
Fix spurious failures of php-fuzz-mbstring #12819


Closed
alexdowad wants to merge 1 commit into php:master from alexdowad:fix_mbstr_fuzzer

Conversation


@alexdowad alexdowad commented Nov 28, 2023

```c
 * Unicode codepoint. */
unsigned int errors3 = 0;
zend_string *Temp = convert_encoding(Data, Size, FromEncoding, &mbfl_encoding_utf8, 128, &errors3);
if (errors3 > 0) {
```
Member


One theoretical issue I can think of is that you're now relying on the UTF-8 string handling to be correct, so we might miss some bugs?

Also: what if errors3 == 0 (i.e. the input is valid) but errors1 > 0 and good == true? I don't think that should be allowed, right?

Contributor Author

@alexdowad alexdowad Nov 28, 2023


@nielsdos The point of this extra if clause is that the situation you have described is very possible. It happens if the input string, when interpreted in FromEncoding, contains codepoints which cannot be represented in ToEncoding. That causes spurious crashes of the fuzzer.

I wouldn't say we are "relying on UTF-8 string handling to be correct". The point of this code is that if errors1 > 0, and those errors occurred in the decoder for FromEncoding, then we will still detect the same errors here and we will get errors3 > 0.

We are relying on the UTF-8 encoder not to spuriously give errors3 > 0. But if that happens, it wouldn't result in bugs being missed; rather, it would result in spurious crashes of the fuzzer.
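The distinction drawn in the comment above, decoder errors (malformed input bytes) versus encoder errors (code points the target encoding cannot hold), with a conversion to UTF-8 used as the reference, modelled in Python as an added example. This is not the php-src fuzzer's code; Python's codecs stand in for mbstring's converters. It assumes, as the discussion suggests, that `good` is a separate validity check of the input in FromEncoding and that a conversion's error counter lumps decoder and encoder errors together. The names `old_check`, `new_check`, `strict_validator` and `broken_validator` are chosen here, not taken from the project.

```python
import codecs

# Added example, not php-src code: a model of the fuzzer check discussed in this
# pull request. Assumptions: `good` is a separate validity check of the input in
# FromEncoding, and the per-conversion error counter lumps decoder and encoder
# errors together, as mbstring's convert_encoding() error count does.


class _Counter:
    """Error handler that substitutes for bad bytes / unrepresentable code points
    and counts each event, whichever side of the conversion it came from."""

    def __init__(self) -> None:
        self.count = 0

    def __call__(self, exc: UnicodeError):
        self.count += 1
        if isinstance(exc, UnicodeDecodeError):
            return ("\ufffd", exc.end)  # malformed input bytes: decoder error
        if isinstance(exc, UnicodeEncodeError):
            return ("?", exc.end)       # code point the target cannot hold: encoder error
        raise exc


def convert_encoding(data: bytes, from_enc: str, to_enc: str) -> tuple[bytes, int]:
    """Convert data from from_enc to to_enc and return (result, total error count)."""
    counter = _Counter()
    codecs.register_error("count-errors", counter)  # re-registering overwrites the old handler
    text = data.decode(from_enc, errors="count-errors")
    return text.encode(to_enc, errors="count-errors"), counter.count


def strict_validator(data: bytes, enc: str) -> bool:
    """Stand-in for an encoding validity check (the role mb_check_encoding plays in PHP)."""
    try:
        data.decode(enc, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def old_check(data: bytes, from_enc: str, to_enc: str, validator=strict_validator) -> bool:
    """Pre-fix logic as modelled here: flag whenever the validator says 'valid' but the
    conversion reported errors. Fires spuriously when valid input contains code points
    that to_enc cannot represent, because those count as errors too."""
    good = validator(data, from_enc)
    _, errors1 = convert_encoding(data, from_enc, to_enc)
    return good and errors1 > 0


def new_check(data: bytes, from_enc: str, to_enc: str, validator=strict_validator) -> bool:
    """Post-fix logic as modelled here: consult a conversion to UTF-8 first. UTF-8 can hold
    every code point, so errors3 > 0 can only come from the FromEncoding decoder, and only
    then is a 'valid' verdict from the validator a real inconsistency worth reporting."""
    good = validator(data, from_enc)
    _, errors1 = convert_encoding(data, from_enc, to_enc)
    if errors1 == 0:
        return False
    _, errors3 = convert_encoding(data, from_enc, "utf-8")
    if errors3 > 0:
        return good  # decoder rejected bytes the validator accepted: report it
    return False     # errors1 came from the encoder only: expected, not a bug


def broken_validator(data: bytes, enc: str) -> bool:
    """Constructed faulty validator that accepts everything: the bug class the fuzzer hunts."""
    return True


if __name__ == "__main__":
    euro = "\u20ac".encode("utf-8")  # constructed: valid UTF-8, unrepresentable in ISO-8859-1
    bad = b"abc\xff"                  # constructed: malformed UTF-8
    print(old_check(euro, "utf-8", "iso-8859-1"))                   # True: the spurious failure
    print(new_check(euro, "utf-8", "iso-8859-1"))                   # False: encoder-side only
    print(new_check(bad, "utf-8", "iso-8859-1"))                    # False: validator and decoder agree
    print(new_check(bad, "utf-8", "iso-8859-1", broken_validator))  # True: real inconsistency
```

The UTF-8 conversion does not make the check depend on the UTF-8 encoder being correct in the sense of missing bugs: a decoder error on the FromEncoding side shows up in errors3 just as it does in errors1, so the validator/decoder inconsistency is still caught. A spurious error from the UTF-8 encoder would only produce a spurious report, never hide one.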

Member


Sorry, you're right indeed; should've commented when I was less tired from the work day ;)
In that case, this patch looks good to me.

@alexdowad alexdowad deleted the fix_mbstr_fuzzer branch November 28, 2023 19:05
Contributor Author

@nielsdos Thanks so much for the review. Landed on master.


@nielsdos nielsdos nielsdos approved these changes

Assignees
No one assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
