
Re: [Gnash-dev] Has gnash been fuzzed?


From: Jacek Wielemborek
Subject: Re: [Gnash-dev] Has gnash been fuzzed?
Date: Fri, 20 Nov 2015 09:52:24 +0100

On 20.11.2015 at 09:50, Sandro Santilli wrote:
> On Thu, Nov 19, 2015 at 07:32:15PM +0100, Jacek Wielemborek wrote:
> 
>> Classification: EXPLOITABLE
>>    Short description: PossibleStackCorruption (7/22)
> 
>> gnash::SWFMovieDefinition::read_all_swf(): Assertion `startPos <=
>> _swf_end_pos' failed.
>> Aborted (core dumped)
> 
> No stack corruption is possible, the assert is there to avoid it.
> A more robust parser would rather throw an exception there than
> abort, but I don't intend to fix any such code unless it
> comes with an automated test guarding for it to not break anymore.

This is one of nine crashes that I found; others might be more valuable.

> Are you willing to provide such new testsuite branch for
> those cases ? It looks to me that all you need is that base64
> string, and an automated tester could run afl-fuzz-parallel for
> each of the offending strings. Does it make sense ? Ideally a crash
> would be reported against the exact string producing it.

The thing is that the fuzzing process takes hours to complete, so I'm
not sure if it's something that should be part of a standard test case.
Also, there's the external dependency of AFL and the need to use afl-gcc
compiler wrapper, which is why I abstracted it all to a Docker image.
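A sketch of the "throw rather than abort" behaviour Sandro describes, with the regression check it makes possible: the crash-reproducing input (decoded from the saved base64 string by the harness) must be rejected with an exception instead of a process abort. This is an added example, not Gnash code; the record layout and the names ParserException, readAllTags, rejectsCleanly and the sample streams are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Illustration only, not Gnash's SWFMovieDefinition::read_all_swf(): where the
// Gnash assert `startPos <= _swf_end_pos` aborts the whole process, this walker
// throws a ParserException that a caller or a regression test can catch.
struct ParserException : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Hypothetical record layout: [1-byte type][2-byte little-endian length][payload].
struct Tag { uint8_t type; std::vector<uint8_t> payload; };

std::vector<Tag> readAllTags(const std::vector<uint8_t>& buf) {
    std::vector<Tag> tags;
    size_t pos = 0;
    const size_t end = buf.size();
    while (pos < end) {
        if (end - pos < 3)
            throw ParserException("truncated tag header at offset " + std::to_string(pos));
        uint8_t type = buf[pos];
        size_t len = buf[pos + 1] | (static_cast<size_t>(buf[pos + 2]) << 8);
        size_t start = pos + 3;
        // The condition the assert enforced: the declared length must stay inside the stream.
        if (len > end - start)
            throw ParserException("tag at offset " + std::to_string(pos) + " declares " +
                                  std::to_string(len) + " bytes past end of stream");
        tags.push_back({type, std::vector<uint8_t>(buf.begin() + start, buf.begin() + start + len)});
        pos = start + len;
    }
    return tags;
}

// Regression helper: true when the input was rejected with ParserException
// (the desired outcome for a reproducer), false when it parsed through.
bool rejectsCleanly(const std::vector<uint8_t>& buf) {
    try { readAllTags(buf); return false; }
    catch (const ParserException&) { return true; }
}

// Constructed sample inputs (not from the bug report): a valid two-tag stream and
// a stream whose second tag claims 0xFFFF payload bytes that are not present.
const std::vector<uint8_t> kGood = {0x01, 0x02, 0x00, 0xAA, 0xBB, 0x02, 0x00, 0x00};
const std::vector<uint8_t> kOverlong = {0x01, 0x02, 0x00, 0xAA, 0xBB, 0x02, 0xFF, 0xFF};
```

A test suite built this way only replays the saved reproducers, so it runs in milliseconds and needs neither AFL nor afl-gcc; the hours-long fuzzing campaign stays a separate job.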
