syntax = "proto2";
// Very simple proto description of the PNG format,
// described at https://en.wikipedia.org/wiki/Portable_Network_Graphics
// IHDR as modelled for the fuzzer: four required uint32 fields (tags 1-4).
// Only width and height carry PNG IHDR field names; how other1/other2 are
// written into the chunk is decided by the harness serializer, which is not
// part of this excerpt.
message IHDR {
// PNG IHDR width, carried as a 32-bit value.
required uint32 width = 1;
// PNG IHDR height, carried as a 32-bit value.
required uint32 height = 2;
// NOTE(review): the name does not say which IHDR byte(s) this feeds — confirm against the serializer.
required uint32 other1 = 3;
// NOTE(review): per the trailing comment only one byte is consumed; confirm how the serializer truncates the value.
required uint32 other2 = 4; // Only 1 byte used.
}
bshastry / libpng-proto-fuzzer.cc
Created January 25, 2019 11:45
libpng-proto fuzzer harness
// Example fuzzer for PNG using protos.
#include <string>
#include <sstream>
#include <fstream>
#include <zlib.h> // for crc32
#include "libprotobuf-mutator/src/libfuzzer/libfuzzer_macro.h"
#include "png_fuzz_proto.pb.h"
static void WriteInt(std::stringstream &out, uint32_t x) {
bshastry / Trace.txt
Created April 15, 2019 13:46
Trace
#### TRACE ####
PUSH1 pc=00000000 gas=10000000000 cost=3
PUSH1 pc=00000002 gas=9999999997 cost=3
Stack:
00000000 0000000000000000000000000000000000000000000000000000000000000080
MSTORE pc=00000004 gas=9999999994 cost=12
Stack:
00000000 0000000000000000000000000000000000000000000000000000000000000040
// assert(y+8 <= Image->ImageDesc.Height);
// assert(x+8*strlen(legend) <= Image->ImageDesc.Width);
void
GifDrawText8x8(SavedImage *Image,
const int x, const int y,
const char *legend,
const int color)
{
int i, j;
const char *cp;
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
INFO: Seed: 3690422858
INFO: Loaded 1 modules (602905 inline 8-bit counters): 602905 [0x77d3748, 0x7866a61),
INFO: Loaded 1 PC tables (602905 PCs): 602905 [0x581ace0,0x614de70),
./cmake-build-debug/test/tools/ossfuzz/abiV2_ossfuzz: Running 1 inputs 1 time(s) each.
Running: test/libsolidity/semanticTests/abiEncoderV2/calldata_array_static_index_access.sol
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:41: runtime error: unsigned integer overflow: 3217501051 + 2961470947 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:34: runtime error: unsigned integer overflow: 3745923821 + 1885696617 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:56: runtime error: unsigned integer overflow: 2454778661 + 1886544231 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:143:28
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
INFO: Seed: 3690422858
INFO: Loaded 1 modules (602905 inline 8-bit counters): 602905 [0x77d3748, 0x7866a61),
INFO: Loaded 1 PC tables (602905 PCs): 602905 [0x581ace0,0x614de70),
./cmake-build-debug/test/tools/ossfuzz/abiV2_ossfuzz: Running 1 inputs 1 time(s) each.
Running: test/libsolidity/semanticTests/abiEncoderV2/calldata_array_static_index_access.sol
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:41: runtime error: unsigned integer overflow: 3217501051 + 2961470947 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:34: runtime error: unsigned integer overflow: 3745923821 + 1885696617 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:129:56: runtime error: unsigned integer overflow: 2454778661 + 1886544231 cannot be represented in type 'unsigned int'
/home/bhargava/work/github/solidity/libdevcore/picosha2.h:143:28
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/45a5e4fe4e1ad692701beacb73888e741c504556
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/5ddde4533c4b0a1b298e7a03daec893513b5622d
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/d7a208ac644eda53556dd06aa7b85093e6a75ebb
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/fc91de10656dfee063d233b359aec49c6830ac6d
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/5612b37555b19745df8f05134f252e5503ddde2a
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/5f9d2de80d8d233d06f331c2b5cd2deacadb3fd1
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/a3429ef34c0b2a779b251fa99440191f6de3ca3a
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/895ea28d7a726936a178d6d33c7d68345b4c7f17
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/f95d765bcd206a0ea8835cdce3f0312331473a25
solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/59e90a2a8c804776e3139ce5e
INFO: Seed: 2647962259
INFO: Loaded 1 modules (65675 inline 8-bit counters): 65675 [0x13fe550, 0x140e5db),
INFO: Loaded 1 PC tables (65675 PCs): 65675 [0x111ed18,0x121f5c8),
./solidity/build/test/tools/ossfuzz/strictasm_diff_ossfuzz: Running 228 inputs 1 time(s) each.
Running: solidity-fuzzing-corpus/strictasm_assembly_ossfuzz_seed_corpus/45a5e4fe4e1ad692701beacb73888e741c504556
=================================================================
==21==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000004728 at pc 0x000000a03ee5 bp 0x7ffd41c38b50 sp 0x7ffd41c38b48
WRITE of size 4 at 0x608000004728 thread T0
#0 0xa03ee4 in __gnu_cxx::__exchange_and_add(int volatile*, int) /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/atomicity.h:49:12
#1 0xa03d7d in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/shared_ptr_base.h:152:6
bshastry / reverts.sol
Created July 4, 2019 13:58
Solidity program that leads to a revert (tested on geth)
pragma solidity >=0.0;
pragma experimental ABIEncoderV2;
contract Factory {
    /// @notice Deploys a fresh `C` and returns whatever its `f()` yields.
    /// @dev `C` is not defined in this excerpt; `f()` is expected to return a `uint`.
    ///      The deployment and the call happen in the same transaction, so a
    ///      revert in either propagates to the caller.
    /// @return The `uint` produced by the newly deployed `C`'s `f()`.
    function test() external returns (uint) {
        return (new C()).f();
    }
}
pragma solidity >=0.0;
pragma experimental ABIEncoderV2;
contract Factory {
    /// @notice Deploys a fresh `C` and returns whatever its `test()` yields.
    /// @dev `C` is not defined in this excerpt; its `test()` is expected to return a `uint`.
    ///      The deployment and the call happen in the same transaction, so a
    ///      revert in either propagates to the caller.
    /// @return The `uint` produced by the newly deployed `C`'s `test()`.
    function test() external returns (uint) {
        return (new C()).test();
    }
}