[hdf5] Improve h5_extended_fuzzer coverage#15309
Open
mch-byte wants to merge 2 commits into
- Replace hardcoded dataset/attribute names with actual object iteration via H5Gget_num_objs/H5Gget_objname_by_idx
- Add bounded H5Dread to exercise chunk I/O, compact I/O, decompression, and type conversion paths
- Add H5Dget_create_plist for filter pipeline and fill value parsing
- Add H5Topen2 for committed datatype coverage
- Add attribute iteration on both groups and datasets
- Add H5Gget_info for group metadata paths
- Add LLVMFuzzerInitialize with H5Eset_auto2 log suppression
- Add input size bounds (8 to 64KB) to prevent OOM on crafted headers
- Add recursion depth limit (8) to prevent stack overflow
- Add unlink() cleanup of temp file
- Add h5_extended_fuzzer.dict with 38 HDF5 format signatures
- Add h5_extended_fuzzer.options with max_len=65536
- Update build.sh to copy dict and options to $OUT

This improved fuzzer found a heap-buffer-overflow in H5D__compact_readvv (H5Dcompact.c:409) which has been reported to the HDF5 maintainers via GitHub Security Advisory.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
mch-byte is a new contributor to projects/hdf5. The PR must be approved by known contributors before it can be merged. The past contributors are: arthurscchan, hunsche, hyoklee, maflcko, derobins, DonggeLiu
This PR improves the h5_extended_fuzzer for the HDF5 project. The existing fuzzer uses hardcoded dataset/attribute names that never match real file contents, has no input size limit (causing OOM-related coverage degradation on ClusterFuzz), and does not suppress log output.

Changes

- Replace hardcoded "dsetname"/"theattr" with actual object iteration
- Add bounded H5Dread to exercise chunk I/O, compact I/O, decompression, and type conversion
- Add H5Dget_create_plist for filter pipeline and fill value parsing
- Add H5Topen2 for committed datatype coverage
- Add H5Gget_info for group metadata paths
- Add LLVMFuzzerInitialize with H5Eset_auto2 log suppression
- Add h5_extended_fuzzer.dict with 38 HDF5 format signatures
- Add h5_extended_fuzzer.options with max_len=65536
- Update build.sh to copy dict and options to $OUT

Results

This improved fuzzer found a heap-buffer-overflow in H5D__compact_readvv (H5Dcompact.c:409) which has been reported to the HDF5 maintainers via GitHub Security Advisory.

Current OSS-Fuzz coverage for h5_extended_fuzzer is 9.36% and degrading due to OOM. This fuzzer stabilizes coverage and reaches substantially more code paths including chunk read, compact read, type conversion, filter pipeline, and committed datatype handling.
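A generator for the two support files the PR adds, written here as an added example (not code from the PR or the HDF5 project): it escapes a constructed subset of well-known HDF5 on-disk signatures into libFuzzer dictionary syntax and emits an .options file with max_len = 65536. The keyword names, the 60-byte input limit and the file layout are my choices, not the PR's.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
/* Constructed subset of the HDF5 on-disk signatures (the PR's dictionary has 38 entries).
 * Keywords on the left are mine; the byte values come from the HDF5 file format spec. */
static const struct { const char *keyword; const char *sig; size_t len; } kHdf5Sigs[] = {
    {"superblock", "\x89HDF\r\n\x1a\n", 8}, {"v1_btree", "TREE", 4}, {"symtab_node", "SNOD", 4},
    {"local_heap", "HEAP", 4}, {"global_heap", "GCOL", 4}, {"v2_ohdr", "OHDR", 4}, {"ohdr_cont", "OCHK", 4},
    {"v2_btree_hdr", "BTHD", 4}, {"v2_btree_int", "BTIN", 4}, {"v2_btree_leaf", "BTLF", 4},
    {"fheap_hdr", "FRHP", 4}, {"fheap_direct", "FHDB", 4}, {"fheap_indirect", "FHIB", 4},
    {"fspace_hdr", "FSHD", 4}, {"fspace_sect", "FSSE", 4}, {"shmsg_table", "SMTB", 4}, {"shmsg_list", "SMLI", 4},
    {"earray_hdr", "EAHD", 4}, {"earray_index", "EAIB", 4}, {"earray_super", "EASB", 4}, {"earray_data", "EADB", 4},
    {"farray_hdr", "FAHD", 4}, {"farray_data", "FADB", 4},
};
#define NSIGS (sizeof kHdf5Sigs / sizeof kHdf5Sigs[0])
/* Escape raw bytes into libFuzzer/AFL dictionary syntax: printable ASCII stays literal, '"' and
 * '\' get a backslash, anything else becomes \xHH (the superblock magic holds 0x89, CR, LF, 0x1A).
 * Returns a static buffer, or NULL if the input is longer than 60 bytes (my limit). */
const char *dict_escape(const unsigned char *in, size_t n) {
    static char out[4 * 60 + 1];
    size_t w = 0;
    if (n > 60) return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == '"' || c == '\\') { out[w++] = '\\'; out[w++] = (char)c; }
        else if (c >= 0x20 && c <= 0x7e) out[w++] = (char)c;
        else w += (size_t)snprintf(out + w, sizeof out - w, "\\x%02X", (unsigned)c);
    }
    out[w] = '\0';
    return out;
}
/* Write <name>.dict and <name>.options (max_len as the PR sets it, 65536) into the current
 * directory. Returns the number of dictionary entries written, or -1 on I/O failure. */
int write_fuzzer_files(const char *name, unsigned max_len) {
    char path[256]; int count = 0;
    snprintf(path, sizeof path, "%s.dict", name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    for (size_t i = 0; i < NSIGS; i++) {
        const char *esc = dict_escape((const unsigned char *)kHdf5Sigs[i].sig, kHdf5Sigs[i].len);
        if (esc && fprintf(f, "%s=\"%s\"\n", kHdf5Sigs[i].keyword, esc) > 0) count++;
    }
    fclose(f);
    snprintf(path, sizeof path, "%s.options", name);
    if (!(f = fopen(path, "w"))) return -1;
    fprintf(f, "[libfuzzer]\nmax_len = %u\ndict = %s.dict\n", max_len, name);
    fclose(f);
    return count;
}
```

Call write_fuzzer_files("h5_extended_fuzzer", 65536) from a main of your own; a build.sh step then copies both outputs to $OUT, as the PR does, so libFuzzer picks them up next to the fuzzer binary.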