tonlib-rs

[Fuzz]: Fix panics on invalid BagOfCells input

Open satoshiotomakan opened this issue 7 months ago • 0 comments

I ran cargo fuzz tests to validate the BagOfCells decoding implementation and found several cases that lead to arithmetic operation overflows and out-of-bounds access. All the inputs are hex-encoded.

  • [ ] b5ee9c725e0000030000000000000000000000000000000000005e

Errors in BagOfCells::parse()

  • [ ] b5ee9c72c9000001000000000000100000000000000000ff20d1fffe20000052180000001926
  • [ ] b5ee9c7201000001000056600000000c000c0cff5e0000005eb5ee9c72ca0c0c0c0c0c0c00

Errors in cell::get_bit_descriptor()

  • [ ] b5ee9c72ca0000010000560c0c130c0c0c0c0c0c0c0c000c0c0c5e5e0c0c00b5ee0c5e5e
  • [ ] b5ee9c72ca0000230000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000c000c0cffffffffffff0000000000000000000000000000000000000000000600080c

Error in cell::get_refs_descriptor()

  • [ ] b5ee9c72d1000c0c0c0c20260cba5e0900002a2600000000000000090909090909090909090909090909090909090909091f1f1f1f090909090909090909090971ee31310909090909090909090200000900090909090901680909090909090909090909090909090909090909090000000000000000000000000c88f3

Errors in CellType::level_mask()

  • [ ] b5ee9c72ca0000180000250125000000000000000b0b0b0b0b0b0404040404040404030404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040408080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808040404040c04040404040404040404040404040404040404040404040404040404040404040404040404270404040404040404040404040404040404040400005204040404040404040404000404040404040404040404040404040403fb04040404040404040404040404040404040404040404040400002501250b4b0b0800ca00250c00000c000c100c0c0c26

Error in cell::calculate_hashes_and_depths()

  • [ ] b5ee9c72d1000a000000000000000008860101ff041cffff000100000000000010081c01000000000000000000000000000000000000b5ee00000000ff9c72d1000a0000000000000000000000ac0000000006060606060606060606060606000008d60104ff031cff530000002e0000080000000000000000b0504f4f4ab0b0b0b0b0b0b0b0b00f00b00500000f0000000000030053a900002f00000000000000feffffffff0000000000009ce4ee6100000000000000000000000000000886fc00ff041cffff00000000000063000000000000eeee9c72069c720606060000060600

satoshiotomakan, Jul 26 '24 14:07
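One way to keep length fields taken from untrusted input from causing the arithmetic overflows and out-of-bounds accesses reported above is to read every field through a bounds-checked helper and to sum the declared sizes with checked arithmetic before slicing. The following is an added example, not tonlib-rs code and not from the issue author. It assumes the header layout of TON's TL-B `serialized_boc#b5ee9c72` definition; `BocHeader`, `read_uint`, `parse_boc_header` and `from_hex` are hypothetical names, and rejecting zero-width fields is a choice made in this example.

```rust
// Added example (not tonlib-rs code). Layout assumed from TON's TL-B
// `serialized_boc#b5ee9c72`; all type and function names are hypothetical.
#[derive(Debug, PartialEq)]
pub struct BocHeader {
    pub cells: u64, pub roots: u64, pub absent: u64, pub tot_cells_size: u64, pub data_offset: usize,
}

/// Read an n-byte big-endian integer (n <= 8) without ever indexing past `buf`.
fn read_uint(buf: &[u8], pos: &mut usize, n: usize) -> Result<u64, &'static str> {
    let end = pos.checked_add(n).ok_or("offset overflow")?;
    let bytes = buf.get(*pos..end).ok_or("truncated input")?;
    *pos = end;
    Ok(bytes.iter().fold(0u64, |acc, b| (acc << 8) | u64::from(*b)))
}

pub fn parse_boc_header(buf: &[u8]) -> Result<BocHeader, &'static str> {
    let mut pos = 0usize;
    if read_uint(buf, &mut pos, 4)? != 0xb5ee_9c72 { return Err("bad magic"); }
    let flags = read_uint(buf, &mut pos, 1)? as u8;
    if flags & 0x18 != 0 { return Err("reserved flags set"); }
    let size = usize::from(flags & 0x07); // bytes per cell count / reference
    if size == 0 || size > 4 { return Err("ref size out of range"); }
    let off_bytes = read_uint(buf, &mut pos, 1)? as usize; // bytes per offset
    if off_bytes == 0 || off_bytes > 8 { return Err("offset size out of range"); }
    let cells = read_uint(buf, &mut pos, size)?;
    let roots = read_uint(buf, &mut pos, size)?;
    let absent = read_uint(buf, &mut pos, size)?;
    // roots and absent are below 2^32 here, so the plain sum cannot overflow u64.
    if roots == 0 || roots + absent > cells { return Err("roots/absent exceed cells"); }
    let tot_cells_size = read_uint(buf, &mut pos, off_bytes)?;
    // Declared lengths come from the input: total them with checked math and
    // compare against the bytes actually present before any slicing happens.
    let index_len = if flags & 0x80 != 0 { cells * off_bytes as u64 } else { 0 }; // < 2^35
    let prefix = roots * size as u64 + index_len; // root list + optional index
    let crc_len = if flags & 0x40 != 0 { 4 } else { 0 };
    let need = prefix.checked_add(tot_cells_size)
        .and_then(|n| n.checked_add(crc_len)).ok_or("length overflow")?;
    if need > (buf.len() - pos) as u64 { return Err("declared sizes exceed input"); }
    Ok(BocHeader { cells, roots, absent, tot_cells_size, data_offset: pos + prefix as usize })
}

// Sample-only hex decoder (ASCII hex expected; anything else yields None).
pub fn from_hex(s: &str) -> Option<Vec<u8>> {
    s.as_bytes().chunks(2).map(|c| u8::from_str_radix(std::str::from_utf8(c).ok()?, 16).ok()).collect()
}

fn main() {
    // First input is the first one listed in the issue; second is a constructed single empty cell.
    for hex in ["b5ee9c725e0000030000000000000000000000000000000000005e", "b5ee9c72010101010002000000"] {
        println!("{:?}", from_hex(hex).map(|b| parse_boc_header(&b)));
    }
}
```

Under these assumptions the first listed input is rejected at the flags byte (`0x5e`), and truncated or over-declared buffers return an error instead of reaching a slice operation.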