【fuzz】libsass --sanitizer undefined src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000001ba3350 which does not point to an object of type 'Sass::PreValue'

【环境信息】
x86
【测试版本】
Name: libsass
Version: 3.6.4

【注意事项】
受影响版本排查（受影响/不受影响）
1、master
2、openEuler-20.03-LTS-SP3
3、openEuler-20.03-LTS-SP1
4、openEuler-20.03-LTS-SP2
5、openEuler-20.03-LTS
6、openEuler-21.03
7、openEuler-20.03-LTS-Next
8、openEuler-21.09
9、openEuler-22.03-LTS
10、openEuler-22.03-LTS-Next
11、openEuler-20.09
12、openEuler-23.03

一、【测试步骤】
1、编译
python3 infra/helper.py build_fuzzers --sanitizer memory libsass
2、执行
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer

【报错信息】
src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000001ba3350 which does not point to an object of type 'Sass::PreValue'
0x000001ba3350: note: object is of type 'Sass::Unary_Expression'
 00 00 00 00  48 ff c7 00 00 00 00 00  01 00 00 00 00 00 00 00  00 e5 b9 01 00 00 00 00  10 e1 b9 01
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Sass::Unary_Expression'
    #0 0x6a037f in Sass::SharedImpl<Sass::PreValue>::SharedImpl<Sass::Expression>(Sass::Expression*) /src/libsass/src/memory/shared_ptr.hpp:202:17
    #1 0x653594 in Sass::Parser::parse_selector_schema(char const*, bool) /src/libsass/src/parser.cpp:576:24
    #2 0x6549cb in Sass::Parser::parse_ruleset(Lookahead) /src/libsass/src/parser.cpp:516:17
    #3 0x648a0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:260:21
    #4 0x644b10 in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:171:11
    #5 0x6434c1 in Sass::Parser::parse() /src/libsass/src/parser.cpp:97:5
    #6 0x587661 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:307:24
    #7 0x590e16 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:621:5
    #8 0x4c456a in Sass::sass_parse_block(Sass_Compiler*) /src/libsass/src/sass_context.cpp:181:31
    #9 0x4c4347 in sass_compiler_parse /src/libsass/src/sass_context.cpp:435:22
    #10 0x4c3f1c in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:318:7
    #11 0x4c1bc3 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
    #12 0x452eb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #13 0x4525f5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #14 0x4546c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #15 0x455145 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #16 0x44411e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #17 0x46c8f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #18 0x7f3d9ec8082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x418828 in _start (/out/data_context_fuzzer+0x418828)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/memory/shared_ptr.hpp:202:17 in 
MS: 3 CopyPart-ChangeASCIIInt-EraseBytes-; base unit: ff956f07b3a53022be6d4e297295274825301164
0xc,0xc,0x44,0x44,0x23,0x7b,0x2b,0xc,0x2b,0x30,0x7b,0x7d,0x2b,0x32,0x2a,0x23,0x7b,0x31,0x2a,0x2b,0xc,0x2b,0x30,0x7b,0x7d,0x2b,0x32,0x2a,0x32,0x2a,
\x0c\x0cDD#{+\x0c+0{}+2*#{1*+\x0c+0{}+2*2*
artifact_prefix='./'; Test unit written to ./crash-13cc3f33c64741d13130ed851b1d4b528ab1e608
Base64: DAxERCN7KwwrMHt9KzIqI3sxKisMKzB7fSsyKjIq
【预期结果】
运行无异常

【实际结果】
运行抛出异常

【复现步骤】
python3 infra/helper.py reproduce libsass data_context_fuzzer ./crash-13cc3f33c64741d13130ed851b1d4b528ab1e608

src-openEuler/libsass

内容风险标识

评论 (2)

src-openEuler/libsass .gitee-modal { width: 500px !important; }

内容风险标识