Conversation

@boxerab boxerab commented Nov 15, 2025

Here is the crash file and stack trace:

crash-f9e95103fde5422aa9356ecfb7c191aa87a4c3c8.css

Running: /out/crash-f9e95103fde5422aa9356ecfb7c191aa87a4c3c8
css_parse_fuzzer: ../src/stylesheet.c:1444: css_error css__stylesheet_add_rule(css_stylesheet *, css_rule *, css_rule *): Assertion `parent->type == CSS_RULE_MEDIA' failed.
==13== ERROR: libFuzzer: deadly signal
    #0 0x55b6858a14c1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55b685793268 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x55b685775db5 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
    #3 0x7f2327e5241f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
    #4 0x7f2327c4600a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #5 0x7f2327c25858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #6 0x7f2327c25728  (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #7 0x7f2327c36fd5 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #8 0x55b685931942 in css__stylesheet_add_rule /src/libcss/build/../src/stylesheet.c:1444:3
    #9 0x55b685936e53 in handleStartRuleset /src/libcss/build/../src/parse/language.c:313:10
    #10 0x55b685932f7a in language_handle_event /src/libcss/build/../src/parse/language.c:211:10
    #11 0x55b68594afee in parseRuleset /src/libcss/build/../src/parse/parse.c:942:8
    #12 0x55b68594907d in css__parser_parse_chunk /src/libcss/build/../src/parse/parse.c:322:11
    #13 0x55b6858db3cb in parse_css /src/libcss/test/fuzzers/css_parse_fuzzer.cc:260:20
    #14 0x55b6858db3cb in LLVMFuzzerTestOneInput /src/libcss/test/fuzzers/css_parse_fuzzer.cc:332:3
    #15 0x55b68577749d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
    #16 0x55b685762212 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
    #17 0x55b6857680e0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
    #18 0x55b685793c12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #19 0x7f2327c27082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #20 0x55b68575b2fd in _start (/out/css_parse_fuzzer+0x1182fd)

tlsa commented Nov 16, 2025

Thanks. I've reduced the offending CSS to:

@media screen { b; }
p { padding: 0; }

tlsa added a commit that referenced this pull request Nov 16, 2025
Based on fuzzing test input generated by Aaron Boxer:
#22

Co-authored-by: John-Mark Bell <jmb@netsurf-browser.org>

tlsa commented Nov 16, 2025

Hi @boxerab,

Thanks for finding this. This assertion was triggered by an earlier error in the parser, which has been fixed in PR #24.

boxerab commented Nov 16, 2025

Great! Closing.

@boxerab boxerab closed this Nov 16, 2025

boxerab commented Nov 16, 2025

By the way, here is a file that times out the parser after 25 seconds.

timeout-5176a088a925355ff72d666a294f7a365d985db2.css

Stack trace:

ALARM: working on the last Unit for 25 seconds
       and the timeout value is 25 (use -timeout=N to change)
MS: 1 PersAutoDict- DE: "\000\000\000\000\000\000\000\000"-; base unit: 59922feabaa971b91f9e3a00d4a7fc4751c9b5c8
artifact_prefix='./'; Test unit written to ./timeout-5176a088a925355ff72d666a294f7a365d985db2
==44== ERROR: libFuzzer: timeout after 25 seconds
    #0 0x5568079444c1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x556807836268 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x556807818d3d in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
    #3 0x7f9ad3e0241f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
    #4 0x556807833e83 in AddValue /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerValueBitMap.h:39:18
    #5 0x556807833e83 in HandleCmp<unsigned int> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:391:19
    #6 0x556807833e83 in __sanitizer_cov_trace_const_cmp4 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:513:15
    #7 0x556807a851a4 in consumeEscape /src/libcss/build/../src/lex/lex.c:1721:13
    #8 0x556807a898fd in consumeStringChars /src/libcss/build/../src/lex/lex.c:1937:12
    #9 0x556807a898fd in consumeString /src/libcss/build/../src/lex/lex.c:1894:12
    #10 0x556807a78423 in String /src/libcss/build/../src/lex/lex.c:1310:10
    #11 0x556807a78423 in css__lexer_get_token /src/libcss/build/../src/lex/lex.c:277:10
    #12 0x5568079fa98d in getToken /src/libcss/build/../src/parse/parse.c:623:11
    #13 0x5568079f4605 in parseValue1 /src/libcss/build/../src/parse/parse.c:1719:11
    #14 0x5568079ec1cd in css__parser_completed /src/libcss/build/../src/parse/parse.c:354:11
    #15 0x5568079d077a in css_stylesheet_data_done /src/libcss/build/../src/stylesheet.c:345:10
    #16 0x55680797e42f in parse_css /src/libcss/test/fuzzers/css_parse_fuzzer.cc:263:12
    #17 0x55680797e42f in LLVMFuzzerTestOneInput /src/libcss/test/fuzzers/css_parse_fuzzer.cc:332:3
    #18 0x55680781a49d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13

The CSS file is quite large, but I think 30 seconds is a long time to parse. I can generate quite a few of these timeout crashes.

tlsa commented Nov 17, 2025

> By the way, here is a file that times out the parser after 25 seconds.

Please try with branch jmb/lex-trailing-esc.

boxerab commented Nov 20, 2025

I just got the latest code and now fuzzing looks pretty good - ran 16 fuzzers for an hour and no crashes.

@boxerab boxerab deleted the non_media_parents branch November 28, 2025 20:48