A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:
- Help the community see what issues are common in Rust codebases (useful when e.g. designing APIs)
- Increase visibility of effective fuzz testing targets so people can reuse testing strategies
- Provide insight into common issues they can expect to find if they use a certain fuzzer
Most of these bugs are far less serious than the memory-safety issues afl has discovered in C and C++ projects, because Rust is memory-safe by default: the bulk of the table is panics, infinite loops and resource exhaustion rather than memory corruption. The exceptions are the entries marked ✔️ in the "Security?" column: memory-safety bugs (an uninitialized-memory disclosure, a use after free, a heap buffer overflow) that safe Rust cannot produce on its own, plus a stack overflow. Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!

Security issues are marked with a ✔️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not considered a security issue.
Crate | Information | Fuzzer | Category | Security? |
---|---|---|---|---|
bmfont | panic on unwrapping | libfuzzer | panic | |
brotli-rs | #10 | afl | panic | |
brotli-rs | #11 | afl | panic | |
brotli-rs | #12 | afl | panic | |
brotli-rs | #2 | afl | panic | |
brotli-rs | #3 | afl | panic | |
brotli-rs | #4 | afl | panic | |
brotli-rs | #5 | afl | oor | |
brotli-rs | #6 | afl | arith | |
brotli-rs | #7 | afl | oor | |
brotli-rs | #8 | afl | arith | |
brotli-rs | #9 | afl | arith | |
bson | #116 | libfuzzer | oom | |
bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ✔️ |
capnproto-rust | reddit, e72746c | libfuzzer | logic | |
claxon | 0fd8815 | libfuzzer | unwrap | |
claxon | 21b1db4 | libfuzzer | oor | |
claxon | 875c3b2 | libfuzzer | logic | |
claxon | c036944 | libfuzzer | logic | |
claxon | Massive slowdown on malformed input | libfuzzer | other | |
claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ✔️ |
comrak | #65 | libfuzzer | oor | |
cpp_demangle | Multiple panics | afl | unwrap, arith | |
cranelift | #418 | libfuzzer | logic | |
cssparser | floating-point parsing imprecision | libfuzzer | logic | |
cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
deflate-rs | #40 | afl | logic | |
deflate-rs | #42 | afl | logic | |
der-parser | arithmetic overflow | libfuzzer | arith | |
dhcp4r | #6 | libfuzzer | oor | |
encoding_rs | #44 | afl | logic | |
flac | #3 | afl | oom | |
flac | index out of bounds | libfuzzer | oor | |
flif | #26 | libfuzzer | oom | |
fontdue | arithmetic overflow | libfuzzer | arith | |
goblin | memory exhaustion | afl | oom | |
h2 | #260 | honggfuzz | oor | |
h2 | #261 | honggfuzz | panic | |
h2 | #262 | honggfuzz | panic | |
httparse | #9 | afl | arith | |
httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
hyper | arithmetic overflow | libfuzzer | arith | |
image | #1238 | afl | oor | |
image | #414 | afl | logic | |
image | #473 | afl | arith | |
image | #474 | afl | unwrap | |
image | #477 | afl | oor | |
image | #622 | libfuzzer | oom | |
image | #623 | libfuzzer | oom | |
image | #624 | libfuzzer | oom | |
image | #625 | libfuzzer | oor | |
image | #876 | afl | oor | |
image | #877 | afl | arith | |
image | #878 | afl | oor | |
image | Failed to break on an EOF | afl | oor | |
inflate | arithmetic overflow | libfuzzer | arith | |
ipfix | index out of bounds | libfuzzer | oor | |
jpeg-decoder | #38 | afl | unwrap | |
jpeg-decoder | #50 | afl | oom | |
jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
json-rust | arithmetic overflow | afl | arith | |
juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
just | #363 | libfuzzer | logic | |
lewton | enormous CPU and memory consumption on crafted input | afl | other | |
lewton | index out of bounds | honggfuzz | oor | |
lewton | index out of bounds | afl | oor | |
lewton | index out of bounds | afl | oor | |
lewton | index out of bounds | afl | oor | |
lewton | infinite loop | afl | loop | |
lewton | large CPU and memory consumption on crafted input | afl | other | |
lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
lewton | memory exhaustion | afl | oom | |
lexical | arithmetic overflow | libfuzzer | arith | |
lexical | arithmetic overflow | libfuzzer | arith | |
lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
libflate | 258cf44 | honggfuzz | oor | |
libflate | 6157daa | honggfuzz | panic | |
libflate | dc77163 | honggfuzz | unwrap | |
libflate | Out-of-bounds read in unsafe code | afl | oor | |
libpnet | arithmetic overflow | libfuzzer | arith | |
libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
lodepng-rust | memory leak | libfuzzer | oom | |
lz-fear | index out of bounds | libfuzzer | oor | |
lz-fear | index out of bounds | libfuzzer | oor | |
lz-fear | memory exhaustion | libfuzzer | oom | |
lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
minidump | #7 | libfuzzer | panic | |
miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
miniz_oxide | Infinite loop | libfuzzer | loop | |
Molten | #41 | libfuzzer | utf-8 | |
Molten | #42 | libfuzzer | oor | |
mongo_driver | #55 | libfuzzer | unwrap | |
mp3-metadata | Multiple panics | afl | oor | |
mp4parse-rust | #2 | afl | panic | |
mp4parse-rust | #4 | afl | panic | |
mp4parse-rust | #5 | afl | panic | |
mp4parse-rust | #6 | afl | panic | |
msgpack-rust | #151 | afl | oom | |
ncurses-rs | string with \0 | libfuzzer | unwrap | |
nifti | out of bounds array slicing | libfuzzer | oor | |
nom | arithmetic overflow | libfuzzer | arith | |
npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
num | panic on BigInt parsing | libfuzzer | unwrap | |
pancurses | string with \0 | libfuzzer | unwrap | |
parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
pcapng | arithmetic overflow | libfuzzer | arith | |
picky | #10 | libfuzzer | unwrap | |
picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
png | crash on malformed input | afl | oom | |
png | incorrect buffer size due to integer overflow | afl | arith, oom | |
png | infinite loop on crafted input | libfuzzer | loop | |
png | panic on malformed input | libfuzzer | oor | |
png | panic on malformed input | libfuzzer | unwrap | |
png | panic on malformed input | libfuzzer | oor | |
png | panic on malformed input | afl | unwrap, logic | |
proc-macro2 | #54 | afl | utf-8 | |
proc-macro2 | #55 | afl | so | |
prost | Stack overflow | afl | so | ✔️ |
pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | index out of bounds | libfuzzer | oor | |
rawloader | abort on huge memory allocation | afl | oom | |
regex | #417 | afl | utf-8 | |
regex | #84 | afl | unwrap | |
regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
regex | index out of bounds | honggfuzz | oor | |
regex | regex parsing panics with blog post | libfuzzer | unwrap | |
regex | Unexpected match branch | honggfuzz | logic | |
rmpv | Unchecked vector pre-allocation | afl | oom | |
roughenough | handle truncated message | afl | oor | |
roughenough | incorrect range check fix | libfuzzer | logic | |
roughenough | reject messages with zero tags | afl | logic, oor | |
roughenough | reject short single tag messages | afl | logic, oor | |
roughenough | return Error instead of panicking | afl | panic | |
roughenough | validate tag offset not past end of message | afl | logic | |
roughenough | validate value offset not past end of message | afl | logic | |
rust-asn1 | #32 | afl | oom | |
rust-snappy | #12 | libfuzzer | oor | |
rust-url | #108 | afl | oor | |
rustc | #24275 | afl | other | |
rustc | #50577 | prog-fuzz | logic | |
rustc | #50582 | prog-fuzz | logic | |
rustc | #50585 | prog-fuzz | logic | |
rustc | #50600 | prog-fuzz | logic | |
rustc | #50637 | prog-fuzz | loop | |
rustc | #51070 | prog-fuzz | logic | |
rustc-demangle | multiply with overflow | libfuzzer | arith | |
rustc-serialize | #109 | afl | arith | |
rustc-serialize | #110 | afl | panic | |
semver | logic error | libfuzzer | logic | |
Sequoia-PGP | #514 | libfuzzer | arith | |
Sequoia-PGP | #515 | libfuzzer | utf-8 | |
Sequoia-PGP | #516 | libfuzzer | oor | |
Sequoia-PGP | #516 | libfuzzer | oor | |
serde | #75 | afl | arith | |
serde | #77 | afl | arith | |
serde | #82 | afl | so | |
serde-yaml | #49 | libfuzzer | so | |
serde-yaml | #88 | libfuzzer | logic | |
simple_asn1 | #9 | libfuzzer | arith, oor | |
sleep-parser | #3 | honggfuzz | oor, utf-8 | |
smoltcp | arithmetic underflow | libfuzzer | arith | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
ssh-keys | #3 | afl | oor | |
ssh-keys | panic on slice indexing | libfuzzer | oor | |
ssh-parser | arithmetic overflow | libfuzzer | arith | |
svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
svgparser | endless loop | libfuzzer | loop | |
swf-parser | #23 | libfuzzer | logic | |
sxd-document | use after free | libfuzzer | uaf | ✔️ |
tar-rs | #23 | afl | arith | |
tera | #396 | libfuzzer | arith, logic | |
tiff | index out of bounds | afl | oor | |
tiff | infinite loop on malformed input | afl | loop | |
tiff | memory exhaustion on malformed input | afl | oom | |
tiff | panic on attempt to divide by zero | afl | arith | |
tinyvec | arithmetic underflow | rutenspitz | arith | |
tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
todotxt.rs | index out of bounds | libfuzzer | oor | |
toml | #178 | libfuzzer | logic | |
toml | #179 | libfuzzer | logic | |
toml | #180 | libfuzzer | logic | |
toml | #181 | libfuzzer | logic | |
toml | #185 | libfuzzer | logic | |
toml | #186 | libfuzzer | logic | |
unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
unicode-segmentation | word boundary correctness | libfuzzer | logic | |
uuid | index out of bounds | libfuzzer | oor | |
v_escape | heap buffer overflow | libfuzzer | oor | ✔️ |
vosub | arithmetic overflow | libfuzzer | arith | |
vosub | invalid slice | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | panic | |
vosub | shift overflow | libfuzzer | arith | |
wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
wayland-rs | #187 | libfuzzer | oor | |
ws-rs | arithmetic overflow | libfuzzer | arith | |
xml-rs | #93 | afl | utf-8 | |
zip-rs | arithmetic overflow | libfuzzer | arith | |


The categories used in the table:

- arith: Arithmetic error, e.g. overflows
- logic: Logic bug
- loop: Infinite loop
- oom: Out of memory
- oor: Out of range access
- segfault: Program segfaulted
- so: Stack overflow
- uaf: Use after free
- uninit: Program discloses contents of uninitialized memory
- unwrap: Call to `unwrap` on `None` or `Err(_)`
- utf-8: Problem with UTF-8 string handling, e.g. getting a char not at a char boundary
- panic: A panic not covered by any of the above
- other: Anything that does not fit in another category, or unclear what the problem is
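Most of the table is arith, oor, unwrap and utf-8 entries, and they all have the same shape: a parser that indexes, slices, unwraps or adds without checking the input first. The block below is an added example, not code from the trophy case or from any crate listed in it. It uses an invented record format (a length-prefixed UTF-8 name, a count of little-endian u16 values, and a one-byte wrapping checksum) to show each of those four bug classes in a naive parser, the hardened parser that returns errors instead of panicking, the body of a fuzz target that checks the "never panics" property, and an encoder for building sample inputs. The `fuzz_one` function is what you would put inside cargo-fuzz's `fuzz_target!` or afl.rs's `fuzz!` closure; everything else is standard library only.

```rust
// Added example; not code from the trophy case or from any crate listed in it.
// Record format, invented for this illustration:
//   [len: u8][len bytes of UTF-8 name][count: u8][count x u16 little-endian][sum: u8]
// where `sum` is the wrapping sum of every byte before it.

#[derive(Debug, PartialEq)]
pub struct Record {
    pub short_name: String, // at most 4 bytes of the name, cut at a char boundary
    pub values: Vec<u16>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadUtf8,
    BadChecksum,
}

/// Naive parser: each marked line is a panic a fuzzer reaches in seconds.
pub fn parse_naive(data: &[u8]) -> Record {
    let len = data[0] as usize; // oor: empty input
    let name = std::str::from_utf8(&data[1..1 + len]).unwrap(); // oor: short input; unwrap: bad UTF-8
    let short_name = name[..name.len().min(4)].to_string(); // utf-8: byte 4 need not be a char boundary
    let count = data[1 + len] as usize; // oor: no count byte
    let body_start = 2 + len;
    let body_end = body_start + count * 2;
    let values = data[body_start..body_end] // oor: body shorter than count says
        .chunks(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    let sum = data[..body_end].iter().fold(0u8, |acc, b| acc + *b); // arith: u8 overflow panics in debug builds
    assert_eq!(sum, data[body_end]); // oor on a missing checksum byte, then panic on mismatch
    Record { short_name, values }
}

/// Hardened parser: every bound is checked before it is used, the checksum uses
/// wrapping arithmetic on purpose, and every failure is an `Err` rather than a panic.
pub fn parse_checked(data: &[u8]) -> Result<Record, ParseError> {
    let (&len, rest) = data.split_first().ok_or(ParseError::Truncated)?;
    let len = len as usize;
    if rest.len() < len + 1 {
        return Err(ParseError::Truncated); // need the name and the count byte
    }
    let name = std::str::from_utf8(&rest[..len]).map_err(|_| ParseError::BadUtf8)?;
    let mut cut = name.len().min(4);
    while !name.is_char_boundary(cut) {
        cut -= 1; // walk back to a boundary; index 0 always is one, so this terminates
    }
    let count = rest[len] as usize;
    let body_start = 2 + len;
    let body_end = body_start + count * 2; // count <= 255, so this cannot overflow
    if data.len() < body_end + 1 {
        return Err(ParseError::Truncated); // need the body and the checksum byte
    }
    let values = data[body_start..body_end]
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    let sum = data[..body_end].iter().fold(0u8, |acc, b| acc.wrapping_add(*b));
    if sum != data[body_end] {
        return Err(ParseError::BadChecksum);
    }
    Ok(Record { short_name: name[..cut].to_string(), values })
}

/// Fuzz target body (the closure handed to `fuzz_target!` or `fuzz!`): the
/// property under test is "never panics", plus the invariants that must hold
/// whenever parsing succeeds.
pub fn fuzz_one(data: &[u8]) {
    if let Ok(rec) = parse_checked(data) {
        assert!(rec.short_name.len() <= 4);
        // Ok implies the count byte exists, so this index is in bounds.
        assert_eq!(rec.values.len(), data[1 + data[0] as usize] as usize);
    }
}

/// Encoder for the same format; used to build the constructed sample inputs.
pub fn encode(name: &str, values: &[u16]) -> Vec<u8> {
    let mut out = vec![name.len() as u8];
    out.extend_from_slice(name.as_bytes());
    out.push(values.len() as u8);
    for v in values {
        out.extend_from_slice(&v.to_le_bytes());
    }
    let sum = out.iter().fold(0u8, |acc, b| acc.wrapping_add(*b));
    out.push(sum);
    out
}
```

Fuzzers run debug builds, so the `acc + *b` overflow in `parse_naive` is reported as a panic rather than silently wrapping; that is the same mechanism behind every "arithmetic overflow" row above. `parse_checked` keeps the multiplication `count * 2` unchecked only because `count` is bounded by its `u8` type, which is the kind of reasoning worth writing down in a comment so a later change to a `u32` count does not quietly reintroduce the bug.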