These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's largely because Rust is memory-safe by default: an out-of-bounds index, a failed `unwrap`, a string slice that lands off a char boundary, or an integer overflow (with overflow checks on) ends in a panic rather than memory corruption. It's also because not many people have tried fuzzing Rust code yet! Panics still matter, though: in a parser fed untrusted input a panic is a denial of service, and in a release build without overflow checks an overflow wraps silently instead of panicking, so fuzz with debug assertions enabled. Over time we will update this section with the most interesting bugs, whether they're logic errors or memory-safety problems arising from unsafe code. Pull requests are welcome!
| Crate | Information | Fuzzer | Category |
|---|---|---|---|
| bmfont | panic on unwrapping | libfuzzer | panic |
| brotli-rs | #10 | afl | panic |
| brotli-rs | #11 | afl | panic |
| brotli-rs | #12 | afl | panic |
| brotli-rs | #2 | afl | panic |
| brotli-rs | #3 | afl | |
| brotli-rs | #4 | afl | |
| brotli-rs | #5 | afl | |
| brotli-rs | #6 | afl | |
| brotli-rs | #7 | afl | |
| brotli-rs | #8 | afl | |
| brotli-rs | #9 | afl | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | |
| cpp_demangle | #41 | afl | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic |
| der-parser | arithmetic overflow | libfuzzer | arith |
| flac | #3 | afl | oom |
| flac | index out of bounds | libfuzzer | oor |
| httparse | #9 | afl | |
| httpdate | panics: "no character boundary" and arithmetic overflow | libfuzzer | |
| hyper | arithmetic overflow | libfuzzer | |
| image | #414 | afl | |
| image | #473 | afl | |
| image | #474 | afl | |
| image | #477 | afl | |
| image | 1 | libfuzzer | |
| image | 2 | libfuzzer | |
| image | 3 | libfuzzer | |
| image | 4 | libfuzzer | |
| inflate | arithmetic overflow | libfuzzer | arith |
| ipfix | index out of bounds | libfuzzer | oor |
| jpeg-decoder | #38 | afl | |
| jpeg-decoder | #50 | afl | |
| jpeg-decoder | arithmetic overflow | libfuzzer | |
| libpnet | arithmetic overflow | libfuzzer | |
| mp3-metadata | #9 | afl | |
| mp4parse-rust | #2 | afl | |
| mp4parse-rust | #4 | afl | |
| mp4parse-rust | #5 | afl | |
| mp4parse-rust | #6 | afl | |
| nom | arithmetic overflow | libfuzzer | arith |
| npy-rs | arithmetic overflow | libfuzzer | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | |
| num | panic on BigInt parsing | libfuzzer | unwrap |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | |
| pcapng | arithmetic overflow | libfuzzer | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor |
| quick-xml | arithmetic overflow | libfuzzer | arith |
| quick-xml | arithmetic overflow | libfuzzer | arith |
| regex | #84 | afl | unwrap |
| regex | regex parsing panics with blog post | libfuzzer | unwrap |
| rust-asn1 | #32 | afl | |
| rust-url | #108 | afl | oor |
| rustc | #24275 | afl | other |
| rustc | #24276 | afl | segfault |
| rustc-serialize | #109 | afl | arith |
| rustc-serialize | #110 | afl | panic |
| semver | logic error | libfuzzer | logic |
| serde | #75 | afl | arith |
| serde | #77 | afl | arith |
| serde | #82 | afl | so |
| smoltcp | index out of bounds | libfuzzer | |
| smoltcp | index out of bounds | libfuzzer | |
| smoltcp | index out of bounds | libfuzzer | |
| smoltcp | arithmetic underflow | libfuzzer | arith |
| smoltcp | index out of bounds | libfuzzer | |
| smoltcp | index out of bounds | libfuzzer | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap |
| ssh-keys | panic on slice indexing | libfuzzer | oor |
| ssh-parser | arithmetic overflow | libfuzzer | arith |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic |
| svgparser | endless loop | libfuzzer | loop |
| sxd-document | use after free | libfuzzer | uaf |
| tar-rs | #23 | afl | arith |
| todotxt.rs | index out of bounds | libfuzzer | oor |
| toml | #178 | libfuzzer | logic |
| toml | #179 | libfuzzer | logic |
| toml | #180 | libfuzzer | logic |
| toml | #181 | libfuzzer | logic |
| toml | #185 | libfuzzer | logic |
| toml | #186 | libfuzzer | logic |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | |
| unicode-segmentation | word boundary correctness | libfuzzer | |
| uuid | index out of bounds | libfuzzer | oor |
| vosub | 2 | libfuzzer | |
| vosub | 3 | libfuzzer | |
| vosub | arithmetic overflow | libfuzzer | |
| vosub | invalid slice 1 | libfuzzer | |
| vosub | shift overflow | libfuzzer | arith |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith |
| xml-rs | #93 | afl | utf-8 |
| zip-rs | arithmetic overflow | libfuzzer | arith |
Categories:

- arith: Arithmetic error, eg. overflow
- logic: Logic bug
- loop: Infinite loop
- oom: Out of memory
- oor: Out of range access
- segfault: Program segfaulted
- so: Stack overflow
- uaf: Use after free
- unwrap: Call to `unwrap` on `None` or `Err(_)`
- utf-8: Problem with UTF-8 string handling, eg. getting a char not at a char boundary
- panic: A panic not covered by any of the above
- other: Anything that does not fit in another category, or unclear what the problem is
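As an added example (not code from rust-fuzz or from any crate in the table), here is a toy length-prefixed record format, constructed for this example, parsed twice in Rust: `parse_naive` can hit each of the panic classes in the legend above (oor, unwrap, utf-8, arith), and `parse_checked` turns every malformed input into an `Err` instead. `fuzz_one` is the shape of a cargo-fuzz target written as a plain function so it runs without the fuzzer, and `naive_panics` uses `catch_unwind` to triage a constructed seed corpus the way you would classify a crash. The format, the error enum and the seed inputs are all assumptions made for this example.

```rust
// Added example; not code from rust-fuzz or from any crate in the table.
// Wire format (constructed for this example):
//   len (1 byte) | len bytes of UTF-8 name | ASCII decimal count | scale (1 byte)
// `fuzz_one` is the body you would hand to cargo-fuzz's
// `fuzz_target!(|data: &[u8]| { ... })`; here it is a plain function.
use std::panic::catch_unwind;
use std::str;

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub name: &'a str,
    pub initial: char,
    pub total: u32,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadUtf8,
    EmptyName,
    BadCount,
    Overflow,
}

/// Naive parser: every step trusts the input and can panic.
pub fn parse_naive(data: &[u8]) -> Record<'_> {
    let len = data[0] as usize;                                  // oor: empty input
    let name = str::from_utf8(&data[1..1 + len]).unwrap();       // oor: len past end; unwrap: non-UTF-8
    let initial = name[..1].chars().next().unwrap();             // utf-8: byte 1 may not be a char boundary
    let rest = &data[1 + len..];
    let digits_end = rest.iter().position(|b| !b.is_ascii_digit()).unwrap(); // unwrap: no scale byte
    let count: u32 = str::from_utf8(&rest[..digits_end]).unwrap().parse().unwrap(); // unwrap: "" or > u32::MAX
    let scale = rest[digits_end] as u32;
    let total = count * scale;                                   // arith: panics with overflow checks on, wraps otherwise
    Record { name, initial, total }
}

/// Hardened parser: same format, no panic reachable from `data`.
pub fn parse_checked(data: &[u8]) -> Result<Record<'_>, ParseError> {
    let (&len, body) = data.split_first().ok_or(ParseError::Truncated)?;
    let len = usize::from(len);
    if body.len() < len {
        return Err(ParseError::Truncated);
    }
    let (name_bytes, rest) = body.split_at(len);
    let name = str::from_utf8(name_bytes).map_err(|_| ParseError::BadUtf8)?;
    // Take the first *char*; never byte-index into a &str.
    let initial = name.chars().next().ok_or(ParseError::EmptyName)?;
    // position() returning Some guarantees rest[digits_end] exists.
    let digits_end = rest
        .iter()
        .position(|b| !b.is_ascii_digit())
        .ok_or(ParseError::Truncated)?;
    if digits_end == 0 {
        return Err(ParseError::BadCount);
    }
    // Checked accumulation instead of parse().unwrap().
    let count = rest[..digits_end]
        .iter()
        .try_fold(0u32, |acc, &b| acc.checked_mul(10)?.checked_add(u32::from(b - b'0')))
        .ok_or(ParseError::Overflow)?;
    let scale = u32::from(rest[digits_end]);
    let total = count.checked_mul(scale).ok_or(ParseError::Overflow)?;
    Ok(Record { name, initial, total })
}

/// Fuzz entry point: the property under test is "parse_checked never panics".
pub fn fuzz_one(data: &[u8]) -> Result<Record<'_>, ParseError> {
    parse_checked(data)
}

/// Triage helper: does the naive parser panic on this input? The default
/// panic hook still prints the message, which is what you read when
/// classifying a fuzzer crash into one of the legend's categories.
pub fn naive_panics(data: &[u8]) -> bool {
    catch_unwind(|| parse_naive(data)).is_err()
}

fn main() {
    // Constructed seed corpus, one input per legend category.
    let seeds: &[(&str, &[u8])] = &[
        ("valid", b"\x03bob12\x03"), // name "bob", count 12, scale 3
        ("oor: empty input", b""),
        ("oor: len past end", b"\x09bob"),
        ("unwrap: non-UTF-8 name", b"\x01\xff1\x01"),
        ("utf-8: multibyte first char", b"\x02\xc3\xa91\x01"),
        ("unwrap: missing scale byte", b"\x03bob12"),
        ("arith: count*scale overflows", b"\x03bob4294967295\x02"),
    ];
    for (label, data) in seeds {
        println!("{label:32} checked={:?} naive_panics={}", fuzz_one(data), naive_panics(data));
    }
}
```

In a cargo-fuzz project the body of `fuzz_one` goes inside `fuzz_target!(|data: &[u8]| { ... })`; make sure overflow checks are enabled in the fuzz build, otherwise `count * scale` in the naive version wraps silently and the arith class never surfaces as a crash.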