Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access#3919
Open
OwenSanzas wants to merge 2 commits intounicode-org:mainfrom
Open
Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access#3919OwenSanzas wants to merge 2 commits intounicode-org:mainfrom
OwenSanzas wants to merge 2 commits intounicode-org:mainfrom
Conversation
…om fuzz data The harness reads UListFormatterType and UListFormatterWidth directly from fuzz data via memcpy into enum variables without validation. Loading arbitrary bit patterns into C++ enum types is undefined behavior, confirmed by UndefinedBehaviorSanitizer: runtime error: load of value 2125315823, which is not a valid value for type 'UListFormatterType' The fix reads into int32_t first, then clamps to valid enum ranges before casting. The redundant third createInstance call (which was the only one using validated values) is removed since the second call now uses validated values.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix two issues in
uregex_open_fuzzer.cppthat limit fuzzing effectiveness.1. Hardcoded flags parameter
The fuzzer always passes
0for theflagsparameter touregex_open(), meaning it only ever tests regex compilation with default flags. The regex engine supportsUREGEX_CASE_INSENSITIVE,UREGEX_MULTILINE,UREGEX_DOTALL,UREGEX_COMMENTS, and other flags that exercise different code paths — none of which are being tested.Fix: Derive flags from the first byte of fuzzer input instead of hardcoding
0.2. Unaligned memory access
The fuzzer casts
datadirectly tochar16_t*viareinterpret_cast<const char16_t*>(data). Sincedatais not guaranteed to be 2-byte aligned, this causes undefined behavior and faults on architectures with strict alignment requirements (e.g., ARM).Fix: Copy the pattern data to a properly aligned buffer using
memcpy, consistent with the approach used in other ICU fuzzers.Coverage comparison (60 seconds, empty seed corpus, ASan, libFuzzer)
The +18% edge coverage increase confirms that the hardcoded flags were preventing exploration of significant portions of the regex engine.