Segmentation Fault (121229287)
Hello graphviz team,
As part of our fuzzing efforts at Google, we have identified an issue affecting graphviz (tested with revision bbb7e222 on branch master).
To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
Instructions:
unzip artifacts_121229287.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-graphviz-121229287 autofuzz_121229287
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_121229287/poc-ef09f81eaafdab402f5ac49737e61354a7947f36ac388bf8b2a651135f39bec1_min:/tmp/poc autofuzz-graphviz-121229287 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_121229287/poc-ef09f81eaafdab402f5ac49737e61354a7947f36ac388bf8b2a651135f39bec1_min:/tmp/poc -it autofuzz-graphviz-121229287
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:
INFO: Seed: 3895553130
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/parser_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-ef09f81eaafdab402f5ac49737e61354a7947f36ac388bf8b2a651135f39bec1
Executed /tmp/poc-ef09f81eaafdab402f5ac49737e61354a7947f36ac388bf8b2a651135f39bec1 in 18 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
INFO: Seed: 3979112141
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/render_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-ef09f81eaafdab402f5ac49737e61354a7947f36ac388bf8b2a651135f39bec1
ASAN:DEADLYSIGNAL
=================================================================
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x6190002b7021 (pc 0x7f1897f78100 bp 0x7fff6ae39fd0 sp 0x7fff6ae39f60 T0)
==12==The signal is caused by a WRITE memory access.
#0 0x7f1897f780ff in merge_ranks /fuzzing/graphviz/lib/dotgen/cluster.c:238:44
#1 0x7f1897f77ff3 in expand_cluster /fuzzing/graphviz/lib/dotgen/cluster.c:290:5
#2 0x7f1897f9046b in mincross_clust /fuzzing/graphviz/lib/dotgen/mincross.c:514:5
#3 0x7f1897f8f6ff in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:348:8
#4 0x7f1897f8cef1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
#5 0x7f1897f8c5c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#6 0x7f1897f8c4a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#7 0x7f189899cc69 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#8 0x7f18989ae017 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#9 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
#10 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
#11 0x51897e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x51897e)
#12 0x51ce87 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/render_fuzzer+0x51ce87)
#13 0x51869b in main (/fuzzing/graphviz/render_fuzzer+0x51869b)
#14 0x7f18968d52e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#15 0x420119 in _start (/fuzzing/graphviz/render_fuzzer+0x420119)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/graphviz/lib/dotgen/cluster.c:238:44 in merge_ranks
==12==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and we encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team

Attachment: artifacts_121229287.zip
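Added here as an example and not part of the report above: a small Python triage helper that parses an AddressSanitizer report of the shape quoted in the report (a constructed excerpt is embedded), pulls out the crash kind, access type and faulting address, and derives a ClusterFuzz-style dedup key from the top project frames with libFuzzer and harness frames skipped. The heap-range check assumes ASan's stock x86_64 allocator layout, and the harness markers are an assumption about this fuzz target's naming.

```python
import re
from collections import namedtuple

# Constructed excerpt of the AddressSanitizer report quoted above (frames 4-8 omitted).
SAMPLE_REPORT = """\
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x6190002b7021 (pc 0x7f1897f78100 bp 0x7fff6ae39fd0 sp 0x7fff6ae39f60 T0)
==12==The signal is caused by a WRITE memory access.
    #0 0x7f1897f780ff in merge_ranks /fuzzing/graphviz/lib/dotgen/cluster.c:238:44
    #1 0x7f1897f77ff3 in expand_cluster /fuzzing/graphviz/lib/dotgen/cluster.c:290:5
    #2 0x7f1897f9046b in mincross_clust /fuzzing/graphviz/lib/dotgen/mincross.c:514:5
    #3 0x7f1897f8f6ff in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:348:8
    #9 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
    #10 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
SUMMARY: AddressSanitizer: SEGV /fuzzing/graphviz/lib/dotgen/cluster.c:238:44 in merge_ranks
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)", re.M)
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$", re.M)
LOC_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")
# Default x86_64 ASan heap allocator region (assumption: stock compiler-rt layout).
ASAN_HEAP = (0x600000000000, 0x640000000000)
# Frames from libFuzzer or the fuzz target itself are not part of the dedup key (assumed naming).
HARNESS_MARKERS = ("LLVMFuzzerTestOneInput", "fuzzer::", "_fuzzer")
Frame = namedtuple("Frame", "index function file line")
Triage = namedtuple("Triage", "kind access address in_asan_heap crash_state culprit")

def parse_frames(report):
    """Return every stack frame; file/line are None for frames without source info."""
    frames = []
    for idx, func, loc in FRAME_RE.findall(report):
        m = LOC_RE.match(loc)
        frames.append(Frame(int(idx), func, m.group(1) if m else None, int(m.group(2)) if m else None))
    return frames

def triage(report):
    """Extract crash kind, access type, faulting address and a crash state from the top 3 project frames."""
    err = ERROR_RE.search(report)
    if not err:
        raise ValueError("not an AddressSanitizer error report")
    acc = ACCESS_RE.search(report)
    addr = int(err.group(2), 16)
    project = [f for f in parse_frames(report)
               if f.file and not any(mk in f.function or mk in f.file for mk in HARNESS_MARKERS)]
    if not project:
        raise ValueError("no symbolised project frame")
    return Triage(err.group(1), acc.group(1) if acc else "UNKNOWN", addr,
                  ASAN_HEAP[0] <= addr < ASAN_HEAP[1],
                  tuple(f.function for f in project[:3]), project[0])
```

Calling `triage(SAMPLE_REPORT)` yields a WRITE SEGV whose culprit frame is `merge_ranks` at cluster.c:238, with the crash state `("merge_ranks", "expand_cluster", "mincross_clust")` usable to group further reproducers of the same bug.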