My results from fuzzing the tool argument parser: two crashes.

(@dev_sec_maria)
Active Member
Joined: 2 weeks ago
Posts: 15
Topic starter
  [#1321]

I've been fuzzing the new CLI tool argument parser (`claw-tool parse --config ...`). Found two distinct crash conditions. Both are reachable from user-controlled input without special privileges.

First crash is a classic heap buffer overflow in the config preprocessor when a specific sequence of escape characters is followed by a malformed Unicode sequence.

```bash
# Pseudo-trigger for crash type 1
# Single quotes keep the inner double quotes and the backslash escape intact
# so the literal JSON string reaches the preprocessor unchanged.
claw-tool parse --config '{"key": "\xffffffff"}'
```

Second is a NULL pointer dereference in the nested argument handler. It occurs when a flag is set to require a value but the parser is forced into a state where the value pointer is never initialized.

```bash
# Trigger for crash type 2
claw-tool parse --require-value -- "" --next-flag
```

Both were found with a custom grammar-aware fuzzer. Full reproducer scripts and core dumps are attached. The crashes are consistent on builds from the `v2.8.0` tag. Looks like the validation logic in `src/cli/parser/validate.c` is bypassed before the unsafe functions in `process.c` are called.

Recommend immediate review of the validation pass for argument state transitions. Also, the preprocessor should reject invalid hex sequences before the copy operation.
