/build/../../src/spice-usbredir/usbredirparser/usbredirparser.c
    #6 0x55ee10 in try_unserialize /work/build/../../src/spice-usbredir/fuzzing/usbredirparserfuzz.cc:321:12
    #7 0x55ee10 in LLVMFuzzerTestOneInput /work/build/../../src/spice-usbredir/fuzzing/usbredirparserfuzz.cc:403:31
    #8 0x456bf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x442552 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x447fcd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #11 0x470f42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7feb0df630b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #13 0x41f75d in _start (/out/usbredirparserfuzz+0x41f75d)

fuzzing/usbredirparserfuzz input:

$ base64 -d >testcase5087952414310400 <<<'EOF'
KQAAAAAAAAABAAAACgFdGNUIAAAAAgAAAAAAXgAAAAAAAAAAAABq/ywA+TQA
EOF