
Bug 24411 - libFuzzer outputs that crash libc++'s regex engine
Summary: libFuzzer outputs that crash libc++'s regex engine
Status: RESOLVED FIXED
Alias: None
Product: libc++
Classification: Unclassified
Component: All Bugs
Version: unspecified
Hardware: PC All
Importance: P normal
Assignee: Marshall Clow (home)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-10 10:00 PDT by Marshall Clow (home)
Modified: 2019-02-07 14:19 PST
CC: 3 users

See Also:
Fixed By Commit(s):


Attachments
Input to crash regex_match (47 bytes, application/octet-stream)
2015-08-10 10:01 PDT, Marshall Clow (home)

Description Marshall Clow (home) 2015-08-10 10:00:15 PDT
This bug is to record the results of fuzzing libc++'s regex with clang's libfuzzer.

When a crash is found, it will be added here.
Comment 1 Marshall Clow (home) 2015-08-10 10:01:57 PDT
Created attachment 14716 [details]
Input to crash regex_match
Comment 2 Marshall Clow (home) 2015-08-10 10:03:31 PDT
First crash - in regex_match. Using this target function:

#include <cstddef>
#include <regex>
#include <string>

// libFuzzer entry point: the fuzzer hands us an arbitrary byte buffer, which
// we treat both as the pattern (compiled with grep syntax) and as the subject.
// Current libFuzzer expects the target to return int (0), so it is declared
// that way here; the comment's original version was declared void.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
    if (size > 0)
    {
        try
        {
            std::regex::flag_type flag = std::regex_constants::grep;
            std::string s((const char *)data, size);
            std::regex re(s, flag);        // compile the input as a pattern
            std::regex_match(s, re);       // match the input against itself
        }
        catch (std::regex_error &ex) {}    // malformed patterns are expected; only crashes matter
    }
    return 0;
}
Comment 3 Marshall Clow (home) 2015-08-24 10:58:24 PDT
I reduced this test case down to "\\8" and fixed it in 245849.

Leaving the bug open b/c I think the fuzzer will find more.
Comment 4 Marshall Clow (home) 2015-08-26 11:46:40 PDT
Here's another one the fuzzer found (simplified).
This one doesn't fail, but it takes minutes to match against itself.

const char *bad = "#\\(.*\\)*###################.######.####### ";
Comment 5 Kostya Serebryany 2017-02-10 14:50:23 PST
Is there still an interest in fuzzing libc++'s regex?
We now have https://github.com/google/oss-fuzz, a continuous
fuzzing service, where libc++ would be welcome.

Fuzzing regex now yields this:
projects/libcxx/include/regex:4058:21: runtime error: signed integer overflow: 403809844 * 10 cannot be represented in type 'int'

and then quickly gets stuck in timeouts.
Comment 6 Marshall Clow (home) 2019-02-07 14:19:08 PST
We have fixed all the regex crashes that OSS-Fuzz has reported.
What's left is stack overflows, large memory usage, and timeouts.

Closing this bug, because they're all being tracked over at OSS-Fuzz.