ICU-23336 Fix undefined behavior in dtfmtsym_fuzzer: validate enum values#3889

Open

OwenSanzas wants to merge 1 commit into unicode-org:main from OwenSanzas:fix/dtfmtsym-fuzzer-enum-validation

Conversation

@OwenSanzas

Summary

The dtfmtsym_fuzzer harness reads DtContextType and DtWidthType directly from fuzz data via memcpy into enum variables without validation. Loading arbitrary bit patterns into C++ enum types is undefined behavior.

Confirmed with UndefinedBehaviorSanitizer:

runtime error: load of value 3735928559, which is not a valid value
for type 'icu::DateFormatSymbols::DtContextType'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dtfmtsym_fuzzer.cpp:28:13

The harness already partially addressed this by creating context_mod and width_mod validated versions, but it also passed the raw unvalidated context and width to getMonths(), getWeekdays(), getYearNames(), and getZodiacNames().

Changes

  1. Read fuzz data into int32_t instead of directly into enum types (eliminates UB at the memcpy point)
  2. Validate values with abs + modulo before casting to the enum type
  3. Remove duplicate API calls that used raw unvalidated values alongside validated _mod versions

Experimental Verification (60-second fuzzing, AddressSanitizer)

| Metric   | Original | Fixed |
|----------|----------|-------|
| Edge cov | 3197     | 3181  |
| Features | 9373     | 9199  |
| Corpus   | 448      | 444   |
| Exec/s   | 4754     | 4729  |

Coverage is equivalent — the fix eliminates the UB without affecting fuzzing effectiveness.

UBSan Evidence

  • Original: crashes with crafted input containing context=0xDEADBEEF, width=0xDEADBEEF
  • Fixed: passes cleanly with the same input

…fuzz data

The harness reads DtContextType and DtWidthType directly from fuzz data
via memcpy into enum variables without validation. These arbitrary values
are undefined behavior when loaded as C++ enum types, confirmed by
UndefinedBehaviorSanitizer:

  runtime error: load of value 3735928559, which is not a valid value
  for type 'icu::DateFormatSymbols::DtContextType'

The fix reads into int32_t first, then clamps to valid enum ranges using
modulo before casting to the enum type. Also removes duplicate API calls
that used the raw unvalidated values alongside validated _mod versions.
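The pattern described in the Changes list and in the commit message above, shown as an added example rather than the PR's or ICU's own code: the unvalidated memcpy-into-enum read beside the hardened read-into-int32_t-then-reduce form. The enums are stand-ins mirroring ICU's DateFormatSymbols enumerators, and the reduction goes through an unsigned cast instead of abs() so the INT32_MIN corner case cannot overflow.

```cpp
#include <stdint.h>
#include <string.h>
namespace example {
// Stand-ins mirroring icu::DateFormatSymbols::DtContextType / DtWidthType,
// constructed here so the block compiles without ICU.
enum DtContextType { FORMAT, STANDALONE, DT_CONTEXT_COUNT };
enum DtWidthType { ABBREVIATED, WIDE, NARROW, SHORT, DT_WIDTH_COUNT };

// Pattern the PR removes: fuzz bytes copied straight into an enum object.
// A bit pattern outside the enumerator range is undefined behaviour when
// loaded (UBSan: "load of value ..., which is not a valid value for type").
DtContextType readContextRaw(const uint8_t* data) {
    DtContextType context;
    memcpy(&context, data, sizeof(context));  // UB on arbitrary input
    return context;
}

// Hardened form: read into int32_t (every bit pattern is a valid int32_t),
// reduce into [0, count), then cast. The reduction goes through uint32_t
// rather than abs() so INT32_MIN cannot overflow.
template <typename E>
E clampToEnum(int32_t raw, E count) {
    uint32_t u = static_cast<uint32_t>(raw);
    return static_cast<E>(u % static_cast<uint32_t>(count));
}

struct SafeHarness {
    DtContextType context = FORMAT;
    DtWidthType width = ABBREVIATED;
    bool read(const uint8_t* data, size_t size) {
        int32_t rawContext = 0, rawWidth = 0;
        if (size < sizeof(rawContext) + sizeof(rawWidth)) return false;
        memcpy(&rawContext, data, sizeof(rawContext));
        memcpy(&rawWidth, data + sizeof(rawContext), sizeof(rawWidth));
        context = clampToEnum(rawContext, DT_CONTEXT_COUNT);
        width = clampToEnum(rawWidth, DT_WIDTH_COUNT);
        return true;
    }
};

// Build an 8-byte input from one 32-bit pattern (repeated, host byte order)
// and run the hardened reader over it.
SafeHarness parseFuzzPattern(uint32_t pattern) {
    uint8_t buf[8];
    memcpy(buf, &pattern, 4);
    memcpy(buf + 4, &pattern, 4);
    SafeHarness h;
    h.read(buf, sizeof(buf));
    return h;
}
}  // namespace example
```

With the 0xDEADBEEF input from the PR, the hardened reader yields STANDALONE and SHORT instead of tripping UBSan; readContextRaw is left uncalled here because executing it on that input is exactly the undefined behaviour the PR removes.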
@OwenSanzas OwenSanzas changed the title from "Fix undefined behavior in dtfmtsym_fuzzer: validate enum values" to "ICU-23336 Fix undefined behavior in dtfmtsym_fuzzer: validate enum values" on Mar 7, 2026
@markusicu markusicu self-assigned this Mar 12, 2026