This repository was archived by the owner on Jan 2, 2025. It is now read-only.

Capacity overflow in function cdrs::types::try_i_to_n_bytes #363

Open
cicilzx opened this issue Oct 4, 2024 · 2 comments

Comments


cicilzx commented Oct 4, 2024

Hi, I'm developing a fuzzer to test the safe abstraction, and I found an overflow issue in function cdrs::types::try_i_to_n_bytes.
Below is a test case:

fn test_try_i_to_n_bytes_UNell() {
    let int: i64 = 4090012054590209114;
    let n: usize = 10235255982123902036;
    let _ = try_i_to_n_bytes(int, n);
}

The panic information is as follows:

thread 'types::test_try_i_to_n_bytes_UNell' panicked at library/alloc/src/raw_vec.rs:25:5:
capacity overflow
stack backtrace:
   0: rust_begin_unwind
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/std/src/panicking.rs:652:5
   1: core::panicking::panic_fmt
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/core/src/panicking.rs:72:14
   2: alloc::raw_vec::capacity_overflow
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/alloc/src/raw_vec.rs:25:5
   3: alloc::raw_vec::handle_error
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/alloc/src/raw_vec.rs:593:29
   4: alloc::raw_vec::RawVec<T,A>::with_capacity_in
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/alloc/src/raw_vec.rs:160:25
   5: alloc::vec::Vec<T,A>::with_capacity_in
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/alloc/src/vec/mod.rs:699:20
   6: alloc::vec::Vec<T>::with_capacity
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/alloc/src/vec/mod.rs:481:9
   7: cdrs::types::try_i_to_n_bytes
             at ./src/types/mod.rs:141:21
   8: cdrs::types::test_try_i_to_n_bytes_UNell
             at ./src/types/mod.rs:922:13
   9: cdrs::types::test_try_i_to_n_bytes_UNell::{{closure}}
             at ./src/types/mod.rs:905:33
  10: core::ops::function::FnOnce::call_once
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/core/src/ops/function.rs:250:5
  11: core::ops::function::FnOnce::call_once
             at /rustc/d84b9037541f45dc2c52a41d723265af211c0497/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

I think it's because the type for bytes is derived as Vec<u8> based on the function signature: https://github.com/AlexPikalov/cdrs/blob/master/src/types/mod.rs#L140

Author

cicilzx commented Oct 4, 2024

Another example that triggers a memory allocation failure:

use cdrs::types::try_i_to_n_bytes;

fn main() {
    let int: i64 = -3184069818265628469;
    let n: usize = 3395091926238641022;
    let _ = try_i_to_n_bytes(int, n);
}

The output is:

memory allocation of 3395091926238641022 bytes failed
Aborted
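
The two reports above differ only in how the allocation fails: the first `n` is larger than `isize::MAX`, so `Vec::with_capacity` panics with "capacity overflow", while the second is below that limit and the allocator itself gives up. The following is an added example, not code from this issue or from cdrs, showing a width check done before allocating plus a fallible reservation; `checked_i_to_n_bytes`, `try_alloc`, `EncodeError`, the 1..=8 width bound, the range check and the big-endian output are all assumptions of the example, and a 64-bit target is assumed.

```rust
use std::collections::TryReserveError;

/// An i64 never needs more than 8 bytes (bound assumed by this example).
const MAX_INT_BYTES: usize = 8;

#[derive(Debug, PartialEq)]
pub enum EncodeError {
    /// `n` is outside 1..=8; rejected before any allocation happens.
    BadWidth(usize),
    /// `int` does not fit in `n` bytes as a signed value.
    OutOfRange,
}

/// Hypothetical hardened stand-in for a helper shaped like
/// `try_i_to_n_bytes(int, n)`; big-endian output is an assumption.
pub fn checked_i_to_n_bytes(int: i64, n: usize) -> Result<Vec<u8>, EncodeError> {
    if n == 0 || n > MAX_INT_BYTES {
        return Err(EncodeError::BadWidth(n));
    }
    if n < MAX_INT_BYTES {
        let max = (1i64 << (8 * n - 1)) - 1; // largest signed n-byte value
        if int > max || int < -max - 1 {
            return Err(EncodeError::OutOfRange);
        }
    }
    // Keep the low n bytes of the 8-byte big-endian form.
    Ok(int.to_be_bytes()[MAX_INT_BYTES - n..].to_vec())
}

/// For buffers whose length legitimately comes from input: reserve fallibly,
/// so an oversized request is an Err instead of a panic or process abort.
pub fn try_alloc(n: usize) -> Result<Vec<u8>, TryReserveError> {
    let mut buf = Vec::new();
    buf.try_reserve_exact(n)?;
    Ok(buf)
}

fn main() {
    // The two (int, n) pairs reported in this issue.
    for (int, n) in [
        (4090012054590209114_i64, 10235255982123902036_usize),
        (-3184069818265628469, 3395091926238641022),
    ] {
        println!("{:?}", checked_i_to_n_bytes(int, n));
        println!("{:?}", try_alloc(n).map(|b| b.capacity()));
    }
    println!("{:?}", checked_i_to_n_bytes(-2, 2)); // Ok([255, 254])
}
```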

Collaborator

Jasperav commented Oct 4, 2024

This project has been dead for over 3 years
