🏆 Trophy Case 🏆
A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:
- Help the community see what issues are common in Rust codebases (useful when e.g. designing APIs)
- Increase visibility of effective fuzz testing targets so people can reuse testing strategies
- Provide insight into the kinds of issues users can expect to find with a given fuzzer
These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default! Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!
Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory conditions, is not considered a security issue.
Crate | Information | Fuzzer | Category | Security? |
---|---|---|---|---|
alloy-json-abi | Stack Overflow in JsonAbi::parse | libfuzzer | so | |
artichoke | infinite loop in bison-generated C code | libfuzzer | loop | |
asn1 | #32 | afl | oom | |
async-h1 | non-ASCII input to method | libfuzzer | panic | |
bcrypt | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
bincode | invalid system time panic | libfuzzer | panic | |
bincode | invalid duration panic | libfuzzer | panic | |
bmfont | panic on unwrapping | libfuzzer | panic | |
boa | invalid spans | honggfuzz | logic | |
boa | Could not convert to BigInt | honggfuzz | logic | |
boa | invalid utf16 | honggfuzz | logic | |
boa | assignment to number | honggfuzz | logic | |
boa | division by zero | honggfuzz | arith | |
boa | assertion failure | libfuzzer | panic | |
brotli-rs | #10 | afl | panic | |
brotli-rs | #11 | afl | panic | |
brotli-rs | #12 | afl | panic | |
brotli-rs | #2 | afl | panic | |
brotli-rs | #3 | afl | panic | |
brotli-rs | #4 | afl | panic | |
brotli-rs | #5 | afl | oor | |
brotli-rs | #6 | afl | arith | |
brotli-rs | #7 | afl | oor | |
brotli-rs | #8 | afl | arith | |
brotli-rs | #9 | afl | arith | |
bson | #116 | libfuzzer | oom | |
bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
bson | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
capnproto-rust | reddit, e72746c | libfuzzer | logic | |
capnproto-rust | Out-of-bounds read | libfuzzer | oor | ❗️ |
chrono | overflow in date arithmetic | libfuzzer | arith | |
chrono | panic in checked_add_days | libfuzzer + bolero | panic | |
clap | issue/2264 | afl | utf-8 | |
claxon | 0fd8815 | libfuzzer | unwrap | |
claxon | 21b1db4 | libfuzzer | oor | |
claxon | 875c3b2 | libfuzzer | logic | |
claxon | c036944 | libfuzzer | logic | |
claxon | Massive slowdown on malformed input | libfuzzer | other | |
claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ❗️ |
comrak | #65 | libfuzzer | oor | |
cookie | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
cpp_demangle | Multiple panics | afl | unwrap, arith | |
cranelift | #418 | libfuzzer | logic | |
csscolorparser | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
cssparser | floating-point parsing imprecision | libfuzzer | logic | |
cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
deflate-rs | #40 | afl | logic | |
deflate-rs | #42 | afl | logic | |
der | arithmetic overflow leading to index out of bounds | libfuzzer | arith | |
der-parser | arithmetic overflow | libfuzzer | arith | |
dhcp4r | #6 | libfuzzer | oor | |
encoding_rs | #44 | afl | logic | |
exmex | #8 | honggfuzz | arith, logic | |
exmex | #13 | libfuzzer | utf-8 | |
fatfs | arithmetic overflow | libfuzzer | arith | |
flac | #3 | afl | oom | |
flac | index out of bounds | libfuzzer | oor | |
flatgeobuf | #85 | libfuzzer | oom | |
flatgeobuf | #86 | libfuzzer | oor | |
flif | #26 | libfuzzer | oom | |
fontdue | arithmetic overflow | libfuzzer | arith | |
fontdue | slow parsing | libfuzzer | other | |
geo | #531 | libfuzzer | logic | |
geo | #536 | libfuzzer | logic | |
goblin | memory exhaustion | afl | oom | |
goblin | memory exhaustion | libfuzzer | oom | |
h2 | #260 | honggfuzz | oor | |
h2 | #261 | honggfuzz | panic | |
h2 | #262 | honggfuzz | panic | |
h2 | assertion failure | libfuzzer | panic | |
handlebars | index out of bounds | libfuzzer | oor | |
handlebars | unwrap panic | libfuzzer | unwrap | |
hjson-rust | invalid utf8 | libfuzzer | utf-8 | |
hjson-rust | subtract with overflow | libfuzzer | arith | |
hjson-rust | removal index (is 0) should be < len | libfuzzer | logic | |
hjson-rust | panics on ParseIntError | libfuzzer | arith | |
httparse | #9 | afl | arith | |
httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
human-name | several panics | libfuzzer | logic, arith | |
hyper | arithmetic overflow | libfuzzer | arith | |
image | #1238 | afl | oor | |
image | #414 | afl | logic | |
image | #473 | afl | arith | |
image | #474 | afl | unwrap | |
image | #477 | afl | oor | |
image | #622 | libfuzzer | oom | |
image | #623 | libfuzzer | oom | |
image | #624 | libfuzzer | oom | |
image | #625 | libfuzzer | oor | |
image | #876 | afl | oor | |
image | #877 | afl | arith | |
image | #878 | afl | oor | |
image | Failed to break on an EOF | afl | oor | |
image | arithmetic overflow | libfuzzer | arith | |
image-gif | infinite loop | libfuzzer | loop | |
inflate | arithmetic overflow | libfuzzer | arith | |
ipfix | index out of bounds | libfuzzer | oor | |
jpeg-decoder | #38 | afl | unwrap | |
jpeg-decoder | #50 | afl | oom | |
jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
jpeg-decoder | #180 | libfuzzer | logic | |
jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
json-rust | arithmetic overflow | afl | arith | |
json-rust | issue/193 | afl | panic | |
jsonschema | issue/253 | libfuzzer | oor | |
juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
just | #363 | libfuzzer | logic | |
kalker | index out of bounds | libfuzzer | oor | |
lewton | enormous CPU and memory consumption on crafted input | afl | other | |
lewton | index out of bounds | honggfuzz | oor | |
lewton | index out of bounds | afl | oor | |
lewton | index out of bounds | afl | oor | |
lewton | index out of bounds | afl | oor | |
lewton | infinite loop | afl | loop | |
lewton | large CPU and memory consumption on crafted input | afl | other | |
lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
lewton | memory exhaustion | afl | oom | |
lexical | arithmetic overflow | libfuzzer | arith | |
lexical | arithmetic overflow | libfuzzer | arith | |
lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
libflate | 258cf44 | honggfuzz | oor | |
libflate | 6157daa | honggfuzz | panic | |
libflate | dc77163 | honggfuzz | unwrap | |
libflate | Out-of-bounds read in unsafe code | afl | oor | |
libflate | internal assertion failure | libfuzzer | panic | |
libpnet | arithmetic overflow | libfuzzer | arith | |
libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
lodepng-rust | memory leak | libfuzzer | oom | |
lopdf | arithmetic overflow | libfuzzer | arith | |
lz-fear | index out of bounds | libfuzzer | oor | |
lz-fear | index out of bounds | libfuzzer | oor | |
lz-fear | memory exhaustion | libfuzzer | oom | |
lz4_flex | memcpy-param-overlap | libfuzzer | other | |
lz4_flex | heap-buffer-overflow | libfuzzer | oor | ❗️ |
lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
matchit | invalid utf-8 | libfuzzer | utf-8 | |
minidump | #7 | libfuzzer | panic | |
minidump | unbounded allocation | libfuzzer | oom | |
minidump | slicing out of bounds | libfuzzer | oor | |
minidump | creating backwards ranges | libfuzzer | panic | |
minidump | add with overflow #413 | libfuzzer | arith | |
minidump | add with overflow #422 | libfuzzer | arith | |
minidump | add with overflow #425 | libfuzzer | arith | |
minidump | infinitely extending vec OOM | libfuzzer | oom | |
minidump | subtract with overflow #439 | libfuzzer | arith | |
minidump | index OOB | libfuzzer | oor | |
miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
miniz_oxide | Infinite loop | libfuzzer | loop | |
Molten | #41 | libfuzzer | utf-8 | |
Molten | #42 | libfuzzer | oor | |
mongo_driver | #55 | libfuzzer | unwrap | |
mp3-metadata | Multiple panics | afl | oor | |
mp4ameta | unbounded allocation | libfuzzer | oom | |
mp4parse-rust | #2 | afl | panic | |
mp4parse-rust | #4 | afl | panic | |
mp4parse-rust | #5 | afl | panic | |
mp4parse-rust | #6 | afl | panic | |
msgpack-rust | #151 | afl | oom | |
naga | slicing not on a character boundary | libfuzzer | utf-8 | |
ncurses-rs | string with \0 | libfuzzer | unwrap | |
nifti | out of bounds array slicing | libfuzzer | oor | |
nom | arithmetic overflow | libfuzzer | arith | |
npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
ntfs | multiply with overflow | libfuzzer | arith | |
ntfs | index OOB | libfuzzer | oor | |
ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
num | panic on BigInt parsing | libfuzzer | unwrap | |
pancurses | string with \0 | libfuzzer | unwrap | |
parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
pcapng | arithmetic overflow | libfuzzer | arith | |
| index out of bounds | libfuzzer | oor | |
| infinite loop | libfuzzer | loop | |
| stack overflow (unbounded recursion) | libfuzzer | so | |
| stack overflow (unbounded recursion) | libfuzzer | so | |
| stack overflow (unbounded recursion) | libfuzzer | so | |
| stack overflow (unbounded recursion) | libfuzzer | so | |
| index out of bounds #122 | libfuzzer | oor | |
| index out of bounds #123 | libfuzzer | oor | |
| index out of bounds #124 | libfuzzer | oor | |
| index out of bounds #126 | libfuzzer | oor | |
pgp | subtract with overflow | libfuzzer | arith | |
phonenumber | internal unwrap | libfuzzer | unwrap | |
picky | #10 | libfuzzer | unwrap | |
picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
plist | arithmetic overflow | libfuzzer | arith | |
png | crash on malformed input | afl | oom | |
png | incorrect buffer size due to integer overflow | afl | arith, oom | |
png | infinite loop on crafted input | libfuzzer | loop | |
png | panic on malformed input | libfuzzer | oor | |
png | panic on malformed input | libfuzzer | unwrap | |
png | panic on malformed input | libfuzzer | oor | |
png | panic on malformed input | afl | unwrap, logic | |
prettytable-rs | subtract with overflow | libfuzzer | arith | |
proc-macro2 | #54 | afl | utf-8 | |
proc-macro2 | #55 | afl | so | |
prost | Stack overflow | afl | so | |
pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
pulldown-cmark | string slice out of bounds | libfuzzer | oor | |
pulldown-cmark | beginning more than end slice index | libfuzzer | oor | |
pulldown-cmark | option unwrap parsing heading attributes | libfuzzer | unwrap | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | arithmetic overflow | libfuzzer | arith | |
quick-xml | index out of bounds | libfuzzer | oor | |
quick-xml | internal unreachable panic | libfuzzer | panic | |
rasn | failed round trip | libfuzzer | logic | |
rawloader | abort on huge memory allocation | afl | oom | |
rav1e | Invalid assertion in rate control | libfuzzer | panic | |
rav1e | LRF crash when encoding tiny frames | libfuzzer | panic | |
rav1e | CDEF UV direction mismatch for 4:2:2 | libfuzzer | logic | |
rav1e | Safe wrappers for-sys dav1d | libfuzzer | logic | |
rav1e | Crash with 4 tiles for 1080p 4:2:2 | libfuzzer | logic | |
rav1e | Buffer underflow in CDEF pad_into_tmp16 | libfuzzer | so | |
rav1e | Tiling mismatch for 4:2:2 | libfuzzer | logic | |
rav1e | Encode-decode mismatch | libfuzzer | logic | |
rav1e | Crash on width or height of 1 | libfuzzer | panic | |
rav1e | Encoder admits invalid color configuration | libfuzzer | logic | |
redis | Multiplication overflow panics in the parser | afl | arith | |
regex | #417 | afl | utf-8 | |
regex | #84 | afl | unwrap | |
regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
regex | index out of bounds | honggfuzz | oor | |
regex | regex parsing panics with blog post | libfuzzer | unwrap | |
regex | Unexpected match branch | honggfuzz | logic | |
regex | issue/738 | afl | arith, oor, utf-8 | |
risuto | server DoS on user input date out of range | libfuzzer + bolero | panic | |
risuto | server DoS on user input date during a timezone change | libfuzzer + bolero | panic | |
rmpv | Unchecked vector pre-allocation | afl | oom | |
ron | stack overflow (unbounded recursion) | libfuzzer | so | |
ron | Maps are wrapped in a sequence | libfuzzer | logic | |
roughenough | handle truncated message | afl | oor | |
roughenough | incorrect range check fix | libfuzzer | logic | |
roughenough | reject messages with zero tags | afl | logic, oor | |
roughenough | reject short single tag messages | afl | logic, oor | |
roughenough | return Error instead of panicking | afl | panic | |
roughenough | validate tag offset not past end of message | afl | logic | |
roughenough | validate value offset not past end of message | afl | logic | |
rust-ini | invalid codepoint | libfuzzer | utf-8 | |
rustc | #24275 | afl | other | |
rustc | #50577 | prog-fuzz | logic | |
rustc | #50582 | prog-fuzz | logic | |
rustc | #50585 | prog-fuzz | logic | |
rustc | #50600 | prog-fuzz | logic | |
rustc | #50637 | prog-fuzz | loop | |
rustc | #51070 | prog-fuzz | logic | |
rustc | #62524 #62546 #62554 #62863 #62881 #62894 #62895 #62913 #62973 #63116 #63135 #66473 #68629 #68730 #68890 #69130 #69310 #69378 #69396 #69401 #69600 #69602 #70549 #70552 #70594 #70608 #70677 #70724 #70736 #70763 #70813 #70942 #71297 #71471 #71798 #72410 #84104 #84117 #84148 #84149 #86895 #88770 #92267 | fuzz-rustc | utf-8, panic, oom, loop, oor, unwrap | |
rustc-demangle | multiply with overflow | libfuzzer | arith | |
rustc-serialize | #109 | afl | arith | |
rustc-serialize | #110 | afl | panic | |
semver | logic error | libfuzzer | logic | |
semver | issue/227 | afl | unwrap | |
Sequoia-PGP | #514 | libfuzzer | arith | |
Sequoia-PGP | #515 | libfuzzer | utf-8 | |
Sequoia-PGP | #516 | libfuzzer | oor | |
serde | #75 | afl | arith | |
serde | #77 | afl | arith | |
serde | #82 | afl | so | |
serde-yaml | #49 | libfuzzer | so | |
serde-yaml | #88 | libfuzzer | logic | |
simple_asn1 | #9 | libfuzzer | arith, oor | |
sleep-parser | #3 | honggfuzz | oor, utf-8 | |
smoltcp | arithmetic underflow | libfuzzer | arith | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
smoltcp | index out of bounds | libfuzzer | oor | |
snap | #12 | libfuzzer | oor | |
snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
soroban-env | incorrect comparison functions | libfuzzer | logic | |
soroban-env | incorrect comparison functions | libfuzzer | logic | |
soroban-env | incorrect conversion | libfuzzer | logic | |
sqlformat | panic on unwrapping error due to failure to parse int | libfuzzer | unwrap | |
sqlparser | stack overflow (unbounded recursion) | libfuzzer | so | |
ssh-keys | #3 | afl | oor | |
ssh-keys | panic on slice indexing | libfuzzer | oor | |
ssh-parser | arithmetic overflow | libfuzzer | arith | |
stellar-xdr | incorrect comparison functions | libfuzzer | logic | |
svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
svgparser | endless loop | libfuzzer | loop | |
swf-parser | #23 | libfuzzer | logic | |
sxd-document | use after free | libfuzzer | uaf | ❗️ |
symbolic-demangle | extremely slow demangling, OOM | libfuzzer | oom | |
symbolic-minidump | segfault in exposed C++ library | libfuzzer | segfault | ❗️ |
symbolic-unreal | unbounded allocation | libfuzzer | oom | |
symphonia | panic on unwrapping | libfuzzer | unwrap | |
syn | Unrecognized literal | libfuzzer | logic | |
syn | panic when parsing impl | libfuzzer | logic | |
tar-rs | #23 | afl | arith | |
tera | #396 | libfuzzer | arith, logic | |
tera | unimplemented panic | libfuzzer | panic | |
tf-demo-parser | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
tiff | index out of bounds | afl | oor | |
tiff | infinite loop on malformed input | afl | loop | |
tiff | memory exhaustion on malformed input | afl | oom | |
tiff | panic on attempt to divide by zero | afl | arith | |
time | issue/309 | afl | panic, arith | |
tinytemplate | beginning more than end on string slicing | libfuzzer | oor | |
tinyvec | arithmetic underflow | rutenspitz | arith | |
tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
todotxt.rs | index out of bounds | libfuzzer | oor | |
tokei | panic | libfuzzer | oor | |
tokei | consistency #725 | libfuzzer | logic | |
toml | #178 | libfuzzer | logic | |
toml | #179 | libfuzzer | logic | |
toml | #180 | libfuzzer | logic | |
toml | #181 | libfuzzer | logic | |
toml | #185 | libfuzzer | logic | |
toml | #186 | libfuzzer | logic | |
toml | stack overflow (unbounded recursion) | libfuzzer | so | |
toml_edit | stack overflow (unbounded recursion) | libfuzzer | so | |
trust-dns-proto | Incorrect length check in Encoding | libfuzzer | logic | |
trust-dns-proto | ZERO resource records are mis-parsed | libfuzzer | logic | |
trust-dns-proto | Incorrect handling of escapes | libfuzzer | logic | |
ttf-parser | infinite loop | libfuzzer | loop | |
ttf-parser | assertion failure | libfuzzer | panic | |
tui | issue/446 | afl | arith | |
ubyte | multiply with overflow when parsing fractional number | libfuzzer | arith | |
unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
unicode-segmentation | word boundary correctness | libfuzzer | logic | |
unified-diff | lines before 1, with no context | libfuzzer | logic | |
url | #108 | afl | oor | |
url | infinite loop | libfuzzer | loop | |
url | slicing error | afl | oor | |
url | out of index | afl | oor | |
url | failed round trip parse | libfuzzer | logic | |
uuid | index out of bounds | libfuzzer | oor | |
v_escape | heap buffer overflow | libfuzzer | oor | ❗️ |
vial | arithmetic overflow | libfuzzer | arith | |
vosub | arithmetic overflow | libfuzzer | arith | |
vosub | invalid slice | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | oor | |
vosub | invalid slice | libfuzzer | panic | |
vosub | shift overflow | libfuzzer | arith | |
wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
wayland-rs | #187 | libfuzzer | oor | |
ws-rs | arithmetic overflow | libfuzzer | arith | |
xi-editor | issue/1303 | afl | arith | |
xml-rs | #93 | afl | utf-8 | |
xml-rs | arithmetic overflow | libfuzzer | arith | |
yaxpeax-x86 | #12 arithmetic overflow | libfuzzer | arith | |
yaxpeax-x86 | #13 arithmetic overflow | libfuzzer | arith | |
yaxpeax-x86 | #15 arithmetic overflow | libfuzzer | arith | |
zip-rs | arithmetic overflow | libfuzzer | arith | |
zip-rs | arithmetic overflow | libfuzzer | arith | |
zune-jpeg | heap buffer overflow | libfuzzer | oor | ❗️ |
Description of categories:
- arith: Arithmetic error, e.g. integer overflow
- logic: Logic bug
- loop: Infinite loop
- oom: Out of memory
- oor: Out of range access
- segfault: Program segfaulted
- so: Stack overflow
- uaf: Use after free
- uninit: Program discloses contents of uninitialized memory
- unwrap: Call to `unwrap` on `None` or `Err(_)`
- utf-8: Problem with UTF-8 string handling, e.g. taking a char not at a char boundary
- panic: A panic not covered by any of the above
- other: Anything that does not fit in another category, or where it is unclear what the problem is