🏆 Trophy Case 🏆

A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:

These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default! Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!

Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory errors, is not considered a security issue.

| Crate | Information | Fuzzer | Category | Security? |
|---|---|---|---|---|
| alloy-json-abi | Stack Overflow in JsonAbi::parse | libfuzzer | so | |
| artichoke | infinite loop in bison-generated C code | libfuzzer | loop | |
| asn1 | #32 | afl | oom | |
| async-h1 | non-ASCII input to method | libfuzzer | panic | |
| bcrypt | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| bincode | invalid system time panic | libfuzzer | panic | |
| bincode | invalid duration panic | libfuzzer | panic | |
| bmfont | panic on unwrapping | libfuzzer | panic | |
| boa | invalid spans | honggfuzz | logic | |
| boa | Could not convert to BigInt | honggfuzz | logic | |
| boa | invalid utf16 | honggfuzz | logic | |
| boa | assignment to number | honggfuzz | logic | |
| boa | division by zero | honggfuzz | arith | |
| boa | assertion failure | libfuzzer | panic | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | #116 | libfuzzer | oom | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| bson | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| capnproto-rust | Out-of-bounds read | libfuzzer | oor | ❗️ |
| chrono | overflow in date arithmetic | libfuzzer | arith | |
| chrono | panic in checked_add_days | libfuzzer + bolero | panic | |
| clap | issue/2264 | afl | utf-8 | |
| claxon | 0fd8815 | libfuzzer | unwrap | |
| claxon | 21b1db4 | libfuzzer | oor | |
| claxon | 875c3b2 | libfuzzer | logic | |
| claxon | c036944 | libfuzzer | logic | |
| claxon | Massive slowdown on malformed input | libfuzzer | other | |
| claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ❗️ |
| comrak | #65 | libfuzzer | oor | |
| cookie | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| cpp_demangle | Multiple panics | afl | unwrap, arith | |
| cranelift | #418 | libfuzzer | logic | |
| csscolorparser | indexing on non-utf8 boundary | libfuzzer | utf-8 | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
| deflate-rs | #40 | afl | logic | |
| deflate-rs | #42 | afl | logic | |
| der | arithmetic overflow leading to index out of bounds | libfuzzer | arith | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| dhcp4r | #6 | libfuzzer | oor | |
| encoding_rs | #44 | afl | logic | |
| exmex | #8 | honggfuzz | arith, logic | |
| exmex | #13 | libfuzzer | utf-8 | |
| fatfs | arithmetic overflow | libfuzzer | arith | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flatgeobuf | #85 | libfuzzer | oom | |
| flatgeobuf | #86 | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| fontdue | arithmetic overflow | libfuzzer | arith | |
| fontdue | slow parsing | libfuzzer | other | |
| geo | #531 | libfuzzer | logic | |
| geo | #536 | libfuzzer | logic | |
| goblin | memory exhaustion | afl | oom | |
| goblin | memory exhaustion | libfuzzer | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| h2 | assertion failure | libfuzzer | panic | |
| handlebars | index out of bounds | libfuzzer | oor | |
| handlebars | unwrap panic | libfuzzer | unwrap | |
| hjson-rust | invalid utf8 | libfuzzer | utf-8 | |
| hjson-rust | subtract with overflow | libfuzzer | arith | |
| hjson-rust | removal index (is 0) should be < len | libfuzzer | logic | |
| hjson-rust | panics on ParseIntError | libfuzzer | arith | |
| httparse | #9 | afl | arith | |
| httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
| httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
| human-name | several panics | libfuzzer | logic, arith | |
| hyper | arithmetic overflow | libfuzzer | arith | |
| image | #1238 | afl | oor | |
| image | #414 | afl | logic | |
| image | #473 | afl | arith | |
| image | #474 | afl | unwrap | |
| image | #477 | afl | oor | |
| image | #622 | libfuzzer | oom | |
| image | #623 | libfuzzer | oom | |
| image | #624 | libfuzzer | oom | |
| image | #625 | libfuzzer | oor | |
| image | #876 | afl | oor | |
| image | #877 | afl | arith | |
| image | #878 | afl | oor | |
| image | Failed to break on an EOF | afl | oor | |
| image | arithmetic overflow | libfuzzer | arith | |
| image-gif | infinite loop | libfuzzer | loop | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | unwrap | |
| jpeg-decoder | #50 | afl | oom | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| jpeg-decoder | 180 | libfuzzer | logic | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| json-rust | arithmetic overflow | afl | arith | |
| json-rust | issue/193 | afl | panic | |
| jsonschema | issue/253 | libfuzzer | oor | |
| juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
| just | #363 | libfuzzer | logic | |
| kalker | index out of bounds | libfuzzer | oor | |
| lewton | enormous CPU and memory consumption on crafted input | afl | other | |
| lewton | index out of bounds | honggfuzz | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | infinite loop | afl | loop | |
| lewton | large CPU and memory consumption on crafted input | afl | other | |
| lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
| lewton | memory exhaustion | afl | oom | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
| libflate | 258cf44 | honggfuzz | oor | |
| libflate | 6157daa | honggfuzz | panic | |
| libflate | dc77163 | honggfuzz | unwrap | |
| libflate | Out-of-bounds read in unsafe code | afl | oor | |
| libflate | internal assertion failure | libfuzzer | panic | |
| libpnet | arithmetic overflow | libfuzzer | arith | |
| libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| lopdf | arithmetic overflow | libfuzzer | arith | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | memory exhaustion | libfuzzer | oom | |
| lz4_flex | memcpy-param-overlap | libfuzzer | other | |
| lz4_flex | heap-buffer-overflow | libfuzzer | oor | ❗️ |
| lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
| matchit | invalid utf-8 | libfuzzer | utf-8 | |
| minidump | #7 | libfuzzer | panic | |
| minidump | unbounded allocation | libfuzzer | oom | |
| minidump | slicing out of bounds | libfuzzer | oor | |
| minidump | creating backwards ranges | libfuzzer | panic | |
| minidump | add with overflow #413 | libfuzzer | arith | |
| minidump | add with overflow #422 | libfuzzer | arith | |
| minidump | add with overflow #425 | libfuzzer | arith | |
| minidump | infinitely extending vec OOM | libfuzzer | oom | |
| minidump | subtract with overflow #439 | libfuzzer | arith | |
| minidump | index OOB | libfuzzer | oor | |
| miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
| miniz_oxide | Infinite loop | libfuzzer | loop | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mongo_driver | #55 | libfuzzer | unwrap | |
| mp3-metadata | Multiple panics | afl | oor | |
| mp4ameta | unbounded allocation | libfuzzer | oom | |
| mp4parse-rust | #2 | afl | panic | |
| mp4parse-rust | #4 | afl | panic | |
| mp4parse-rust | #5 | afl | panic | |
| mp4parse-rust | #6 | afl | panic | |
| msgpack-rust | #151 | afl | oom | |
| naga | slicing not on a character boundary | libfuzzer | utf-8 | |
| ncurses-rs | string with \0 | libfuzzer | unwrap | |
| nifti | out of bounds array slicing | libfuzzer | oor | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
| ntfs | multiply with overflow | libfuzzer | arith | |
| ntfs | index OOB | libfuzzer | oor | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| pancurses | string with \0 | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
| pcapng | arithmetic overflow | libfuzzer | arith | |
| pdf | index out of bounds | libfuzzer | oor | |
| pdf | infinite loop | libfuzzer | loop | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | stack overflow (unbounded recursion) | libfuzzer | so | |
| pdf | index out of bounds #122 | libfuzzer | oor | |
| pdf | index out of bounds #123 | libfuzzer | oor | |
| pdf | index out of bounds #124 | libfuzzer | oor | |
| pdf | index out of bounds #126 | libfuzzer | oor | |
| pgp | subtract with overflow | libfuzzer | arith | |
| phonenumber | internal unwrap | libfuzzer | unwrap | |
| picky | #10 | libfuzzer | unwrap | |
| picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
| plist | arithmetic overflow | libfuzzer | arith | |
| png | crash on malformed input | afl | oom | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| png | infinite loop on crafted input | libfuzzer | loop | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| prettytable-rs | subtract with overflow | libfuzzer | arith | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| prost | Stack overflow | afl | so | |
| pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| pulldown-cmark | string slice out of bounds | libfuzzer | oor | |
| pulldown-cmark | beginning more than end slice index | libfuzzer | oor | |
| pulldown-cmark | option unwrap parsing heading attributes | libfuzzer | unwrap | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| quick-xml | internal unreachable panic | libfuzzer | panic | |
| rasn | failed round trip | libfuzzer | logic | |
| rawloader | abort on huge memory allocation | afl | oom | |
| rav1e | Invalid assertion in rate control | libfuzzer | panic | |
| rav1e | LRF crash when encoding tiny frames | libfuzzer | panic | |
| rav1e | CDEF UV direction mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Safe wrappers for-sys dav1d | libfuzzer | logic | |
| rav1e | Crash with 4 tiles for 1080p 4:2:2 | libfuzzer | logic | |
| rav1e | Buffer underflow in CDEF pad_into_tmp16 | libfuzzer | so | |
| rav1e | Tiling mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Encode-decode mismatch | libfuzzer | logic | |
| rav1e | Crash on width or height of 1 | libfuzzer | panic | |
| rav1e | Encoder admits invalid color configuration | libfuzzer | logic | |
| redis | Multiplication overflow panics in the parser | afl | arith | |
| regex | #417 | afl | utf-8 | |
| regex | #84 | afl | unwrap | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | regex parsing panics with blog post | libfuzzer | unwrap | |
| regex | Unexpected match branch | honggfuzz | logic | |
| regex | issue/738 | afl | arith, oor, utf-8 | |
| risuto | server DoS on user input date out of range | libfuzzer + bolero | panic | |
| risuto | server DoS on user input date during a timezone change | libfuzzer + bolero | panic | |
| rmpv | Unchecked vector pre-allocation | afl | oom | |
| ron | stack overflow (unbounded recursion) | libfuzzer | so | |
| ron | Maps are wrapped in a sequence | libfuzzer | logic | |
| roughenough | handle truncated message | afl | oor | |
| roughenough | incorrect range check fix | libfuzzer | logic | |
| roughenough | reject messages with zero tags | afl | logic, oor | |
| roughenough | reject short single tag messages | afl | logic, oor | |
| roughenough | return Error instead of panicking | afl | panic | |
| roughenough | validate tag offset not past end of message | afl | logic | |
| roughenough | validate value offset not pass end of message | afl | logic | |
| rust-ini | invalid codepoint | libfuzzer | utf-8 | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc | #62524 #62546 #62554 #62863 #62881 #62894 #62895 #62913 #62973 #63116 #63135 #66473 #68629 #68730 #68890 #69130 #69310 #69378 #69396 #69401 #69600 #69602 #70549 #70552 #70594 #70608 #70677 #70724 #70736 #70763 #70813 #70942 #71297 #71471 #71798 #72410 #84104 #84117 #84148 #84149 #86895 #88770 #92267 | fuzz-rustc | utf-8, panic, oom, loop, oor, unwrap | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| semver | logic error | libfuzzer | logic | |
| semver | issue/227 | afl | unwrap | |
| Sequoia-PGP | #514 | libfuzzer | arith | |
| Sequoia-PGP | #515 | libfuzzer | utf-8 | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| simple_asn1 | #9 | libfuzzer | arith, oor | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snap | #12 | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| soroban-env | incorrect comparison functions | libfuzzer | logic | |
| soroban-env | incorrect comparison functions | libfuzzer | logic | |
| soroban-env | incorrect conversion | libfuzzer | logic | |
| sqlformat | panic on unwrapping error due to failure to parse int | libfuzzer | unwrap | |
| sqlparser | stack overflow (unbounded recursion) | libfuzzer | so | |
| ssh-keys | #3 | afl | oor | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| stellar-xdr | incorrect comparison functions | libfuzzer | logic | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| swf-parser | #23 | libfuzzer | logic | |
| sxd-document | use after free | libfuzzer | uaf | ❗️ |
| symbolic-demangle | extremely slow demangling, OOM | libfuzzer | oom | |
| symbolic-minidump | segfault in exposed C++ library | libfuzzer | segfault | ❗️ |
| symbolic-unreal | unbounded allocation | libfuzzer | oom | |
| symphonia | panic on unwrapping | libfuzzer | unwrap | |
| syn | Unrecognized literal | libfuzzer | logic | |
| syn | panic when parsing impl | libfuzzer | logic | |
| tar-rs | #23 | afl | arith | |
| tera | #396 | libfuzzer | arith, logic | |
| tera | unimplemented panic | libfuzzer | panic | |
| tf-demo-parser | arithmetic overflow leading to out of memory | libfuzzer | arith, oom | |
| tiff | index out of bounds | afl | oor | |
| tiff | infinite loop on malformed input | afl | loop | |
| tiff | memory exhaustion on malformed input | afl | oom | |
| tiff | panic on attempt to divide by zero | afl | arith | |
| time | issue/309 | afl | panic, arith | |
| tinytemplate | beginning more than end on string slicing | libfuzzer | oor | |
| tinyvec | arithmetic underflow | rutenspitz | arith | |
| tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
| tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| tokei | panic | libfuzzer | oor | |
| tokei | consistency #725 | libfuzzer | logic | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| toml | stack overflow (unbounded recursion) | libfuzzer | so | |
| toml_edit | stack overflow (unbounded recursion) | libfuzzer | so | |
| trust-dns-proto | Incorrect length check in Encoding | libfuzzer | logic | |
| trust-dns-proto | ZERO resource records are mis-parsed | libfuzzer | logic | |
| trust-dns-proto | Incorrect handling of escapes | libfuzzer | logic | |
| ttf-parser | infinite loop | libfuzzer | loop | |
| ttf-parser | assertion failure | libfuzzer | panic | |
| tui | issue/446 | afl | arith | |
| ubyte | multiply with overflow when parsing fractional number | libfuzzer | arith | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
| unicode-segmentation | word boundary correctness | libfuzzer | logic | |
| unified-diff | lines before 1, with no context | libFuzzer | logic | |
| url | #108 | afl | oor | |
| url | infinite loop | libfuzzer | loop | |
| url | slicing error | afl | oor | |
| url | out of index | afl | oor | |
| url | failed round trip parse | libfuzzer | logic | |
| uuid | index out of bounds | libfuzzer | oor | |
| v_escape | heap buffer overflow | libfuzzer | oor | ❗️ |
| vial | arithmetic overflow | libfuzzer | arith | |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xi-editor | issue/1303 | afl | arith | |
| xml-rs | #93 | afl | utf-8 | |
| xml-rs | arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #12 arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #13 arithmetic overflow | libfuzzer | arith | |
| yaxpeax-x86 | #15 arithmetic overflow | libfuzzer | arith | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
| zune-jpeg | heap buffer overflow | libfuzzer | oor | ❗️ |

Description of categories: