fix(rust): fix several panics detected by cargo-fuzz #3483
Merged
chaokunyang merged 1 commit into apache:main from Mar 23, 2026
797f4c3 to ffe3ad1
chaokunyang
reviewed
Mar 23, 2026
rust/fory-core/src/row/bit_util.rs
Outdated
|
|
||
| pub fn calculate_bitmap_width_in_bytes(num_fields: usize) -> usize { | ||
| ((num_fields + 63) / 64) * WORD_SIZE | ||
| (num_fields.saturating_add(63) / 64).saturating_mul(WORD_SIZE) |
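Review bot: `saturating_add`/`saturating_mul` in the new line turn an overflow into a silently wrong result rather than a visible failure: for `num_fields` close to `usize::MAX` the sum clamps before the division, so the returned width is smaller than the fields need. If overflow is meant to be handled here, prefer `checked_add`/`checked_mul` with an error return, or `num_fields.div_ceil(64)` to remove the overflowing addition; otherwise keep the original expression so the caller's bug surfaces.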
Collaborator
This changes behaviour; I think you should let it crash. Such a crash is basically a programming error.
chaokunyang
reviewed
Mar 23, 2026
rust/fory-core/src/row/reader.rs
Outdated
| }; | ||
| }; | ||
| let key_byte_size = LittleEndian::read_u64(header) as usize; | ||
| let key_end = (8usize).saturating_add(key_byte_size).min(row.len()); |
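Review bot: `.min(row.len())` on `key_end` hides a malformed header: when `key_byte_size` declares more bytes than the row holds, the key region is silently shortened to the end of the row instead of being reported. Use `checked_add` and return an error when the computed end exceeds `row.len()`. Note also that `LittleEndian::read_u64(header) as usize` truncates the value on 32-bit targets before any bound is applied.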
Collaborator
For row format, it's not used for RPC. It's mostly used in data processing cases. So we don't need to handle malicious/invalid data.
ffe3ad1 to 6da0bed
Contributor
Author
Thanks for your feedback, the mentioned changes are removed.
Why?
Fix several new panics when feeding corner-case input found by cargo-fuzz
What does this PR do?
In rust/README.md, the right command to run all tests seems to be cargo test --workspace. Running cargo test --features tests will get:
In rust/fory-core/src/meta/type_meta.rs,
fory/rust/fory-core/src/meta/type_meta.rs Line 645 in 5fc06f1 will panic if encoding_idx exceeds the size of encodings.
fory/rust/fory-core/src/meta/type_meta.rs Line 836 in 5fc06f1 will cause OOM if num_fields is too large. I limit the max value of num_fields to i16::MAX since field_id is i16.
In rust/fory-core/src/row/bit_util.rs, use saturating_add/mul to prevent potential overflow panic. But would it be better to return an error instead of saturating_add/mul? 🤔
In rust/fory-core/src/row/reader.rs, direct access into a slice using [] may cause an out-of-bounds panic.
In rust/fory-core/src/serializer/collection.rs, rust/fory-core/src/serializer/map.rs and rust/fory-core/src/serializer/primitive_list.rs, we should check the remaining bytes in the buffer before allocating Vec. This can also prevent OOM.
In rust/fory-core/src/serializer/skip.rs, generics.first().unwrap() and generics.get(1).unwrap() will panic if the size of generics is not long enough.
Related issues
N/A
AI Contribution Checklist
N/A
Does this PR introduce any user-facing change?
N/A
Benchmark
This PR only adds additional checks in case of corner-case input and thus won't have a major influence on the performance.
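
The check the PR description names for collection.rs, map.rs and primitive_list.rs (compare the declared element count with the bytes remaining before allocating the Vec), shown as an added example that is not code from this PR or from Fory. The wire format and the names `Reader`, `DecodeError` and `read_i64_list` are hypothetical and chosen for illustration.

```rust
// Added example: hypothetical wire format `[u32 LE count][count x i64 LE]`, not Fory's.
#[derive(Debug, PartialEq)]
enum DecodeError {
    Truncated,
    CountExceedsInput { declared: u32, remaining: usize },
}

struct Reader<'a> {
    buf: &'a [u8],
    pos: usize, // invariant: pos <= buf.len()
}

impl<'a> Reader<'a> {
    fn remaining(&self) -> usize {
        self.buf.len() - self.pos
    }

    // Bounds-checked slice access: `get` returns None where `[]` would panic.
    fn take(&mut self, n: usize) -> Result<&'a [u8], DecodeError> {
        let end = self.pos.checked_add(n).ok_or(DecodeError::Truncated)?;
        let bytes = self.buf.get(self.pos..end).ok_or(DecodeError::Truncated)?;
        self.pos = end;
        Ok(bytes)
    }
}

fn read_i64_list(input: &[u8]) -> Result<Vec<i64>, DecodeError> {
    let mut r = Reader { buf: input, pos: 0 };
    let mut head = [0u8; 4];
    head.copy_from_slice(r.take(4)?);
    let count = u32::from_le_bytes(head);
    // Check the declared count against the bytes actually present before
    // allocating, so a 4-byte header cannot request a multi-gigabyte Vec.
    let needed = u64::from(count) * 8; // cannot overflow: u32::MAX * 8 < u64::MAX
    if needed > r.remaining() as u64 {
        return Err(DecodeError::CountExceedsInput { declared: count, remaining: r.remaining() });
    }
    let mut out = Vec::with_capacity(count as usize);
    for _ in 0..count {
        let mut word = [0u8; 8];
        word.copy_from_slice(r.take(8)?);
        out.push(i64::from_le_bytes(word));
    }
    Ok(out)
}

fn main() {
    let hostile = [0xFF, 0xFF, 0xFF, 0xFF]; // constructed: claims u32::MAX elements, no payload
    println!("{:?}", read_i64_list(&hostile));
}
```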