
🏆 Trophy Case 🏆

A showcase of bugs found via fuzz testing Rust codebases. It serves multiple purposes:

  • Help the community see what issues are common in Rust codebases (useful when e.g. designing APIs)
  • Increase visibility of effective fuzz testing targets so people can reuse testing strategies
  • Provide insight into the kinds of issues users can expect to find with a given fuzzer

Most of these bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because safe Rust is memory-safe by default! Where the table does record a memory-safety bug (use after free, heap buffer overflow, disclosure of uninitialized memory), the root cause lies in `unsafe` code, since safe Rust rules those out. Have you fuzzed Rust code and found a bug? Please consider adding it to this table via a pull request!

Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not considered a security issue here.

| Crate | Information | Fuzzer | Category | Security? |
|-------|-------------|--------|----------|-----------|
| bmfont | panic on unwrapping | libfuzzer | panic | |
| boa | invalid spans | honggfuzz | logic | |
| boa | Could not convert to BigInt | honggfuzz | logic | |
| boa | invalid utf16 | honggfuzz | logic | |
| boa | assignment to number | honggfuzz | logic | |
| boa | division by zero | honggfuzz | arith | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | #116 | libfuzzer | oom | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| capnproto-rust | Multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| claxon | 0fd8815 | libfuzzer | unwrap | |
| claxon | 21b1db4 | libfuzzer | oor | |
| claxon | 875c3b2 | libfuzzer | logic | |
| claxon | c036944 | libfuzzer | logic | |
| claxon | Massive slowdown on malformed input | libfuzzer | other | |
| claxon | Memory disclosure on malformed input | afl + libdiffuzz | uninit | ❗️ |
| comrak | #65 | libfuzzer | oor | |
| cpp_demangle | Multiple panics | afl | unwrap, arith | |
| cranelift | #418 | libfuzzer | logic | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| cursive | grapheme boundary correctness | libfuzzer | utf-8 | |
| deflate-rs | #40 | afl | logic | |
| deflate-rs | #42 | afl | logic | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| dhcp4r | #6 | libfuzzer | oor | |
| encoding_rs | #44 | afl | logic | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| fontdue | arithmetic overflow | libfuzzer | arith | |
| goblin | memory exhaustion | afl | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| hjson-rust | invalid utf8 | libfuzzer | utf-8 | |
| hjson-rust | subtract with overflow | libfuzzer | arith | |
| hjson-rust | removal index (is 0) should be < len | libfuzzer | logic | |
| hjson-rust | panics on ParseIntError | libfuzzer | arith | |
| httparse | #9 | afl | arith | |
| httpdate | accepted dates like "May 35" | libfuzzer | logic, arith | |
| httpdate | panic on "no character boundary" | libfuzzer | utf-8 | |
| hyper | arithmetic overflow | libfuzzer | arith | |
| image | #1238 | afl | oor | |
| image | #414 | afl | logic | |
| image | #473 | afl | arith | |
| image | #474 | afl | unwrap | |
| image | #477 | afl | oor | |
| image | #622 | libfuzzer | oom | |
| image | #623 | libfuzzer | oom | |
| image | #624 | libfuzzer | oom | |
| image | #625 | libfuzzer | oor | |
| image | #876 | afl | oor | |
| image | #877 | afl | arith | |
| image | #878 | afl | oor | |
| image | Failed to break on an EOF | afl | oor | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | unwrap | |
| jpeg-decoder | #50 | afl | oom | |
| jpeg-decoder | arithmetic overflow | libfuzzer | arith | |
| json-rust | arithmetic overflow | afl | arith | |
| juniper | panic on "no character boundary" | libfuzzer | utf-8 | |
| just | #363 | libfuzzer | logic | |
| lewton | enormous CPU and memory consumption on crafted input | afl | other | |
| lewton | index out of bounds | honggfuzz | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | index out of bounds | afl | oor | |
| lewton | infinite loop | afl | loop | |
| lewton | large CPU and memory consumption on crafted input | afl | other | |
| lewton | memory exhaustion due to integer underflow | afl | arith, oom | |
| lewton | memory exhaustion | afl | oom | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | arithmetic overflow | libfuzzer | arith | |
| lexical | Out-of-bounds read in unsafe code | libfuzzer | oor | |
| libflate | 258cf44 | honggfuzz | oor | |
| libflate | 6157daa | honggfuzz | panic | |
| libflate | dc77163 | honggfuzz | unwrap | |
| libflate | Out-of-bounds read in unsafe code | afl | oor | |
| libpnet | arithmetic overflow | libfuzzer | arith | |
| libstd | overflow in range bounds calculation on Vec::drain | rutenspitz | arith | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | index out of bounds | libfuzzer | oor | |
| lz-fear | memory exhaustion | libfuzzer | oom | |
| lz4_flex | memcpy-param-overlap | libfuzzer | other | |
| lz4_flex | heap-buffer-overflow | libfuzzer | oor | ❗️ |
| lzma-rs | behavior mismatch with reference implementation | libfuzzer | logic | |
| minidump | #7 | libfuzzer | panic | |
| miniz_oxide | Infinite loop exhausting memory | libfuzzer | loop, oom | |
| miniz_oxide | Infinite loop | libfuzzer | loop | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mongo_driver | #55 | libfuzzer | unwrap | |
| mp3-metadata | Multiple panics | afl | oor | |
| mp4parse-rust | #2 | afl | panic | |
| mp4parse-rust | #4 | afl | panic | |
| mp4parse-rust | #5 | afl | panic | |
| mp4parse-rust | #6 | afl | panic | |
| msgpack-rust | #151 | afl | oom | |
| naga | slicing not on a character boundary | libfuzzer | utf-8 | |
| ncurses-rs | string with \0 | libfuzzer | unwrap | |
| nifti | out of bounds array slicing | libfuzzer | oor | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow due to incorrect parameter declaration | libfuzzer | arith, logic | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | unwrap | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| pancurses | string with \0 | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | arith | |
| pcapng | arithmetic overflow | libfuzzer | arith | |
| picky | #10 | libfuzzer | unwrap | |
| picky-asn1-der | #10 | libfuzzer | arith, oom, oor | |
| png | crash on malformed input | afl | oom | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| png | infinite loop on crafted input | libfuzzer | loop | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| prettytable-rs | subtract with overflow | libfuzzer | arith | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| prost | Stack overflow | afl | so | ❗️ |
| pulldown-cmark | arithmetic overflow | libfuzzer | arith | |
| pulldown-cmark | Overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | Panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| rawloader | abort on huge memory allocation | afl | oom | |
| rav1e | Invalid assertion in rate control | libfuzzer | panic | |
| rav1e | LRF crash when encoding tiny frames | libfuzzer | panic | |
| rav1e | CDEF UV direction mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Safe wrappers for-sys dav1d | libfuzzer | logic | |
| rav1e | Crash with 4 tiles for 1080p 4:2:2 | libfuzzer | logic | |
| rav1e | Buffer underflow in CDEF pad_into_tmp16 | libfuzzer | so | |
| rav1e | Tiling mismatch for 4:2:2 | libfuzzer | logic | |
| rav1e | Encode-decode mismatch | libfuzzer | logic | |
| regex | #417 | afl | utf-8 | |
| regex | #84 | afl | unwrap | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | regex parsing panics with blog post | libfuzzer | unwrap | |
| regex | Unexpected match branch | honggfuzz | logic | |
| rmpv | Unchecked vector pre-allocation | afl | oom | |
| roughenough | handle truncated message | afl | oor | |
| roughenough | incorrect range check fix | libfuzzer | logic | |
| roughenough | reject messages with zero tags | afl | logic, oor | |
| roughenough | reject short single tag messages | afl | logic, oor | |
| roughenough | return Error instead of panicking | afl | panic | |
| roughenough | validate tag offset not past end of message | afl | logic | |
| roughenough | validate value offset not past end of message | afl | logic | |
| rust-asn1 | #32 | afl | oom | |
| rust-ini | invalid codepoint | libfuzzer | utf-8 | |
| rust-snappy | #12 | libfuzzer | oor | |
| rust-url | #108 | afl | oor | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| semver | logic error | libfuzzer | logic | |
| Sequoia-PGP | #514 | libfuzzer | arith | |
| Sequoia-PGP | #515 | libfuzzer | utf-8 | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| Sequoia-PGP | #516 | libfuzzer | oor | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| simple_asn1 | #9 | libfuzzer | arith, oor | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| ssh-keys | #3 | afl | oor | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| swf-parser | #23 | libfuzzer | logic | |
| sxd-document | use after free | libfuzzer | uaf | ❗️ |
| syn | Unrecognized literal | libfuzzer | logic | |
| tar-rs | #23 | afl | arith | |
| tera | #396 | libfuzzer | arith, logic | |
| tiff | index out of bounds | afl | oor | |
| tiff | infinite loop on malformed input | afl | loop | |
| tiff | memory exhaustion on malformed input | afl | oom | |
| tiff | panic on attempt to divide by zero | afl | arith | |
| tinyvec | arithmetic underflow | rutenspitz | arith | |
| tinyvec | resize() could set incorrect size for inline storage | rutenspitz | logic | |
| tinyvec | swap_remove() for last element worked incorrectly | rutenspitz | logic | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | logic | |
| unicode-segmentation | word boundary correctness | libfuzzer | logic | |
| uuid | index out of bounds | libfuzzer | oor | |
| v_escape | heap buffer overflow | libfuzzer | oor | ❗️ |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xml-rs | #93 | afl | utf-8 | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |

Description of categories:

  • arith: Arithmetic error, e.g. overflows
  • logic: Logic bug
  • loop: Infinite loop
  • oom: Out of memory
  • oor: Out of range access
  • segfault: Program segfaulted
  • so: Stack overflow
  • uaf: Use after free
  • uninit: Program discloses contents of uninitialized memory
  • unwrap: Call to unwrap on None or Err(_)
  • utf-8: Problem with UTF-8 string handling, e.g. slicing a string not at a char boundary
  • panic: A panic not covered by any of the above
  • other: Anything that does not fit in another category, or unclear what the problem is
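To make the most common categories above concrete (oor from unchecked indexing and slicing, arith from unchecked offset arithmetic, and the panic-on-malformed-input pattern that fills most of the table), here is an added example that is not part of the trophy case or of any crate listed in it. It parses a constructed length-prefixed record format two ways, a naive parser with exactly those bugs and a hardened parser that returns `None` instead of panicking, and drives the naive one with a tiny deterministic mutation loop that stands in for libFuzzer or AFL so that the whole thing runs with `std` alone. The format, the function names and the seed input are all assumptions made for this example.

```rust
// Added example, not code from the trophy-case repository or any crate it lists.
// The record format is constructed for illustration: [count: u8] followed by
// `count` records of [len: u8][len bytes].
use std::panic;

/// Naive parser: the bug classes the trophy case catalogues most often.
/// Every index and slice is unchecked, so truncated or oversized inputs panic (oor).
pub fn parse_naive(data: &[u8]) -> Vec<Vec<u8>> {
    let count = data[0] as usize; // oor: panics on empty input
    let mut pos = 1;
    let mut out = Vec::with_capacity(count);
    for _ in 0..count {
        let len = data[pos] as usize; // oor: panics when the record header is missing
        let start = pos + 1;
        let end = start + len; // arith: unchecked offset arithmetic
        out.push(data[start..end].to_vec()); // oor: panics when len exceeds remaining bytes
        pos = end;
    }
    out
}

/// Hardened parser: every read goes through `get`, every offset through
/// `checked_add`, and malformed input is reported as `None` instead of a panic.
pub fn parse_checked(data: &[u8]) -> Option<Vec<Vec<u8>>> {
    let count = *data.get(0)? as usize;
    let mut pos = 1usize;
    let mut out = Vec::new();
    for _ in 0..count {
        let len = *data.get(pos)? as usize;
        let start = pos.checked_add(1)?;
        let end = start.checked_add(len)?;
        out.push(data.get(start..end)?.to_vec());
        pos = end;
    }
    Some(out)
}

/// Minimal deterministic mutational fuzzer standing in for libFuzzer/AFL:
/// an xorshift PRNG mutates the seed (byte overwrite, truncation, insertion),
/// each candidate runs under `catch_unwind`, and the first panicking input is
/// returned. Requires the default `panic = "unwind"` profile.
pub fn fuzz(seed: &[u8], iters: u32, target: fn(&[u8]) -> Vec<Vec<u8>>) -> Option<Vec<u8>> {
    let mut state: u64 = 0x9E37_79B9_7F4A_7C15;
    let mut next = move || {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        state
    };
    // Silence the per-panic stderr message while fuzzing, then restore the hook.
    let prev_hook = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let mut found = None;
    for _ in 0..iters {
        let mut input = seed.to_vec();
        match next() % 3 {
            0 => {
                let i = (next() as usize) % input.len();
                input[i] = next() as u8;
            }
            1 => {
                let n = (next() as usize) % input.len();
                input.truncate(n);
            }
            _ => {
                let i = (next() as usize) % (input.len() + 1);
                input.insert(i, next() as u8);
            }
        }
        if panic::catch_unwind(|| target(&input)).is_err() {
            found = Some(input);
            break;
        }
    }
    panic::set_hook(prev_hook);
    found
}

fn main() {
    // Constructed seed: two well-formed records, "ab" and "xyz".
    let seed = [2u8, 2, b'a', b'b', 3, b'x', b'y', b'z'];
    assert_eq!(parse_naive(&seed).len(), 2);
    match fuzz(&seed, 10_000, parse_naive) {
        Some(crash) => {
            println!("naive parser panicked on {:?}", crash);
            println!("checked parser returns {:?}", parse_checked(&crash));
        }
        None => println!("no crash found"),
    }
}
```

Under a real harness the target is the one-liner `fuzz_target!(|data: &[u8]| { let _ = parse_checked(data); })` for cargo-fuzz, or the equivalent `fuzz!` closure for afl.rs, and the crash reproducer is whatever the fuzzer writes to its artifacts directory. Two caveats a practitioner should keep in mind: arithmetic overflow only panics (and so only lands in the arith row) when overflow checks are enabled, which cargo-fuzz does by default but a plain `--release` build does not, where the overflow wraps silently and resurfaces later as an oor, oom or logic bug; and `catch_unwind` only works with the default unwinding panic strategy, so a `panic = "abort"` profile needs the fuzzer's own crash handling instead.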
