Closed
Description
Hi, when I used afl.rs to test the package, the fuzzer detected unexpected program panics, which I consider to be a bug.
Here is the example code:
extern crate mp3_metadata;
/// Reinterprets `data[start_index..end_index]` as a slice of `T`.
///
/// Only the aligned middle part produced by `align_to` is returned; any
/// unaligned leading or trailing bytes of the window are dropped.
///
/// # Panics
///
/// Panics if `start_index..end_index` is not a valid range within `data`.
fn _to_slice<T>(data: &[u8], start_index: usize, end_index: usize) -> &[T] {
    let window = &data[start_index..end_index];
    // SAFETY: `align_to` is sound only when every bit pattern in the aligned
    // region is a valid `T`. The only instantiation in this harness is `u8`,
    // for which any byte is valid; other choices of `T` must be checked by the
    // caller, since `T` carries no bound that enforces this.
    let (_head, aligned, _tail) = unsafe { window.align_to::<T>() };
    aligned
}
/// Fuzz target: hands the raw, untrusted bytes to
/// `mp3_metadata::read_from_slice`.
///
/// The returned value is deliberately discarded; the harness is only
/// interested in whether the parser panics on the input.
fn test_function0(_param0: &[u8]) {
    let _ = mp3_metadata::read_from_slice(_param0);
}
/// Loads the crash input named by the first command-line argument.
///
/// Prints a message and exits with status `-1` when no argument is given or
/// when the argument does not name a regular file.
///
/// # Panics
///
/// Panics if the file exists but cannot be read.
fn _read_data() -> Vec<u8> {
    use std::env;
    use std::fs;
    use std::path::PathBuf;
    use std::process::exit;

    let argv: Vec<String> = env::args().collect();

    // argv[0] is the program itself; the crash file is the first real argument.
    let Some(crash_file_name) = argv.get(1) else {
        println!("No crash filename provided");
        exit(-1)
    };

    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }

    fs::read(crash_path).unwrap()
}
/// Replays one crash file against the fuzz target.
///
/// Dumps the input bytes and their length to stdout first, so that the
/// reproducer is visible in the log even if the target panics afterwards.
fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());

    // Nothing to feed to the target when the crash file is empty.
    if data.is_empty() {
        return;
    }

    // The single parameter consumes the whole input: offset 0 up to the end.
    let whole_input = _to_slice::<u8>(data, 0, data.len());
    test_function0(whole_input);
}
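The crash file is: (the attachment is not preserved on this page; its bytes are printed in the `data = [...]` line of the output below.)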
We can reproduce the crash by running the program with the crash file as the argument.
Here is the corresponding stack trace and panic message:
../mp3-metadata/fuzz_target/mp3_metadata_wubfs_generic_fuzz/multipleTargets/target/debug/replay_mp3_metadata0 ../mp3-metadata/fuzz_target/mp3_metadata_wubfs_generic_fuzz/multipleTargets/out/test_mp3_metadata0/default/crashes/id:000003,sig:06,src:000430+000409,time:1047467,execs:2812380,op:splice,rep:2
data = [255, 0, 0, 16, 0, 12, 0, 5, 43, 51, 61, 61, 90, 0, 0, 50, 5, 255, 239, 32, 61, 61, 61, 61, 61, 61, 92, 61, 65, 51, 255, 230, 255, 5, 61, 61, 5, 255, 255, 5, 43, 51, 61, 61, 5, 255, 255, 5, 169, 169, 73, 68, 51, 0, 0, 187, 0, 0, 0, 0, 0, 0, 0, 50, 5, 255, 255, 5, 169, 169, 73, 68, 51, 0, 0, 187, 0, 0, 0, 0, 0, 0, 0, 0, 51, 180, 255, 0, 0, 51, 5, 255, 252, 5, 43, 51, 51, 0, 1, 32, 31, 0, 0, 51, 51, 148, 255, 255, 16, 51, 51, 53, 250, 0, 1, 61, 61, 61, 0, 51, 180, 255, 0, 0, 51, 5, 255, 252, 5, 43, 51, 51, 0, 1, 32, 31, 0, 0, 51, 5, 255, 255, 5, 169, 169, 73, 68, 51, 0, 0, 187, 0, 0, 0, 0, 0, 0, 0, 50, 5, 255, 255, 5, 169, 169, 73, 68, 51, 0, 0, 187, 0, 0, 0, 0, 0, 0, 0, 0, 51, 180, 255, 0, 0, 51, 5, 255, 252, 5, 43, 51, 148, 255, 255, 16]
data len = 195
thread 'main' panicked at ../mp3-metadata/src/metadata.rs:100:22:
index out of bounds: the len is 0 but the index is 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
The rustc version is 1.76.0, the afl.rs version is 0.15.9, the package version is the latest.
Please check if these are real bugs that need to be fixed. Thanks!
llooFlashooll