Fun with Fuzzing

crash-5c1e14c4d4840ba982214d1d06d2f596854dee92

(1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111*())

crash-914bd022d064f34139eac485f3ed71cda7e4dc6b

{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{                                                                      {{{{{{{{{{{{{{{{{{{{{{                                                           {{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{X{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{()

crash-f5a10eb0f51161f912f0674db9bf78519193363f.py

[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!5

python3_12_fuzzing.py

# requires my fork of atheris with 3.12 support see https://github.com/google/atheris/pull/60

import atheris

with atheris.instrument_imports():
  import sys


# @atheris.instrument_func  # Causing a crash in the stack effect of CALL
def TestOneInput(data):
  string = data.decode('utf-8', errors='ignore')

  try:
    compile(string, 'sample.py', mode='eval')
  except SyntaxError:
    pass


if __name__ == '__main__':
  atheris.Setup(sys.argv, TestOneInput)
  atheris.Fuzz()

results.md

Tests

MemoryError on repeated curly brace

 === Uncaught Python exception: ===
MemoryError: <EMPTY MESSAGE>
Traceback (most recent call last):
  File "/Users/anthonyshaw/projects/cpython/../atheris/example_fuzzers/parser_mutator.py", line 33, in TestOneInput
    compile(string, 'sample.py', mode='eval')
MemoryError: <EMPTY MESSAGE>

==7698== ERROR: libFuzzer: fuzz target exited
    #0 0x11052f4a5 in __sanitizer_print_stack_trace+0x35 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x544a5) (BuildId: 756bb7515781379f84412f22c4274ffd2400000010000000000a0a0000030d00)
    #1 0x113491db8 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:210
    #2 0x113473d0c in fuzzer::Fuzzer::ExitCallback() FuzzerLoop.cpp:250
    #3 0x7ff80382cba7 in __cxa_finalize_ranges+0x19f (libsystem_c.dylib:x86_64+0x2aba7) (BuildId: 0773ddbc707e3b56ad3e97aaa9b2c3ed32000000200000000100000000030d00)
    #4 0x7ff80382c9ba in exit+0x22 (libsystem_c.dylib:x86_64+0x2a9ba) (BuildId: 0773ddbc707e3b56ad3e97aaa9b2c3ed32000000200000000100000000030d00)
    #5 0x10f18b93f in Py_Exit pylifecycle.c:2988
    #6 0x10f1a5778 in _PyErr_PrintEx pythonrun.c
    #7 0x10f1a2995 in _PyRun_SimpleFileObject pythonrun.c:439
    #8 0x10f1a1771 in _PyRun_AnyFileObject pythonrun.c:78
    #9 0x10f21d096 in Py_RunMain main.c:689
    #10 0x10f21e344 in pymain_main main.c:719
    #11 0x10f21e657 in Py_BytesMain main.c:743
    #12 0x7ff80360141e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e) (BuildId: f22a114397323e23a8b7cbade6bb830132000000200000000100000000030d00)

SUMMARY: libFuzzer: fuzz target exited
MS: 5 InsertRepeatedBytes-CopyPart-InsertRepeatedBytes-InsertRepeatedBytes-InsertByte-; base unit: f9065fa7389750e16fe00d7ba36748f61d3e0df6
artifact_prefix='./'; Test unit written to ./crash-914bd022d064f34139eac485f3ed71cda7e4dc6b

MemoryError on exponent to lots of open square brackets

Gives MemoryError without a traceback

$ python crash-f5a10eb0f51161f912f0674db9bf78519193363f
MemoryError

Overflow error on multiplication of empty tuple

See crash-5c

Traceback (most recent call last):
  File "/Users/anthonyshaw/projects/cpython/crash-5c1e14c4d4840ba982214d1d06d2f596854dee92", line 1, in <module>
    (1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111*())
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
OverflowError: cannot fit 'int' into an index-sized integer

Crashes when trying to allocate a tuple beyond the bounds of Py_ssize_t. Multiplying an integer with a tuple creates a repeated pattern, but the tuple is empty, so the resulting tuple would also be empty (and not overflow). Possibly a bug in the allocation?

>>> 2 * (1,)
(1, 1)
>>> 3 * (1,)
(1, 1, 1)