rust-fuzz / Trophy Case
Licence: other
Collection of bugs uncovered by fuzzing Rust code
Stars: 225
Trophy Case
A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:
- Help the community see what issues are common in Rust codebases (useful when, e.g., designing APIs)
- Increase the visibility of effective fuzz-testing targets so people can reuse testing strategies
- Provide insight into the kinds of issues users can expect to find with a given fuzzer
These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default: the few memory-unsafe findings below (use after free, heap buffer overflow, out-of-bounds reads, uninitialized-memory disclosure) come from `unsafe` code in the affected crates, while the bulk of the table is panics and logic errors. Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!
Security issues are marked with a ✔️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not considered a security issue here.
| Crate | Information | Fuzzer | Category | Security? |
|---|---|---|---|---|
| bmfont | panic on unwrapping | libfuzzer | panic | |
| boa | invalid spans | honggfuzz | logic | |
| boa | Could not convert to BigInt | honggfuzz | logic | |
| boa | invalid utf16 | honggfuzz | logic | |
| boa | assignment to number | honggfuzz | logic | |
| boa | division by zero | honggfuzz | arith | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | #116 | libfuzzer | oom | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ✔️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| claxon | 0fd8815 | libfuzzer | unwrap | |
| claxon | 21b1db4 | libfuzzer | oor | |
| claxon | 875c3b2 | libfuzzer | logic | |
| claxon | c036944 | libfuzzer | logic | |
| claxon | Massive slowdown on malformed input | libfuzzer | other | |
| claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ✔️ |
| comrak | #65 | libfuzzer | oor | |
| cpp_demangle | Multiple panics | afl | unwrap, arith | |
| cranelift | #418 | libfuzzer | logic | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
| deflate-rs | #40 | afl | logic | |
| deflate-rs | #42 | afl | logic | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| dhcp4r | #6 | libfuzzer | oor | |
| encoding_rs | #44 | afl | logic | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flatgeobuf | #85 | libfuzzer | oom | |
| flatgeobuf | #86 | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| fontdue | arithmetic overflow | libfuzzer | arith | |
| geo | #531 | libfuzzer | logic | |
| geo | #536 | libfuzzer | logic | |
| goblin | memory exhaustion | afl | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| hjson-rust | invalid utf8 | libfuzzer | utf-8 | |
| hjson-rust | subtract with overflow | libfuzzer | arith | |
| hjson-rust | removal index (is 0) should be < len | libfuzzer | logic | |
| hjson-rust | panics on ParseIntError | libfuzzer | arith | |
| httparse | #9 | afl | arith | |
| httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
| httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
| hyper | arithmetic overflow | libfuzzer | arith | |
| image | #1238 | afl | oor | |
| image | #414 | afl | logic | |
| image | #473 | afl | arith | |
| image | #474 | afl | unwrap | |
| image | #477 | afl | oor | |
| image | #622 | libfuzzer | oom | |
| image | #623 | libfuzzer | oom | |
| image | #624 | libfuzzer | oom | |
| image | #625 | libfuzzer | oor | |
| image | #876 | afl | oor | |
| image | #877 | afl | arith | |
| image | #878 | afl | oor | |
| image | Failed to break on an EOF | afl | oor | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | unwrap | |
| jpeg-decoder | #50 | afl | oom | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| jpeg-decoder | 180 | libfuzzer | logic | |
| json-rust | arithmetic overflow | afl | arith | |
| juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
| just | #363 | libfuzzer | logic | |
| lewton | enormous CPU and memory consumption on crafted input | afl | other | |
| lewton | index out of bounds | honggfuzz | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | infinite loop | afl | loop | |
| lewton | large CPU and memory consumption on crafted input | afl | other | |
| lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
| lewton | memory exhaustion | afl | oom | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
| libflate | 258cf44 | honggfuzz | oor | |
| libflate | 6157daa | honggfuzz | panic | |
| libflate | dc77163 | honggfuzz | unwrap | |
| libflate | Out-of-bounds read in unsafe code | afl | oor | |
| libpnet | arithmetic overflow | libfuzzer | arith | |
| libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | memory exhaustion | libfuzzer | oom | |
| lz4_flex | memcpy-param-overlap | libfuzzer | other | |
| lz4_flex | heap-buffer-overflow | libfuzzer | oor | ✔️ |
| lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
| minidump | #7 | libfuzzer | panic | |
| miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
| miniz_oxide | Infinite loop | libfuzzer | loop | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mongo_driver | #55 | libfuzzer | unwrap | |
| mp3-metadata | Multiple panics | afl | oor | |
| mp4parse-rust | #2 | afl | panic | |
| mp4parse-rust | #4 | afl | panic | |
| mp4parse-rust | #5 | afl | panic | |
| mp4parse-rust | #6 | afl | panic | |
| msgpack-rust | #151 | afl | oom | |
| naga | slicing not on a character boundary | libfuzzer | utf-8 | |
| ncurses-rs | string with \0 | libfuzzer | unwrap | |
| nifti | out of bounds array slicing | libfuzzer | oor | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| pancurses | string with \0 | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
| pcapng | arithmetic overflow | libfuzzer | arith | |
| picky | #10 | libfuzzer | unwrap | |
| picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
| png | crash on malformed input | afl | oom | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| png | infinite loop on crafted input | libfuzzer | loop | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| prettytable-rs | subtract with overflow | libfuzzer | arith | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| prost | Stack overflow | afl | so | ✔️ |
| pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| rawloader | abort on huge memory allocation | afl | oom | |
| rav1e | Invalid assertion in rate control | libfuzzer | panic | |
| rav1e | LRF crash when encoding tiny frames | libfuzzer | panic | |
| rav1e | CDEF UV direction mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Safe wrappers for-sys dav1d | libfuzzer | logic | |
| rav1e | Crash with 4 tiles for 1080p 4:2:2 | libfuzzer | logic | |
| rav1e | Buffer underflow in CDEF pad_into_tmp16 | libfuzzer | so | |
| rav1e | Tiling mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Encode-decode mismatch | libfuzzer | logic | |
| rav1e | Crash on width or height of 1 | libfuzzer | panic | |
| rav1e | Encoder admits invalid color configuration | libfuzzer | logic | |
| regex | #417 | afl | utf-8 | |
| regex | #84 | afl | unwrap | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | regex parsing panics with blog post | libfuzzer | unwrap | |
| regex | Unexpected match branch | honggfuzz | logic | |
| rmpv | Unchecked vector pre-allocation | afl | oom | |
| roughenough | handle truncated message | afl | oor | |
| roughenough | incorrect range check fix | libfuzzer | logic | |
| roughenough | reject messages with zero tags | afl | logic, oor | |
| roughenough | reject short single tag messages | afl | logic, oor | |
| roughenough | return Error instead of panicking | afl | panic | |
| roughenough | validate tag offset not past end of message | afl | logic | |
| roughenough | validate value offset not past end of message | afl | logic | |
| rust-asn1 | #32 | afl | oom | |
| rust-ini | invalid codepoint | libfuzzer | utf-8 | |
| rust-snappy | #12 | libfuzzer | oor | |
| rust-url | #108 | afl | oor | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| semver | logic error | libfuzzer | logic | |
| Sequoia-PGP | #514 | libfuzzer | arith | |
| Sequoia-PGP | #515 | libfuzzer | utf-8 | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| simple_asn1 | #9 | libfuzzer | arith, oor | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| ssh-keys | #3 | afl | oor | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| swf-parser | #23 | libfuzzer | logic | |
| sxd-document | use after free | libfuzzer | uaf | ✔️ |
| syn | Unrecognized literal | libfuzzer | logic | |
| tar-rs | #23 | afl | arith | |
| tera | #396 | libfuzzer | arith, logic | |
| tiff | index out of bounds | afl | oor | |
| tiff | infinite loop on malformed input | afl | loop | |
| tiff | memory exhaustion on malformed input | afl | oom | |
| tiff | panic on attempt to divide by zero | afl | arith | |
| tinyvec | arithmetic underflow | rutenspitz | arith | |
| tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
| tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
| unicode-segmentation | word boundary correctness | libfuzzer | logic | |
| unified-diff | lines before 1, with no context | libfuzzer | logic | |
| uuid | index out of bounds | libfuzzer | oor | |
| v_escape | heap buffer overflow | libfuzzer | oor | ✔️ |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xml-rs | #93 | afl | utf-8 | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |
Description of categories:
- arith: Arithmetic error, e.g. overflows
- logic: Logic bug
- loop: Infinite loop
- oom: Out of memory
- oor: Out of range access
- segfault: Program segfaulted
- so: Stack overflow
- uaf: Use after free
- uninit: Program discloses contents of uninitialized memory
- unwrap: Call to `unwrap` on `None` or `Err(_)`
- utf-8: Problem with UTF-8 string handling, e.g. getting a char not at a char boundary
- panic: A panic not covered by any of the above
- other: Anything that does not fit in another category, or it is unclear what the problem is