Skip Menu |

This queue is for tickets about the Compress-LZ4 CPAN distribution.

Report information
The Basics
Id: 120991
Status: resolved
Priority: 0/
Queue: Compress-LZ4
People
Owner: Nobody in particular
Requestors: me [...] ryanwhitworth.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Thu Apr 06 07:44:33 2017 me [...] ryanwhitworth.com - Ticket created
Subject: Segmentation Faults found via fuzzing
Date: Thu, 6 Apr 2017 07:34:32 -0400
To: bug-Compress-LZ4 [...] rt.cpan.org
From: Ryan Whitworth <me [...] ryanwhitworth.com>
Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the Compress::LZ4::decompress method and found a few inputs that cause crashes. Is fixing these crashes something you're interested in? The input files can be found here: https://github.com/rwhitworth/compress-lz4-fuzz. These inputs were found and verified with perl-blead on Linux and verified with perl 5.24.0 on OS X. The files are inputs that can be executed as "perl test_program.pl < id:XX" to cause seg faults. In the test program you may need to comment out the while loop if you do not plan to configure AFL and recompile perl, etc. You do not need to install or use AFL to reproduce these crashes. Instructions for how to add instrumentation to both perl and Compress::LZ4 can be found here: https://medium.com/@dgryski/fuzzing-perl-xs-modules-with-afl-4bfc2335dd90 Let me know if I can provide any more information to help narrow down this issue. Thanks, Ryan Whitworth me@ryanwhitworth.com
  Thu Apr 06 12:39:22 2017 gray [...] cpan.org - Correspondence added
On Thu Apr 06 07:44:33 2017, me@ryanwhitworth.com wrote: Show quoted text
> Hello, > I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the > Compress::LZ4::decompress method and found a few inputs that cause crashes. > Is fixing these crashes something you're interested in? The input files can > be found here: https://github.com/rwhitworth/compress-lz4-fuzz. These > inputs were found and verified with perl-blead on Linux and verified with > perl 5.24.0 on OS X. > > The files are inputs that can be executed as "perl test_program.pl < id:XX" > to cause seg faults. In the test program you may need to comment out the > while loop if you do not plan to configure AFL and recompile perl, etc. > You do not need to install or use AFL to reproduce these crashes. > > Instructions for how to add instrumentation to both perl and Compress::LZ4 > can be found here: > https://medium.com/@dgryski/fuzzing-perl-xs-modules-with-afl-4bfc2335dd90 > > Let me know if I can provide any more information to help narrow down this > issue. > > Thanks, > Ryan Whitworth > me@ryanwhitworth.com
thanks, fixed in 0.25
  Thu Apr 06 12:39:23 2017 The RT System itself - Status changed from 'new' to 'open'
  Thu Apr 06 12:39:47 2017 gray [...] cpan.org - Status changed from 'open' to 'resolved'