πŸ† Collection of bugs uncovered by fuzzing Rust code
rust-fuzz/trophy-case

πŸ† Trophy Case πŸ†

A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:

  • Help the community see what issues are common in Rust codebases (useful when e.g. designing APIs)
  • Increase visibility of effective fuzz testing targets so people can reuse testing strategies
  • Provide insight into the kinds of issues people can expect to find when they use a particular fuzzer

These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default! Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!

Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory, are not considered security issues.

| Crate | Information | Fuzzer | Category | Security? |
|---|---|---|---|---|
| alloy-json-abi | Stack Overflow in JsonAbi::parse | libfuzzer | so | |
| artichoke | infinite loop in bison-generated C code | libfuzzer | loop | |
| asn1 | #32 | afl | oom | |
| async-h1 | non-ASCII input to method | libfuzzer | panic | |
| bcrypt | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| bincode | invalid system time panic | libfuzzer | panic | |
| bincode | invalid duration panic | libfuzzer | panic | |
| bmfont | panic on unwrapping | libfuzzer | panic | |
| boa | invalid spans | honggfuzz | logic | |
| boa | Could not convert to BigInt | honggfuzz | logic | |
| boa | invalid utf16 | honggfuzz | logic | |
| boa | assignment to number | honggfuzz | logic | |
| boa | division by zero | honggfuzz | arith | |
| boa | assertion failure | libfuzzer | panic | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | #116 | libfuzzer | oom | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| bson | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| capnproto-rust | Out-of-bounds read | libfuzzer | oor | ❗️ |
| chrono | overflow in date arithmetic | libfuzzer | arith | |
| chrono | panic in checked_add_days | libfuzzer + bolero | panic | |
| clap | issue/2264 | afl | utf-8 | |
| claxon | 0fd8815 | libfuzzer | unwrap | |
| claxon | 21b1db4 | libfuzzer | oor | |
| claxon | 875c3b2 | libfuzzer | logic | |
| claxon | c036944 | libfuzzer | logic | |
| claxon | Massive slowdown on malformed input | libfuzzer | other | |
| claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ❗️ |
| comrak | #65 | libfuzzer | oor | |
| cookie | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| cpp_demangle | Multiple panics | afl | unwrap, arith | |
| cranelift | #418 | libfuzzer | logic | |
| csscolorparser | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
| deflate-rs | #40 | afl | logic | |
| deflate-rs | #42 | afl | logic | |
| der | arithmetic overflow leading to index out of bounds | libfuzzer | arith | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| dhcp4r | #6 | libfuzzer | oor | |
| encoding_rs | #44 | afl | logic | |
| exmex | #8 | honggfuzz | arith, logic | |
| exmex | #13 | libfuzzer | utf-8 | |
| fatfs | arithmetic overflow | libfuzzer | arith | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flatgeobuf | #85 | libfuzzer | oom | |
| flatgeobuf | #86 | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| fontdue | arithmetic overflow | libfuzzer | arith | |
| fontdue | slow parsing | libfuzzer | other | |
| geo | #531 | libfuzzer | logic | |
| geo | #536 | libfuzzer | logic | |
| goblin | memory exhaustion | afl | oom | |
| goblin | memory exhaustion | libfuzzer | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| h2 | assertion failure | libfuzzer | panic | |
| handlebars | index out of bounds | libfuzzer | oor | |
| handlebars | unwrap panic | libfuzzer | unwrap | |
| hjson-rust | invalid utf8 | libfuzzer | utf-8 | |
| hjson-rust | subtract with overflow | libfuzzer | arith | |
| hjson-rust | removal index (is 0) should be < len | libfuzzer | logic | |
| hjson-rust | panics on ParseIntError | libfuzzer | arith | |
| httparse | #9 | afl | arith | |
| httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
| httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
| human-name | several panics | libfuzzer | logic, arith | |
| hyper | arithmetic overflow | libfuzzer | arith | |
| image | #1238 | afl | oor | |
| image | #414 | afl | logic | |
| image | #473 | afl | arith | |
| image | #474 | afl | unwrap | |
| image | #477 | afl | oor | |
| image | #622 | libfuzzer | oom | |
| image | #623 | libfuzzer | oom | |
| image | #624 | libfuzzer | oom | |
| image | #625 | libfuzzer | oor | |
| image | #876 | afl | oor | |
| image | #877 | afl | arith | |
| image | #878 | afl | oor | |
| image | Failed to break on an EOF | afl | oor | |
| image | arithmetic overflow | libfuzzer | arith | |
| image-gif | infinite loop | libfuzzer | loop | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | unwrap | |
| jpeg-decoder | #50 | afl | oom | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| jpeg-decoder | 180 | libfuzzer | logic | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| json-rust | arithmetic overflow | afl | arith | |
| json-rust | issue/193 | afl | panic | |
| jsonschema | issue/253 | libfuzzer | oor | |
| juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
| just | #363 | libfuzzer | logic | |
| kalker | index out of bounds | libfuzzer | oor | |
| lewton | enormous CPU and memory consumption on crafted input | afl | other | |
| lewton | index out of bounds | honggfuzz | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | infinite loop | afl | loop | |
| lewton | large CPU and memory consumption on crafted input | afl | other | |
| lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
| lewton | memory exhaustion | afl | oom | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
| libflate | 258cf44 | honggfuzz | oor | |
| libflate | 6157daa | honggfuzz | panic | |
| libflate | dc77163 | honggfuzz | unwrap | |
| libflate | Out-of-bounds read in unsafe code | afl | oor | |
| libflate | internal assertion failure | libfuzzer | panic | |
| libpnet | arithmetic overflow | libfuzzer | arith | |
| libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| lopdf | arithmetic overflow | libfuzzer | arith | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | memory exhaustion | libfuzzer | oom | |
| lz4_flex | memcpy-param-overlap | libfuzzer | other | |
| lz4_flex | heap-buffer-overflow | libfuzzer | oor | ❗️ |
| lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
| matchit | invalid utf-8 | libfuzzer | utf-8 | |
| minidump | #7 | libfuzzer | panic | |
| minidump | unbounded allocation | libfuzzer | oom | |
| minidump | slicing out of bounds | libfuzzer | oor | |
| minidump | creating backwards ranges | libfuzzer | panic | |
| minidump | add with overflow #413 | libfuzzer | arith | |
| minidump | add with overflow #422 | libfuzzer | arith | |
| minidump | add with overflow #425 | libfuzzer | arith | |
| minidump | infinitely extending vec OOM | libfuzzer | oom | |
| minidump | subtract with overflow #439 | libfuzzer | arith | |
| minidump | index OOB | libfuzzer | oor | |
| miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
| miniz_oxide | Infinite loop | libfuzzer | loop | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mongo_driver | #55 | libfuzzer | unwrap | |
| mp3-metadata | Multiple panics | afl | oor | |
| mp4ameta | unbounded allocation | libfuzzer | oom | |
| mp4parse-rust | #2 | afl | panic | |
| mp4parse-rust | #4 | afl | panic | |
| mp4parse-rust | #5 | afl | panic | |
| mp4parse-rust | #6 | afl | panic | |
| msgpack-rust | #151 | afl | oom | |
| naga | slicing not on a character boundary | libfuzzer | utf-8 | |
| ncurses-rs | string with \0 | libfuzzer | unwrap | |
| nifti | out of bounds array slicing | libfuzzer | oor | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
| ntfs | multiply with overflow | libfuzzer | arith | |
| ntfs | index OOB | libfuzzer | oor | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| pancurses | string with \0 | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
| pcapng | arithmetic overflow | libfuzzer | arith | |
| pdf | index out of bounds | libfuzzer | oor | |
| pdf | infinite loop | libfuzzer | loop | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | index out of bounds #122 | libfuzzer | oor | |
| pdf | index out of bounds #123 | libfuzzer | oor | |
| pdf | index out of bounds #124 | libfuzzer | oor | |
| pdf | index out of bounds #126 | libfuzzer | oor | |
| pgp | subtract with overflow | libfuzzer | arith | |
| phonenumber | internal unwrap | libfuzzer | unwrap | |
| picky | #10 | libfuzzer | unwrap | |
| picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
| plist | arithmetic overflow | libfuzzer | arith | |
| png | crash on malformed input | afl | oom | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| png | infinite loop on crafted input | libfuzzer | loop | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| prettytable-rs | subtract with overflow | libfuzzer | arith | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| prost | Stack overflow | afl | so | |
| pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| pulldown-cmark | string slice out of bounds | libfuzzer | oor | |
| pulldown-cmark | beginning more than end slice index | libfuzzer | oor | |
| pulldown-cmark | option unwrap parsing heading attributes | libfuzzer | unwrap | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| quick-xml | internal unreachable panic | libfuzzer | panic | |
| rasn | failed round trip | libfuzzer | logic | |
| rawloader | abort on huge memory allocation | afl | oom | |
| rav1e | Invalid assertion in rate control | libfuzzer | panic | |
| rav1e | LRF crash when encoding tiny frames | libfuzzer | panic | |
| rav1e | CDEF UV direction mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Safe wrappers for-sys dav1d | libfuzzer | logic | |
| rav1e | Crash with 4 tiles for 1080p 4:2:2 | libfuzzer | logic | |
| rav1e | Buffer underflow in CDEF pad_into_tmp16 | libfuzzer | so | |
| rav1e | Tiling mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Encode-decode mismatch | libfuzzer | logic | |
| rav1e | Crash on width or height of 1 | libfuzzer | panic | |
| rav1e | Encoder admits invalid color configuration | libfuzzer | logic | |
| redis | Multiplication overflow panics in the parser | afl | arith | |
| regex | #417 | afl | utf-8 | |
| regex | #84 | afl | unwrap | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | regex parsing panics with blog post | libfuzzer | unwrap | |
| regex | Unexpected match branch | honggfuzz | logic | |
| regex | issue/738 | afl | arith, oor, utf-8 | |
| risuto | server DoS on user input date out of range | libfuzzer + bolero | panic | |
| risuto | server DoS on user input date during a timezone change | libfuzzer + bolero | panic | |
| rmpv | Unchecked vector pre-allocation | afl | oom | |
| ron | stack overflow (unbounded recursion) | libfuzzer | so | |
| ron | Maps are wrapped in a sequence | libfuzzer | logic | |
| roughenough | handle truncated message | afl | oor | |
| roughenough | incorrect range check fix | libfuzzer | logic | |
| roughenough | reject messages with zero tags | afl | logic, oor | |
| roughenough | reject short single tag messages | afl | logic, oor | |
| roughenough | return Error instead of panicking | afl | panic | |
| roughenough | validate tag offset not past end of message | afl | logic | |
| roughenough | validate value offset not past end of message | afl | logic | |
| rust-ini | invalid codepoint | libfuzzer | utf-8 | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc | #62524 #62546 #62554 #62863 #62881 #62894 #62895 #62913 #62973 #63116 #63135 #66473 #68629 #68730 #68890 #69130 #69310 #69378 #69396 #69401 #69600 #69602 #70549 #70552 #70594 #70608 #70677 #70724 #70736 #70763 #70813 #70942 #71297 #71471 #71798 #72410 #84104 #84117 #84148 #84149 #86895 #88770 #92267 | fuzz-rustc | utf-8, panic, oom, loop, oor, unwrap | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| semver | logic error | libfuzzer | logic | |
| semver | issue/227 | afl | unwrap | |
| Sequoia-PGP | #514 | libfuzzer | arith | |
| Sequoia-PGP | #515 | libfuzzer | utf-8 | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| simple_asn1 | #9 | libfuzzer | arith, oor | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snap | #12 | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| soroban-env | incorrect comparison functions | libfuzzer | logic | |
| soroban-env | incorrect comparison functions | libfuzzer | logic | |
| soroban-env | incorrect conversion | libfuzzer | logic | |
| sqlformat | panic on unwrapping error due to failure to parse int | libfuzzer | unwrap | |
| sqlparser | stack overflow (unbounded recursion) | libfuzzer | so | |
| ssh-keys | #3 | afl | oor | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| stellar-xdr | incorrect comparison functions | libfuzzer | logic | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| swf-parser | #23 | libfuzzer | logic | |
| sxd-document | use after free | libfuzzer | uaf | ❗️ |
| symbolic-demangle | extremely slow demangling, OOM | libfuzzer | oom | |
| symbolic-minidump | segfault in exposed C++ library | libfuzzer | segfault | ❗️ |
| symbolic-unreal | unbounded allocation | libfuzzer | oom | |
| symphonia | panic on unwrapping | libfuzzer | unwrap | |
| syn | Unrecognized literal | libfuzzer | logic | |
| syn | panic when parsing impl | libfuzzer | logic | |
| tar-rs | #23 | afl | arith | |
| tera | #396 | libfuzzer | arith, logic | |
| tera | unimplemented panic | libfuzzer | panic | |
| tf-demo-parser | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
| tiff | index out of bounds | afl | oor | |
| tiff | infinite loop on malformed input | afl | loop | |
| tiff | memory exhaustion on malformed input | afl | oom | |
| tiff | panic on attempt to divide by zero | afl | arith | |
| time | issue/309 | afl | panic, arith | |
| tinytemplate | beginning more than end on string slicing | libfuzzer | oor | |
| tinyvec | arithmetic underflow | rutenspitz | arith | |
| tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
| tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| tokei | panic | libfuzzer | oor | |
| tokei | consistency #725 | libfuzzer | logic | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| toml | stack overflow (unbounded recursion) | libfuzzer | so | |
| toml_edit | stack overflow (unbounded recursion) | libfuzzer | so | |
| trust-dns-proto | Incorrect length check in Encoding | libfuzzer | logic | |
| trust-dns-proto | ZERO resource records are mis-parsed | libfuzzer | logic | |
| trust-dns-proto | Incorrect handling of escapes | libfuzzer | logic | |
| ttf-parser | infinite loop | libfuzzer | loop | |
| ttf-parser | assertion failure | libfuzzer | panic | |
| tui | issue/446 | afl | arith | |
| ubyte | multiply with overflow when parsing fractional number | libfuzzer | arith | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
| unicode-segmentation | word boundary correctness | libfuzzer | logic | |
| unified-diff | lines before 1, with no context | libfuzzer | logic | |
| url | #108 | afl | oor | |
| url | infinite loop | libfuzzer | loop | |
| url | slicing error | afl | oor | |
| url | out of index | afl | oor | |
| url | failed round trip parse | libfuzzer | logic | |
| uuid | index out of bounds | libfuzzer | oor | |
| v_escape | heap buffer overflow | libfuzzer | oor | ❗️ |
| vial | arithmetic overflow | libfuzzer | arith | |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xi-editor | issue/1303 | afl | arith | |
| xml-rs | #93 | afl | utf-8 | |
| xml-rs | arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #12 arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #13 arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #15 arithmetic overflow | libfuzzer | arith | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
| zune-jpeg | heap buffer overflow | libfuzzer | oor | ❗️ |

Description of categories:

  • arith: Arithmetic error, e.g. integer overflow
  • logic: Logic bug
  • loop: Infinite loop
  • oom: Out of memory
  • oor: Out of range access
  • segfault: Program segfaulted
  • so: Stack overflow
  • uaf: Use after free
  • uninit: Program discloses contents of uninitialized memory
  • unwrap: Call to unwrap on None or Err(_)
  • utf-8: Problem with UTF-8 string handling, e.g. slicing a string at a position that is not a char boundary
  • panic: A panic not covered by any of the above
  • other: Anything that does not fit in another category, or unclear what the problem is
