netvl / xml-rs

An XML library in Rust


Attempting to parse string including unicode causes panic

frewsxcv opened this issue · comments

code

#![feature(plugin)]
#![plugin(afl_coverage_plugin)]

extern crate afl_coverage;

extern crate xml;

use std::io::{self, Read};

/// Fuzz-harness entry point: hands everything read from stdin to the xml-rs
/// pull parser and drains the resulting event stream.
///
/// The collected events are thrown away. Under a fuzzer only a crash or panic
/// inside the parser is of interest; for a library that is fed untrusted XML,
/// such a panic is a denial-of-service condition rather than a clean parse error.
fn main() {
    let mut document = String::new();

    // `read_to_string` fails on an I/O error or when stdin is not valid UTF-8;
    // in either case there is nothing to parse, so exit quietly.
    if io::stdin().read_to_string(&mut document).is_err() {
        return;
    }

    let mut parser = xml::reader::EventReader::from_str(&document);

    // Pull every event so the whole input is walked by the parser.
    let _: Vec<_> = parser.events().collect();
}

input

&𤶼;

or as base64:

JvCktrw7

result

root@afl-rust:~/afl-staging-area# cargo run --verbose < new-file
       Fresh gcc v0.3.5
       Fresh bitflags v0.1.1
       Fresh afl-coverage-plugin v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh afl-coverage v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh xml-rs v0.1.24 (file:///root/afl-staging-area)
       Fresh afl-staging-area v0.1.0 (file:///root/afl-staging-area)
     Running `target/debug/afl-staging-area`
thread '<main>' panicked at 'index 0 and/or 2 in `𤶼` do not lie on character boundary', /root/rust/src/libcore/str/mod.rs:1528
stack backtrace:
   1:     0x7f003c964039 - sys::backtrace::write::hb34cb0734f7a3c97uhs
   2:     0x7f003c9674f1 - panicking::on_panic::h82f65b9161b1f8deGXw
   3:     0x7f003c960c62 - rt::unwind::begin_unwind_inner::h9f6dd38aeb9ea42dQCw
   4:     0x7f003c961247 - rt::unwind::begin_unwind_fmt::h44a1d6134651f778WBw
   5:     0x7f003c966e46 - rust_begin_unwind
   6:     0x7f003c999ee4 - panicking::panic_fmt::h063af2dc79b71461c0B
   7:     0x7f003c99b0ff - str::slice_error_fail::h6b062fef7704c76aLMJ
   8:     0x7f003c955b0b - str::traits::str.ops..Index<ops..Range<usize>>::index::hd5dc3805dd71586eEBJ
                        at /root/rust/src/libcore/str/mod.rs:1408
   9:     0x7f003c955812 - string::String.ops..Index<ops..Range<usize>>::index::h6e06879e88a080d5wHh
                        at /root/rust/src/libcollections/string.rs:941
  10:     0x7f003c953f27 - reader::parser::inside_reference::PullParser::inside_reference::h50d494c95b4dfa3fPzc
                        at /root/xml-rs/src/reader/parser/inside_reference.rs:30
  11:     0x7f003c95d470 - reader::parser::PullParser::dispatch_token::ha2333453eaa89eedJcd
                        at /root/xml-rs/src/reader/parser/mod.rs:329
  12:     0x7f003c8cfa86 - reader::parser::PullParser::next::h6163686924289215835
                        at /root/xml-rs/src/reader/parser/mod.rs:256
  13:     0x7f003c8cf34e - reader::EventReader<B>::next::h1752267722971489844
                        at /root/xml-rs/src/reader/mod.rs:44
  14:     0x7f003c8cf0a2 - reader::Events<'a, B>.Iterator::next::h5762463174033631403
                        at /root/xml-rs/src/reader/mod.rs:78
  15:     0x7f003c8c85dc - vec::Vec<T>.FromIterator<T>::from_iter::h16810629610021855622
                        at /root/rust/src/libcollections/vec.rs:1501
  16:     0x7f003c8c7a9e - iter::Iterator::collect::h15266764030729070866
                        at /root/rust/src/libcore/iter.rs:567
  17:     0x7f003c8c38d8 - main::ha4318abb77b31c89jaa
                        at src/main.rs:16
  18:     0x7f003c96bff8 - rust_try_inner
  19:     0x7f003c96bfe5 - rust_try
  20:     0x7f003c968d43 - rt::lang_start::he6efc8b28021b078bSw
  21:     0x7f003c8eb622 - main
  22:     0x7f003baaba3f - __libc_start_main
  23:     0x7f003c8c33b8 - _start
  24:                0x0 - <unknown>
Process didn't exit successfully: `target/debug/afl-staging-area` (signal: 4)

This bug was found using https://github.com/kmcallister/afl.rs 👍

Nice, thanks!

BTW, this character does not seem to be a valid name character per XML grammar. This is mostly a note to myself in order not to forget to add a proper error.