These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's partly because Rust is memory-safe by default, but also because not many people have tried fuzzing Rust code yet! Over time we will update this section with the most interesting bugs, whether they're logic errors or memory-safety problems arising from `unsafe` code. Pull requests are welcome!

Security issues are marked with a ☢️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not considered a security issue.

Crate | Information | Fuzzer | Category | Security? |
---|---|---|---|---|
bmfont | panic on unwrapping | libfuzzer | panic | |
brotli-rs | #10 | afl | panic | |
brotli-rs | #11 | afl | panic | |
brotli-rs | #12 | afl | panic | |
brotli-rs | #2 | afl | panic | |
brotli-rs | #3 | afl | panic | |
brotli-rs | #4 | afl | panic | |
brotli-rs | #5 | afl | oor | |
brotli-rs | #6 | afl | arith | |
brotli-rs | #7 | afl | oor | |
brotli-rs | #8 | afl | arith | |
brotli-rs | #9 | afl | arith | |
bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ☢️ |
cpp_demangle | #41 | afl | | |
cssparser | floating-point parsing imprecision | libfuzzer | logic | |
der-parser | arithmetic overflow | libfuzzer | arith | |
flac | #3 | afl | oom | |
flac | index out of bounds | libfuzzer | oor | |
h2 | #260 | honggfuzz | oor | |
h2 | #261 | honggfuzz | panic | |
h2 | #262 | honggfuzz | panic | |
httparse | #9 | afl | | |
httpdate | panics: "no character boundary" and arithmetic overflow | libfuzzer | | |
hyper | arithmetic overflow | libfuzzer | | |
image | #414 | afl | | |
image | #473 | afl | | |
image | #474 | afl | | |
image | #477 | afl | | |
image | 1 | libfuzzer | | |
image | 2 | libfuzzer | | |
image | 3 | libfuzzer | | |
image | 4 | libfuzzer | | |
inflate | arithmetic overflow | libfuzzer | arith | |
ipfix | index out of bounds | libfuzzer | oor | |
jpeg-decoder | #38 | afl | | |
jpeg-decoder | #50 | afl | | |
jpeg-decoder | arithmetic overflow | libfuzzer | | |
json-rust | arithmetic overflow | afl | arith | |
libpnet | arithmetic overflow | libfuzzer | | |
minidump | #7 | libfuzzer | | |
Molten | #41 | libfuzzer | utf-8 | |
Molten | #42 | libfuzzer | oor | |
mp3-metadata | #9 | afl | | |
mp4parse-rust | #2 | afl | | |
mp4parse-rust | #4 | afl | | |
mp4parse-rust | #5 | afl | | |
mp4parse-rust | #6 | afl | | |
msgpack-rust | #151 | afl | oom | |
nom | arithmetic overflow | libfuzzer | arith | |
npy-rs | arithmetic overflow | libfuzzer | | |
ntp | panic caused by unwrap on invalid input | libfuzzer | | |
num | panic on BigInt parsing | libfuzzer | unwrap | |
parity | panic on BasicDecoder unchecked addition | libfuzzer | | |
pcapng | arithmetic overflow | libfuzzer | | |
proc-macro2 | #54 | afl | utf-8 | |
proc-macro2 | #55 | afl | so | |
pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | index out of bounds | libfuzzer | oor | |
regex | #84 | afl | unwrap | |
regex | regex parsing panics with blog post | libfuzzer | unwrap | |
regex | #417 | afl | utf-8 | |
regex | index out of bounds | honggfuzz | oor | |
regex | Unexpected match branch | honggfuzz | logic | |
regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
rust-asn1 | #32 | afl | | |
rust-url | #108 | afl | oor | |
rustc | #24275 | afl | other | |
rustc | #24276 | afl | segfault | |
rustc-demangle | multiply with overflow | libfuzzer | arith | |
rustc-serialize | #109 | afl | arith | |
rustc-serialize | #110 | afl | panic | |
rust-snappy | #12 | libfuzzer | oor | |
semver | logic error | libfuzzer | logic | |
serde | #75 | afl | arith | |
serde | #77 | afl | arith | |
serde | #82 | afl | so | |
serde-yaml | #49 | libfuzzer | so | |
serde-yaml | #88 | libfuzzer | logic | |
sleep-parser | #3 | honggfuzz | oor, utf-8 | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | arithmetic underflow | libfuzzer | arith | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
ssh-keys | panic on slice indexing | libfuzzer | oor | |
ssh-parser | arithmetic overflow | libfuzzer | arith | |
svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
svgparser | endless loop | libfuzzer | loop | |
sxd-document | use after free | libfuzzer | uaf | ☢️ |
tar-rs | #23 | afl | arith | |
todotxt.rs | index out of bounds | libfuzzer | oor | |
toml | #178 | libfuzzer | logic | |
toml | #179 | libfuzzer | logic | |
toml | #180 | libfuzzer | logic | |
toml | #181 | libfuzzer | logic | |
toml | #185 | libfuzzer | logic | |
toml | #186 | libfuzzer | logic | |
unicode-segmentation | grapheme boundary correctness | libfuzzer | | |
unicode-segmentation | word boundary correctness | libfuzzer | | |
uuid | index out of bounds | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | panic | |
vosub | arithmetic overflow | libfuzzer | arith | |
vosub | invalid slice | libfuzzer | oor | |
vosub | shift overflow | libfuzzer | arith | |
wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
ws-rs | arithmetic overflow | libfuzzer | arith | |
xml-rs | #93 | afl | utf-8 | |
zip-rs | arithmetic overflow | libfuzzer | arith | |

Category legend:

- `arith`: Arithmetic error, e.g. overflows
- `logic`: Logic bug
- `loop`: Infinite loop
- `oom`: Out of memory
- `oor`: Out of range access
- `segfault`: Program segfaulted
- `so`: Stack overflow
- `uaf`: Use after free
- `unwrap`: Call to `unwrap` on `None` or `Err(_)`
- `utf-8`: Problem with UTF-8 string handling, e.g. getting a char not at a char boundary
- `panic`: A panic not covered by any of the above
- `other`: Anything that does not fit in another category, or where it is unclear what the problem is