Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Large CPU and memory consumption on crafted input #41

Open
Shnatsel opened this issue Feb 24, 2019 · 2 comments
Open

Large CPU and memory consumption on crafted input #41

Shnatsel opened this issue Feb 24, 2019 · 2 comments
Labels

Comments

@Shnatsel
Copy link
Contributor

Shnatsel commented Feb 24, 2019

Given a crafted input, lewton allocates over 1500 Mb of physical memory and spends ~6 seconds decoding a tiny 18kb file. This issue can be used to cause denial of service.

Steps to reproduce:
RUSTFLAGS='--cfg=fuzzing' cargo run --release --example perf /path/to/malformed/file.ogg

Testcase: https://github.com/RustAudio/lewton/files/2897332/issue_35_hang_new.ogg.gz

Found using AFL.rs, which categorized this issue as a hang.

This issue is distinct from #34 which is about allocating terabytes of virtual memory that is not actually filled.

@est31 est31 added the bug label Feb 24, 2019
@Shnatsel
Copy link
Contributor Author

Shnatsel commented Mar 3, 2019

Here's a more egregious 14kb sample that takes 30 seconds and 5Gb of actually used memory to decode: tiny-5gb-30sec-input.ogg.zip

It should be possible to synthesize files causing even more dramatic load, but fuzzer normally doesn't do this because spending 30 seconds per execution would be impractically slow.

@est31
Copy link
Member

est31 commented Mar 3, 2019

Callgrind is telling me that most time is spent in lookup_vec_val_decode. Printing out codebook_entries and codebook_dimensions gives me really large values for both testcases if you multiply the two numbers together (1 364 875 785 for one sample, 376 286 472 for the other).

This is basically one of those "finding a reasonable limit" cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants