Segmentation fault in utf8proc_normalize_utf32 with invalid options #288

@shuangxiangkan

Description

While fuzzing utf8proc with AFL++, we discovered that passing invalid option flags to utf8proc_normalize_utf32 may trigger a segmentation fault in the API.

// Valid option test - works correctly
utf8proc_option_t valid_options = 
    UTF8PROC_STRIPCC | 
    UTF8PROC_NLF2LS | 
    UTF8PROC_NLF2PS;
utf8proc_normalize_utf32(copy, num_codepoints, valid_options);

// Invalid option test - triggers crash
utf8proc_option_t invalid_options = 0xFFFF;
utf8proc_normalize_utf32(copy, num_codepoints, invalid_options);

Environment

  • OS: Ubuntu 22.04
  • Compiler: Clang 16.0.6
  • AFL++ Version: afl-fuzz++4.22a

Reproduction

afl-clang-fast -o fuzzer_afl fuzzer_afl.c \
    -I/path/to/utf8proc/include \
    -L/path/to/utf8proc/lib \
    -lutf8proc \
    -fsanitize=address

./fuzzer_afl 

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3853974==ERROR: AddressSanitizer: SEGV on unknown address 0x558dccc4294c (pc 0x558dcbbee9c7 bp 0x00007f000617 sp 0x7ffc0d45aeb0 T0)
==3853974==The signal is caused by a READ memory access.
    #0 0x558dcbbee9c7 in unsafe_get_property /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:237:7
    #1 0x558dcbbee9c7 in utf8proc_normalize_utf32 /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/utf8proc.c:655:53
    #2 0x558dcbbea291 in main /srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl.c:79:13
    #3 0x7fb067499249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fb067499304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x558dcbb2a3e0 in _start (/srv/scratch/PAG/ksx/Fuzz/Library/utf8proc/Fuzz/reproduce/fuzzer_afl+0x223e0) (BuildId: e62e3f9342618db53c46bbabc796a818d12e19b0)

Fuzz file and input

fuzzer_afl.c.zip

crash_input.zip

The utf8proc_reencode function may have similar crash behavior with invalid options.
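An added caller-side guard, not code from this issue or from utf8proc, to run before utf8proc_normalize_utf32: it refuses an options word with bits outside utf8proc's defined flags (0xFFFF sets bit 15, which no flag uses) and, because the trace faults inside unsafe_get_property, a property-table lookup indexed by codepoint without a range check, it also refuses a buffer holding values that are not valid Unicode scalar values. The OPT_* constants mirror the utf8proc_option_t values from utf8proc.h so the block compiles without the library installed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values copied from utf8proc_option_t in utf8proc.h so this guard compiles
 * without the library; with the header installed use the UTF8PROC_* names.
 * utf8proc defines flags in bits 0..14 (NULLTERM = 1<<0 ... STRIPNA = 1<<14);
 * the three below are the ones used in the issue. */
#define OPT_NLF2LS    (1 << 7)
#define OPT_NLF2PS    (1 << 8)
#define OPT_STRIPCC   (1 << 9)
/* Union of every defined flag.  The issue's 0xFFFF also sets bit 15, which
 * no flag uses, so (0xFFFF & ~OPT_ALL_KNOWN) is non-zero. */
#define OPT_ALL_KNOWN 0x7FFF

/* 1 if every set bit in options is a defined flag, else 0. */
int normalize_options_ok(int options) {
    return (options & ~OPT_ALL_KNOWN) == 0;
}

/* Same rule as utf8proc_codepoint_valid(): 0..0x10FFFF excluding surrogates.
 * The trace faults in unsafe_get_property, a property-table lookup indexed
 * by codepoint with no range check, so a buffer holding out-of-range or
 * negative values is refused as a whole. */
int codepoints_ok(const int32_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint32_t uc = (uint32_t)buf[i];         /* -1 becomes 0xFFFFFFFF */
        if (uc >= 0x110000u || uc - 0xD800u < 0x800u) return 0;
    }
    return 1;
}

/* Run before utf8proc_normalize_utf32(buf, len, options): 1 = safe to call. */
int safe_to_normalize(const int32_t *buf, size_t len, int options) {
    return normalize_options_ok(options) && codepoints_ok(buf, len);
}

int main(void) {
    int32_t copy[] = { 'a', 0x0D, 0x0A, 0x1F600 };     /* constructed sample */
    size_t n = sizeof copy / sizeof copy[0];
    int valid = OPT_STRIPCC | OPT_NLF2LS | OPT_NLF2PS; /* the issue's good case */
    printf("valid options -> %d\n", safe_to_normalize(copy, n, valid));
    printf("0xFFFF        -> %d\n", safe_to_normalize(copy, n, 0xFFFF));
    return 0;
}
```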
