[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: More disciplined use of 'getstr' and 'tsslen'
- From: Sergey Bronnikov <sergeyb@...>
- Date: Thu, 24 Aug 2023 20:09:34 +0300
Hello, everyone
Recently there was a commit [1]:
> More disciplined use of 'getstr' and 'tsslen'
> We may want to add other string variants in the future; this change
> documents better where the code may need to handle those variants.
This commit breaks tests [2], worked before:
lua_stringtonumber_test: lstring.c:210: TString *internshrstr(lua_State
*, const char *, size_t): Assertion `(ts)->shrlen != 0xFF' failed.
==3807== ERROR: libFuzzer: deadly signal
#0 0x55a438701cb4 in __sanitizer_print_stack_trace
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0x93cb4)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#1 0x55a4386d86c8 in fuzzer::PrintStackTrace()
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0x6a6c8)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#2 0x55a4386be143 in fuzzer::Fuzzer::CrashCallback()
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0x50143)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#3 0x7fc98c95751f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f)
(BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#4 0x7fc98c9aba7b in pthread_kill
(/lib/x86_64-linux-gnu/libc.so.6+0x96a7b) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#5 0x7fc98c957475 in gsignal
(/lib/x86_64-linux-gnu/libc.so.6+0x42475) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#6 0x7fc98c93d7f2 in abort
(/lib/x86_64-linux-gnu/libc.so.6+0x287f2) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#7 0x7fc98c93d71a (/lib/x86_64-linux-gnu/libc.so.6+0x2871a)
(BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#8 0x7fc98c94ee95 in __assert_fail
(/lib/x86_64-linux-gnu/libc.so.6+0x39e95) (BuildId:
69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#9 0x55a438743ae1 in internshrstr lstring.c
#10 0x55a438743222 in luaS_newlstr
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0xd5222)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#11 0x55a438743d18 in luaS_new
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0xd5d18)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#12 0x55a4387846a7 in luaX_init
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0x1166a7)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#13 0x55a438741858 in f_luaopen lstate.c
#14 0x55a43871c13c in luaD_rawrunprotected
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0xae13c)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#15 0x55a438741611 in lua_newstate
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0xd3611)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#16 0x55a438778d1f in luaL_newstate
(/home/runner/work/lua-c-api-tests/lua-c-api-tests/build/tests/lua_stringtonumber_test+0x10ad1f)
(BuildId: 265733c61733d08ff1b45392e95ac0f330286289)
#17 0x55a438701fec in LLVMFuzzerTestOneInput
/home/runner/work/lua-c-api-tests/lua-c-api-tests/tests/lua_stringtonumber_test.c:13:17
Tests itself uses Lua C API and doesn't violate API, example of one of
the tests:
(const uint8_t *data and size_t size are random and defined previously)
lua_State *L = luaL_newstate();
if (L == NULL)
return 0;
size_t str_len = size + 1;
char *str = calloc(str_len, sizeof(char));
if (str == NULL) {
return 0;
}
memcpy(str, data, size);
str[size] = '\0';
size_t sz = lua_stringtonumber(L, str);
if (sz == 0) {
assert(lua_gettop(L) == 0);
} else {
assert(lua_gettop(L) == 1);
assert(lua_isnumber(L, -1) == 1);
}
free(str);
lua_settop(L, 0);
lua_close(L);
Is it expected behavior?
1.
https://github.com/lua/lua/commit/9b4f39ab14fb2e55345c3d23537d129dac23b091
2.
https://github.com/ligurio/lua-c-api-tests/actions/runs/5942832389/job/16116623678?pr=34
Sergey
