Go-fuzz is a coverage-guided fuzzing solution for testing of Go packages. Fuzzing is mainly applicable to packages that parse complex inputs (both text and binary), and is especially useful for hardening of systems that parse inputs from potentially malicious users (e.g. anything accepted over a network).
Note: go-fuzz has recently added preliminary support for fuzzing Go Modules. See the section below for more details.
If you encounter a problem with modules, please file an issue with details. A workaround might be to disable modules via export GO111MODULE=off
.
First, you need to write a test function of the form:
func Fuzz(data []byte) int
Data is a random input generated by go-fuzz, note that in most cases it is invalid. The function must return 1 if the fuzzer should increase priority of the given input during subsequent fuzzing (for example, the input is lexically correct and was parsed successfully); -1 if the input must not be added to corpus even if gives new coverage; and 0 otherwise; other values are reserved for future use.
The Fuzz
function must be in a package that go-fuzz
can import. This means
the code you want to test can't be in package main
. Fuzzing internal
packages is supported, however.
In its basic form the Fuzz function just parses the input, and go-fuzz ensures that it does not panic, crash the program, allocate insane amount of memory nor hang. Fuzz function can also do application-level checks, which will make testing more efficient (discover more bugs). For example, Fuzz function can serialize all inputs that were successfully deserialized, thus ensuring that serialization can handle everything deserialization can produce. Or, Fuzz function can deserialize-serialize-deserialize-serialize and check that results of first and second serialization are equal. Or, Fuzz function can feed the input into two different implementations (e.g. dumb and optimized) and check that the output is equal. To communicate application-level bugs Fuzz function should panic (os.Exit(1) will work too, but panic message contains more info). Note that Fuzz function should not output to stdout/stderr, it will slow down fuzzing and nobody will see the output anyway. The exception is printing info about a bug just before panicking.
Here is an example of a simple Fuzz function for image/png package:
package png
import (
"bytes"
"image/png"
)
func Fuzz(data []byte) int {
png.Decode(bytes.NewReader(data))
return 0
}
A more useful Fuzz function would look like:
func Fuzz(data []byte) int {
img, err := png.Decode(bytes.NewReader(data))
if err != nil {
if img != nil {
panic("img != nil on error")
}
return 0
}
var w bytes.Buffer
err = png.Encode(&w, img)
if err != nil {
panic(err)
}
return 1
}
The second step is collection of initial input corpus. Ideally, files in the corpus are as small as possible and as diverse as possible. You can use inputs used by unit tests and/or generate them. For example, for an image decoding package you can encode several small bitmaps (black, random noise, white with few non-white pixels) with different levels of compressions and use that as the initial corpus. Go-fuzz will deduplicate and minimize the inputs. So throwing in a thousand of inputs is fine, diversity is more important.
Put the initial corpus into the workdir/corpus directory (in our case
examples/png/corpus
). Go-fuzz will add own inputs to the corpus directory.
Consider committing the generated inputs to your source control system, this
will allow you to restart go-fuzz without losing previous work.
The go-fuzz-corpus repository contains a bunch of examples of test functions and initial input corpuses for various packages.
The next step is to get go-fuzz:
$ go install github.com/dvyukov/go-fuzz/go-fuzz@latest github.com/dvyukov/go-fuzz/go-fuzz-build@latest
Then, download the corpus and build the test program with necessary instrumentation:
$ git clone https://github.com/dvyukov/go-fuzz-corpus.git
$ cd go-fuzz-corpus
$ cd png
$ go-fuzz-build
This will produce png-fuzz.zip archive.
Now we are ready to go:
$ go-fuzz
Go-fuzz will generate and test various inputs in an infinite loop. Workdir is used to store persistent data like current corpus and crashers, it allows fuzzer to continue after restart. Discovered bad inputs are stored in workdir/crashers dir; where file without a suffix contains binary input, file with .quoted suffix contains quoted input that can be directly copied into a reproducer program or a test, file with .output suffix contains output of the test on this input. Every few seconds go-fuzz prints logs to stderr of the form:
2015/04/25 12:39:53 workers: 500, corpus: 186 (42s ago), crashers: 3,
restarts: 1/8027, execs: 12009519 (121224/sec), cover: 2746, uptime: 1m39s
Where workers
means number of tests running in parallel (set with -procs
flag). corpus
is current number of interesting inputs the fuzzer has
discovered, time in brackets says when the last interesting input was
discovered. crashers
is number of discovered bugs (check out
workdir/crashers dir). restarts
is the rate with which the fuzzer restarts
test processes. The rate should be close to 1/10000 (which is the planned
restart rate); if it is considerably higher than 1/10000, consider fixing already
discovered bugs which lead to frequent restarts. execs
is total number of
test executions, and the number in brackets is the average speed of test
executions. cover
is number of bits set in a hashed coverage bitmap, if this number
grows fuzzer uncovers new lines of code; size of the bitmap is 64K; ideally cover
value should be less than ~5000, otherwise fuzzer can miss new interesting inputs
due to hash collisions. And finally uptime
is uptime of the process. This same
information is also served via http (see the -http
flag).
go-fuzz has preliminary support for fuzzing Go Modules.
go-fuzz respects the standard GO111MODULE
environment variable, which can be set to on
, off
, or auto
.
go-fuzz-build will add a require
for github.com/dvyukov/go-fuzz
to your go.mod. If desired, you may remove this once the build is complete.
Vendoring with modules is not yet supported. A vendor
directory will be ignored, and go-fuzz will report an error if GOFLAGS=-mod=vendor
is set.
Note that while modules are used to prepare the build, the final instrumented build is still done in GOPATH mode. For most modules, this should not matter.
go-fuzz-build can also generate an archive file that can be used with libFuzzer instead of go-fuzz (requires linux).
Sample usage:
$ cd $GOPATH/src/github.com/dvyukov/go-fuzz-corpus/fmt
$ go-fuzz-build -libfuzzer # produces fmt.a
$ clang -fsanitize=fuzzer fmt.a -o fmt.libfuzzer
$ ./fmt.libfuzzer
When run with -libfuzzer
, go-fuzz-build adds the additional build tag
gofuzz_libfuzzer
when building code.
Just as unit-testing, fuzzing is better done continuously.
Currently there are 2 services that offer continuous fuzzing based on go-fuzz:
go-fuzz-build builds the program with gofuzz build tag, this allows to put the
Fuzz function implementation directly into the tested package, but exclude it
from normal builds with // +build gofuzz
directive.
If your inputs contain a checksum, it can make sense to append/update the checksum
in the Fuzz
function. The chances that go-fuzz will generate the correct
checksum are very low, so most work will be in vain otherwise.
Go-fuzz can utilize several machines. To do this, start the coordinator process separately:
$ go-fuzz -workdir=examples/png -coordinator=127.0.0.1:8745
It will manage persistent corpus and crashers and coordinate work of worker processes. Then run one or more worker processes as:
$ go-fuzz -bin=./png-fuzz.zip -worker=127.0.0.1:8745 -procs=10
- go-fuzz github.com/arolek/ase: A step-by-step tutorial
- DNS parser, meet Go fuzzer: A success story with suggestions on how to write the
Fuzz
function - Automated Testing with go-fuzz
- Going down the rabbit hole with go-fuzz
- Fuzzing markdown parser with go-fuzz
go-fuzz repository history was recently rewritten to exclude examples directory
to reduce total repository size and download time (see
#88,
#114 and
https://github.com/dvyukov/go-fuzz-corpus). Unfortunately, that means that
go get -u
command will fail if you had a previous version installed.
Please remove $GOPATH/github.com/dvyukov/go-fuzz before running go get
again.
Go-fuzz fuzzing logic is heavily based on american fuzzy lop, so refer to AFL readme if you are interested in technical details. AFL is written and maintained by Michal Zalewski. Some of the mutations employed by go-fuzz are inspired by work done by Mateusz Jurczyk, Gynvael Coldwind and Felix Gröbert.
- spec: non-integral constant can be converted to int fixed
- cmd/compile: out of fixed registers fixed
- cmd/compile: truncates constants fixed
- cmd/compile: overflow in int -> string fixed
- cmd/compile: bad HMUL fixed
- cmd/compile: treecopy Name fixed
- cmd/compile: accepts invalid identifiers fixed
- cmd/compile: hangs compiling hex fp constant fixed
- cmd/compile: mishandles int->complex conversion fixed
- cmd/compile: allows to define blank methods on builtin types fixed
- cmd/compile: mis-calculates a constant fixed
- cmd/compile: interface conversion panic fixed
- cmd/compile: nil pointer dereference fixed
- cmd/compile: nil pointer dereference (2) fixed
- cmd/compile: internal compiler error: plain block b3 len(Succs)==2, want 1 fixed
- cmd/compile: internal compiler error: b3.Succs has duplicate block b3 fixed
- cmd/compile: internal compiler error: newname nil fixed
- cmd/compile: accepts invalid function type fixed
- cmd/compile: internal compiler error: getinarg: not a func int fixed
- cmd/compile: hangs converting int const to complex64 fixed
- cmd/compile: nil deref in error message fixed
- cmd/compile: use of untyped nil in switch fixed
- cmd/compile: implicitly converts complex constant to integer fixed
- cmd/compile: assignment to entry in nil map fixed
- cmd/compile: does not diagnose constant division by zero fixed
- cmd/compile: does not detect a missing return fixed
- cmd/compile: symbol ""._.args_stackmap listed multiple times fixed
- cmd/compile: "0"[0] should not be a constant fixed
- cmd/compile: unexpected %!(NOVERB) fixed
- cmd/compile: wrong line number in error message fixed
- cmd/compile: not-deterministic output fixed
- cmd/compile: parsing problem fixed
- cmd/compile: compiles incorrect program fixed
- cmd/compile: does not compile correct program
- cmd/compile: compiles incorrect program (2) fixed
- cmd/compile: internal compiler error: want FUNC, but have int fixed
- cmd/compile: nil deref fixed
- cmd/asm: index out of range fixed
- cmd/asm: index out of range (2) fixed
- cmd/asm: index out of range (3) fixed
- cmd/asm: index out of range (4) fixed
- cmd/asm: slice bounds out of range fixed
- cmd/asm: hang fixed
- cmd/asm: hang (2) fixed
- cmd/asm: hang (3) fixed
- cmd/asm: nil deref fixed
- cmd/asm: nil deref (2) fixed
- cmd/asm: nil deref (3) fixed
- cmd/asm: nil deref (4) fixed
- cmd/asm: nil deref (5) fixed
- cmd/asm: cannot happen: slice col fixed
- cmd/asm: unactionable "invalid local variable type 0"
- internal/trace: index out of range fixed
- internal/trace: index out of range (2) fixed
- internal/trace: nil deref fixed
- internal/trace: nil deref (2) fixed
- fmt: Printf loops on invalid verb spec fixed
- fmt: incorrect overflow detection fixed
- fmt: index out of range fixed
- fmt: index out of range (2) fixed
- fmt: index out of range (3) fixed
- fmt: index out of range (4) fixed
- fmt: index out of range (5) fixed
- fmt: index out of range (6) fixed
- regexp: slice bounds out of range fixed
- regexp: slice bounds out of range (2) fixed
- regexp: LiteralPrefix lies about completeness
- regexp: LiteralPrefix lies about completeness (2)
- regexp: POSIX regexp takes 4 seconds to execute
- regexp: confusing behavior on invalid utf-8 sequences
- regexp: considers "\Q\E*" as valid regexp fixed
- time: allows signs for year/tz in format string
- time: RFC3339 time.Parse can not parse string that come from time.Format
- time: Parse panic: runtime error: index out of range fixed
- math/big: incorrect string->Float conversion fixed
- math/big: MakeFromLiteral with 0 mantissa and large exponent hangs fixed
- net/http: can't send star request fixed
- net/http: allows empty header names fixed
- net/http: allows invalid characters in header values fixed
- net/http: allows %-encoding after [] fixed
- net/mail: ParseAddress/String corrupt address fixed
- net/mail: parses invalid address fixed
- net/mail: fails to escape address fixed
- net/textproto: fails to trim header value fixed
- archive/zip: cap out of range fixed
- archive/zip: bad file size fixed
- archive/zip: unexpected EOF fixed
- archive/zip: file with wrong checksum is successfully decompressed fixed
- archive/zip: unexpected EOF when reading archive fixed
- archive/tar: slice bounds out of range fixed
- archive/tar: slice bounds out of range (2) fixed
- archive/tar: slice bounds out of range (3) fixed
- archive/tar: slice bounds out of range (4) fixed
- archive/tar: slice bounds out of range (5) fixed
- archive/tar: deadly hang fixed
- archive/tar: invalid memory address or nil pointer dereference fixed
- archive/tar: invalid memory address or nil pointer dereference (2) fixed
- archive/tar: Reader.Next returns nil header fixed
- archive/tar: Writer incorrectly encodes header data fixed
- archive/tar: incorrectly claims huge file size
- archive/tar: reader returns bogus headers fixed
- encoding/gob: panic: drop fixed
- encoding/gob: makeslice: len out of range [3 bugs] fixed
- encoding/gob: stack overflow fixed
- encoding/gob: excessive memory consumption fixed
- encoding/gob: decoding hangs fixed
- encoding/gob: pointers to zero values are not initialized in Decode
- encoding/gob: crash on malicious input
- encoding/xml: allows invalid comments
- encoding/json: detect circular data structures when encoding
- encoding/asn1: index out of range fixed
- encoding/asn1: incorrectly handles incorrect utf8 strings fixed
- encoding/asn1: slice is lost during marshal/unmarshal fixed
- encoding/asn1: call of reflect.Value.Type on zero Value fixed
- encoding/asn1: Unmarshal accepts negative dates fixed
- encoding/pem: can't decode encoded message fixed
- crypto:x509: input not full blocks fixed
- crypto/x509: division by zero fixed
- image/jpeg: unreadByteStuffedByte call cannot be fulfilled fixed
- image/jpeg: index out of range fixed
- image/jpeg: invalid memory address or nil pointer dereference fixed
- image/jpeg: Decode hangs fixed
- image/jpeg: excessive memory usage fixed
- image/png: slice bounds out of range fixed
- image/png: slice bounds out of range (2) fixed
- image/png: interface conversion: color.Color is color.NRGBA, not color.RGBA fixed
- image/png: nil deref fixed
- image/gif: image block is out of bounds fixed
- image/gif: Decode returns an image with empty palette fixed
- image/gif: LoopCount changes on round trip fixed
- image/gif: Disposal is corrupted after round trip
- image/gif: EOF instead of UnexpectedEOF
- compress/flate: hang fixed
- compress/lzw: compress/decompress corrupts data fixed
- text/template: leaks goroutines on errors
- text/template: Call using string as type int fixed
- text/template: Call using complex128 as type string fixed
- text/template: stack overflow
- html/template: unidentified node type in allIdents fixed
- html/template: unidentified node type in allIdents (2) fixed
- html/template: unidentified node type in allIdents (3) fixed
- html/template: unidentified node type in allIdents (4) fixed
- html/template: escaping {{else}} is unimplemented fixed
- html/template: runtime error: slice bounds out of range fixed
- html/template: runtime error: slice bounds out of range (2) fixed
- html/template: invalid memory address or nil pointer dereference fixed
- html/template: panic: Call using zero Value argument fixed
- html/template: nil pointer dereference fixed
- html/template: slice bounds out of range fixed
- mime: ParseMediaType parses invalid media types fixed
- mime: Parse/Format corrupt parameters fixed
- mime: Parse/Format corrupt parameters (2) fixed
- go/constant: hang evaluating "-6e-1886451601" fixed
- go/constant, math/big: panic while constructing constant "1i/1E-612198397"
- go/scanner: accepts floating point literals with no decimals after E fixed
- go/parser: eats \r in comments
- go/format: turns correct program into incorrect one
- go/format: non-idempotent format fixed
- go/format: adds } fixed
- go/types: panics on invalid constant fixed
- go/types: compiling hangs fixed
- go/types: stupid shift fixed
- go/types: line number out of range
- go/types: assertion failed fixed
- go/types: converts fp constant to string fixed
- go/types: converts complex constant to string fixed
- go/types: misses '-' in error message fixed
- go/types: compiles invalid program with overflow
- go/types: allows duplicate switch cases fixed
- go/types: can shift complex numbers fixed
- go/types: parses comma terminated fields fixed
- go/types: int overflow in switch expression fixed
- go/types: allows multiple-value in switch and case fixed
- go/types: invalid error message for valid conversion to complex64 fixed
- debug/elf: index out of range
- debug/elf: makeslice: len out of range fixed
- debug/elf: slice bounds out of range
- debug/pe: panic on interface conversion
- debug/pe: slice bounds out of range
- x/image/webp: index out of range fixed
- x/image/webp: invalid memory address or nil pointer dereference fixed
- x/image/webp: excessive memory consumption
- x/image/webp: excessive memory consumption (2)
- x/image/tiff: integer divide by zero fixed
- x/image/tiff: index out of range fixed
- x/image/tiff: slice bounds out of range fixed
- x/image/tiff: index out of range fixed
- x/image/tiff: slice bounds out of range fixed
- x/image/tiff: integer divide by zero fixed
- x/image/tiff: index out of range fixed
- x/image/tiff: index out of range
- x/image/tiff: excessive memory consumption
- x/image/{tiff,bmp}: EOF instead of UnexpectedEOF
- x/image/bmp: hang on degenerate image fixed
- x/image/bmp: makeslice: len out of range fixed
- x/image/bmp: out of memory fixed
- x/net/icmp: runtime error: slice bounds out of range
- x/net/html: void element has child nodes
- x/net/spdy: unexpected EOF fixed
- x/net/spdy: EOF fixed
- x/net/spdy: fatal error: runtime: out of memory fixed
- x/net/spdy: stream id zero is disallowed fixed
- x/net/spdy: processing of 35 bytes takes 7 seconds fixed
- x/net/spdy: makemap: size out of range fixed
- x/net/spdy: makeslice: len out of range fixed
- x/crypto/ssh: Server panic on invalid input fixed
- x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.nextSubpacket fixed
- x/crypto/openpgp: ReadMessage(): Panic on invalid input in packet.PublicKeyV3.setFingerPrintAndKeyId fixed
- x/crypto/openpgp: ReadMessage(): Panic on invalid input in math/big.nat.div fixed
- gccgo: bogus index out of bounds fixed
- gccgo: does not see stupidness of shift count fixed
- gccgo: bogus integer constant overflow fixed
- gccgo: segmentation fault fixed
- gccgo: segmentation fault (2) fixed
- gccgo: segmentation fault (3) fixed
- gccgo: segmentation fault (4) fixed
- gccgo: internal compiler error in set_type fixed
- gccgo: internal compiler error in global_variable_set_init fixed
- gccgo: internal compiler error: in wide_int_to_tree fixed
- gccgo: internal compiler error in wide_int_to_tree (2) fixed
- gccgo: internal compiler error in record_var_depends_on fixed
- gccgo: internal compiler error in Builtin_call_expression fixed
- gccgo: internal compiler error in check_bounds fixed
- gccgo: internal compiler error in do_determine_type fixed
- gccgo: internal compiler error in do_determine_type (2) fixed
- gccgo: internal compiler error in backend_numeric_constant_expression fixed
- gccgo: internal compiler error in type_size fixed
- gccgo: internal compiler error in type_size (2) fixed
- gccgo: internal compiler error in type_size (3) fixed
- gccgo: internal compiler error in do_get_backend fixed
- gccgo: internal compiler error in do_get_backend (2) fixed
- gccgo: internal compiler error in do_get_backend (3) fixed
- gccgo: internal compiler error in do_get_backend (4) fixed
- gccgo: internal compiler error in create_tmp_var fixed
- gccgo: internal compiler error in methods fixed
- gccgo: internal compiler error in do_flatten fixed
- gccgo: internal compiler error in do_flatten (2) fixed
- gccgo: internal compiler error in do_flatten (3) fixed
- gccgo: internal compiler error in declare_function fixed
- gccgo: internal compiler error: in define fixed
- gccgo: internal compiler error: in do_export
- gccgo: internal compiler error in do_lower fixed
- gccgo: internal compiler error in insert fixed
- gccgo: internal compiler error in uniform_vector_p fixed
- gccgo: accepts invalid UTF-8 fixed
- gccgo: spurious expected newline error fixed
- gccgo: can apply ^ to true fixed
- gccgo: hangs fixed
- gccgo: hangs (2) fixed
- gccgo: hangs (3) fixed
- gccgo: rejects valid imaginary literal fixed
- gccgo: rejects valid fp literal fixed
- gccgo: accepts program with invalid identifier fixed
- gccgo: accepts program with invalid identifier (2) fixed
- gccgo: compiles weird construct fixed
- gccgo: can do bitwise or on fp constants fixed
- gccgo: treats nil as type fixed
- gccgo: does not understand greek capiltal letter yot fixed
- gccgo: does not understand CUNEIFORM SIGN DUG TIMES MI fixed
- gccgo: allows to refer to builtin function not in call expression fixed
- gccgo: bogus incompatible types in binary expression error fixed
- gccgo: allows multiple definitions of a function fixed
- gccgo: can shift by complex number fixed
- gccgo: knowns unknown escape sequence fixed
- gccgo: internal compiler error in start_function fixed
- gccgo: internal compiler error: in start_function (2) fixed
- gccgo: heap-buffer-overflow in Lex::skip_cpp_comment fixed
- gccgo: does not convert untyped complex 0i to int in binary operation involving an int
- gccgo: does not detect missing return fixed
- gccgo: invalid error message for valid conversion to complex64
- gccgo: can shift complex numbers fixed
- gccgo: does not error on unused var fixed
- gccgo: treats 0 as channel fixed
- gccgo: does not recognize unused import fixed
- gccgo: can shift by string fixed
- github.com/golang/protobuf: call of reflect.Value.SetMapIndex on zero Value fixed
- github.com/golang/protobuf: call of reflect.Value.Interface on zero Value in MarshalText fixed
- github.com/golang/protobuf: Invalid map is successfully decoded
- github.com/golang/protobuf: MarshalText incorrectly handles unknown bytes
- github.com/golang/protobuf: MarshalText fails and prints to stderr
- github.com/golang/protobuf: Unmarshaling errors for packed fields fixed
- Equal prints to stderr and fails on what's handled by Marshal/Unmarshal
- code.google.com/p/freetype-go: 42 crashers [42 bugs]
- github.com/cryptix/wav: 2 panics in header decoding fixed
- github.com/spf13/hugo: 7 crashers 7 fixed
- github.com/Sereal/Sereal: 8 crashers fixed
- github.com/bradfitz/http2: Server.handleConn hangs fixed
- github.com/bradfitz/http2: nil pointer dereference in hpack.HuffmanDecode fixed
- github.com/bradfitz/http2: serverConn.readFrames goroutine leak
- github.com/golang/snappy: index out of range panic fixed
- github.com/bkaradzic/go-lz4: slice bounds out of range fixed
- github.com/kurin/blazer: string escape/unescape edge-cases, need to escape filename in DownloadFileByName() fixed
- github.com/gocql/gocql: slice bounds out of range fixed
- github.com/gocql/gocql: slice bounds out of range fixed
- github.com/mdlayher/aoe: binary marshal/unmarshal inconsistency fixed
- github.com/mdlayher/arp: slice bounds out of range fixed
- github.com/mdlayher/ethernet: slice bounds out of range fixed
- github.com/mdlayher/ndp: multiple crashers fixed
- github.com/mdlayher/netlink: slice bounds out of range fixed
- github.com/mdlayher/netlink: slice bounds out of range fixed
- github.com/russross/blackfriday: index out of range panic in scanLinkRef fixed
- github.com/russross/blackfriday: index out of range panic in isReference fixed
- github.com/rwcarlsen/goexif: index out of range
- github.com/tdewolff/minify: 8 crashers fixed
- github.com/youtube/vitess/go/vt/sqlparser: index out of range fixed
- github.com/youtube/vitess/go/vt/sqlparser: statement serialized incorrectly fixed
- github.com/youtube/vitess/go/vt/sqlparser: statement serialized incorrectly (2)
- gopkg.in/mgo.v2/bson: slice bounds out of range fixed
- gopkg.in/mgo.v2/bson: Document is corrupted fixed
- gopkg.in/mgo.v2/bson: Attempted to marshal empty Raw document fixed
- cockroachdb/cockroach: crash on x % 0 fixed
- cockroachdb/cockroach: panic when dealing with empty sql ident fixed
- cockroachdb/cockroach: parse literals more like Postgres fixed
- cockroachdb/cockroach: SELECT ("*") parse oddities fixed
- cockroachdb/cockroach: weird QualifiedName.Base panics on reproduce
- github.com/google/open-location-code: Extremely long codes can cause underflow errors
- github.com/akrennmair/gopcap: incorrectly formed IP, UDP, TCP, ICMP packets can cause out of range errors fixed
- github.com/gogo/protobuf: gogofast generates Unmarshal code that can panic fixed
- github.com/DHowett/go-plist: Various panics found through go-fuzz
- github.com/streadway/amqp: go-fuzz fixes
- github.com/andybalholm/cascadia: panic when parsing selectors like
:contains(
fixed - github.com/Azure/go-pkcs12: panic on malformed certificates
- github.com/nats-io/gnatsd: panic on malformed input
- github.com/miekg/dns: 8 crashers fixed
- github.com/influxdb/influxdb: index out of range fixed
- collectd.org/network: 2 crashers fixed
- collectd.org/network: index out of range fixed
- github.com/arolek/ase: 2 crashers fixed
- github.com/lytics/confl: infinite loop on malformed input fixed
- github.com/zeebo/bencode: reject strings with negative length fixed
- github.com/hydrogen18/stalecucumber: 4 crashers
- github.com/gonum/blas: cgo indexing error fixed
- OpenBLAS: incorrect idamax with NaN value
- github.com/eaburns/flac: 3 crashers
- github.com/yvasiyarov/php_session_decoder: 4 crashers
- xi2.org/x/xz: index out of bounds fixed
- github.com/pierrec/lz4: 2 crashers fixed
- github.com/dustin/go-coap: slice bounds out of range (1) fixed
- github.com/dustin/go-coap: slice bounds out of range (2) fixed
- github.com/dgryski/go-quicklz: many array-out-of-bounds issues fixed
- github.com/rasky/go-lzo: possible infinite loop with single byte input fixed
- github.com/ulikunitz/xz: panic in lzma.writeRep
- github.com/Preetam/sflow: excessive memory consumption fixed
- github.com/hashicorp/go-version: unhandled value out of range fixed
- github.com/atlassian/gostatsd: Return an error instead of nil when parseline gets nil/empty input
- github.com/flynn/flynn/pkg/syslog/rfc5424: off-by-one fixed
- github.com/flynn/flynn/json5: decoder out of sync with scanner fixed
- github.com/flynn/flynn/json5: broken carriage return parsing fixed
- github.com/ipfs/go-ipfs: nil pointer deference in DHT RPC handler fixed
- github.com/buger/goreplay: fix panic in http headers parser function fixed
- github.com/digitalocean/captainslog: incomplete timestamp caused panic fixed
- github.com/jlaffaye/ftp: panic: runtime error: index out of range fixed
- github.com/unidoc/unidoc: panic: interface conversion: pdf.PdfObject is nil, not *pdf.PdfObjectInteger fixed
- github.com/unidoc/unidoc: panic: runtime error: invalid memory address or nil pointer dereference fixed
- github.com/unidoc/unidoc: runtime: goroutine stack exceeds 1000000000-byte limit fixed
- github.com/spenczar/tdigest: check slice bounds when unmarshaling fixed
- github.com/spenczar/tdigest: check expected invariants while unmarshaling fixed
- github.com/vcabbage/amqp: index out of range fixed
- github.com/gomarkdown/markdown: inifinite loop fixed
- github.com/gomarkdown/markdown: inifinite loop fixed
- github.com/gomarkdown/markdown: index out of range fixed
- github.com/hajimehoshi/go-mp3: index out of range (1) fixed
- github.com/hajimehoshi/go-mp3: index out of range (2) fixed
- github.com/hajimehoshi/go-mp3: index out of range (3) fixed
- github.com/dhowden/tag: slice bounds out of range (1) fixed
- github.com/dhowden/tag: slice bounds out of range (2) fixed
- github.com/dhowden/tag: len out of range (3) fixed
- github.com/dhowden/tag: slice bounds out of range (4) fixed
- github.com/tealeg/xlsx: slice bounds out of range (1) fixed
- github.com/hashicorp/hcl: crasher (logic error) fixed
- github.com/hashicorp/hcl: crasher (off-by-one) fixed
- github.com/hashicorp/hcl: format produces unparsable output (1) fixed
- github.com/hashicorp/hcl: format produces unparsable output (2) fixed
- github.com/hashicorp/hcl: format produces unparsable output (3) fixed
- github.com/hashicorp/hcl: format produces unparsable output (4) fixed
- github.com/francoispqt/gojay: panic on malformed JSON integers fixed
- github.com/francoispqt/gojay: panic on malformed JSON floats fixed
- github.com/eapache/go-xerial-snappy multiple panics with malformed inputs fixed
- github.com/trustelem/zxcvbn: multiple panics in password strength estimator fixed
- https://github.com/google/syzkaller: 6 crashers ( 1, 2, 3, 4, 5, 6)
- github.com/chai2010/guetzli-go: index out of range
- github.com/pixiv/go-libjpeg: segmentation violation (1) fixed
- github.com/pixiv/go-libjpeg: segmentation violation (2)
- github.com/pixiv/go-libjpeg: panic on encoding after decoding fixed
- github.com/z7zmey/php-parser: index out of range and nil pointer dereference
- github.com/uber/makisu: index out of range (1) fixed
- github.com/uber/makisu: index out of range (2)
- github.com/google/go-attestation: out of memory fixed
- github.com/buger/jsonparser index out of range
- github.com/buger/jsonparser infinite loop
- github.com/hjson/hjson-go: panic on nil fixed
- github.com/hjson/hjson-go: panic on invalid syntax fixed
- github.com/google/gofuzz: off-by-one error fixed
- github.com/bookingcom/nanotube: index out of range fixed
- github.com/ProtonMail/crypto: panic on fingerpring subpacket fixed
- github.com/robfig/cron: panic on malformed schedule string
- github.com/cronokirby/saferith: infinite loop in ModSqrt fixed
- github.com/go-git/go-git: infinite loop in revision parser
If you find some bugs with go-fuzz and are comfortable with sharing them, I would like to add them to this list. Please either send a pull request for README.md (preferable) or file an issue. If the source code is closed, you can say just "found N bugs in project X". Thank you.