Open
Description:
When running aspell_fuzzer, built by OSS-Fuzz, we encounter an assertion failure within acommon::ObjStack::check_size. This occurs due to a potential size overflow, causing the fuzzer to crash with a deadly signal.
Build Information:
- Commit: 4295413512cb1ceeba741876d12612e74c77f14b
- Binary: ./aspell_fuzzer
Sanitizer Report:
aspell_fuzzer: ./common/objstack.hpp:34: void acommon::ObjStack::check_size(size_t): Assertion `!will_overflow(sz)' failed.
==11018== ERROR: libFuzzer: deadly signal
#0 0x565266c21fd1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x565266b26f68 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x565266b0a303 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
#3 0x7f2c1b5ca41f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9a65bb469e45a1c6fbcffae5b82a2fd7a69eb479)
#4 0x7f2c1b26f00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#5 0x7f2c1b24e858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#6 0x7f2c1b24e728 (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#7 0x7f2c1b25ffd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#8 0x565266ce7f7b in acommon::ObjStack::check_size(unsigned long) /src/aspell/./common/objstack.hpp:34:5
#9 0x565266ce7f7b in acommon::ObjStack::alloc_top(unsigned long) /src/aspell/./common/objstack.hpp:89:24
#10 0x565266ce7f7b in acommon::ObjStack::dup_top(acommon::ParmString) /src/aspell/./common/objstack.hpp:102:27
#11 0x565266ce7f7b in acommon::ObjStack::dup(acommon::ParmString) /src/aspell/./common/objstack.hpp:110:38
#12 0x565266ce7f7b in acommon::StringMap::add(acommon::ParmString const&) /src/aspell/./common/string_map.hpp:78:35
#13 0x565266c70d0c in acommon::Config::lookup_list(acommon::KeyInfo const*, acommon::MutableContainer&, bool) const /src/aspell/common/config.cpp:422:7
#14 0x565266c6e510 in acommon::Config::retrieve_list(acommon::ParmString const&, acommon::MutableContainer*) const /src/aspell/common/config.cpp:451:5
#15 0x565266cea610 in (anonymous namespace)::SgmlFilter::setup(acommon::Config*) /src/aspell/modules/filter/sgml.cpp:142:11
#16 0x565266cbaadb in acommon::setup_filter(acommon::Filter&, acommon::Config*, bool, bool, bool) /src/aspell/lib/new_filter.cpp:191:9
#17 0x565266c61c08 in acommon::new_document_checker(acommon::Speller*) /src/aspell/lib/new_checker.cpp:21:5
#18 0x565266c57f51 in new_aspell_document_checker /src/aspell/lib/document_checker-c.cpp:42:37
#19 0x565266c56fec in LLVMFuzzerTestOneInput /src/aspell-fuzz/aspell_fuzzer.cpp:95:13
#20 0x565266b0b810 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#21 0x565266af6a85 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#22 0x565266afc51f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#23 0x565266b277c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#24 0x7f2c1b250082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
#25 0x565266aeec6d in _start (/out/aspell_fuzzer+0xe9c6d)
Steps to Reproduce:
- Build aspell_fuzzer using the OSS-Fuzz environment.
- PoC input: crash-37dd22909dac8dd1f0810ea6a1d25c18781edfc3.zip
- Execute the binary:
./aspell_fuzzer <poc>
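To make the guard in the trace concrete, here is an added example that is not aspell's ObjStack code (names such as ToyObjStack, safe_will_overflow and dup_list are hypothetical). It shows a small bump allocator whose size check is written against the remaining room, so a huge request cannot wrap past it, next to the naive `used + sz > capacity` form that wraps; it also returns a failure instead of asserting, which is the alternative to an abort like the one in the report.

```cpp
// Added example (not aspell's code): a minimal bump allocator that guards
// each allocation with an overflow-safe size check, the kind of guard that
// check_size()/will_overflow() provides in the trace above. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Correct check: compare the request with the remaining room. Neither side
// can wrap, so a huge `sz` is always rejected. Requires used <= capacity.
bool safe_will_overflow(size_t capacity, size_t used, size_t sz) {
    return sz > capacity - used;
}

// Defective check: `used + sz` wraps for large `sz`, so an oversized request
// can slip through and the caller would write past the end of the block.
bool naive_will_overflow(size_t capacity, size_t used, size_t sz) {
    return used + sz > capacity;
}

class ToyObjStack {
public:
    explicit ToyObjStack(size_t capacity) : buf_(capacity), used_(0) {}

    // Copy a NUL-terminated string into the stack. Unlike an assert-based
    // check_size, this returns nullptr so the caller can fail gracefully.
    const char* try_dup(const char* s) {
        size_t len = std::strlen(s);
        if (len == SIZE_MAX) return nullptr;              // len + 1 would wrap
        if (safe_will_overflow(buf_.size(), used_, len + 1)) return nullptr;
        char* dst = buf_.data() + used_;
        std::memcpy(dst, s, len + 1);
        used_ += len + 1;
        return dst;
    }

    size_t used() const { return used_; }

private:
    std::vector<char> buf_;
    size_t used_;
};

// Mirrors the StringMap::add -> dup path in the trace: copy each entry of a
// list into the stack and report how many were accepted before space ran out.
size_t dup_list(ToyObjStack& st, const std::vector<const char*>& items) {
    size_t accepted = 0;
    for (const char* s : items) {
        if (st.try_dup(s) == nullptr) break;
        ++accepted;
    }
    return accepted;
}

int main() {
    // Constructed request size that wraps `used + sz` in the naive check.
    size_t huge = SIZE_MAX - 8;
    std::printf("naive flags huge request: %d\n", naive_will_overflow(64, 16, huge));
    std::printf("safe  flags huge request: %d\n", safe_will_overflow(64, 16, huge));

    ToyObjStack st(16);  // constructed: room for 16 bytes of strings
    std::vector<const char*> items = {"hello", "world", "overflows here"};
    std::printf("accepted %zu of %zu items\n", dup_list(st, items), items.size());
    return 0;
}
```

With a 16-byte stack, "hello" and "world" (6 bytes each with their terminators) fit and the third string is refused; the naive check lets the wrapped request through while the safe check rejects it. Whether the guard aborts (as the assertion in this report does) or returns an error is a policy choice, but either way the check itself must be written so that the arithmetic cannot wrap.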