Certain file causes panic upon unpack #23

@frewsxcv

I tried running this library through afl.rs, and came across a panic:

Here is the file that is fed into stdin (this is base64 encoded, make sure to decode it first):

Code I used:

```rust
extern crate tar;

use std::io::{self, Read};
use std::path::Path;

fn main() {
    // Read the fuzzer-supplied input from stdin.
    let mut input = String::new();
    let result = io::stdin().read_to_string(&mut input);
    if result.is_ok() {
        // Treat the input as a tar archive and try to unpack it.
        let mut a = tar::Archive::new(input.as_bytes());
        a.unpack(Path::new("/dev/null"));
    }
}
```

Output

```
root@afl-rust:~/afl-staging-area# cargo run --verbose < id\:000000\,sig\:04\,src\:000027\,op\:ext_AO\,pos\:268
       Fresh afl-coverage-plugin v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh libc v0.1.7
       Fresh gcc v0.3.5
       Fresh afl-coverage v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh tar v0.2.11 (file:///root/afl-staging-area)
       Fresh afl-staging-area v0.1.0 (file:///root/afl-staging-area)
     Running `target/debug/afl-staging-area`
thread '<main>' panicked at 'arithmetic operation overflowed', /root/tar-rs/src/lib.rs:167
stack backtrace:
   1:     0x7fac5db00e59 - sys::backtrace::write::hb34cb0734f7a3c97uhs
   2:     0x7fac5db044d1 - panicking::on_panic::h82f65b9161b1f8deGXw
   3:     0x7fac5dafbb62 - rt::unwind::begin_unwind_inner::h9f6dd38aeb9ea42dQCw
   4:     0x7fac5dafbdc7 - rt::unwind::begin_unwind_fmt::h44a1d6134651f778WBw
   5:     0x7fac5db03e26 - rust_begin_unwind
   6:     0x7fac5db35b84 - panicking::panic_fmt::h063af2dc79b71461c0B
   7:     0x7fac5db35604 - panicking::panic::ha74d34b97dbec983JYB
   8:     0x7fac5dadc226 - Archive<R>::unpack::h130850372175687317
                        at /root/tar-rs/src/lib.rs:172
   9:     0x7fac5dad7117 - main::h71d2ed005404877bkaa
                        at src/main.rs:17
  10:     0x7fac5db086b8 - rust_try_inner
  11:     0x7fac5db086a5 - rust_try
  12:     0x7fac5db05d23 - rt::lang_start::he6efc8b28021b078bSw
  13:     0x7fac5daf2be2 - main
  14:     0x7fac5d501a3f - __libc_start_main
  15:     0x7fac5dad6c08 - _start
  16:                0x0 - <unknown>
Process didn't exit successfully: `target/debug/afl-staging-area` (signal: 4)
```

`let is_directory = bytes[bytes.len() - 1] == b'/';` is the line in particular it crashes on.
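Added example, not part of the original issue or the tar-rs code base: the indexing pattern from the reported line beside a form that tolerates an empty slice, which is the only input for which `len() - 1` can overflow. The function names are hypothetical, the sample names are constructed, and it is an assumption that `bytes` holds an entry's path name read from the archive.

```rust
use std::panic;

/// Pattern from the reported line. For an empty slice, `len() - 1` underflows:
/// a panic in debug builds; in release builds it wraps and the index panics.
fn is_directory_unchecked(bytes: &[u8]) -> bool {
    bytes[bytes.len() - 1] == b'/'
}

/// Hardened form: `last()` returns None for an empty slice, so there is no
/// subtraction and no indexing that can fail.
fn is_directory_checked(bytes: &[u8]) -> bool {
    bytes.last() == Some(&b'/')
}

/// Runs the unchecked form and reports whether it panicked.
fn unchecked_panics(bytes: &[u8]) -> bool {
    panic::catch_unwind(|| is_directory_unchecked(bytes)).is_err()
}

fn main() {
    // Constructed sample names (not taken from the fuzzer's input file).
    let samples: [&[u8]; 3] = [b"dir/", b"file.txt", b""];
    for &name in samples.iter() {
        println!(
            "{:?}: checked={} unchecked_panics={}",
            String::from_utf8_lossy(name),
            is_directory_checked(name),
            unchecked_panics(name)
        );
    }
}
```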