Unishox2: Crash in decompression, strlen(NULL)
The following program dies dereferencing USX_TEMPLATES[4], which is NULL.
```c
#include <stdio.h>
#include <string.h>
#include "unishox2.h"

int main()
{
    /* Fuzzer-generated input; it contains no NUL bytes, so strlen() yields its full length. */
    static const char *input = "\252!\355\347;멠<\322\336\346\070\205X\200v\367b\002\332l\213\022\n\003P\374\267\002\266e\207.\210r:\021\225\224\243\353\204\305\352\255\017L/(HH4i\223~\270-\223\206\221\246\212\261\221e\254\375\341\350\037\240X\211lj\325\330u\365\303ʂ\200гM\236&\375\377\071%'?V\025\070\374\026\346s\323$\276\350F\224\r-\226\347ɋ\317\344\214\v\032U\303\353\215\335GX\202\371B\302\355\a\247\273\356C\372\a-\262\006\\\343\"ZH|\357\034\001";
    char out[4096];
    const size_t len = strlen(input); // no zeroes in it
    /* Crashes inside the decoder: a template index reaches USX_TEMPLATES[4],
     * which is NULL, and strlen() is called on it. */
    unishox2_decompress(input, len, out, /*4096,*/ USX_HCODES_DFLT, USX_HCODE_LENS_DFLT, USX_FREQ_SEQ_TXT, USX_TEMPLATES);
    return 0;
}
```
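As an added illustration (not code from the Unishox2 project or from the reporter), the shape of this bug class and of the check that prevents it: a template table whose last slot is a NULL sentinel, indexed by a value taken from untrusted compressed input. The table, the 3-bit index encoding and the helper names (`template_length_unchecked`, `template_length_checked`, `decode_template_ref`) are all constructed for the example and are not Unishox2's real templates or API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed template table for illustration. Like USX_TEMPLATES, the last
 * slot is a NULL sentinel marking the end of the table. The entries are made
 * up and are not Unishox2's actual templates. */
static const char *const DEMO_TEMPLATES[] = {
    "tfff-of-tf",
    "(fff) fff-ffff",
    "tf:rf:rf",
    NULL
};
#define DEMO_TEMPLATE_SLOTS (sizeof DEMO_TEMPLATES / sizeof DEMO_TEMPLATES[0])

/* Unchecked lookup: an index that lands on the NULL sentinel (or past the end
 * of the array) hands a bad pointer to strlen(). This is the pattern behind
 * the crash in the report; it is shown here only for contrast. */
size_t template_length_unchecked(const char *const *templates, int idx)
{
    return strlen(templates[idx]);
}

/* Checked lookup: reject indices outside the table and the NULL sentinel
 * before touching the pointer. Returns -1 for a rejected index so the caller
 * can treat the input as malformed instead of crashing. */
long template_length_checked(const char *const *templates, size_t slots, int idx)
{
    if (idx < 0 || (size_t)idx >= slots)
        return -1;              /* index outside the table */
    if (templates[idx] == NULL)
        return -1;              /* hit the NULL sentinel */
    return (long)strlen(templates[idx]);
}

/* Models a decoder reading a template reference from untrusted input: the low
 * 3 bits of the byte at 'pos' select a template (constructed encoding for the
 * demo). Returns 1 and the template length if decoding can continue, 0 if the
 * input must be rejected. */
int decode_template_ref(const unsigned char *in, size_t in_len, size_t pos, long *out_len)
{
    if (pos >= in_len)
        return 0;               /* reference runs past the end of the input */
    int idx = in[pos] & 0x07;   /* 0..7, but the table only has 3 real entries */
    long n = template_length_checked(DEMO_TEMPLATES, DEMO_TEMPLATE_SLOTS, idx);
    if (n < 0)
        return 0;               /* malformed input: reject rather than crash */
    *out_len = n;
    return 1;
}

int main(void)
{
    /* Constructed input: byte 0 selects template 2 (valid), byte 1 selects
     * slot 3, the NULL sentinel that the unchecked version would crash on. */
    const unsigned char in[] = { 0x02, 0x03 };
    long n;
    for (size_t pos = 0; pos < sizeof in; pos++) {
        if (decode_template_ref(in, sizeof in, pos, &n))
            printf("pos %zu: template length %ld\n", pos, n);
        else
            printf("pos %zu: rejected (bad template index)\n", pos);
    }
    return 0;
}
```

The length of the table is passed explicitly rather than relying on the sentinel, so both an out-of-range index and the sentinel slot itself are rejected before any dereference; a fuzzing harness like the afl run mentioned in the comments would then see a clean rejection instead of a SIGSEGV in strlen().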
About this issue
- Original URL
- State: open
- Created 2 years ago
- Comments: 18 (8 by maintainers)
Forgot to mention it when I stopped, but I ran the test till about 116 million runs IIRC, no further issues. It did slow down a lot from the starting 1k/second unfortunately, as afl started generating large test cases (like 80kB).
Fair enough. Running on my laptop atm, I’m at 9.6 million execs and zero crashes so far, so it looks like you did a very good job 😃
This is very nice! 🥇 I will run this and fix the issues. Thanks!