Skip to content

fix(payload): reject zero-byte arbitrary input for Block #1892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
goxberry wants to merge 1 commit into
base: goxberry/expect-cleanup-payload-handle-contracts
Choose a base branch
from
Draft

fix(payload): reject zero-byte arbitrary input for Block #1892

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
- Fixed a latent panic in `lading_payload::block::Block::arbitrary`
(`#[cfg(feature = "arbitrary")]`). `u32::arbitrary` can legitimately
produce 0, but `Block::total_bytes` is `NonZeroU32`; the previous code
called `NonZeroU32::new(total_bytes).expect("total_bytes must be
non-zero")` and panicked on the zero case. The fix returns
`arbitrary::Error::IncorrectFormat` so the fuzzer rejects the input
and moves on. A regression test (`arbitrary_rejects_zero_total_bytes`)
pins the new behavior.
- Annotated 11 `lading_payload` functions that intentionally panic on
invariant violations with `#[expect(clippy::expect_used, reason = "...")]`.
Covered: `block::Cache::read_at` (documented `usize`/`u64` overflow
Expand Down
32 changes: 29 additions & 3 deletions lading_payload/src/block.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,10 +117,16 @@ pub enum ConstructBlockCacheError {
#[cfg(feature = "arbitrary")]
impl<'a> arbitrary::Arbitrary<'a> for Block {
fn arbitrary(u: &mut arbitrary::Unstructured<'a>) -> arbitrary::Result<Self> {
let total_bytes = u32::arbitrary(u)?;
let bytes = u.bytes(total_bytes as usize).map(Bytes::copy_from_slice)?;
// `u32::arbitrary` can legitimately produce 0, but `Block::total_bytes`
// is `NonZeroU32`. Reject zero-byte inputs via `IncorrectFormat` so the
// fuzzer skips them and tries another input.
let total_bytes =
NonZeroU32::new(u32::arbitrary(u)?).ok_or(arbitrary::Error::IncorrectFormat)?;
let bytes = u
.bytes(total_bytes.get() as usize)
.map(Bytes::copy_from_slice)?;
Ok(Self {
total_bytes: NonZeroU32::new(total_bytes).expect("total_bytes must be non-zero"),
total_bytes,
bytes,
metadata: BlockMetadata::default(),
})
Expand Down Expand Up @@ -766,3 +772,23 @@ where
})
}
}

#[cfg(all(test, feature = "arbitrary"))]
mod arbitrary_tests {
use super::Block;
use arbitrary::{Arbitrary, Unstructured};

/// Regression: prior to the fix, `Block::arbitrary` could panic via
/// `NonZeroU32::new(0).expect(...)` whenever `u32::arbitrary` produced 0.
/// The fixed version must reject zero-byte inputs via
/// `arbitrary::Error::IncorrectFormat` so the fuzzer skips them.
#[test]
fn arbitrary_rejects_zero_total_bytes() {
let data = [0u8; 16];
let mut u = Unstructured::new(&data);
match Block::arbitrary(&mut u) {
Err(arbitrary::Error::IncorrectFormat) => {}
other => panic!("expected IncorrectFormat, got {other:?}"),
}
}
}
Loading